The coronavirus came upon us rather suddenly, and organizations had to adjust on the fly. While most large organizations have continuity of business and disaster recovery plans in place (and some are required to, like those governed by HIPAA regulations), they tend to focus on what is likely rather than what is possible. And I’d bet that most businesses didn’t put “a deadly pandemic that shuts down the global economy for 2+ months” in the “likely” category.

But here we are anyway, trying to keep the world open almost 100% digitally and mostly from home, something that has stretched the limits of technology. Most employees don’t have enterprise-level security on their home devices. And then there’s bandwidth. If a family has two parents and several kids working and learning for home, bandwidth becomes a big problem. And that’s if they’re not Zoom-bombed.

Don’t feel bad, though. There are some things that are truly beyond the bounds of our imagination, like the 2016 incident where a wayward monkey turned off the lights throughout the entire country of Kenya, leaving millions of businesses and individuals without power.

I expect that, as we come to the end of this crisis, we’ll start seeing content from businesses sharing the lessons they learned and telling us what they would have done differently if only they had known. I also think that we’ll see a lot of organizations creating “work from home” digital policies. (For example, “Don’t join a video conference from a room where there’s a girlie calendar on the wall behind you!” or “Please wear pants!”)

But I think it’s important that we don’t limit these lessons to “What to Do During a Global Pandemic.” So I thought I’d do a series of blog posts that dig a little deeper into what organizations need to think about in terms of specific disasters or events that uproot “business as usual”.

I chose natural disasters for my first post because most businesses have some sort of plan in place for that. But I want to challenge you to take a good look at those plans, open up your imaginations, and decide whether you need to make any changes.

Digital policies for natural disasters

Natural disasters -- hurricanes, tornados, earthquakes, etc. -- disrupt “business as usual” for both you and your customers.

Remember when I mentioned that businesses tend to think about what’s likely vs. what’s possible? That makes sense from a budgetary perspective. But if the “possible” actually happens, it can be disastrous for businesses that built their emergency plans on “likely.”

With that in mind, let’s take a look at some of the things you can do to make sure your disaster recovery plan is in good shape from a digital policy standpoint:

Inventory all assets related to your data

This means not only the data itself, but also the hardware, software, apps, integrations, etc. During the inventory, record the vendor and their emergency contact information. If you work with SaaS providers, review your SLAs.

Determine your risk tolerance: How dependent is your business on your digital assets (both data and the IT architecture that supports it)?

Some organizations -- financial institutions, media outlets, hospitals, Amazon, and other retailers, etc. -- are 100% dependent on their data. And not just their data, but the ability to access it whenever needed. According to Strategic Research, organizations like these lose an average of $90,000 per hour of downtime. They not only need a backup of their data; they also need a business continuity plan that allows them to operate normally throughout the disaster.

Small businesses, on the other hand -- independent retailers, the corner pub, etc. -- can get by with a much simpler plan. Their digital policy may not need to include much more than putting a “We’re temporarily closed because of X” message on their website, posting it on social media, and sending a similar message to people on their email list. But it’s important for them to do something so that customers don’t assume they’ve gone out of business.

Prioritize your digital assets and applications

This is especially important for large organizations, where the sheer volume of data and related infrastructure can be overwhelming. The truth, however, is that, in most cases, you don’t need to recover everything right away. So, as part of your digital policies for natural disasters, prioritize your recovery activities by how essential they are to business operations:

• Mission-critical: These are processes and data that are critical to your business operations. For an online retailer, mission-critical processes would include making it possible for shoppers to browse your online catalog and place an order. Showing them related items they might like is not mission-critical and can wait until problems with a higher priority have been resolved.
• Essential: These are the processes and data that, while important, you can get by without them for a short time. Showing customers related items would probably fall into this category.
• Important: These are the processes and data that you can function without until you’re back to business-as-usual. You may even realize that some of them aren’t necessary! On the other hand, you may find out during testing, as one company did, that seemingly unimportant functions like email actually belong in the mission-critical category!

Determine which disasters are likely to affect your primary location, as well as the extent of the damage

Hurricane Sandy taught us that, when Mother Nature plays the “possible” card instead of the “likely” card, remote data centers may not be remote enough. Hurricane Sandy savaged enough of the east coast that some businesses lost not only their primary site, but their backup sites, as well.

HuffPost, for example, had a primary data center in New York City, close to Battery Park. That one flooded early in the disaster, bringing down the HuffPost site. As crews worked to “failover” to their backup sites -- one in New York and another in New Jersey -- those sites, too, went down.

Earthquakes are another example. While earthquakes in California tend to be somewhat localized, the same isn’t true for earthquakes along the New Madrid Fault, due to differences in ground composition. During 1811-1812, three massive earthquakes along the New Madrid Seismic Zone were felt up to 1,000 miles away. If an earthquake of that magnitude struck today, scientists predict that everything between Memphis and St. Louis (and maybe even Chicago) would suffer catastrophic damage. Moreover, if the bridges along the Mississippi River collapsed, it would be difficult to get to a data center on the other side of the river except by air.

The takeaway: Think very carefully about where you locate your backup data center. It should be far enough away that it won’t be affected by the same natural disaster, but close enough that  you can get there in an emergency.

The challenge of finding a location that serves both needs is one reason organizations are moving their disaster recovery to the cloud, even if they still maintain a physical data center as a backup.

The new kid on the block: The cloud

It costs considerably less to pay for cloud disaster recovery services than to build and maintain a second data center that may never be needed (or may be inaccessible even if it is needed). The lower initial cost and immediate access to data and operational functions is making the cloud an increasingly popular disaster-recovery option.

Document your plan and who’s responsible for each action

Digital policies for disaster recovery/business continuity that aren’t written down don't really exist! You need a plan that nails down exactly who is responsible for doing what (and don’t forget to include their contact information!) as well as the triggers that should propel them into action.

Some actions might be immediate -- taking care of things that need to be in place before a disaster, like finding a provider and beginning the process of backing up your data to the cloud. Another immediate action might be making several people responsible for alerting the organization to potential threats, like hurricane and tornado forecasts. The sooner you’re aware of a potential disaster, the sooner you can start preparing.

Most actions, however, will be triggered by some sort of event: a power outage, an earthquake, etc. Common actions might include:

• Beginning the “failover” to your backup system, wherever it may be.
• Arranging for employees to work from home (without sacrificing data privacy) or from another central location, or transferring their responsibilities to a team in an unaffected area. In addition, any employee-related policies should address the fact that many people won’t be willing to leave their families in the middle of a disaster area. If you need critical employees to transfer to a secondary location, you might need to consider moving their families, too.
• Ensuring that the people responsible for an action have the necessary know-how and access. During a natural disaster, you can’t assume that the guru who knows all of the ins and outs of your recovery process will be available. That’s why it’s important for the process to be documented in your digital policies -- in language that’s easily understood and steps that can be followed by someone who’s not an expert. In addition, everyone who has a job to do should have the proper login credentials. (In a survey conducted by Janco Associates, 37% of respondents blamed the failure of their disaster recovery plans on the inability to find passwords.)

Update, test, and communicate

Update

In the same Janco survey, 51% of respondents blamed the failure on outdated plans. Any number of changes to the business could make your digital policies for natural disasters obsolete. A plan based on recovering your data from backup tapes won’t be very helpful if you’ve moved to the cloud, for instance. And one of the most common situations is when someone who plays a major role in the recovery plan leaves the company. (An automated workflow could easily resolve that problem: Whenever someone who’s part of the disaster recovery effort leaves the company, an alert could be sent to the person with primary responsibility for digital policies regarding disaster recovery efforts.)

To cut to the chase, any change to the company’s digital activities should prompt a review of the relevant digital policies.

Test

A plan that looks bullet-proof on paper can come crashing down for the simplest of reasons. Often, it’s because critical information exists only in someone’s head -- and that someone isn’t available. Your disaster recovery plan should be self-contained, meaning that employees should be able to carry out the steps without any outside input.

Testing can range from participants sitting around a conference room table to a “live” test set up on a duplicate hot site. At every level of testing, someone should be taking notes and documenting what went right and what went wrong. After the test, those notes will provide the basis for a debrief. Any changes made as a result of that debrief should be corrected, and the appropriate updates made to the plan.

Communicate

Communication during a natural disaster should be one of your top priorities. Both employees and customers need to know what to do and how/when you’ll provide updates. Since your typical forms of communication might not work during a natural disaster, it’s important to have a strong “Plan B.”

Power outages, for example, are a real possibility. Since cell phones may still work during a power outage, consider sending text messages or using something like Workplace, the business version of Facebook’s safety check-in for regular users. Collaborative tools like Slack and WeChat are other good options. They’ll only work, however, if you’ve set things up ahead of time and employees (or customers) know where to look for information.

Employees

Your first priority should be to develop a way to communicate with executive leadership as well as the people who are part of your disaster recovery plan. As I mentioned above, you should establish pre-determined communication channels for alternate ways to communicate if, for instance, your email and company phone system are down.

Your plan for executive leadership should also establish a spokesperson for responding to media inquiries and guidelines for what the spokesperson should say.

Your digital policies should also ensure that the rest of your employees know to check the same channels for information, and, as much as possible (you can’t create all messaging for a disaster that hasn’t happened yet), establish what information to convey:

• The scope of the disaster (for example, a multinational organization will have many areas that are unaffected)
• How the company is responding to the disaster (whether work be reassigned to employees in non-affected areas, for example)
• Whether employees should stay home or come in to work (as well as where they should go, if the primary location is inaccessible)
• What employees should and shouldn’t say to customers (in person, on the phone, through email, through social media, etc.)
• What, if anything, the company is doing to assist employees who have been affected by the disaster

Customers

It’s equally important to develop a digital policy for communicating with customers. The technical challenges are similar to those for communicating with employees: Power outages could make typical channels inaccessible. So part of any plan for communicating with customers should include which channels to use and whether to be proactive -- reaching out to customers -- or reactive, responding to customer inquiries.

Your digital policy for communicating with customers should also specify who is authorized to say what. For example, it’s important to designate someone from your leadership team to be the official spokesperson for media inquiries, but your social media team might be better positioned for monitoring and responding to customers, since they’re already on the front lines. However, they need to know what to say and what not to say, and your digital policies should spell that out in as much detail as possible.

To do that, think about your industry and your customers, identify what concerns and questions customers are likely to have, and address those in your digital policies (again, you might have to tweak things in a real disaster -- you can’t anticipate everything!):

• How your company’s operations are being affected by the disaster
• How you’ll continue to serve your customers
• If you can’t serve customers at all, when you expect to up and running
• What affects customers might expect: Delayed deliveries, inability to access your website, etc.
• How employees should respond to customer questions and complaints

Finally, make sure your messaging doesn’t ignore the human side of a tragedy. Employees might have a mess to clean up -- and that’s if they didn’t lose their homes altogether. And, depending on the nature of your services, customers may feel justifiably panicked if, for instance, they can’t access their financial accounts or important medical information. Any communications you send out should demonstrate compassion and reassurance, whether you’re talking to employees or customers.

Planning for natural disaster

The data your company owns, as well as the business processes that rely on that data, are some of your company’s greatest assets. It’s well worth brainstorming both “likely” and “possible” scenarios and developing the most comprehensive plan your budget allows.

Want more practical advice on digital policies? Read other articles in “Shifts in Technology” series:

Part 2: Digital policies are no good if they’re static

Part 3: Is there risk hiding in your digital policies?

Part 4: How to set your digital policies up for continuous improvement

Need a hand getting your policies in order? Get in touch to schedule a workshop or discuss a consulting engagement.

‍

Photo by Yosh Ginsu