Developing effective disaster recovery programs: what can we learn from Hurricanes Irma & Harvey?
- Published: Friday, 15 September 2017 07:48
Geary Sikich looks at some of the ‘lessons learned’ which have been published following Hurricanes Irma & Harvey and provides his own take on these. He also presents a resilience framework, which breaks the resilience process into strategic, operational and tactical levels.
Worst case scenarios
When planning for disasters we frequently opt for ‘worst case’ scenario plans. Yet, time and again we are surprised when the worst case based plan that has been developed is superseded by an actual event that occurs. Hurricane Katrina taught this lesson. Will we be going back to school to learn the same lessons from Hurricane Harvey and Hurricane Irma?
Disaster recovery planning considerations for resilience
On 11th September 2017 Information Management posted an article entitled, ‘6 disaster recovery lessons organizations can learn from Harvey and Irma’. The article actually lists seven. Let’s dissect these disaster recovery lessons to see if they can be applied effectively:
# 1: Communicate the disaster recovery plan
The communication recommendation is a good one as it covers internal and external communication. Unfortunately, it stops with communicating the plan to clients. It would advisable to communicate your plan to the local, state and if applicable federal government, suppliers, vendors (‘value chain’) in addition to clients and employees. Recognize that after an event your business is most likely not a top priority for recovery by government responders. Your employees, however loyal they are, are going to be dealing with their own personal disasters and most probably will not be available for recovery efforts on your behalf. My final comment here is a question: “Why did you wait until a disaster was imminent to communicate the plan?” One should have a plan in place (preferably ‘all hazards’) and a continuous communication process that keeps all parties informed of the plan.
# 2: Forward all call and e-mails to mobile phones
Perhaps not the best recommendation or lesson learned. Mobile phone communications will be most likely to be as disrupted as other infrastructure. What about the battery life of your mobile device? No electricity means that you will not be able to charge the battery on the mobile device. In addition, the federal, state and local responders will have priority on mobile communications (see Presidential Executive Orders and federal guidelines on this issue). So, with cell towers out of service or seconded to the government, your ability to access and use mobile communications may be significantly degraded or nonexistent. Lesson learned from Hurricane Charlie: mobile communications were pretty much wiped out until providers (Version, etc.) could reestablish tower infrastructure. Hence, forwarding all calls, etc. may not be the best solution; unless of course you can forward them to a location outside of the impacted areas. However, then you may be faced with not being able to get out of the impacted areas due to infrastructure damage (roads, etc.), lack of access to transportation, etc. I would highly recommend that alternative communications strategies be established; perhaps moving call centers, key personnel, etc. to non-affected areas before the event occurs. There is generally sufficient warning with a hurricane to accomplish temporary moves, evacuation, etc. However, remember that the government has the power to commandeer all communications for national security purposes.
# 3: Form a texting chain
See comments for # 2 above – as this is also applicable for this recommendation/lesson learned. It’s all about the battery life!
# 4: Backup all client data
Great idea. Why wait until now? Haven’t you been doing this all along? The backup of client data should be a regular practice not a disaster only practice. And, what about all that other data that you have? Employee data, financial data, value chain data, etc. In any event this data should be backed up and sent to secure location/storage outside the projected impacted areas. You really need to consider the security implications too. How susceptible is the data to being hacked (if electronic), stolen (if hardcopy) or otherwise compromised? Security, security, security!
# 5: Open the office to advisory employees and family members
Really? Unless you have a bunker type facility, with cafeteria and plenty of stored supplies this may not be advisable. Most modern offices are glass and steel. Glass and steel may not stand up to hurricane force winds and flying debris as well as you may think. Also, you may find yourself stranded and unable to evacuate after the event due to infrastructure disruption. And, the government may step in and under ‘eminent domain’ take your supplies for the greater good of the community. I would suggest that one look at energy industry plans for refineries regarding hurricane preparedness and state, local plans that may offer more guidance than this recommendation provides. Assess the risks and plan accordingly. You may be creating more of a problem than you think (what about legal considerations?).
# 6: Suggest clients’ employees had ID information available
What about your employees? While I wholeheartedly embrace the general consideration of having ID available; one must ask the question: “to what end?”. How will having ID available assist in recovery? Of course, having ID is highly recommended, as well as, key and critical personal information – insurance papers, bank information and other essential data. You need a secure means of storing that information so that if separated it cannot become a source of identity loss (due to identity theft). Ensuring that all people who may be impacted by the event have proper ID is critical. I would recommend a special ID for those who will be involved in recovery operations that take place after the initial response is completed. Medical information, banking information, Social Security and all your human resources department records need to be secured.
# 7: Inform clients and colleagues of free services
Free services? Unless you are planning on providing essentials – food, water, shelter, etc. one would question the immediate recovery value of ‘free services’. While some services, such as, transportation, telecommunications, waiving of bank fees, come readily to mind; in the aftermath of a disaster, people are most concerned about the basics – food, shelter, etc. Be careful what you offer too. You may become a magnet for further disruption of your enterprise. Can you imagine the amount of potential theft that may occur by opening your doors to a dislocated population? Also, if you are offering free services ask yourself, “for how long?”, “to whom”, etc. Free services may sound good on paper, but executing may be a completely different ballgame. Be very, very careful about what you offer.
From Materials Handling and Logistics, we get the following from David Sparkman:
Think before you act. If the work involves non-routine tasks, take the necessary time to conduct a Job Safety Analysis, determine the hazards and provide training and personal protective equipment (PPE).
Emphasize ‘Situational Awareness’ by stressing that supervisors and employees keep their eyes out for unforeseen, hidden and sometimes just plain weird hazards.
Anticipate that disasters never follow the rules and plans. “Expect problems. Be paranoid,” Howard Mavity (a lawyer with Fisher Phillips) advises. “In your planning, always engage in ‘what-if’ analysis. I recommend that larger companies create a ‘What-if Committee’ and periodically brainstorm. Consider it an expanded process hazard analysis applied to every aspect of your business.”
Stay alert for hazards posed by fatigue, hunger and dehydration. When exhausted, the first thing to go is your judgment. Keep hydrated and remember that skipping meals also can lower glucose levels, resulting in bad judgment and injuries.
Fall protection is non-negotiable: Most people who are scrambling onto roofs to avoid rising water don’t know what fall protection means. However, employers must make sure that no corners are cut. “Only one error is necessary, and as in the case of trenching, excavation and confined space entry, one error often means a death,” [Mavity] says.
Generators and gas tools generate carbon monoxide—be careful about using them inside a building or any other confined space.
Follow the OSHA bloodborne pathogens standard and recognize that rising waters will contain a soup of fecal matter, fuel, rotten food, chemicals and heavy metals, and other risks. Provide PPE and remember necessary vaccinations. Vigilantly attend to open wounds and also anticipate rashes and infections.
I would add to the lessons learned and the above tips, that having cash on hand is a very good idea. As we will see with Harvey and Irma, the electronic charge and payment systems (credit cards, automated banking, etc.) is going to be disrupted due to loss of infrastructure (electric generation) for some time. Cash suddenly becomes ‘king’ once again. Additionally, personal protection should be a consideration.
You need to think and plan on three levels as depicted in figure one, ‘Resilience Framework’ below:
The strategic level should look at how your organization will achieve its goals and objectives (strategic plan) now that you are operating in discontinuity. The operational level should be focused on preventing cascade effects from the event and the tactical level should be focused on response actions for the affected elements.
On the path to probability and uncertainty?
Is recovery planning on your radar screen as a business continuity planning consideration? Is a disruptive natural disaster situation a realistic risk that your planning should begin to address with a thorough analysis of the potential consequences and your ability to implement the recovery cycle – reentry (assessment, alignment of resources and scheduling), recovery (acquisition of resources, rebuilding and replacement), resumption of operations (the new normal)? What about manmade disasters? Terrorism? Cyberthreats? International conflict? Or are these risks too far away and remote to begin to understand?
From a business impact perspective, an escalation of the situation on the Korean peninsula should be getting the attention of business continuity planners. Granted, it is not yet a hurricane Harvey or Irma situation from the standpoint of being able to assess effects and focus on response. But what about the implications of potential supply chain disruption, sanctions, cascade effects, collateral damage? Many of these can be identified, categorized, assessed. Alternative courses, ‘quick-start’ contingency plans can be developed, ‘war gamed’; becoming part of an ‘active analysis’ process rather than the static analysis that reflect most BIA and risk management practices today. Developing a ‘strategic warning’ process based on intent, that can be supported by a ‘tactical warning’ system that focuses on the ‘when, where, how, who’, can allow for less ‘surprise’ and more resilience.
Uncertainty: exploring risk
Risk is all about uncertainty. There is uncertainty associated with identification, recognition, mitigation, establishing and maintaining risk parity, etc. There is a negative and a positive side of risk; or to be clearer, there are negatives and positives that represent multi-dimensional aspects of risk. Where does potential, unrecognized value reside? Where are the negative pitfalls that lurk in the ‘false positives’ created by risk compliance? Viewing risk through a multi-dimensional lens can facilitate the identification and management of risk. Think of risk in terms of a kaleidoscope; when viewed, a simple twist can change the entire picture, perspectives and analyses.
Fundamental uncertainties derive from our fragmentary understanding of risk and complex system dynamics, and abundant stochastic variation in risk parameters. Uncertainty is not just a single dimension, but also surrounds the potential impacts of forces such as globalization and decentralization, effects of movements of global markets and trade regimes, and the effectiveness and utility of risk identification and control measures such as buffering, use of incentives, or strict regulatory approaches.
At a recent conference on disaster management that I participated in the following equation was offered by one of the speakers:
Threat x Vulnerability x Impact = Risk
I would argue that this equation provides the illusion of risk, not the reality of risk. For example, you conduct a risk assessment and determine that there is a threat (i.e., possibility of terrorist attack using a scale of 1 – 10 with 1 being not likely and 10 being extremely likely). Now you have to determine how vulnerable you are to this threat (i.e., say on a scale of 1 – 10 with 1 being not vulnerable and 10 being extremely vulnerable). Next, you determine the impact, again using the scale of 1 – 10 with 1 being no effect and 10 being extreme effect. You calculate according to the above equation and come up with a number. Now you begin to seek to determine the probability. You establish the probability using a scale of say on a scale of 1 – 10 with 1 being not probable and 10 being extremely probable. The result is a risk ranking. However, this process does not take into account observer bias or uncertainty. Uncertainty actually would carry more weight that observer bias simply because of all the unknowns that uncertainty presents. So, one may wish to re-write the equation as follows:
Threat x Vulnerability x Impact = Risk (current state – non-static)
Since the risk that we have identified is not static, uncertainty becomes more of a factor over time than probability, threat, vulnerability and impact. Over time the risk will change, especially due to the fact of uncertainty, non-static nature, potential unintended consequences, etc. Therefore the scale for uncertainty could be a positive or a negative number that extends to infinity. Risk assessment based on probability of occurrence is, in itself, a risky decision.
The need for risk parity
Risk parity is a balancing of resources to a risk. You identify a risk and then balance the resources you allocate to buffer against the risk being realized (that is occurring). This is done for all risks that you identify and is a constant process of allocation of resources to buffer the risk based on the expectation of risk occurring and the velocity, impact and ability to sustain resilience against the risk realization.
Risk parity is not static as risk is not static. When I say risk is not static, I mean that when you identify a risk and take action to mitigate that risk, the risk changes with regard to your action. The risk may increase or decrease, but it changes due to the actions taken. You essentially create a new form of risk that you have to assess with regard to your action to mitigate the original risk. This can become quite complex as others also will be altering the state of the risk by taking actions to buffer the risk. The network that your organization operates in reacts to actions taken to address risk (i.e., value chain.) all are reacting and this results in a non-static risk.
I think that ‘relevance’ is a very significant word relative to KRIs. You can have an extensive list but if they are not relevant to the organization and its operations they do little to enhance the risk management efforts. That said, we have to assess non-linearity and opacity with regard to the potential obfuscation of relevance.
Traditional concepts such as incident command, National Incident Management System, etc. are faced with ‘new ground’ so to speak, as they may not be as effective in dealing with the risk realities faced today. The nature of risk is: uncertainty, hence the projection of risk in terms of probability of occurrence can only provide limited value for a brief period. Threat dynamics are changing resulting in more uncertainty not less; this requires a planning approach that integrates, tactical, operational and strategic planning; combining continuity, emergency, crisis, disaster and contingency planning into an integrated process.
We live in a world full of consequences. Our decisions need to be made with the most information available with the recognition that all decisions carry with them flaws due to our inability know everything; uncertainty. Our focus should be on how our flawed decisions establish a context for flawed risk, threat, hazard, vulnerability (RTHV) assessments, leading to flawed plans, resulting in flawed abilities to execute effectively. If we change our thought processes from chasing symptoms and ignoring consequences to recognizing the limitations of decision making under uncertainty we may find that the decisions we are making have more upside than downside.
Geary Sikich – Entrepreneur, consultant, author and business lecturer
Geary Sikich is a seasoned risk management professional who advises private and public sector executives to develop risk buffering strategies to protect their asset base. With a M.Ed. in Counseling and Guidance, Geary's focus is human capital: what people think, who they are, what they need and how they communicate. With over 25 years in management consulting as a trusted advisor, crisis manager, senior executive and educator, Geary brings unprecedented value to clients worldwide.
Geary is well-versed in contingency planning, risk management, human resource development, 'war gaming', as well as competitive intelligence, issues analysis, global strategy and identification of transparent vulnerabilities. Geary began his career as an officer in the US Army after completing his BS in Criminology. As a thought leader, Geary leverages his skills in client attraction and the tools of LinkedIn, social media and publishing to help executives in decision analysis, strategy development and risk buffering. A well-known author, his books and articles are readily available on Amazon, Barnes & Noble and the Internet.
- Apgar, David, Risk Intelligence – Learning to Manage What We Don’t Know, Harvard Business School Press, 2006.
- Jones, Milo and Silberzahn, Philippe, Constructing Cassandra: Reframing Intelligence Failure at the CIA, 1947–2001, Stanford Security Studies (August 21, 2013) ISBN-10: 0804785805, ISBN-13: 978-0804785808
- Heisenberg, Werner; 'Uncertainty Principle' 1927 (Wikipedia)
- Kami, Michael J., 'Trigger Points: how to make decisions three times faster,' 1988, McGraw-Hill, ISBN 0-07-033219-3
- Kelly, Kevin, author of 'The Inevitable,' on the next 30 digital years at the Long Now Foundation. http://f4a.tv/2aF8g6T https://youtu.be/tvR5zZQgtGo
- Sikich, Geary W. 'Graceful Degradation and Agile Restoration Synopsis', Disaster Resource Guide, 2002
- Sikich, Geary W. 'Integrated Business Continuity: Maintaining Resilience in Times of Uncertainty,' PennWell Publishing, 2003
- Sikich, Geary W. 'Risk and Compliance: Are you driving the car while looking in the rearview mirror?' 2013
- Sikich, Geary W. 'Transparent Vulnerabilities” How we overlook the obvious, because it is too clear that it is there' 2008
- Sikich, Geary W. 'Risk and the Limitations of Knowledge' 2014
- Sikich, Geary W. 'Complexity: The Wager – Analysis or Intuition?' 2015
- Sikich, Geary W., Remme, Joop 'Unintended Consequences of Risk Reporting' 2016, Continuity Central
- Taleb, Nicholas Nassim, 'The Black Swan: The Impact of the Highly Improbable,' 2007, Random House – ISBN 978-1-4000-6351-2, 2nd Edition 2010, Random House – ISBN 978-0-8129-7381-5
- Richard A. Clarke and R.P. Eddy, 'Warnings Finding Cassandras to Stop Catastrophes' Publisher: Ecco; 1st edition (May 23, 2017), ISBN-10: 0062488023, ISBN-13: 978-0062488022
- https://www.osha.gov/dts/weather/hurricane/ OSHA’s Hurricane Preparedness and Response