With all of the focus on Cybersecurity in IT these days I think it is important to not forget about your disaster planning. A cyber-event can definitely be considered a disaster and sometimes your Disaster Recovery Plan (DRP) could save you from a cyber-event but I want to talk about a basic element of a DRP: The People.
In 1992, Hurricane Andrew hit Florida and killed 23 people along with $25 billion in damage. While the world was not as IT-dependent as it is today, it identified a huge issue in most companies’ Disaster Recovery Plan. While there were plans in place to move processes to other facilities and restore mainframes at Disaster Recovery sites, the missing element was people. Disasters are not selective, they destroy homes with same power as they destroy businesses. When time came to start moving systems after the storm, key people were missing since they had disasters of their own to worry about: Their home was destroyed, their car was under water, and their families needed them. Bottom line was, the plans were good but they lacked the key element, people.
In the aftermath of that event, many companies updated their disaster recovery plan to focus on how they can maintain their business and take care of their people. Some companies put into place a system to help families find living space and basic needs so that their employees can work on recovering the company’s systems and processes. If you are in a high-risk area like South Florida, the possibility of losing your home to a storm is greater than Shenandoah Valley or even Central Virginia. But we have our own risks as well.
The highest risks to Mid-Atlantic companies are probably ice or snow storms. Does your Disaster Recovery Plan consider how to restore systems if the roads are impassible? For some companies, waiting it out is reasonable but for some companies being closed for 2-3 days could put them out of business. As you work through your risk assessment for disaster planning, you should consider the impact of key people being unavailable and how that risk could be minimized. Would cross-training be appropriate? Should the duties be spread to more than one person? Remember, remote access may not be available if power lines and other lines go down due to the storm.
I always like to bring these discussions to the personal level. You are also dependent on key people for keeping your house running. If you use propane or oil for heating your home, those people may not be able to get to work for the same reasons as I talked about above. You should be prepared for that. If you have an elderly person that you help out, what are they going to do if you are snowed in? These things need advanced planning. You may be dependent on a key person or you may be the key person; are you prepared for that?
LEARN MORE ABOUT OUR RISK ADVISORY SERVICES and how they can help with your disaster recovery planning
Throughout his time at YHB Curtis has provided IT audit and consulting to clients, even while holding the position of the firm’s IT director for several years. Now, as head of the YHB Risk Advisory Services Team, Curtis focuses on assisting organizations in a variety of industries with internal audits and IT-related audit and consulting services. Also, he frequently speaks and gives presentations on SOX compliance, internal controls, and data security.