It's a pretty safe bet that a lot of organizations in the Northeast are bulking up their business continuity plans (BCP) right now. That's because many of them were left in the rubble following Superstorm Sandy, and experience is often the best teacher.
If your organization escaped that disaster, you should let the experiences of those that got hit be lesson enough for you. Don't wait until it's too late; the whole point of a BCP and an information systems contingency plan (ISCP) is to be prepared before catastrophe strikes.
Unfortunately, we're all adept at postponing planning. Let's face it: ISCPs are not cheap, sexy or fun, and often they aren't even used after time, money and effort have been spent developing them. And we tend to think that a business-crippling disaster just isn't likely. The odds are indeed low. Category 5 hurricanes like Andrew (South Florida, 1992) are relatively rare, and the chances of one hitting New York are extremely slim. That's one reason why Sandy is so instructive.
Compare it to Katrina (Gulf Coast, 2005), which trumped Sandy in many ways. A Category 3 storm when it went ashore, Katrina caused damage that was assessed at $120 billion and led to 1,836 deaths. Sandy was barely a Category 1 when it hit the coast, and it caused $30 billion to $60 billion in damage and resulted in 109 deaths. But Sandy had a much bigger impact on business. The three states most affected by Sandy are home to 85 Fortune 500 headquarters, compared with 20 in the area affected by Katrina. Sandy's power outages affected 8.4 million people (and thousands of businesses), whereas Katrina left 1.7 million people without power. And Sandy's impact was felt throughout the world economy when it forced the closure of the New York Stock Exchange and many U.S. government offices.
In other words, a storm doesn't have to be a record-breaker in terms of strength to cause tremendous havoc. And businesses located along the coast aren't the only ones at risk. There are all kinds of disasters, including earthquakes, tornados, wildfires, tsunamis and blizzards.
I've heard people argue that ISCPs don't increase revenue, cut costs or create new services. That's true, but they can help to avoid costs and prevent devastating drops in revenue. And creating an ISCP identifies potential vulnerabilities, whose elimination strengthens IT robustness.
What's more, an ISCP can help with compliance. Increasingly, professional organizations and federal guidelines strongly encourage or mandate BCPs. For example, the National Association of Securities Dealers requires the creation and maintenance of a BCP. Sarbanes-Oxley Section 404 requires management to establish and maintain "adequate internal control over financial reporting." The inability to recover after full or partial outages could be considered noncompliance.
An effective ISCP project has four phases. First, fund it. Second, create a comprehensive ISCP. (NIST provides an excellent model.) Third, test it regularly to verify the integrity of planned operations and to ensure that employees understand their responsibilities. Fourth, update the ISCP periodically, to reflect infrastructure changes and add support for new services, such as BYOD, mobile access and big data. Beyond that, examine existing ISCPs to find holes in coverage. And don't forget supplier exposure!
With Sandy fresh in mind, take advantage of management's increased awareness of the threat of natural disasters. But act quickly; memories will fade. Develop an ISCP before this window closes.
Bart Perkins is managing partner at Louisville, Ky.-based Leverage Partners, which helps organizations invest well in IT. Contact him at BartPerkins@LeveragePartners.com.