International Policy Digest

CDC
Health /13 Mar 2020
03.13.20

Coronavirus: Dusting off Disaster Plans. Do they Still Work?

Many government agencies, as well as corporations, are responding to the coronavirus in different ways. Many have restricted corporate travel and have talked about “dusting off those disaster recovery plans” in order to cope with the current issues and events as well as everyday business and government operations.

The problem with “dusting off a plan” is, you don’t know if it will really work? Or, if it is still applicable to your organization if you have not kept it up and tested it every year. If a disaster recovery plan has never been tested, chances are, it is not worth the paper it is printed on.

Testing a Plan Every Year?

Disaster recovery has been a mainstay function for an organization’s information technology department for decades. The problem is, disaster recovery is an old approach for protecting mission-critical, information technology applications. The new approach which should be implemented is establishing enterprise-wide “business continuity” or the ability to keep critical business functions running and operational while a disaster has happened. This same idea can be applied to states and local municipalities in their emergency response plans for natural and man-made disasters and terrorist attacks.

The classic approach to disaster recovery was to have an orderly shutdown of all critical systems while the event was happening and then, wait until after the event was declared over. After an “all clear” has been announced, an orderly start-up of the systems is initiated and the organization is eventually back on track. Some organizations still follow this procedure.

Architecting organizational systems to a business continuity approach start with assessing and prioritizing hardware, functions, and applications as well as the organization’s strategic business objectives. A prioritization process needs to take place.

By going through this exercise, executives at an organization will come to find out there are procedures and processes which they were not aware of. Or, not aware of how critical some may be to their day-to-day operations. Others find out they are spending a lot of money on back-up systems that are obsolete or are no longer relevant to the core business strategic objectives.

Doing an assessment like this, forces executive management to decide what should be backed up as well as what systems should be fully redundant. It is an excellent exercise and gets everyone more aware of how the organization actually works currently.

Business continuity has a different design approach and a different price tag. If you are focused on using business continuity as an approach for coping with disasters, there is no orderly shutdown of systems. Instead, the enterprise or government agency keeps running and critical operational functions are insulated from the effects of the disaster. Many organizations need to revise old plans and focus more on business continuity than on disaster recovery.

In the past, a catastrophic event like a tornado, a flood, an earthquake or some other natural disaster would shift an organization into a disaster recovery mode. Operations would slow down to a stop. With business continuity, the systems and critical applications are designed to be impervious to the disaster and its effects. Critical operations are maintained.

After 9/11, companies located in the World Trade Center found out very quickly if they could recover from the disaster. They fell into three basic groups:

  • Companies that had no plan.
  • Companies that had a plan, but it was never tested.
  • Companies that had a plan and it was tested yearly.

Only those companies having a plan which had been tested yearly had a chance for a full recovery. Those who had a plan which was never tested had about the same success as those who had no plan in place.

Disaster recovery plans (preferably business continuity) have become a requirement for companies through the adoption of the Sarbanes-Oxley Act. In order to protect the company and its assets, a plan is required to be in place.

Organizations should test out their plans yearly if they want them to be relevant to their enterprise operations or a municipality’s operations.

For most organizations, the first thing they have to do is dust off their disaster recovery plan or in municipalities, their “emergency response plans,” and review them to see if they are even still relevant. Chances are, they have not been updated and worse yet, never been tested.

A Simple Prioritizing Approach

There are three levels to define, review and categorize when assessing where applications and business functions rank within a business continuity environment. This can apply to corporations as well as municipal or government entities. There are three categories you can use: critical, necessary, and optimal.

This three-level ranking approach provides a quick way to prioritize applications, functions, and projects. This affords a realistic segmentation as to what should be best funded for redundancy within an organization.

Creating and assigning critical, necessary and optimal categories gives both upper management as well as lower-level employees a good starting point to have discussions and eventually agree upon what is important.

Critical is defined as provides critical services that should not be cut. These services should have back-up and redundancy. Examples for a city government would include, but not be limited to public safety (police, fire and emergency services), public health (including water and sewer facilities), infrastructure (platform for commerce and economic development) and any other service deemed to be critical.

Necessary is defined as provides necessary services. Examples for the government would include, but not be limited to schools, community colleges, and some public works facilities.

Optimal is defined as provides a new social, educational program or benefit, expansion of existing public services, or anything which is not considered critical or necessary services.

Going through the exercise of determining what applications should be elevated to a mission-critical application is a great starting point to get the team who is doing this assessment a much more in-depth handle on how all the applications work and interrelate to organization’s success. It forces the team to think and decide what function falls into what category without being in a crisis-mode mindset when making those types of decisions.