Sue Kerr, President of Continuity First, a business continuity/disaster recovery consultancy, talks about how organizations have handled H1N1. She also discusses:
Kerr is also the president of the Old Dominion Association of Contingency Planners, Education Director for the National Association of Contingency Planners and a previous member of the Disaster Recovery Journal Editorial Advisory Board. She has been active in setting standards for the industry as well as training others. She has spoken at various conferences and has done training for corporations, governmental organizations as well as the community. She has been published in industry journals and has been interviewed multiple occasions as a subject matter expert.
She is a Certified Business Continuity Professional through the Disaster Recovery Institute. In addition to working as a consultant for 5 years, she spent 11 years at a Fortune 500 company developing and implementing its Business Continuity Program. She was the Crisis Manager for such events as September 11th, major hurricanes and tropical storms, wild fires, white powder incidents, as well as many others. She has first-hand knowledge on how to design and implement a Crisis Management and Business Continuity Program as well as respond to various incidents.
TOM FIELD: What are the business continuity trends as we head into 2010? Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking today with Sue Kerr, President and Founder of Continuity First, a consulting firm that specializes in crisis management, business continuity and disaster recovery. Sue, thanks so much for joining me.
SUE KERR: Thank you Tom.
FIELD: Sue, just to give us some context, why don't you tell us a little bit about yourself, your background in business continuity and disaster recovery, and what you do at Continuity First.
KERR: Okay. Well, I am the President of Continuity First as well as the Education Director for the National Association of Contingency Planners, and I am also the President of the Old Dominion Chapter for the ACP. I have been certified in business continuity since 1998, but I have been working in the industry since 1994. I have been both a practitioner from a private organization as well as a consultant, and this has afforded me an opportunity to see both sides of the industry and to add more value as a consultant because I actually managed programs like what I am helping others to implement. I have had the opportunity to work with many types of businesses and industries, both public and private, and work both with crisis management, business continuity and disaster recovery.
FIELD: Well, Sue, as you know, business continuity and disaster recovery plans have got a bit of a test this year with the two waves we have seen so far of the H1N1 virus, so I wanted to ask you: Given what you have seen, what do you think is the state of business continuity and disaster recovery today?
KERR: The state of business continuity and disaster recovery--historically we have looked at disaster recovery as being the systems and the applications and ensuring those things would be available post-disaster. And since that time we have become more complex with it and looking at business continuity itself and continuation of the business, but looking more form a building and workspace perspective and the process contained within. More recently, though, organizations have begun planning for the unavailability of the workforce as a result of a pandemic or other threat that would prevent people from coming to work because they are sick, they are caring for someone that is sick, or quite honestly just because they are afraid to come in. So we are seeing more plans being developed along those lines as well now.
FIELD: What would you say, given what you see day to day, are the biggest challenges that are facing organizations when it comes to business continuity and disaster recovery?
KERR: Well, with any economy organizations are always trying to do more with fewer people, and now it has become even more critical as organizations try to maintain their viability. While business continuity protects their core business, it is really not their core business for most organizations, therefore the development of plans is often put at the bottom of the priorities. Finding available resources within an organization that have the time and the knowledge to put plans in place is really a huge challenge for many organizations.
FIELD: Now as you know, we serve financial services as well as federal and state and local government agencies. As you look around and across industries, do you see that there are particularly good role models anywhere that somebody really can look to for guidance on business continuity and disaster recovery?
KERR: Absolutely. Specific industries are much more prepared than others. Financial institutions are required to have plans and are audited to ensure that they have them, therefore they tend to be the most advanced in their planning. Most other industries have been lagging severely behind the financial industry, though, in getting these plans developed. A few organizations that are not regulated or who don't have requirements such as Sarbanes-Oxley or ISO certifications, haven't really taken the time to formally document their plans. I see this becoming extremely important in the healthcare industry as well, as physicians and hospitals move towards electronic medical records. They are going to need to make sure that they have these records available for the treatment of their patients. However, basically any organization who can't afford to lose their business should really be developing a plan.
The time to think about it is now, before a disaster happens, rather than waiting until after something happens, which so many organizations do. I kind of liken it to you looking for car insurance after you have had an accident; that's not the way to do it.
FIELD: Well, Sue, for a lot of organizations H1N1 has been kind of the test that they were all told that they should expect sometime. How would you say that organizations generally have responded to this test?
KERR: Well, response to the H1N1 has really been mixed. Organizations that planned for some type of pandemic had really the Avian flu or the H5N1 in mind when they were planning their process. The assumption was that it would begin overseas and that we would at least have a little warning prior to it hitting the U.S. As you know, the H1N1 did not follow that path. This virus was also less severe than the H5N1 was expected to be. Many organizations did not have plans for this occurrence, but because of the absenteeism rate, and the mortality rates were not as high, they were really able to rally their resources and respond. As expected, there were shortages of specific supplies such as hand sanitizers and masks for those that were searching for them, but overall the businesses responded well to the first two waves of the virus.
My concern is that because they survived the first two waves that planning will become less of a priority and will possibly give some people a false sense of security in their ability to respond to something more severe.
FIELD: Well, that is an interesting point. What lessons learned would you say that we have received and we can apply to a future crisis, whether it is a third wave or something else entirely?
KERR: Well, towards the H1N1 specifically, many organizations tied their response to the response levels of the World Health Organization and the CDC. Most organizations now recognize that they need to be more local with their response triggers, looking at how the virus is affecting their organization and community and develop triggers based on that. Specifically looking at absenteeism, severity, organizational impact locally to implement specific triggers within their plan instead of looking at what the World Health Organization or the CDC are doing within their response levels. The second lesson learned really pertains to availability of supplies. Organizations also learned that there will be likely shortages of personal protective supplies, and they really started to order them now in case there is another wave of the virus. But, again, these things would be applicable whether it is the H1N1 or any type of incident.
And the third lesson learned is really around communications. Many organizations did not have any communications prepared.. I think organizations have identified the need to develop comprehensive communication plans and to have those prepared at the time of the incident just like they would need for any incident, whether it was H1N1 or fire or any other type of disaster.
FIELD: Well, frighteningly enough as we sit here and talk today we are probably five, six weeks away from January 1, 2010. What would you say are the areas that organizations really need to focus on in terms of business continuity and disaster recovery as we get into the new year?
KERR: I think there is still a lot of work to do towards preparing for pandemics. A third wave is still a real possibility, as well as the possibility of the virus mutating once the seasonal flu being to hit. Organizations need to identify their priorities during a pandemic, which may be very different from other disasters, when they are the only facility affected, and plan how to maintain their operations. Additionally, many organizations have done little to no overall planning for any type of disasters. Organizations have not yet taken the time to prepare with backups of systems and plans for their process and really need to take action now to become prepared.
I believe a focus on the employees will also be key in 2010. Those who have already prepared their organizations need to educate their employees to be prepared. Not only do they need to understand the organizational plan, but also their role in it. They need to be personally prepared. If an employee is not personally prepared, then the likelihood is that they are probably not going to be available to support he organization during a regional disaster.
I believe that the employee focus towards education as well as support after the disaster is really the next logical step in the overall planning process for an organization with a relatively mature plan. And then, as always, once the plans are developed, in 2010 we need to keep our focus on an escalating level of exercising of the plans and ensuring that the plans are maintained. As always, you need to exercise like you would execute with realistic scenarios and realistic actions.
FIELD: Sue, one last question for you. I want to take you in a different direction entirely. Business continuity and disaster recovery certainly have gotten lots of publicity over the last year or so and people are looking toward it as a good career possibility. What would you advise somebody that is looking to start a career today in business continuity and disaster recovery?
KERR: I think the first step would be to network with others in the field to get a feel for what the field is really like. The Association of Contingency Planners has local chapters across the U.S. where anyone interested in a career would find knowledge and support. They sponsor educational sessions as well as opportunities to network with others in the industry.
Additionally, there are many programs starting at colleges and universities around the U.S. providing education in this specific field. The Disaster Recovery Institute International is also an excellent source of educational offering, and they are also a highly recognized certifying body within the field. Also begin reviewing the different standards available such as NFPA, the National Fire Protection Act 1600, The British Standard 25999, as well as the generally accepted practices provided by Disaster Recovery Institute International to rally better understand the industry and what is going on within it.
FIELD: Sue, I really appreciate your time and your insights today. You are very knowledgeable on the topic and you have shared with us some great information.
KERR: Thank you, Tom, I appreciate the opportunity.
FIELD: We have been talking about business continuity and disaster recovery. We have been talking with Sue Kerr, the President and Founder of Continuity First.
For Information Security Media Group, I'm Tom Field. Thank you very much.