After Superstorm Sandy, an Opportunity to be Better Prepared
The whole point of an information systems contingency plan is to be prepared before catastrophe strikes. Unfortunately, we're all adept at postponing planning.
Mon, January 14, 2013
Computerworld — It's a pretty safe bet that a lot of organizations in the Northeast are bulking up their business continuity plans (BCP) right now. That's because many of them were left in the rubble following Superstorm Sandy, and experience is often the best teacher.
If your organization escaped that disaster, you should let the experiences of those that got hit be lesson enough for you. Don't wait until it's too late; the whole point of a BCP and an information systems contingency plan (ISCP) is to be prepared before catastrophe strikes.
Unfortunately, we're all adept at postponing planning. Let's face it: ISCPs are not cheap, sexy or fun, and often they aren't even used after time, money and effort have been spent developing them. And we tend to think that a business-crippling disaster just isn't likely. The odds are indeed low. Category 5 hurricanes like Andrew (South Florida, 1992) are relatively rare, and the chances of one hitting New York are extremely slim. That's one reason why Sandy is so instructive.
Compare it to Katrina (Gulf Coast, 2005), which trumped Sandy in many ways. A Category 3 storm when it went ashore, Katrina caused damage that was assessed at $120 billion and led to 1,836 deaths. Sandy was barely a Category 1 when it hit the coast, and it caused $30 billion to $60 billion in damage and resulted in 109 deaths. But Sandy had a much bigger impact on business. The three states most affected by Sandy are home to 85 Fortune 500 headquarters, compared with 20 in the area affected by Katrina. Sandy's power outages affected 8.4 million people (and thousands of businesses), whereas Katrina left 1.7 million people without power. And Sandy's impact was felt throughout the world economy when it forced the closure of the New York Stock Exchange and many U.S. government offices.
In other words, a storm doesn't have to be a record-breaker in terms of strength to cause tremendous havoc. And businesses located along the coast aren't the only ones at risk. There are all kinds of disasters, including earthquakes, tornados, wildfires, tsunamis and blizzards.
I've heard people argue that ISCPs don't increase revenue, cut costs or create new services. That's true, but they can help to avoid costs and prevent devastating drops in revenue. And creating an ISCP identifies potential vulnerabilities, whose elimination strengthens IT robustness.
What's more, an ISCP can help with compliance. Increasingly, professional organizations and federal guidelines strongly encourage or mandate BCPs. For example, the National Association of Securities Dealers requires the creation and maintenance of a BCP. Sarbanes-Oxley Section 404 requires management to establish and maintain "adequate internal control over financial reporting." The inability to recover after full or partial outages could be considered noncompliance.