Posted by: David Schneier
Audit, auditor, bcp, business continuity, business continuity plan, compliance, disaster, disaster recovery, DR, exam, examiner, GLBA, NCUA, regulations, regulatory, Regulatory Compliance
I’m violating my own standards by using such an easy topic to blog about but it’s too big to ignore. With the increasing insanity being inspired by 2011′s first true hurricane I’d be remiss if I didn’t at least explore the impact this is going to have on the business community.
I just heard that Mayor Bloomberg is evacuating low-lying areas in New York City and that mass transit will more or less be cut off tomorrow (Saturday) sometime around mid-day. New York’s Governor Cuomo also discussed the possibility of closing the bridges as well if weather conditions become so severe that using them might be dangerous. Upon hearing this my first thought was “how the heck are key stakeholders going to get to their disaster sites if they’re called in?” The obvious answer is that many companies will likely require that the important people go to their DR sites tonight so that they’re already there “just in case”. How wonderful for these people to have to leave their families in the midst of a potentially epic natural disaster. I can’t help but wonder how many are willing to comply and how many are going to insist that they can’t make it. Did any BCP/DR test ever take into consideration the possibility that key stakeholders would simply refuse to show up?
And with the enormous range of Hurricane Irene is it at all possible that certain recovery sites might not be able to provide the proper services, resources and support to meet such a potentially large demand? I know that they all claim that they’ve factored that in to their models and are able to provide sufficient capacity. But until they know for sure how do they really know for sure? Who among us has yet to witness any BCP/DR plan that didn’t start experiencing hiccups and delays during testing?
One element of a BCP that I’m also now wondering about is the day-after scenario. I’ve reviewed dozens of plans during my career and upon reflection cannot recall any that placed significant attention on what happens after the official disruption is at an end. I’m looking at pictures of severe flooding from Irene from those places already affected and have to wonder how many business are going to be able to open on Monday despite the fact that the roads are clear and the skies sunny and blue. In thinking about some of the more common disruptions over the years (e.g. heavy snow, ice, etc.) it was somewhat obvious that once the roads were passable it was safe to head back to the office. But that may not be the case this time around. How many plans are designed to accommodate that? Is someone from facilities charged with the responsibility of conducting a site inspection on Sunday night to see if their buildings are ready to open the next day?
Admittedly I’m picking on the entire concept of a business continuity plan but you can’t blame me, Hurricane Irene is only one reason. Middle of last week I was in the Northeast and experienced my very first earthquake event. Now I realize that anyone from California or Japan would chuckle at that statement because what I personally experienced was little more than an overloaded truck driving past me on a pothole-ridden street to those who deal with the phenomenon regularly. But still, for me it was a big deal. In the aftermath I asked around to see what happened in other places where the tremors were felt to see if anyone was formally evacuated from their building – no one was. I expected in the days following to read about how companies had dedicated time and resources to inspect their structures to ensure that everything was as it should be and that there were no signs of damage from the unexpected movements – again, almost nothing to be found. Well for all those BCP’s that I’ve reviewed where the likely threats were documented and addressed as part of their plan, how many think that maybe they should update their documentation to cover earthquakes? They can no longer justify leaving it out because it’s not a likely threat, it just happened. And now that they know it happened once they need to accept that it not only could happen again but likely will. But I’m willing to bet that a year from now I won’t find a single plan that has been modified to include what should happen in the event of an earthquake.
I’m just thinking that regulators and auditors need to stop rewarding those they’re responsible for monitoring for simply having a plan in place. At some point they’ll need to shift their focus from simply checking off that a plan exists and start digging into it a bit more. The same degree of scrutiny that emerged in 2009 because of the “Great Swine Flu” threat and making sure that BCP’s had a thorough pandemic response component now needs to become standard fare for the overall plan. Companies need to conduct more than tacit testing exercises and really start thinking things through. Between companies having antiquated and irrelevant plans, to those who have partially baked plans and worse yet, those who don’t even have one in place it’s time to do something about it.
The worst time to discover that you need a viable plan and don’t have one is, well, when you actually need it. If enduring both an epic hurricane and your first earthquake don’t inspire you to action nothing will.