Natural disasters -- hurricanes, tornados, earthquakes, etc. -- disrupt “business as usual” for both you and your customers. One way to avoid disruptions is to create sound digital policies. Let's delve into the how and what to get this done!
The coronavirus came upon us rather suddenly, and organizations had to adjust on the fly. While most large organizations have continuity of business and disaster recovery plans in place (and some are required to, like those governed by HIPAA regulations), they tend to focus on what is likely rather than what is possible. And I’d bet that most businesses didn’t put “a deadly pandemic that shuts down the global economy for 2+ months” in the “likely” category.
But here we are anyway, trying to keep the world open almost 100% digitally and mostly from home, something that has stretched the limits of technology. Most employees don’t have enterprise-level security on their home devices. And then there’s bandwidth. If a family has two parents and several kids working and learning for home, bandwidth becomes a big problem. And that’s if they’re not Zoom-bombed.
Don’t feel bad, though. There are some things that are truly beyond the bounds of our imagination, like the 2016 incident where a wayward monkey turned off the lights throughout the entire country of Kenya, leaving millions of businesses and individuals without power.
I expect that, as we come to the end of this crisis, we’ll start seeing content from businesses sharing the lessons they learned and telling us what they would have done differently if only they had known. I also think that we’ll see a lot of organizations creating “work from home” digital policies. (For example, “Don’t join a video conference from a room where there’s a girlie calendar on the wall behind you!” or “Please wear pants!”)
But I think it’s important that we don’t limit these lessons to “What to Do During a Global Pandemic.” So I thought I’d do a series of blog posts that dig a little deeper into what organizations need to think about in terms of specific disasters or events that uproot “business as usual”.
I chose natural disasters for my first post because most businesses have some sort of plan in place for that. But I want to challenge you to take a good look at those plans, open up your imaginations, and decide whether you need to make any changes.
Natural disasters -- hurricanes, tornados, earthquakes, etc. -- disrupt “business as usual” for both you and your customers.
Remember when I mentioned that businesses tend to think about what’s likely vs. what’s possible? That makes sense from a budgetary perspective. But if the “possible” actually happens, it can be disastrous for businesses that built their emergency plans on “likely.”
With that in mind, let’s take a look at some of the things you can do to make sure your disaster recovery plan is in good shape from a digital policy standpoint:
This means not only the data itself, but also the hardware, software, apps, integrations, etc. During the inventory, record the vendor and their emergency contact information. If you work with SaaS providers, review your SLAs.
Some organizations -- financial institutions, media outlets, hospitals, Amazon, and other retailers, etc. -- are 100% dependent on their data. And not just their data, but the ability to access it whenever needed. According to Strategic Research, organizations like these lose an average of $90,000 per hour of downtime. They not only need a backup of their data; they also need a business continuity plan that allows them to operate normally throughout the disaster.
Small businesses, on the other hand -- independent retailers, the corner pub, etc. -- can get by with a much simpler plan. Their digital policy may not need to include much more than putting a “We’re temporarily closed because of X” message on their website, posting it on social media, and sending a similar message to people on their email list. But it’s important for them to do something so that customers don’t assume they’ve gone out of business.
This is especially important for large organizations, where the sheer volume of data and related infrastructure can be overwhelming. The truth, however, is that, in most cases, you don’t need to recover everything right away. So, as part of your digital policies for natural disasters, prioritize your recovery activities by how essential they are to business operations:
Hurricane Sandy taught us that, when Mother Nature plays the “possible” card instead of the “likely” card, remote data centers may not be remote enough. Hurricane Sandy savaged enough of the east coast that some businesses lost not only their primary site, but their backup sites, as well.
HuffPost, for example, had a primary data center in New York City, close to Battery Park. That one flooded early in the disaster, bringing down the HuffPost site. As crews worked to “failover” to their backup sites -- one in New York and another in New Jersey -- those sites, too, went down.
Earthquakes are another example. While earthquakes in California tend to be somewhat localized, the same isn’t true for earthquakes along the New Madrid Fault, due to differences in ground composition. During 1811-1812, three massive earthquakes along the New Madrid Seismic Zone were felt up to 1,000 miles away. If an earthquake of that magnitude struck today, scientists predict that everything between Memphis and St. Louis (and maybe even Chicago) would suffer catastrophic damage. Moreover, if the bridges along the Mississippi River collapsed, it would be difficult to get to a data center on the other side of the river except by air.
The takeaway: Think very carefully about where you locate your backup data center. It should be far enough away that it won’t be affected by the same natural disaster, but close enough that you can get there in an emergency.
The challenge of finding a location that serves both needs is one reason organizations are moving their disaster recovery to the cloud, even if they still maintain a physical data center as a backup.
It costs considerably less to pay for cloud disaster recovery services than to build and maintain a second data center that may never be needed (or may be inaccessible even if it is needed). The lower initial cost and immediate access to data and operational functions is making the cloud an increasingly popular disaster-recovery option.
Digital policies for disaster recovery/business continuity that aren’t written down don't really exist! You need a plan that nails down exactly who is responsible for doing what (and don’t forget to include their contact information!) as well as the triggers that should propel them into action.
Some actions might be immediate -- taking care of things that need to be in place before a disaster, like finding a provider and beginning the process of backing up your data to the cloud. Another immediate action might be making several people responsible for alerting the organization to potential threats, like hurricane and tornado forecasts. The sooner you’re aware of a potential disaster, the sooner you can start preparing.
Most actions, however, will be triggered by some sort of event: a power outage, an earthquake, etc. Common actions might include:
In the same Janco survey, 51% of respondents blamed the failure on outdated plans. Any number of changes to the business could make your digital policies for natural disasters obsolete. A plan based on recovering your data from backup tapes won’t be very helpful if you’ve moved to the cloud, for instance. And one of the most common situations is when someone who plays a major role in the recovery plan leaves the company. (An automated workflow could easily resolve that problem: Whenever someone who’s part of the disaster recovery effort leaves the company, an alert could be sent to the person with primary responsibility for digital policies regarding disaster recovery efforts.)
To cut to the chase, any change to the company’s digital activities should prompt a review of the relevant digital policies.
A plan that looks bullet-proof on paper can come crashing down for the simplest of reasons. Often, it’s because critical information exists only in someone’s head -- and that someone isn’t available. Your disaster recovery plan should be self-contained, meaning that employees should be able to carry out the steps without any outside input.
Testing can range from participants sitting around a conference room table to a “live” test set up on a duplicate hot site. At every level of testing, someone should be taking notes and documenting what went right and what went wrong. After the test, those notes will provide the basis for a debrief. Any changes made as a result of that debrief should be corrected, and the appropriate updates made to the plan.
Communication during a natural disaster should be one of your top priorities. Both employees and customers need to know what to do and how/when you’ll provide updates. Since your typical forms of communication might not work during a natural disaster, it’s important to have a strong “Plan B.”
Power outages, for example, are a real possibility. Since cell phones may still work during a power outage, consider sending text messages or using something like Workplace, the business version of Facebook’s safety check-in for regular users. Collaborative tools like Slack and WeChat are other good options. They’ll only work, however, if you’ve set things up ahead of time and employees (or customers) know where to look for information.
Your first priority should be to develop a way to communicate with executive leadership as well as the people who are part of your disaster recovery plan. As I mentioned above, you should establish pre-determined communication channels for alternate ways to communicate if, for instance, your email and company phone system are down.
Your plan for executive leadership should also establish a spokesperson for responding to media inquiries and guidelines for what the spokesperson should say.
Your digital policies should also ensure that the rest of your employees know to check the same channels for information, and, as much as possible (you can’t create all messaging for a disaster that hasn’t happened yet), establish what information to convey:
It’s equally important to develop a digital policy for communicating with customers. The technical challenges are similar to those for communicating with employees: Power outages could make typical channels inaccessible. So part of any plan for communicating with customers should include which channels to use and whether to be proactive -- reaching out to customers -- or reactive, responding to customer inquiries.
Your digital policy for communicating with customers should also specify who is authorized to say what. For example, it’s important to designate someone from your leadership team to be the official spokesperson for media inquiries, but your social media team might be better positioned for monitoring and responding to customers, since they’re already on the front lines. However, they need to know what to say and what not to say, and your digital policies should spell that out in as much detail as possible.
To do that, think about your industry and your customers, identify what concerns and questions customers are likely to have, and address those in your digital policies (again, you might have to tweak things in a real disaster -- you can’t anticipate everything!):
Finally, make sure your messaging doesn’t ignore the human side of a tragedy. Employees might have a mess to clean up -- and that’s if they didn’t lose their homes altogether. And, depending on the nature of your services, customers may feel justifiably panicked if, for instance, they can’t access their financial accounts or important medical information. Any communications you send out should demonstrate compassion and reassurance, whether you’re talking to employees or customers.
The data your company owns, as well as the business processes that rely on that data, are some of your company’s greatest assets. It’s well worth brainstorming both “likely” and “possible” scenarios and developing the most comprehensive plan your budget allows.
Want more practical advice on digital policies? Read other articles in “Shifts in Technology” series:
Part 2: Digital policies are no good if they’re static
Part 3: Is there risk hiding in your digital policies?
Part 4: How to set your digital policies up for continuous improvement
Need a hand getting your policies in order? Get in touch to schedule a workshop or discuss a consulting engagement.
Photo by Yosh Ginsu
Sign up and stay up to date by getting insights like this delivered to your mailbox.