On October 30, 2012, Hurricane Sandy launched a 13-day devastating drive across the east coast, disrupting families and businesses caught in her path. The destruction included damages in excess of $70 billion, a crippled mass transit system, gas shortages, and more than 8 million customers without power. According to an article posted on the Centers for Disease Control and Prevention website, “FEMA has estimated that nearly 72,000 homes and business in New Jersey alone were damaged. An analysis of aerial imagery by the agency showed more than 500 buildings were destroyed outright or reduced to debris, another 5,000 suffered major damaged from flooding or high winds, about 24,000 had minor damage, and tens of thousands of others were affected by floodwaters.”
Hurricane Sandy was only one of many events that impacted businesses directly or indirectly during 2012, which taught businesses two things: (1) all disasters are not created equal and (2) it’s critical to be prepared. Integral to preparation is developing a disaster recovery plan (DRP).
All disasters are not created equal
Although there are a variety of natural disaster possibilities, most organizations only concern themselves with those that have affected nearby areas in the past. Your organization will need to tailor its disaster recovery planning efforts to align with the most probable disasters. This is not to say organizations outside Tornado Alley should ignore the possibility of a tornado, but based on a probability assessment, planning for a volcano may not be necessary.
Although disasters are hardly created equal, there are common issues from which the entire country can learn. For example, any large natural disaster could potentially affect the communication infrastructure in the area. Whether cell phone towers are toppled or power is simply knocked out, you may not be able to rely on cell phones to connect with your staff. (With approximately 32 percent of adults living in households with only wireless telephones, you may have no alternate landline to use.) In addition, staff may not be able to make it into the office. Whether the office no longer exists, travel is unsafe, or staff prefer to manage the effects of the disaster at home, companies need to consider how they’ll recover without full, onsite recovery teams.
It’s also important to note, however, that each disaster has unique features. For example, the advance warning time for a hurricane differs from that of a tornado. Therefore, no overall plan can cover all possibilities. While an organization may cover the backup data restoration process in an overall plan, there should also be unique staff evacuation procedures documented for each disaster possibility. It’s important that companies complete a risk assessment to identify the most likely incidents and their specific impacts (such as water damage, staff safety, and power redundancy).
Do you have a disaster recovery plan?
Ideally your DRP will never need to be used, but that doesn’t mean it’s not important to have one. In the event of a disaster, your team’s expertise with day-to-day procedures will be helpful; however, with unavailable staff and resources, you’ll need to modify existing procedures to accommodate a disaster scenario. Being able to rely on a useful DRP in this situation is a critical timesaver, eliminating the need to invent new procedures mid-disaster. Training key team members on their responsibilities and workaround procedures under the plan will greatly help to reduce confusion and wasted time.
A major misconception included in typical DRPs pertains to the number of key staff who will be available to assist in the recovery process. Results of a survey completed after a 1994 Los Angeles area earthquake confirmed that the most common reason for a business interruption was staff attending to personal matters. Even if the disaster doesn’t destroy the office or roads, the disaster could lead to multiple staff having family crises to attend to. If the technology is functioning, this can be slightly alleviated by allowing staff to work remotely from home. For those who do come into work, the organization will also need to be sensitive to the personal effects of the disaster, such as setting up a temporary office daycare if there are related school closings and power outages. As staff will be the toughest “resource” to replace during a disaster, it’s also critical that DRP efforts include cross-training initiatives from front-line staff to executive members of the organization.
Another mistake to avoid in the recovery planning process is ignoring the importance of regularly testing recovery capabilities. Generators, redundant communication lines, and backup drives all need to be tested to confirm you can rely on them when necessary. Relying on an untested secondary critical vendor connection is an improvement over having no redundancy at all; however, it could lead to a similar recovery delay if the organization waits until a disaster to realize there needs to be additional changes to firewall settings for the connection to function. Additionally, the organization should continue to complete tests as the organization grows and changes to ensure implemented controls can still support the organization.
Are you prepared?
The first steps toward developing a DRP are the most important and most difficult, as they’ll shape the entire recovery program for your organization. Our business continuity planning team has assisted clients in a variety of industries in navigating this important process. We start by meeting with key team members to identify the organization’s unique environment and explain the DRP process. To develop a comprehensive plan, our IT specialists will consult with all departments in your organization to determine which data and applications are most critical and need to be recovered most quickly after a disaster. These discussions will all be focused on the organization’s “pain threshold” for system downtime related to lost income, industry image, customer confidence, and other key impacts.
Once the critical system recovery goals have been identified, we’ll work with your IT department to identify the key resources required to meet these goals. At the end of our engagement, your team will have a plan in place to recover key resources following a disaster and re-establish business operations at an acceptable level and time frame to ensure the well-being of your organization. We’ll also assist with long-term goals to ensure the continuity plan evolves with your organization by being periodically revisited, updated, and tested.
If you decide not to do any of the above, run the following exercise. Pick a day and, for the first hour, stage a scenario in your parking lot where you don’t have access to your facility. Charge each staff member with determining what they’re going to do. This will provide a firsthand experience of what the first hour of a disaster scenario would look like for your organization.
Are you prepared for the next disaster? When loss occurs from a business interruption, whether it’s a hurricane or another disaster, the insurance claim process is usually complex and calls for an analytical approach that both the insured and the insurer accept as fair and leads to a timely resolution. Our claims experts are prepared to support businesses in the path of Superstorm Sandy, assisting with preparation of business interruption/extra expense claims and reviewing and analyzing responses from insurers. Learn more