Disaster Recovery

6/15/2019 Disaster Recovery: 10 Lessons from Hurricane Sandy – CIO Journal – WSJ

https://deloitte.wsj.com/cio/2012/11/29/disaster-recovery-planning-10-lessons-learned-from-hurricane-sandy/ 1/6

One year ago, Hurricane Sandy struck, highlighting the crucial role employees and communications play in business continuity and the need to create short-, medium-, and long- range disaster recovery plans.

As Hurricane Sandy tore up the Atlantic coast in late October, 2012, 8.5 million homes and businesses lost power, according to the U.S. Energy Department. The protracted power outages, widespread damage, and lost business wrought by the hurricane—estimated to cost between $30 and $50 billion, according to IHS Global Insight—taught many companies unfortunate lessons about the importance of disaster recovery planning.

David Sarabacha, a principal with Deloitte & Touche LLP who specializes in resilience and recovery planning, says Hurricane Sandy reminded business leaders that thoughtful disaster preparation can pay dividends for a company’s ability to weather a storm. He identified 10 lessons from the recent hurricane that can help businesses better prepare for the next crisis.

Lesson 1: Take care of your employees. When disaster strikes, employees will rightfully put the safety of their families and homes first. “It’s impossible for employees to think about work when they don’t have heat or electricity, water is rising in their basements, their homes have been destroyed, or they need to account for loved ones,” says Sarabacha. “To the extent a company can either help employees prepare for a disaster or get back on their feet after one, the sooner it can return to business as usual.”

Sarabacha advises organizations to do more for employees than simply provide them with suggestions for personal preparedness and home safety. For example, he urges companies to offer alternate communications capabilities to decision-makers. He also recommends providing basic necessities such as water, food, shelter, and daycare to affected families, since private companies may be able to mobilize faster than relief organizations. And he counsels companies to help employees find or get priority service from contractors who can repair or rebuild their homes.

CIO Insights and Analysis from Deloitte

CONTENT FROM OUR SPONSOR

Please note: The Wall Street Journal News Department was not involved in the creation of the content below.

Disaster Recovery: 10 Lessons from Hurricane Sandy

 

 

6/15/2019 Disaster Recovery: 10 Lessons from Hurricane Sandy – CIO Journal – WSJ

https://deloitte.wsj.com/cio/2012/11/29/disaster-recovery-planning-10-lessons-learned-from-hurricane-sandy/ 2/6

While acknowledging that these “above-and-beyond” efforts can grow costly, Sarabacha also argues that the added investment may be justified if business activities are truly time sensitive and hinge on critical personnel.

Lesson 2: Crisis management, business continuity, and disaster recovery plans should be detailed. Sarabacha notes that many businesses’ disaster recovery plans are fairly high level. “Executives assume they’ll figure out the details when an event takes place,” he says. “But if business leaders don’t have sufficient lines of communication available to share information, make decisions, and disseminate instructions, their ability to implement their plans will be impaired.”

Sarabacha says disaster recovery plans should establish clear chains of decision-making and empower employees in the field to take action. They shouldn’t have to wait for direction from a senior leader, whose communications may be out of commission.

“The sooner a company can take decisive actions in the event of a disaster, the faster they may be able to recover,” he says.

Lesson 3: Plan for different impacts, both in magnitude and duration. One mistake businesses make when drafting disaster recovery plans is assuming an event will only affect their organizations for 24 to 48 hours.

“Sandy brought to light the need for short-, medium-, and longer-term business continuity plans,” says Sarabacha. “Companies will likely need different disaster recovery strategies for events of different durations.”

For example, a two-day power outage may not require renting back-up office space, but a two- week power outage may. An investment bank may need to transfer work to another office so that it can process trades during a two-day or week-long outage, but transferring work for longer periods could result in burn-out for the employees taking on additional responsibilities, notes Sarabacha.

Lesson 4: Businesses can’t rely on employees’ ability to work from home. Many companies’ business continuity plans direct employees to telecommute if they can’t get into the office, according to Sarabacha. But, as Sandy illustrated, that approach quickly falls apart if employees lack power and can’t access the corporate network from their homes.

One potential solution for large companies is to transfer work to individuals at offices that haven’t been affected. To implement this strategy effectively, says Sarabacha, companies need to know which individuals possess the skills to take on various activities. Because their human resources will be constrained and overwhelmed, they’ll also have to prioritize what work gets done.

 

 

6/15/2019 Disaster Recovery: 10 Lessons from Hurricane Sandy – CIO Journal – WSJ

https://deloitte.wsj.com/cio/2012/11/29/disaster-recovery-planning-10-lessons-learned-from-hurricane-sandy/ 3/6

“For example, if a company can only serve 50 percent of its customers because it lacks capacity in its call centers, the company needs to decide how it will prioritize service,” says Sarabacha. “Companies should seek to avoid a situation in which they are devoting their scarce resources to their least critical activities.”

Another possible solution is to set up alternate work sites through real estate or insurance companies that rent “just in time office space” on an hourly, daily, or weekly basis. Companies need to plan how they’ll get critical employees to these sites, which may be located in neighboring states, in the event air traffic or mass transit systems are compromised, notes Sarabacha. They will also need to board employees and their families in hotels while employees are working out of state, and they’ll have to cover, track, and reimburse employees for incidentals required while working off-site.

Lesson 5: Employ alternate forms of communication. During Hurricane Sandy, the Federal Communications Commission reported that 25 percent of cell phone towers lost power, rendering many mobile phones useless. Sarabacha advises companies to use other communication mechanisms, including satellite phones. “Be sure you can get a sufficient uninterruptable power supply (UPS) battery, diesel or other fueled generator to keep the satellite phones charged,” he says.

Lesson 6: Two alternate data center recovery sites are ideal. After 9/11, many companies in the Northeast moved their back-up data centers to sites closer to home, in New Jersey, according to Sarabacha. They switched from distant backup data centers to closer ones because the terrorist attacks shut down air travel, and companies wanted to make sure their back-up locations were within a commutable distance, he adds.

Because Sandy took out companies’ primary data centers in New York and their back-up data centers in New Jersey, the hurricane demonstrated the need to ideally have two fallbacks, one nearby and one far away. Sarabacha notes that not every company can afford multiple data centers, and some companies may have to accept that it could take several days or a week to recover their data centers.

Lesson 7: The cloud isn’t a panacea. Cloud-based applications and storage have mitigated some of the impact of disasters on companies. Because those applications and data can still be stored in the provider’s data center, the applications may still be available to clients provided they have power, and the data is at least theoretically recoverable or protected.

“Too many organizations don’t fully understand what their cloud providers offer in terms of disaster recovery,” says Sarabacha. “They assume cloud data is available. They need to know for sure they can get their data and their apps, not to mention when they can access them.”

 

 

6/15/2019 Disaster Recovery: 10 Lessons from Hurricane Sandy – CIO Journal – WSJ

https://deloitte.wsj.com/cio/2012/11/29/disaster-recovery-planning-10-lessons-learned-from-hurricane-sandy/ 4/6

Lesson 8: Understand your vendors’ disaster recovery plans. The Thursday after Sandy, Sarabacha spoke with a client based in southern California whose business was scrambling to re-route products from its mid-Atlantic distribution center after a logistics provider in the region was shut down by the storm.

Sarabacha says his client’s conundrum illustrates the importance of having insight into vendor and service providers’ business continuity plans. His client needed to know when and how the logistics provider would restore service, given the pent-up demand the storm created.

“Even if an event like a hurricane has a limited impact on your organization, you need to realize how it might affect your third parties and their plans for a response given your reliance on them,” he says.

Lesson 9: Test your plan. Sarabacha says few companies extensively test their business continuity and disaster recovery plans. They might test one data center, but not another. They might test data recovery, but not their ability to actively restore dependent applications or to synchronize disparate systems.

“I rarely see an integrated test that reflects what many organizations were dealing with a few weeks ago,” he says. “Realistic exercises and war games must be developed and executed to simulate both the anticipated and unknown circumstances an organization may face.”

Lesson 10: Don’t make the same mistakes again. When companies recover insurance money for facilities lost or damaged by a natural disaster, they often repair or rebuild those facilities without applying lessons learned. Consequently, says Sarabacha, those companies could find themselves in the same position following the next storm.

In the aftermath of a disaster, Sarabacha advises clients to make strategic and tactical modifications to their operations and assets (e.g., buildings, equipment, inventory, technology, human resources, and vendors). For example, if a company kept one kind of product in each warehouse before a disaster, it might decide to diversify its product mix across warehouses. Making strategic and tactical changes might also mean eliminating single points of failure, upgrading equipment, hardening facilities, and using multiple vendors for different services.

Companies that lack core competencies in crisis and disaster risk management may consider outsourcing or co-sourcing arrangements with third parties that can help them plan, prepare, and respond.

“Often it takes a swift reminder, whether an extreme weather event such as Sandy or a significantly lingering economic crisis, to demonstrate that disaster preparations will continue to be a good investment in protecting an organization’s personnel, assets, and stock price.”

 

 

6/15/2019 Disaster Recovery: 10 Lessons from Hurricane Sandy – CIO Journal – WSJ

https://deloitte.wsj.com/cio/2012/11/29/disaster-recovery-planning-10-lessons-learned-from-hurricane-sandy/ 5/6

November 29, 2012, 12:01 am

Questions? Write to deloitteeditor

Follow us on Twitter @Deloitte

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication. About Deloitte: Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/us/about to learn more about our global network of member firms. Copyright © 2019 Deloitte Development LLC. All rights reserved.

Search CIO Journal SEARCH

Related Deloitte Insights

DRaaS Offers Recovery Assurances Via Cloud Most businesses would be crippled by an IT outage, yet building and maintaining failover capabilities is an expensive and daunting task. Businesses can now leverage the cloud through disaster recovery as a service to gain strategic business continuity and disaster recovery assurances.

How to Create IT Resilience Without an effective IT resilience strategy, companies stand to lose millions of dollars if critical systems fail. Learn steps CIOs can take to help enhance and refine existing business continuity and disaster recovery plans, and lessen the impact of service disruption.

Editor’s Choice

Cloud Accelerates AI Adoption The cloud is democratizing access to AI, enabling more companies to enjoy its benefits. Deloitte Global predicts that organizations will accelerate their usage of cloud-based AI software and services this year, resulting in more cognitive-enabled implementations, greater AI investments, and increased rewards.

How Third-Party Data Can Enhance Analytics A growing number of companies are seeking an analytical edge by employing outside data sources. Incorporating third-party information effectively, however, can be tricky. To boost the value of their companies’ analytics efforts, business leaders may want to adopt some key practices to navigate the complexity.

TMT CIOs: Business, IT Out of Sync on Cyber, Talent An analysis from Deloitte’s Center for Technology, Media, and Telecommunications (TMT) finds that many TMT CIOs are looking to reshape their workforces by hiring talent with problem-solving abilities, social aptitude, and other soft skills. Survey results also indicate a need for more collaboration related to cybersecurity and risk among

 

 

6/15/2019 Disaster Recovery: 10 Lessons from Hurricane Sandy – CIO Journal – WSJ

https://deloitte.wsj.com/cio/2012/11/29/disaster-recovery-planning-10-lessons-learned-from-hurricane-sandy/ 6/6

TMT CIOs, CISOs, and other leaders.

About Deloitte Insights

Deloitte Insights for CIOs couples broad business insights with deep technical knowledge to help executives drive business and technology strategy, support business transformation, and enhance growth and productivity. Through fact-based research, technology perspectives and analyses, case studies and more, Deloitte Insights for CIOs informs the essential conversations in global, technology-led organizations. Learn more

Copyright ©2017 Dow Jones & Company, Inc. All Rights Reserved

This copy is for your personal, non-commercial use only. To order presentation-ready copies for distribution to your colleagues, clients or customers visit http://www.djreprints.com.