Posts filed under ‘Security’
Regardless of our circumstances we often share the same thoughts. The notion “It can’t happen here”, is such a common way of looking at disaster, that even Kissinger got into the act with his famous “There cannot be a crisis next week. My schedule is already full.”
Humor aside, disasters happen regardless of what you had planned for the week. How badly they affect us, is determined by our ability to respond without warning to crisis situations.
The traditional approach to disaster planning is to create a methodology, install contingency plans, ensure that proper backups of crucial data are made, and place all this documentation in yellow binders on a shelf. If we’re diligent, we take it out once a year for some exercise.
This way of planning for disaster, while it provides many benefits, also contains a serious flaw. It’s not so much the cost – insurance of any type always costs money. The flaw is more subtle, but it is potentially serious enough to scuttle the best laid plan.
It is this, Disasters by their very nature, happen unexpectedly. Our success on the day is based upon how we react when we’re confused and don’t know what’s going on. Planning allows us to think through the process of what to do if (when?) something happens, before it actually occurs. That thought process alone is the central core of any contingency plan, but just thinking about it, isn’t enough. We have to go into the water before we know how to swim. We have to live it, to learn from it. Planning for the experience is not the same as experiencing the plan.
How to improve a disaster recovery plan? Given the stated nature of disasters, ‘unexpectedly and without warning’ seems like the right approach.
At 9:00am on a Monday morning, inform 50% (or a mere dozen if that would be too disruptive) of your management team, individually and personally, that they’re leaving immediately for an off site location for an emergency meeting. No prior warning. No details provided. No excuses accepted. All meetings regardless of importance are ignored. No notification to secretaries/assistants or clients allowed. All cell phones and blackberries collected. In other words, just like a real life crisis.
When they arrive via the waiting bus, they’re told of the ‘disaster’ that has taken place. They are to respond to this ‘disaster’ over the next day or two. What is the ‘disaster’? That depends on how severe you want it to be and what you think would provide the best information.
There’s a certain beauty to this exercise – NO PREPARATION IS REQUIRED. (except possibly for the bus) The Exercise starts at 9:00am when your employees are informed. NO hotel is booked – no coffee pre-ordered, no Flip Charts on site.
I already hear the objections… we need to book the hotel in advance otherwise…
Question… on the day our building is on fire, bombed, flooded, the senior exec team all killed in an air crash, captured by ninjas etc. etc. will we already have a room booked? If we cannot manage this minuscule exercise in crisis – then we are fundamentally incapable of handling a real emergency.
Back at the office the remainder of the management team can take the exercise one step further and pretend the entire off site team are victims of a disaster. This secondary exercise might be more than your organization can handle without severely impacting day-to-day operations. The alternative is to merely explain what is going on and cope with their unexpected absence for two days (week?). There is learning even this minimalist approach.
The exercise provides two benefits. First? An immediate and relatively inexpensive evaluation of how well your management team responds to an unexpected crisis.
Secondly? In a very short period of time, with minimal impact to your organization, you highlight those areas most vulnerable to the ‘disaster’ you selected. With that in hand you can now move forward to a ‘real’ contingency plan with specific objectives in mind.
The objections to this exercise are many and obvious. You can’t afford the time. The board would object. You can’t afford the negative impact to the business. Your schedule is full next week.
When someone accidentally does something which results in an extremely negative consequence, it’s not a surprise to feel some sympathy. After all, it could happen to anyone. When they do it again, and get the same predictable result, we scratch our heads in some puzzlement, but we might, if we’re in a good mood, still retain a shred of compassion for their woes.
When they persist in this behaviour several dozen times, then all empathy flees and we can only conclude they’re lacking the necessary mental capacity to put two and two together and get a single digit answer. In other words, we’re idiots. (I’ll explain why I’m using ‘we’ instead of ‘they’ in a moment.)