Talk to Us
Click Off, if you don't want to search
-
Home

Items often overlooked in business continuity and disaster recovery planning

by Steve Lewis
Editor-in-Chief
Edwards Disaster Recovery Directory

In building the Edwards Information Disaster Recovery Yellow Pages™ over the last 15 years, we have worked with organizations ranging from retailers, universities, banks and dairies to insurance companies, local governments and more. Even with experienced and systematic planners, certain items are often overlooked. Some of these are small but crucial items which simply compound problems when disaster occurs; others can threaten the survival of the organization. These are discussed in turn, below.

1. Vulnerability of telephone and network terminators to falling water

Most facilities have a panel on a wall where the telephone wires enter the building. Typically this is not covered, and in the event of water coming down the wall, they "burn out" and are destroyed. Similarly, most computer networking racks are exposed in order to reduce heat buildup. However, they are not shielded from nearby sprinkler heads or water coming from above the ceiling and following the cables down to the rack. When they are hit by water, they also burn out.

2. Doors that need a key to open from the inside

Particularly in older buildings, many external doors have deadbolts which need a key in order to exit. Often institutions that are open to the public, such as banks and government offices lock their doors but remain open for many hours after their public hours have ended. For everyone’s safety, every exit door needs to be operable from the inside without a key.

3. Assuring all safes are fireproof

A frequent problem is the use of non-fireproof safes to protect key documents. Safes are designed to be burglar-proof; however, most are not insulated, and in a fire, the contents are incinerated.

4. Familiar, every-day, “low-tech” paper items

The two most important documents in any disaster are company checks and purchase orders. A supply must be kept off-site, ready to purchase critical equipment and supplies.

5. Insurance coverage for the “decorations”

Many organizations have valuable paintings, displays, and antiques in their facilities. Often these are not covered by insurance riders for danger or loss.
6. Employees’ relevant personal-life situations

Often, an organization's disaster plan requires key employees to relocate to a computer hotsite for the duration of an emergency. In a number of situations we’ve found that those employees were single parents, with no ability to even work emergency overtime, much less relocate out of the region to a hotsite. Other employees may rely exclusively on public transportation to get to and from work, and may not be able to get to a site requiring a car for transport.

You can help uncover such situations by having all employees sign a form on a yearly basis indicating that they have read and understood the disaster plan as it pertains to them, and asking them to note any limitations they may have in carrying it out. Then plan around those limitations, possibly by selecting an alternative backup site solution or assign other staff to cover.

7. Temporary, out-of-the-ordinary, situations which can affect plan execution

One of the most common atypical situations is that of temporarily disabled employees who require special assistance to exit the facilities, or are perhaps unable to carry key materials while using crutches. Planners need to identify these employees and task someone with ensuring their safety and ability to be effective during a disaster.

8. Familiar departments whose functions seem intuitively obvious

All organizations depend on a series of support functions, including mail delivery, check printing, voicemail, janitorial, and personnel. Because these functions are so familiar, planners often don't spend the time to go through the details of these operations to understand how they really operate.

9. Planning for after-hours operations

Many organizations operate around the clock. An example of this would be a bank with night depositories for large commercial customers. Often, there are no offsite lists of contact numbers, which are needed to notify these important customers if the facility becomes unavailable.

10. The needs of outside emergency organizations

Particularly in this age of consolidation, many organizations have far-flung locations. Many times local fire and police departments covering these locations do not have up-to-date contact information or copies of the building plans in the event of a disaster at their local facility. As part of their periodic disaster plan review, planners should obtain a confirmation from each local site that all relevant information has been communicated to the local authorities.

11. A “second set of eyes”

After conducting all the emotional negotiations with various “stakeholders” throughout the organization, and finally finishing the plan, it’s hard for planners to believe that the result can still be myopic–too inward-oriented. What is needed throughout the process and especially at the end, is an occasional informal “outside audit” by a knowledgeable person from outside of the organization. This person can be a disaster-planning colleague from another organization, or someone from the organization’s external auditors, parent organization, etc.

12. Out-of-region back-up vendors for key support services

When large-scale disasters strike, the vendors of many common items such as electric generators and common services such as “pumping-out flooded basements” can become overwhelmed with the demands of the disaster’s victims. Planners need to have out-of-region backup second-sources located beforehand.

13. Lessons from past crises

Almost all organizations we've worked with have had major disasters that have entered into their corporate lore. However, these organizations typically fail to document the details of what went wrong, what went right, what they've learned, and what they need to change for the future.

14. External factors--nearby risks and limitations

Many organizations don't realize they are located near areas that can be a focus of demonstrations or potential targets of violence. Locations near abortion clinics are familiar examples of this situation. In an unusual example of this dilemma, after September 11, 2001, an organization was unable to get access to their back-up office and storage site, located on an Air Force base, which was closed to the non-military public.

Planners should acquire a wider perspective on these sensitive sites from region-wide contingency management organizations such as NEDRIX (New England Disaster Recovery Information Exchange) in New England www.nedrix.com, the Business Recovery Managers Association in California www.brma.com, or the Business Continuity Planners Association in the Midwest www.bcpa.org. (See others in the “Associations” sections in the table of contents.)

15. Verifying that your company’s “outsourcing” provider has not become a terror target

In this age of outsourcing, it has become very common for companies to move key components of their operations to foreign countries, but the chosen sites are often not monitored for political and social instability. Recently, a popular outsourcing city in one of those foreign countries turned up on the “attack list” of one of the terror organizations.

16. Making unjustified assumptions:

16a. Assuming that all of your people will survive the disaster

One of the cruelest consequences of the 9/11 terrorist attack was that w hile many organizations had provided for backup operations, the employees they needed to operate them had all perished in the attack and there were no provisions for temporary workers. You need to know where to get replacement employees or contract workers who can take up the slack in such a situation. If your systems are so customized that such workers can’t be found, then you’ve identified another key vulnerability for your organization.

16b. Assuming your organization is important to the utility companies

Many planners simply assume that because of the nature of their organization (bank, nursing home, etc), the utility companies will assign them a high priority in their recovery operations. During the 2004 hurricane devastation in Florida, many nursing home operators - who simply assumed that they had the same priority as hospitals - found out that they were actually lower-level in priority than most businesses.
16c. Assuming that your generator’s fuel supply will outlast the disaster

Most diesel-powered generators only have about a three-day supply of fuel in their supply tanks. Often, during a disaster, areas become inaccessible to fuel trucks for longer periods of time than that, and alternate plans need to be drawn up for that eventuality.

16d. Assuming that airplanes and specialty transportation will always be available

Many organizations are dependent upon air deliveries of key items. An example would be drug companies who are delivering test samples for clinical trials. These deliveries were completely disrupted after 9/11 when the entire air fleet of the country was grounded. Another example would be organizations who have arranged for air delivery of replacement computers in a disaster–just the time when airports might be closed. Alternative means of transportation need to be identified in advance to cover these eventualities.

17. Neglecting to test the plan and do what it says

A well thought-out plan does put a company in a good position, but it's very important to execute the plan and make sure all the parts are in place. Actually buy the back-up generator listed in the plan. Be sure the off-site copies of the computer back-ups are tested on a regular basis. Also, be sure your overall plan is tested and distributed to all the people who need it.