Business Continuity Lessons From Hurricane Sandy

The photos and videos paint a sad picture of destruction and human suffering. Once again, the unthinkable has happened; an event of epic dimensions has destroyed and disrupted life across a broad region. Media accounts range from blame (global warming, insufficient preparations, inadequate response) to predictions of impacts, to suggestions for next steps. Large enterprises struggle with resuming normal business as Sandy’s damage creates unprecedented operational disruptions.

While the damage from Sandy is record-setting, its impact was hardly unimaginable. Almost exactly 20 years ago, a long-forgotten storm known as the December 1992 nor’easter hit the East Coast. In New York City, it resulted in some flooding of the subways, the PATH train system, as well as waterfront highways. While its impact was mild compared to Sandy, experts warned at the time of potentially catastrophic impacts of future storms. Just last year, Tropical Storm Irene served as an overture to Sandy, a skirted disaster painting a stark picture of what the next storm might bring.

While destructive weather events such as Sandy or Katrina garner current media attention, over the past decade, enterprise business continuity planners have struggled with a series of diverse and unexpected classes of events. The events of 9/11, followed by the Anthrax scares, brought fears of domestic terrorist acts to the forefront. In 2003, a blackout hit the Northeast, affecting a large region of the US and Canada, impacting over 50 million people. It was the first significant power outage impacting New York City since the Blackout of 1977. The quarter century gap had lulled firms into a false sense of confidence in the reliability of the utility infrastructure. More recently, fears of pandemics involving SARS and Avian Flu have captivated the concerns of risk management professionals.

All of these events shared a common theme: They made the unthinkable, or unimagined, a part of the “new normal”. They challenged the conventional thinking for disaster recovery preparations. It would now be standard practice to game plan for these new threats. Any firm that was unprepared for one of these incidents would face harsh scrutiny from customers, board members and regulators. Which leads to an interesting conundrum. Bio-terrorism and pandemics were not common scenarios prior to their emergence as threats in the 2000s. Why should business continuity professionals believe that they now have all bases covered? How can they envision the next, yet unseen class of threat? Is there a set of “universal” practices that would account for any future scenario?

Before we get ahead of ourselves and attempt to outline an “ultimate model” for business continuity preparedness, let’s start with the basics. There is a time-honored set of practices that has been in place in most large enterprises for many years. Here’s a very brief summary of what should be covered in any significant organization that values its brand or performs a vital civic function:

Planning – A robust planning process that identifies critical business processes, applications, job functions and people. A comprehensive set of recovery plans for all of these identified processes. A thorough set of plans for recovering data centers, critical systems, major locations and key service providers. A process to continually update these plans so that they are relevant to current business and regulatory requirements.

Testing – A set of regular tests that exercises the plans outlined in the above section. A postmortem process that looks at test results, identifies areas for improvement and tracks the remediation of the improvement items.

Incident Management – A robust process that responds to potential threats, coordinates resources and responses, and ensures that plans are executed properly so that business operations are resumed within required time frames.

So with new threats constantly emerging, how can organizations create the most adaptable and flexible plans? Which practices will allow the greatest chance of successful recovery irrespective of the nature of the new challenge? Here are some best practices that are most helpful:

Geographic Diversity – This is the cornerstone of any strong business continuity program. Hardening of assets (e.g. generators, storm proofing, network diversity) has its limitations. Any single asset, when confronted with a significantly destructive threat, will be a single point of failure. Having critical resources (i.e. Data Centers, key office locations, warehouses, factories) with significant geographical separation gives the greatest chance of surviving the impact of an event.

Functional Redundancy – Having geographically separated assets is of minimal value, if the assets can’t act as a functional backup for a failed “partner” resource. While this is well understood for Data Centers, it is not as commonly put in place for job functions. An adaptable business continuity program has a “buddy system” where people in geographically separate areas can perform the same job.

Leveraging Service Providers – While frequently looked at as a potential service destabilizer, selective use of ASPs and cloud providers can be a valuable source of additional diversity. It’s another way of limiting how many eggs you have in one basket. As an example, using email through a service provider splits off that function from your main “in-house” applications. In the event of a disaster at your primary facility, your main communication conduit would continue to function. The key here is ensuring that your selected provider has a robust recovery plan of their own, and that they are not in the same geography as your predominant resources.

Work from Home/Remote Access – All critical employees should have an ability to perform their job function from home or in another remote access setting. This is an increasingly important practice as many emerging threats (e.g. pandemic) may preclude the ability to work from a conventional office setting.

Mobile Enablement – Layered on top of remote access, an ability to use mobile devices (e.g. tablets, smart phones) to perform key business functions is a critical enabler. It provides added flexibility for a workforce that may be “on the move” after a disruptive event. Mobile devices that have broadband cellular connectivity and a long battery life can allow an employee to ride out power outages.

Association Memberships – There are a number of helpful organizations that allow organizations to share best practices and be up to date on the latest threats. One type is an industry organization focused on a particular vertical or sector. Another is a local organization that deals with challenges specific to a given region. An additional type of organization is sponsored by government agencies in a given region. Forward-thinking firms should have their business continuity professionals engaged in all of these knowledge-sharing groups.

Business continuity planning is a constantly evolving art form. Hurricane Sandy demonstrates to us that given enough time, we will experience events of previously unseen magnitudes. Furthermore, no one can predict the next type of threat that will emerge. Nevertheless, firms with robust business continuity programs incorporating the above-mentioned practices stand a reasonable shot at weathering the effects of “the next great event”.



One Response to Business Continuity Lessons From Hurricane Sandy

  1. Good article with valuable information.
