How would you execute on your disaster recovery and business continuity plan if you had less than 30 percent of employees available and no idea how to locate the rest?
Do you know if your emergency generators have enough fuel to last more than 24 hours? On what floor are they located?
Is CISD part of your disaster recovery plan? Do you even know what CISD is?
If you don’t have solid answers to these kinds of questions, the bad news is that your disaster recovery plan is lacking. And you’re not alone. According to a recent survey, 22 percent of CIOs don’t even have a disaster recovery plan and of those who do, only 31 percent rate that plan as extremely or very effective.
The good news, said Paul Saffo, is that in this post-Katrina, pre-flu pandemic environment, there’s a brief window of opportunity for you to do something about it.
Saffo moderated this panel made up of eight CIOs from across the country – some affected by the devastation in the Gulf, others whose organizations are helping in the recovery – along with representatives from first responder and government entities. They talked about their recent — often very personal — experiences with natural disasters and offered hard won advice. After the panel, the audience broke up into work groups to brainstorm about ways CIOs can help each other and first responders in dealing with disasters.
Following are some snippets from the eye-opening panel and audience discussion.
* What most surprised you during or after Katrina hit?
“The biggest surprise was just how little sleep the human body needs to function normally.”
David Clarke (who joined the panel by phone)
Vice President & CTO
The American Red Cross
“That the issues identified after 09/11 hadn’t been fixed.”
Chief, Command, Control & Communications Div., Pacific Region
US Coast Guard
“We have disasters all the time in California so there were no big surprises. But the hardest thing was tracking and locating employees.”
SBC Communications, Inc.
“We realized we had business continuity plan, but we didn’t have a community continuity plan.”
General Manager, Enterprise Architecture Program
“The biggest surprise for me was [that] people were surprised that so many organizations were not prepared.”
Acting Director, National Cyber Security Division
Department of Homeland Security (DHS)
“The biggest challenge was how to operate when so many management employees were not there to pull together as response to the crisis. So we had to create a temporary organization to do the recovery work.”
Internal Information Services Vice President & CIO
Northrop Grumman Ship Systems Sector
“The biggest surprise was the 30-foot storm surge.”
Julia Harwell Segars
Vice President & CIO
“I was surprised it wasn’t followed by pestilence,” Shield said to a round of laughter. “The real challenge was getting data out of the impacted areas.”
Executive Vice President & CIO
The Weather Channel
“We had a good business recovery plan. But 30 of my family members lost their homes due to Katrina. I came to realize how going home and sleeping on air mattress affects your ability to execute on the plan.”
Senior Vice President, Administration & CIO
The Shaw Group Inc.
Some other issues that arose during discussion included:
* Interoperability or Lack Thereof
Paul Saffo pointed out that first responders and businesses speak totally different languages and think about things in completely different ways. That can prevent a collaborative response to disasters. Krotowski of Chevron says they do emergency exercises involved local governments and first responders to create a “core of connectedness” before disaster strikes.
* Working Without a Net
Thomson of the Shaw Group was quite candid about working as a contractor to DHS, FEMA and local governments after Katrina hit. “You start realizing how paralyzed you really are in helping people,” he said. “Contracts aren’t in place ahead of time to facilitate the speed of recovery. It’s like you are literally handcuffed and prevented from helping people in need. But you wind up going ahead and saving lives, pumping out millions of gallons of water out of New Orleans, putting 50,000 blue roofs (tarps) on houses.” His biggest piece of advice: “The earlier we can get these relationships in place, the better prepared we will be to take on disasters and terrorist acts in the future.”
* The Power of People
Rideout of Northrop Grumman Ship Systems Sector lost her home in Katrina. Twenty five percent of her company’s employees were displaced. And there was extensive damage to their shipyard in Mississippi, including loss of data center, one-third of the desktops, and most of network and telecom infrastructure in. “We had to immediately start to rebuild that with staff in a state of shock,” Rideout said. “It’s amazing how people rise to occasion. Even though they were grieving, they were working 24 hours a day to make sure things payroll still ran even though their own homes were destroyed.”
* Critical Incident Stress Debriefing
A quick survey of audience members revealed that only 2 conference attendees had even heard of the acronym CISD. But Day of the U.S. Coast Guard said these psychological services were critical in the first days after the storm when his staff was responding to a situation he described as “their worst nightmare.” “They were encountering dead bodies and they had to leave them there to focus on other people they could help, which was mind boggling to them,” Day said. “ Having counselors available to them when they came in for a warm meal after 22 hours of work – to assist them and talk about things – was critical. If you don’t do that, you’ll have additional casualties among your first responders. It’s a major thing that gets forgotten in disaster recovery plans.
When disaster strikes, there are corporations all over the country that could assist the first responders at the federal, state and local level. But figuring out who can provide what resources remains a problem. Purdy of DHS alerted the audience to a new web site they’ve set up called the National Emergency Resource Registry, which will help match up the resources that are needed and the resources that may be available from the private and public sectors.
* Lines of Communication
Finding ways to communicate in the aftermath of Katrina was a particular challenge for the Red Cross. Clarke explained (by phone) that they had to create lots of impromptu communication channels from satellite to land lines to cell phones. Even HAM radios played a big part. “We used anything we could make work,” Clarke said. “We tried everything but smoke signals.”
Interoperability of communication, however, continues to be a big issue. Day of the Coast Guard said DHS is trying to figure out a solution but isn’t there yet. He put out a call for the community of CIOs to think about possible solutions.
* Anticipating the Unanticipated
No disaster recovery plan can cover every possible contingency. The best plan, said Rideout of Northrop Grumman, is a flexible one. “There are always going to be things you have to decide on the fly,” she said. “You shouldn’t get a false sense of security from your ‘fantastic’ disaster recover plan, but next time you’ll probably get hit by something totally different.”
The Red Cross’s Clarke echoed that sentiment. He said the scenario that keeps him awake at night is the multiple disaster – a natural disaster like a hurricane followed by a major denial-of-service attack. That’s why you must create detailed but flexible plans. “Anticipate the unanticipated,” he warned.