Disaster recovery planning for both internal threats and external threats

Both internal threats and external threats can wreak havoc on even the best disaster recovery plan. Read important tips about why your disaster recovery plan needs to go deeper than just a business impact analysis.

It's an unsettling feeling to realize that your disaster recovery (DR) plan overlooked a particular threat. Our DR plan had prepared for fires, floods, electrical and hardware failures. We even had regional plans for things such as hurricanes, tornadoes and earthquakes. Business impact analysis, risk and mitigation were the mantras of our contingency team, yet we had somehow missed potential high-impact, high-probability threats.

As threats evolve, so should your business contingency (BC) plan. In this particular case, we didn't think that our newest employee would mistake the red button that cuts power in the data center in case of a fire for the exit button when the sliding door didn't immediately open.

Data centers sure get quiet and dark when all of the disk drives stop spinning and the air conditioning shuts down. Even the untested emergency exit lights were out since their batteries had gone dead.

A list of hazards that are normally overlooked in contingency plans could exceed several hundred items. This article will focus on those internal and external threats that I have found to be prevalent in most business scenarios, but that are missing from the contingency plans I have audited. These internal and external threats are common enough to warrant inclusion in almost every plan. They fall into two general categories, which, at a minimum, you need to assess for their impact on your organization.

Geographic threats

Everyone loves the new four-lane divided highways that make getting home from work so much faster. But have you taken the time to look at what makes up the traffic on this road? The Federal Motor Carrier Safety Regulations (FMCSR) require that semis use hazardous materials placards when shipping hazardous cargo and dangerous goods in the United States. So how complete is your plan if one of these trucks overturns and spills a Class-3 flammable liquid alongside your building?

Take this scenario further and think about how your company would respond if this liquid caught fire and impacted your building. Most fire suppression systems are internally focused and assume something inside starts the blaze, but did this tanker just block your primary exit points?

Prepare for external threats

It's a good idea to take a look around the area surrounding your facility and assess the potential external threats. You should take a look at the new buildings and tenants that now make up the neighborhood since you first arrived. Do any of the neighboring companies house tanks with red Hazmat diamonds? Is there ongoing construction that may pose threats to your generator? One small accident there could equal a major evacuation or worse for your company.

When disaster strikes, how much time will you have to evacuate? You need to forget about an orderly shutdown and backup of the systems and figure out how these scenarios change the contingency and recovery plans.

Planners and auditors need to ask these "odd threat" questions and determine the level of response appropriate for their company. The right preparation, training and testing must be executed to combat external threats, especially those with a high probability of occurrence or risk. Employees must be ready to administer first aid if applicable; they must know how to safely evacuate themselves and others, and feel that the company has their wellbeing as a priority. If a hazardous gas is your potential threat, do you have breathing masks for your employees or ways to seal off your building if a leak occurs?

These less obvious external threats can be very difficult for a contingency planner to anticipate. Mitigation steps may be impossible, and quantifying the probability of the risk often depends on trusting others to care as much about contingency planning as you do.

How does one mitigate for a potential hazardous spill, for example? If the probability is high due to a new chemical facility having moved in, perhaps the mitigation is to move your firm's offices across town. If it is lower, working with the municipality to have the truck route realigned away from your building might be the answer.

Addressing human threats

While the most frequent user/tester of data retention strategies is often the employee who hits "delete," most plans also address the malicious acts of hackers or current/former employees. What is missing, though, is addressing the realities of the internal/human threats in the modern world. Does the contingency plan address a mass epidemic where the majority of your employees will be unable to come to work or may be incapacitated and unable to work remotely? Contingency plans must address how the company survives during a pandemic just as thoroughly as they address a potential earthquake.

The news is populated with socioeconomic issues related to gang violence, terrorism (domestic and international), illicit drug usage and even kidnapping and extortion. The contingency plan often will identify an organization's key employees and alternates if they are unavailable, yet often fails to address how the organization responds when those same people are being held hostage. If you don't have geographically dispersed alternates who are properly trained, how many key people have you identified? It only takes one or two key decision makers being incapacitated to paralyze an organization unprepared with redundant staff and a clear chain of command.

Perhaps that nice urban location for the office has now become ground zero for rival gangs and the sound of gunfire greets your employees as they leave the office. Does the contingency plan cover a bullet hole that somehow found its way into the UPS system? As unemployment increases and the stress on your remaining employees grows due to the uncertain economy, a company will find that the risks from people might become greater than previously thought.

A recent survey of 233 police departments by the Police Executive Research Forum found that 100 departments (43%) reported rising levels of what they felt were recession-related crimes. Forty percent said that thefts had increased in recent months; 39% reported that robberies were up and 32% said burglaries had surged 20%. These crimes are more frequently being carried out by formerly law-abiding workers, the same people entrusted with corporate data and security.

You need to assess your surroundings with a different viewpoint and ask "what if." The time for the obvious has passed, and now it is imperative that contingency plans include more of the unusual, but equally devastating, threats.

About this author: Ken Koch is a recognized leader in contingency activities critical to mitigation, preparation, planning and recovery from manmade and natural threats. Mr. Koch is a frequently invited speaker at seminars and private events, industry topical writer, instructor/educator and business continuity consultant. Since founding his own firm in 1997, he has assisted both public and private sector clients with risk assessment, exercise planning and evaluations, and staff training along with declared disaster recovery situations.
