Preparing for a Disaster

By Elizabeth Wasserman

In the wake of Hurricane Katrina, one of the worst natural disasters to ever hit the U.S., many companies in the New Orleans area have been unable to do business, government agencies have been incapable of providing basic services, and an unknown number of organizations completely lost their information technology capabilities.

The wrath of Katrina was widespread. Physical plants, warehouses, and offices were destroyed. The workforce was scattered, and more than 1,000 people died. For organizations that relied on IT, many may never be able to replace the data, the systems, and the hardware that was lost. Even businesses that prepared for potential disasters by developing backup systems may have suffered dual losses if those data centers were within a 50-mile radius of the storm's center.

Every CIO and IT executive has lessons to learn from Hurricane Katrina. Disasters come in many forms. Mother Nature is responsible for earthquakes, hurricanes, tsunamis, and blizzards. Other types of disasters are man-made -- viruses, hacker attacks, or terrorist attacks can also completely disable an organization's IT abilities. The risk is that any of these attacks could take down an organization's IT operations, and that can result in lost revenue, a drop in a company's stock price, regulatory penalties, and the loss of customers to competitors.

"It could put a company out of business," says Roberta Witty, research vice president at Gartner. "We've seen a real growth in awareness of the need for preparedness. Still, it takes companies by surprise, especially something like Katrina." The bottom line, says Witty, "If you don't have a plan, you're not going to recover so quickly."

CIOs are charged with ensuring that IT operations has a plan in the face of a disaster to keep the business up and running -- or at least make sure it recovers quickly. But CIOs are also dealing with a challenging -- and changing -- IT environment. There are a multitude of different devices hooked up to networks these days. A growing number of business units have different business goals and processes. And the growing reliance on outsourced IT processes and business partners adds yet another level of complexity.

One key step in preparing for the impact of a natural disaster or hacker attack is to thoroughly understand the resources that are most critical to an organization. Here are some ways that CIOs can review resources and prioritize:

• Business impact assessment    Look at business processes, technology, relationships with trading partners -- everything that helps the organization do business. A thorough analysis will help set the stage for understanding business priorities in preparing for a disaster.
• Identify mission-critical functions    Find out what brings in the most money. Which business functions would result in the biggest hit to revenue if lost? Most often these would be customer or partner-facing processes; an organization that isn't there for customers may lose them in a crisis. Other mission-critical processes include supply chains and even email, Witty points out.
• Analyze risks    Explore the types of risks that these mission-critical functions face. How susceptible is the organization to site-specific threats -- floods, hurricanes, downed power lines, terrorist attacks? Is the IT network vulnerable to hacker attacks, operational errors, hardware failures, or other risks due to reliance on an IT service provider?
• Put strategies together    The plan should outline what staff, technology, and special equipment the organization will need to bounce back or continue operations. Who will be doing what, where, when, and for how long? In addition, determine what type of message to communicate to the public and shareholders.
• Test the plan    Run tests at the IT recovery site.

A recent Forrester report by analyst Colin Rankine looks at what lessons business leaders need to take away from the Hurricane Katrina recovery efforts. Most importantly, the report says location is the biggest determining factor for risk. While some business operations need to be located near deep-water ports in hurricane-vulnerable Florida or the Gulf of Mexico, such as warehouses and distribution centers, Forrester advises that all other facilities be located in areas facing less risk. In addition, the report cites reliance on wireless communications as a potential risk in a hurricane-prone environment. Not only were wireless and landline facilities destroyed, but the number of regional emergencies overloaded wireless systems. Despite the cost, Rankine says CIOs may want to consider having satellite phones for select operations managers or response coordinators.

CIOs may face challenges in terms of putting in place disaster preparedness plans and procedures. Witty says that one of the biggest objections is cost. She says disaster recovery on average is 4 percent of the data center budget, but the data center is 50 percent of the overall IT budget. That 4 percent could be a drop in the bucket compared to the costs of rebuilding an organization's IT operation in the event of disaster. In addition, some CIOs encounter apathy when they mention disaster preparedness. "People say, 'It's never happened to us before.'" Witty says. " 'Who would want to attack us?'"

The biggest problem, as illustrated by Hurricane Katrina, is that organizations aren't planning for these enormous disasters. Between the Sept. 11, 2001 terrorist attacks, the Indian Ocean tsunami in 2004, and the hurricane that hit New Orleans, recent history demonstrates that catastrophic disasters can happen more than just once in a lifetime.

Elizabeth Wasserman has written about technology and business for Inc., CIO Insight, and the San Jose Mercury News. She is a freelance writer based in Fairfax, Virginia.