One of the key activities in a disaster recovery plan is the damage assessment. It starts soon after the incident...
occurs and provides an initial view of the situation; what has actually happened; what assets (e.g., buildings, people, IT systems) are affected and which of them has been damaged; and an evaluation of the potential for the situation to continue and possibly escalate.
This data is then used by first responders, emergency teams and company management to determine the likely next steps in the incident, such as: 1) evacuate the building, 2) shelter-in-place, 3) engage first responders like police/fire departments, 4) shut down power, 5) shut down systems, 6) seal the building, 7) launch disaster recovery plans and 8) launch business continuity plans.
The 2010 edition of the National Fire Protection Association’s standard NFPA 1600, Standard on Disaster/Emergency Management and Business Continuity Programs, defines a damage assessment as “an appraisal or determination of the effects of the incident on humans, on physical, operational, economic characteristics and on the environment.” The need for a damage assessment is defined in Section 6.4.5 of the standard. NFPA 1600:2010 is an American National Standard and is one of the three standards approved as part of FEMA’s Private Sector Preparedness Program (PS-Prep). The standard is valuable as it provides details on how to organize and implement business continuity and emergency response plans.
Before conducting a formal damage assessment of a major event (e.g., a disaster that impacts a wide area, with multiple jurisdictions), it may be necessary to perform what is called a Preliminary Damage Assessment (PDA) as defined by the Federal Emergency Management Agency (FEMA). This is a joint (e.g., FEMA, state, county) assessment that helps determine the magnitude and impact of an event’s damage.
For example, a joint FEMA/state team may visit local disaster relief applicants and view their damage first-hand to assess the scope of damage and estimate repair costs. The state uses the results of the PDA to determine if the situation is beyond the combined capabilities of the state and local resources, as well as verify the need for supplemental federal assistance.
The PDA also identifies any additional needs that may require immediate attention. Organizations impacted by a local or regional incident should contact their local emergency management authorities (e.g., local/state offices of emergency management, FEMA) to determine if PDAs and other assessments are being conducted. This will ensure they are suitably informed of the situation, and if they can offer assistance to response activities.
If the emergency situation is not a large-scale event, such as described above, and is confined to a specific location, such as a data center, we can proceed with the damage assessment in the following order:
- Ensure that all personnel are safely evacuated
- If the event was a fire or similar event that required activation of first responder organizations, ensure that the area has been deemed safe for re-entry by damage assessment team members
- Secure the affected area with company or third-party security personnel to prevent unauthorized access
- Establish who will have access to the area and notify security personnel accordingly
- Conduct visual inspection of the exterior of the facility (if the data center is in a separate building) to identify any physical damage, especially damage to building entrances/exits/windows which would compromise building security
- Inspect building environmental controls, such as commercial power feeds, transformers, emergency power systems, HVAC and air handling systems and the water supply
- Inspect fire suppression systems, such as FM200, hand-held fire extinguishers, water-based systems
- Inspect the interior operations area and identify/inventory damaged devices (e.g., servers, routers, data storage devices, power distribution units, equipment cabinets, workstations), furniture, cable racks, cabinets, cabling and wiring, items hanging from the ceiling, damaged ceiling and floor tiles, documentation/vital records, damaged light fixtures, loose or dangling wall-mounted shelves or cabinets and any water damage
- Test availability of systems, network services (internal LANs, Internet access, voice over IP system) and access to data, data bases and related IT assets
- Inspect work areas adjacent to affected area (e.g., offices, conference rooms, storage closets, equipment closets, canteens, bathrooms)
- Inspect other important building attributes, such as stairwells, emergency doors, emergency lighting, signage, security systems
- Summarize and present the damage assessment findings to the appropriate emergency management leadership, e.g., incident commander or corporate emergency management team leader. If the incident is of significant magnitude and severity, periodic (e.g., hourly) damage assessment reports are advisable so that leadership is aware of escalating damage and related issues.
As part of disaster recovery planning, it’s a good idea to have damage assessment forms prepared in advance to simplify the data collection and report writing processes.
Based on the findings of the damage assessment, the organization’s management will be in a position to decide whether to 1) reopen the office, 2) close the office, 3) reopen the office with limited access, 4) activate technology disaster recovery plans, 5) activate business continuity plans, 6) activate alternate work area recovery plans, 7) activate hot/cold site recovery initiatives or 8) develop and launch an alternate strategy.
About this author: Paul Kirvan, CISA, FBCVI, CBCP, has more than 20 years experience in business continuity management as a consultant, author and educator. He has been directly involved with dozens of IT/telecom consulting and audit engagements ranging from governance program development, program exercising, execution and maintenance, and RFP preparation and response. Kirvan currently works as an independent business continuity consultant/auditor and is the secretary of the Business Continuity Institute USA chapter. He can be reached at firstname.lastname@example.org.