Immediate Vault Immediate Access

Preparedness in a Changing Climate

Could Mother Nature disrupt your business? This is an old tale for many companies who make their homes in states that regularly experience extreme weather — but what about the rest of us? When the tail end of Hurricane Irene tracked over the Northeast this past August, it left behind some of the worst flooding and storm damage the region had experienced in more than 70 years. Meanwhile, Texas is coming off the harshest drought the state has ever experienced while a rash of tornadoes has been plaguing the South and Midwest. The February 2011 blizzard brought Chicago and New York to a standstill and did I mention Hawaii reported snowfall — in June?

As extreme weather becomes more widespread, no one is safe from nature’s wrath. Having a disaster preparedness plan, including backup and recovery for critical systems, will help your organization mitigate risk and maintain compliance, even in the event of a natural disaster.

Is Your Business Prepared?
Is your business ready? Could it recover in the event of an extreme weather occurrence or natural disaster? Plenty of companies think they are doing the right things in risk management. They are conducting regular business continuity business impact analyses (BIAs) and putting disaster recovery plans in place for their key applications, but often these activities are standalone processes with outputs held by business owners in emails, filing cabinets or limited file shares. IT security or risk management teams may have little visibility of any of this documentation, and as a result, have no easy way to identify emerging IT or business risks that might affect business continuity or disaster recovery planning. More serious still, senior business executives often also lack insight and simply assume that IT can get a data center up and running again quickly — completely failing to understand the extent of what might happen to the business while those critical processes are down.

Requirements for Preparedness
A GRC approach to disaster preparedness calls for greater control and visibility. It’s important that organizations look at this as a business function, not just an IT function.

An important part of disaster recovery planning is to be able to differentiate between your organization’s critical and non-critical functions and activities. You should be able to measure the value of your business processes and IT assets in order to risk-rate them according to the potential impact of an outage. How will this effect revenues, brand image, stakeholder confidence and customer loyalty? By doing this risk-rating, you can focus your disaster recovery plans on critical or high-value systems and processes and tie them to the company’s bigger risk concerns.

Another cornerstone of disaster planning is centralization of all of your analyses, plans and related documentation in a single repository. Centralization is not just about improving access and control, but also about making it easier to standardize by bringing everything together in one place so you can more easily view and respond to any overlaps, inconsistencies and gaps. Furthermore, it helps improve reporting by providing a holistic view of your business resilience program at any point in time.

As we’ve learned with all the events of this year, Mother Nature can be fickle. Even with plenty of warning of what’s coming, you can’t always be sure your assets will be protected. Your best option is to be very sure that you are prepared with options to keep your most critical operations running, and that you know exactly how to implement them.

Committing to Change: Don’t Be Afraid of What You Find
Once you have identified what your company needs and you have committed to making the required changes to your current preparedness program, you may have to brace yourself for some of the things you may discover as you start to delve deeper. Some examples of typical problems are:

  • Disaster recovery plans are missing, incomplete, or not fully adequate
  • There is a significant gap between the risk and business strategies
  • Vague plans for on-call/emergency coverage
  • Lack of staff training/expertise for disaster recovery plans

Ultimately, most of these issues can be resolved with proper planning and clear communications. IT, finance, legal and the business departments all need to be on the same page when it comes to disaster planning. What is important to the marketing department, for example, may not be viewed as a high value business process by IT and as a result may not be tiered appropriately — leaving the marketing department out of luck in the event of an outage. Without clear, deliberate and well thought out plans, the risk to both businesses and employees increases and the recovery process takes more time than it should — eating away at revenue and reputation.

How Can You Make Sure Your Company Is Ready?
Once you have identified the issues with your preparedness plan, and the improvements you need to make, you are well on track to ensuring the readiness of your company.

As I touched on earlier — communication and collaboration is of the utmost importance. You need to ensure a common understanding across departments of the processes, assets and functions that are of most importance to the business and, therefore, to its customers. This understanding is what will underpin the risk-rating and BIAs that will drive your preparedness planning.

Next is tying together people, processes and technology to avoid conflicts, gaps and wasteful overlaps. Specialist software tools can support this effort by streamlining workflows and making it easy for non-technical users to carry out activities like running real-time reports. These tools also typically provide the central repository you need for all your documented output.

Finally, training and testing are absolutely vital to a solid disaster preparedness plan. What good is a robust plan, if no one knows what to with it?

Preparedness depends on knowing exactly what to do, when to do it and how to do it. There is no second chance when a disaster strikes, only lessons learned.