Hurricane Sandy: Triple-Threat Disaster

Storm Challenges Business Continuity Pros 'To the Core'

Events such as Superstorm Sandy provide an opportunity for business continuity pros to shine. What are the essential skills they need to face a crisis?

When Sandy struck the east coast in late October, businesses, hospitals and entire communities struggled to maintain operations in the face of massive storm damage and power outages. The storm tested the region's critical infrastructure, and it provided a stage for business continuity and disaster recovery pros to showcase the skills and plans they previously had developed and tested.

The disaster showed that business continuity professionals can offer a great amount of assistance to their companies during a disaster if they know the basic skills, says Regina Phelps, principal at EMS Solutions Inc.

Those skills include:

  • Situational awareness: "They need to really have broad situational awareness so they can understand not just what's happening to them right this moment, but going forward," Phelps says in an interview with Information Security Media Group's Tom Field [transcript below].
  • Improvisation: Business continuity plans are common, Phelps explains, but too often people fail to consider the worst-case scenario. "When it doesn't work, you have to improvise," she says.
  • Creativity and Adaptability: "[Business continuity pros] need to be creative," Phelps says. "They've got to be thinking of different ways of doing something and really not being wed to the old plans that they've always had."
  • Decisiveness: Professionals are often hesitant to act on something because they're seeking more information on the situation, a characteristic Phelps says needs to be corrected. "We're not going to know everything until it's all over," she says. "People in business continuity roles are going to have to make some decisions, even with incomplete information." And if the decision is wrong, they'll have to proceed with another decision, Phelps says.
  • Reevaluation: During and after a disaster, professionals need to be reevaluating their efforts, Phelps says, including whether they've dealt with this situation before, can it be handled better, what could be done differently, and what's missing.

In an interview about response to Hurricane Sandy, Phelps discusses:

  • The most important elements of organizations' response plans;
  • Where organizations are most vulnerable;
  • Advice to business continuity pros to best help their organizations.

Phelps is an internationally recognized expert in the field of emergency management and continuity planning. With more than 26 years of experience, she has provided consultation and educational speaking services to clients on four continents. She is founder of Emergency Management & Safety Solutions, a consulting company specializing in emergency management, continuity planning and safety.

Preparation for Hurricane Sandy

TOM FIELD: I know you're on the west coast but I know you've been talking with your east coast contacts all morning. How well prepared is the east coast for Hurricane Sandy?

REGINA PHELPS: I think the east has certainly done a lot over the last few years to get better prepared for events like this. The thing that makes Sandy a little bit unusual is that it really creates what I call a trifecta. If you look at continuity planning overall, continuity planners basically look at three possible scenarios: loss of building, loss of staff and loss of data. Sandy has the potential to create all three. There's a high probability that people will not be able to get into their places of business through many parts of the east coast. There's also a unique possibility that people will not be able to get to work for many reasons. There could be transit-related issues. We've certainly seen tremendous closures of transit systems in the east coast, but we also are going to be seeing a huge impact on people's homes. When people are impacted, their homes and their communities, they won't be able to get to work easily because of either home damage, personal injuries, family illnesses or injuries, and so there's a very strong likelihood that there will be a lot less people able to come to work to recover a business.

And depending on what's happening with their data centers and their data recovery plans, there could also be a possible loss of data either because the data center has a failure or a network problem, or simply because people are not able to connect due to the fact of loss of electricity or a loss of their Internet provider. Even in a well-prepared community, the fact that we'll be facing all three possible scenarios that we plan for is going to challenge a lot of people to the core.

Greatest Vulnerabilities

FIELD: You're right to point out that we've got so much at play here, and apparently this storm is strengthening, not weakening. Given those factors, where do you foresee the greatest vulnerabilities for organizations, even with the best of planning?

PHELPS: I really think it's going to be two things. It's going to be the lack of their people able to assist them, and second is one of our more recent strategies in recovery that most companies have really embraced whole-heartedly, and that's what I call "work from home." Many companies many years ago used to have a hot site of which they would have their mission-critical employees go to a certain location that would have power, utilities, data and all the equipment they would need, and they would be able to do their mission-critical business functions. Now what happens is that many companies looking for certainly lower cost solutions, but also convenience on the part of the business and also the employee, have embraced the idea of working from home. Working from home only works if you can work from home, meaning you've got utilities, electricity and certainly you've got an Internet connection. I think what's going to happen is that our greatest vulnerability for many of the east coast clients that we have, as well as just folks in general on the east coast, is going to be the fact that one of their biggest strategies for recovery is going to fail.

FIELD: You're getting to my next question now, and that is, what might organizations overlook? And it sounds like you've hit upon it.

PHELPS: Yeah. I think it's one of the things that we have cautioned our clients aggressively at, that this idea of working from home is great, but one of the things that you have to do if you're going to build your entire recovery strategy around work from home is you had better look at this strategy seriously. Plot out on a zip-code map where all of your employers are, and really look at the utility feeds that go to those areas and really ask yourself the question, "If we had a widespread outage like Hurricane Sandy, and we had a large swath of area that's now impacted, where are people going to recover?" Now there's really no back-up strategy so I think the greatest issue that people have really overlooked is the idea that they have put way too much hope and possibility in this strategy of working from home.

Lessons Learned from Irene

FIELD: To some extent - and I don't mean to trivialize what we're going through now - we went through something of a rehearsal for this back with Hurricane Irene in 2011. What business continuity lessons, if any, did we learn from that experience?

PHELPS: That's a really great question. I think that the unique thing about Hurricane Irene is that it was really forecasted to be something that was going to be majorly a problem along the coast, and as we know it turned out to be more of an inland issue, really impacting places like Vermont. That's sort of a good-news/bad-news story; bad news for the citizens of communities in Vermont, as an example, but from a perspective of business, the impacts in business were relatively smaller because it hit areas that were not so much a hub of business.

What we saw in some businesses is they learned from supply-chain disruptions that occurred as Irene grounded its way up the more inland parts of the east, but it wasn't a huge business impact. I think many people look at a situation like Hurricane Irene and it creates almost a false sense. "Well we did okay and look at all the things that happened. But it didn't happen to us." There's a good-news/bad-news story when you have a disaster like Irene or other events that have occurred of which people in businesses look and say, "Wow, not much happened to us." Well yeah, not much did, and then they almost begin to think, "Now I'm invincible. Our plans are really great." When in reality, their plans weren't really tested. I think what's going to happen over the next few days is those that are in the east coast in the North Atlantic states are really going to have their plans tested in ways that frankly I don't think any of them really imagined.

Top Skills for Business Continuity Pros

FIELD: As I mentioned up top, it's an opportunity for business continuity and disaster recovery professionals to shine, isn't it?

PHELPS: It absolutely is, and I think there's a lot that people can do in our field to be able to support leadership. It doesn't really matter whether leaders in my field are actually leading the charge, if you will, or they're supporting the folks that are leading the charge, because there's so much that we can actually help our colleagues with and I think there's a couple of things to think about.

When I often speak on the topic of crisis leadership, there are a few things that I always ask people to really think about when they think about these types of disasters. The first thing is there are about seven skills that people should really be looking at having. And if they're not the one who's the leader, they should be supporting these initiatives in the leadership of a company. The first one is situational awareness. They need to really have broad situational awareness so they can really understand not what's happening to them right this moment, but what's going forward.

There's a glut of information on the Internet, and sometimes there's so much you can almost lose your mind, if you will. One of the things I would really direct your listeners to is a really fabulous product that Google has come out with. They came out with a product that's free to the public and it's a crisis map, and what they do is they created this crisis-response organization as part of Google that just pulls together everything and they created a fabulous dashboard at www.google.org/crisismap/sandy-2012. I will be happy to send you the link and you can post it on your site. When you go to that particular site, it will give you incredible situational awareness. It's got everything that's happening currently in the storm, the forecast track, the next three days, the surge, where the shelters are. It's really a fabulous tool and a great planning tool for people in my field, and, again, in the area of having situational awareness it's absolutely essential that you get it. Sometimes with so much information, you can miss something and this Google Crisis Map I would really recommend to your listeners.

The second skill I think that people are going to have to do is improvise. Everybody has business continuity plans, but frankly most people have not really thought about the worst-case scenario. No one really does and they've really not thought about what if it all doesn't work. When it all doesn't work, in things like 9/11 or Katrina, you have to improvise. Not to [downplay] how you've always done it, but you have to literally be thinking about how you should be doing it going forward. Improvising is absolutely essential.

The next thing that people need to be thinking about is the idea of creativity and adaptability. They have to be creative. They've got to be adaptable. They've got to be thinking of different ways of doing something and really not being wed to the old plans or old tools that they've always had. They've got to be thinking forward.

Then the next thing is they need to be also looking at decisiveness. Once you've made some plans and some decisions, you've got to act, and frankly sometimes people are always waiting to know everything and we're not going to know everything about Sandy. We're not going to know everything until it's all over. People in leadership positions, people in business continuity roles, are going to have to really make some decisions, even with incomplete information. If they've decided they've made the wrong decision, they're going to have to make another one. They just have to keep moving the organization forward and that's absolutely essential.

My next action tip is the term "action." Once they've made the decision, they have to enact their plans and they have to work them, and keep looking at them over and over again, which then leads to my next step, which is communication. You've got to communicate, and social media is an absolutely essential tool in communication. Many people in business continuity have not really embraced social media. They think it's a young person's tool and I really want people to realize it's a tool for everyone. They need to really think about how they can embrace it, add to it and really learn from it, and that's absolutely essential.

The next thing they want to be thinking about and the last thing is constantly reevaluating where they're at. Looking for that term called "cognitive bias," are they being over-confident? Have they thought they've seen this before? Are they being a little smug? They need to make sure they're reevaluating it constantly and challenging themselves. Could we do it better? Could we do it different? What am I missing? Then continually keep going back to the term of situational awareness, and then that little cycle continues. People in my field can do a huge amount to help their companies and their communities if they think about those seven basic steps. It doesn't matter whether they're the leader or they're actually the person supporting the leader.

Assisting Staff, Business Partners

FIELD: What are some of the ways that professionals can help the staff? It could be remote now, those that are working at home.

PHELPS: I think it's a really great thing. The most important thing is in the area of communications. Whether the company has clearly thought through their messaging, they want to be working closely with their crisis communication folks. They also may want to work with their HR folks in case there are HR decisions that need to be made, and that could include things such as if people are displaced, what the company might do for them, emergency loans they might cut for folks, or those types of things. But use communication, setting up a Twitter feed for example, monitoring Twitter, and sending out messaging and also talking points when customers ask them, "What are you doing? How are you responding?" Have the standard company response so they're not making it up on their own. The number-one thing that a company can help them with right now is communication.

FIELD: How about for customers or even for business partners, the third parties that are dependent upon these government organizations, financial institutions, or even healthcare organizations?

PHELPS: I think the scary part for many folks is that they realize in recent disasters that there are many companies that have outsourced many different activities within their business, and they don't know what their third-party vendors are going to be doing or how they're going to be able to respond. We saw that in the Philippines and in Thailand with recent floods and outages, so I think once this is over people need to really seriously look into companies. What are they doing with their third-party providers to make sure they have ensured that those folks have adequate business continuity plans? Because their company is depending on them to provide a particular service and they're going to really need them to be able to stay up and available during the course of an emergency.

Mistakes to Avoid

FIELD: I'm glad you referenced the past emergencies we've been through. What past mistakes that we've made during those events must we not make now?

PHELPS: It's two things. One is not forward thinking, not really embracing what's going on. And also to that issue I want to say cognitive bias, and by that I mean people think it's not going to get any worse, or, "I've seen this before and it was like this way in Irene," or it was like this way in Lee, or whatever hurricane they wish to recall. [Don't] always apply your previous knowledge, because sometimes when you do that you miss what's clearly in front of you, so be aware of that. Be aware of cognitive bias on your team, be forward thinking and communicate.

I will never in my professional career hear one of my clients say, "I communicated to my staff or to my clients too much." I always hear they didn't communicate in a timely manner, they were slow, they were inefficient and they weren't transparent. I would ask all of your listeners to think about communication as their number-one issue right now.

Biggest Recovery Concerns

FIELD: The storm is going to pass and we're going to move on to other issues in a week from now. Beyond the immediate disaster, what are the biggest recovery concerns that organizations really need to be thinking about now?

PHELPS: This will be unusual because the impact to people's homes and to the communities is going to be so wide. The recovery is going to be much different than, "My business had a disruption and we cleaned it up and we went back to work." I'm not forecasting this to be certainly like a Katrina model, but it's going to be wide damage and it's going to take a long time for people to recover.

What we need to be thinking about in the days and weeks ahead is that we have to be very aware of the impact of this, both emotionally and physically, for not just at work but at home, and that people need to support their employees as best as possible. Be very aware of things such as the emotional health of your employees, things like post-traumatic stress. We will only recover as well as our people are healthy, and so there's a tendency in an emergency to burn people out, to work them really hard, including what we do to ourselves, and I think our leadership in our companies, and our business continuity professionals, need to clearly understand that they need to be aware of people and how they're taking care of themselves, and that we're making sure that our staffing is not burning people out and that people are going to get some time off. [Make sure] they're not working 20 hours straight, because we won't have anybody to help us recover weeks from now if indeed we burn everybody out in the next five days.

FIELD: Let's sum it up. If you could advise business continuity and disaster recovery professionals on how they best can help their organizations right now, what would you advise them?

PHELPS: Two things: communication and making sure your staff are taking care of themselves and their families.



