Disaster Planning

Stephen DeAngelis

September 02, 2009

In an earlier post entitled Plans vs. Planning, I quoted the late President and 5-star General, Dwight D. Eisenhower, who remarked:

“In preparing for battle, I have always found that plans are useless, but planning is indispensable.” – Dwight D. Eisenhower, from Dr. Mardy’s Quotes of the Week

In that post, I also observed that too often people can’t see the difference between plans and planning. In my mind, the first reflects rigidity while the latter epitomizes flexibility and adaptability. I believe that businesses of all sizes need to plan for the future. They need to consider what they are going to do if “the unthinkable” happens. Such planning requires business leaders to ask a lot of “what if” questions, consider a number of possible alternative futures, and prudently plan for more common occurrences like fire, cyber attacks, and supply disruptions. Joyce Rosenberg, a reporter who writes about small business for the Associated Press, warns that waiting until the last minute to think about how to respond to a crisis could be fatal for a business [“So, you have one hour to do disaster planning …Salt Lake Tribune, 23 August 2009]. Considering the fires burning near Los Angeles, her warning is timely. She writes:

“There’s a brush fire bearing down on your small business. You’ve been told you have one hour to evacuate — which means you have one hour to come up with and execute a disaster preparation plan. This is a scenario similar to what thousands of small-business owners face each year. Luckily, that’s enough time to take care of a company’s most valuable assets, its employees and its data. Disaster prep is one of those tasks that many small-business owners keep planning to get to, but keep putting off. And it certainly may not seem like a priority at a company that’s contending with slumping sales and cash flow during a recession. While it’s understandable that some owners don’t get around to disaster planning, they’re courting danger.”

I became interested in resilience following the terrorist attacks in September 2001. I learned that many of the companies conducting business in the World Trade Center towers had learned lessons from an earlier terrorist attempt to bring down the towers and had wisely backed up their data at another site. Nevertheless, the event started me thinking about how to identify a company’s most critical assets and, once identified, how to protect them. With the help of Carnegie Mellon University’s Software Engineering Institute, I adapted their Operationally Critical Threat and Vulnerability Evaluation (OCTAVE®) process to develop Enterra Solutions’ Enterprise Resilience Management Methodology™ (ERMM). Using this methodology companies can identify their critical assets (that is, those assets that if lost would cripple the business), assess how well those assets are currently being protected, and develop a course of action to cover any shortfalls. The process can be adapted to businesses both large and small. Disaster planning, Rosenberg writes, is especially critical for small businesses because they have few, if any, reserves to help get them back on their feet.

“Without disaster planning, ‘there’s no way I’d be able to recover my retirement,’ [John Toigo, a disaster recovery consultant based in Dunedin, Fla.] said, referring to the fact that so many owners expect to some day sell their companies and live off the proceeds. Minimal preparation — the kind you would have to resort to if a disaster were in fact on the way — can be accomplished in an hour. And you can do much more if you have the luxury of an entire day.”

I must insert a note of caution here. The operative words in the previous paragraph are “minimal preparation.” We’ve routinely find that business owners have not taken the time to consider which of their assets are “critical.” To uncover critical assets, a number of important questions need to be answered. Are those assets physical? Are they processes? Do they involve data storage? Truly understanding one’s business, especially a large business, requires a critical, but time consuming, process. It certainly can’t be accomplished in an hour or even a day. But it’s worth the effort. Getting back to the bare-bones things that can be done, Rosenberg reports:

“Toigo said the first thing to be done is to put together a list of contact phone numbers, physical and e-mail addresses for everyone on the staff, and to be sure everyone has a copy. Staffers should provide several different ways that they can be reached during an emergency. Luis Yepez, vice president of Mainstream Global, a Lawrence, Mass.-based computer reseller, said owners should also let employees know they are concerned about their staffers’ welfare. ‘Stress the important, that you care about their safety, their well being,’ he said. Just as crucial is to let employees know that you’re prepared for the contingencies, that you’ve thought about how you’re going to get the company up and running. In other words, you’ve thought about how you’re going to protect their jobs. Yepez noted that it’s also important to know how you’re going to stay in touch with your clients, customers and vendors. They need to know your situation because what happens to you affects them.”

Good planning takes time. As I noted earlier, I’m a big fan of asking lots of “what if” questions and examining alternative scenarios that could dramatically affect the business landscape. Often that kind of in depth planning is best done with outside help — using people who have experience in thinking about out-of-the-box events. Rosenberg admits good planning takes time to do right.

“The fact is, though, if you’re doing eleventh-hour disaster prep, you may not have thought it all out. But you can talk to staff and e-mail your business associates and let everyone know so they won’t be left wondering about what’s going on.”

She recommends that companies get into the habit of backing up critical data. In today’s IT environment, doing so is quick and relatively inexpensive. If you haven’t been smart enough to do that and the disaster is at the door, Rosenberg advises that you “grab your server and take it with you. If you have laptops, of course they’re very easy to transport. … You should also be grabbing important documents that will help you if you have to submit an insurance claim. That includes policies and, if they’re easy to find, invoices to prove how much you paid for computers, furniture and other equipment. Though you may need to reference these documents at work, you should keep copies off-site as well.”

She goes to provide some useful last minute advice, like turning off utilities before you run out the door or boarding up windows before a hurricane hits. There are, she reports, lots of good resources on the Internet and she recommends “the Institute for Business & Home Safety’s site, www.disastersafety.org, and the federal government’s guide at www.ready.gov/business. … The Small Business Administration also has information at www.sba.gov/beawareandprepare/business.html.” Of course, if you want a more comprehensive assessment of how to protect your business, you can always contact my company!