Special Report: Hurricane Preparedness - Are your IT systems ready for the 2007 hurricane season?
Blake McLane, CyrusOne, Houston
The oil and gas industry is all too familiar with the devastation hurricanes bring to not only equipment, such as rigs and pipelines, but also to office building, people, and IT assets. What’s more devastating than the physical damage of a hurricane, is the down time of a business. How can IT leaders in the industry minimize the operational and financial risks during the 2007 hurricane season?
Infrared satellite photo shows the eye of Hurricane Katrina and the magnitude of the storm in the hours before it slammed into Louisiana and Mississippi on Aug. 29, 2005. Photo image courtesy US Weather Service.
During a storm, IT leaders and staff work miracles to keep companies up and running-or at least minimize loss and also to protect data. Business continuity and disaster recovery plans materialize from a hazy concept to a hard reality. And for business leaders whose bailiwicks fall outside of IT, those barely-remembered pleas for contingency-related IT expenditures suddenly came back to mind.
So as we move in 2007, what are we taking with us into the upcoming hurricane season that will enable IT leaders from small oil and gas companies and Fortune 500s alike to escape the most egregious pitfalls of the potential impacts of a storm? Tactically, there are hundreds if not thousands. But strategically, 6 especially critical guidelines:
- Understand the stakes
- Assessing downtime
- Avoid the technology trap
- Maintain executive buy-in
- Keep plans current
- Know the drill
Understand the stakes
How far is far enough?
Is your location at risk?
Understanding the impact of a storm at your location is key to developing applicable disaster avoidance and business continuity plans. Obviously, coastal cities withstand the most risk during a hurricane. However, cities that are located 40 to 50 miles inland are surprisingly un-effected. For example, Houston is located 50 miles from the Texas coast, therefore the main threat during a hurricane is the high winds. According to the Weather Research Center, the highest winds in a hurricane are just right of the track (direction of motion of the storm), in the eye wall. When a hurricane is expected to make landfall near Galveston with maximum sustained winds of 115 mph, the effects on the downtown Houston area withstand wind speeds of only 70 to 80 mph (see Figure 1). Evacuating may not be an option if your building is located on the coast. However, shutting down all your operations and leaving town is not the only option if you are 50 miles inland. Know the facts. Don’t over estimate or under estimate your evacuation plan.
Assessing downtime
For every hour, for every day, for every week a particular application or system is down there is a financial impact. Know the numbers. If people understand the cost of downtime, then they have the information and motivation they need to move forward and plan accordingly beforehand. Many times people don’t understand the costs associated with downtime so they have a tough time getting their hands around business continuity and disaster recovery.
When it comes to your company’s valuable data and functional applications, the whole is greater than the sum of the parts. Having a spreadsheet outlaying the specific cost of IT application, internet and network downtime is the only way of knowing whether you’re truly investing in a protection of your company’s operation or simply being scared into overspending following a major disaster. When you have the numbers, you know where you stand. Don’t have time to figure it out? Hire a consultant to do it for you. Just get the numbers.
Avoid the technology trap
Don’t forget “people infrastructure”
Servers. Back-up tapes. Generators. These are the tangibles that initially come to mind when one considers disaster recovery and business continuity preparedness. But there are two sides to the coin: the technology-that’s the obvious component, and the second one-people. Dohsung Yum is director, IT enterprise for knowledge-based service assurance provider NetIQ: “When Tropical Storm Alison hit, we had the technology covered: the financial systems, CRM, file servers-we were fine. But that wasn’t quite the case on the people side. The building we were in wouldn’t let us back in without power. No elevators. No phones for tech support or sales to use.” Yum made alternative arrangements on the spot for some “people infrastructure” to get a temporary shop up and running for critical personnel, then modified his contingency plan. When Rita loomed in 2005, hardened offsite office space was in place right down to fresh coffee for the critical personnel.
And outside of human and technical infrastructure, IT leaders must also remember that disasters affect HR availability and reliability. During the 2005 hurricanes, many were not willing to tackle work issues in lieu of turning their attentions toward their families’ safety-a perfectly natural response. “Leading up to Rita, we flew a small group of order management personnel from our Houston data center out to San Jose, California facility, just in case,” notes NetIQ’s Dohsung Yum. “It was hard to find people to go. They were concerned about their families, boarding up their windows, traveling. They didn’t want to be far from home.” NetIQ has addressed the issue by replacing their San Jose facility with a local one, a move that was already underway for economic purposes.
But people’s natural desire to be with their families means resources can evaporate or muddle in terms of which responsibilities fall under whose aegis. Assign critical roles to those who are comfortable being away from their families, or make arrangements for the families of critical staffers’ safety in advance so they can focus on their jobs comfortably. Everybody wants their families to be physically safe and comfortable, but we also need healthy companies to come back to for our families’ financial wellbeing.
Maintain executive buy-in
Keep executive buy-in all year
In the weeks leading up to and following a hurricane, C-level executives, board members, and other stakeholder hang on the every word of those responsible for disaster recovery and business continuity. Unfortunately, that attention is short-lived. Hurricane season passes. New crises emerge. These challenges become yesterday’s headline. The CIO’s role is to keep the momentum of contingency support going all year long. Armed with hard numbers, potential risks, and a solid case for why executives should care, this is critical for getting the resources you need to succeed. And since you will be the ones feeling the heat if those contingencies fail, it’s in your own best interest.
Keep plans current
On outdated plan is a useless plan
Another unfortunate trend brought forth by experience was a sudden realization that many business continuity and disaster recovery plans were out of date. These plans have to live and breathe. Don’t make the mistake of drafting a brilliant plan and then shelving it as your organization lives on to make operational and environment changes, pursue new corporate objectives, or access a different portfolio of IT resources. You should, with every operational change, ask yourself: “How does this affect my disaster recovery plan? How does this affect potential downtime?” It sounds obvious, but as any venture capitalist will tell you, ideas are easy-it’s the execution that matters.
Know the drill
If you fail to plan...
Power. Connectivity. Employee and partner communication. PR. Before you need to deploy your business continuity or disaster recovery plan, have processes in place for all fundamental infrastructure, back-office, and communication needs. Whether you’re dealing in facility design, roles and responsibilities, or operational planning-the simple exercise of holding all phone calls, clearing your desk, and laying all the facts out in front of you for a rigorous series of “what if questioning” has true power.
And you may not have to start from scratch. “In 2005, some companies were more prepared than others because of compliance demands,” notes CyrusOne’s Vazquez. Those companies who were forced to make investments in compliance for regulations like The US Public Company Accounting Reform and Investor Protection Act of 2002 (Sarbanes-Oxley) survived better than smaller enterprises that failed to see continuity expenditures as the cost of doing business. Some of those processes can be used as a template, though it’s by no means comprehensive. Disaster recovery is not technically a mandatory part of SOX regulation, though it is a practical component of sound IT stewardship. After all, if a company loses its financial information it’s in for big trouble.
About the Author
Blake McLane [[email protected]] is the senior vice president of strategic business development for Houston-based CyrusOne [www.cyrusone.com]. The company specializes in providing data center solutions for the oil and gas industry.