Why Your Security Strategy Needs Disaster Recovery and Business Continuity Plans 

Maintaining corporate security during a disaster and keeping employees safe goes hand in hand with returning to productivity, according to CRJ Key Network Partner, Dataminr.

When severe, real-world incidents strike, disaster recovery and business continuity plans prove essential to mitigate costly downtime and employee risk. Not all situations, however, can be managed by just one person or one team: During disasters, your operation needs clearly defined responsibilities in place in order to address the situation, reduce damage, and continue business as smoothly as possible.

These concerns over risk and process extend to corporate security teams, who engage disaster recovery and business continuity plans in order to re-establish normal operations. Even during a disaster, security needs to remain a focus, both to prevent unauthorised access and to ensure that employees face nothing more than controlled risks. Working alongside recovery and continuity teams through rehearsed plans and thought-out strategies, security teams provide a foundation of stable operations and data-driven information critical to resuming regular work.

During Houston’s Hurricane Harvey and Puerto Rico’s Hurricane Maria in 2017, specific industry sectors served as case studies for effective disaster recovery and business continuity plans: The pharmaceutical industry in Puerto Rico was challenged with surviving the storm, restarting security and operations, and continuing production; while in Houston, oil and gas producers struggled to handle flooding and power loss in sensitive refinery sites.

Disaster Recovery

From floods to plumbing failures, security system downtime to property destruction, disasters can take many forms. In response, disaster recovery plans are designed to help the business understand what to do in these situations in order to protect people and equipment. Your plan should factor in a wide range of potential challenges, and sort these into categories based on expected impact and risk. A disaster at the scale of Hurricane Maria, for instance, should be covered in the plan.

_{Damage to trees, powerlines, and buildings in Puerto Rico from Hurricane Maria, Sep 2017. It cost the economy tens of billions of dollars. Photo: Cliff Estes|123rf}

During Maria, Puerto Rico and its industries struggled with immediate impacts of a Category 5 storm, including flooding, power outages, and inaccessible roads and facilities. The effects were staggering for all:

100 per cent of people were without power after the storm and 80 per cent a month later
100 per cent were without mobile phone coverage after the storm and 70 per cent a month later
As of Tuesday, October 17, 2017, 35 per cent of households did not have access to safe drinking water

In the case of Puerto Rico, an island home to one of the world’s largest pharmaceutical operations, disaster recovery plans and preparation played a major part in company recovery. Anticipating storm damage by investing in duplicate generators and resilient buildings, many pharmaceutical facilities shifted production sites in advance of Maria; AstraZeneca forecasted no interruption in supply or security after moving core production to other countries, while Eli Lilly launched a disaster recovery plan as the storm hit. These operations planned for the storm’s maximum potential and were best prepared as possible.

Overall, however, Puerto Rico’s businesses struggled to respond to the disaster, leaving workers and residents in a state of emergency over one month later. Pharmaceutical companies may have executed precautionary and preventative safety measures, but they’re still struggling to remedy the national drug shortage of life-saving medicines. While they had strategic crisis management and corporate security plans in place, their experience also demonstrates the importance of having robust, rehearsed business continuity plans to ensure the business is still able to function until normal operating conditions resume.

Business Continuity

After Hurricane Maria, the entire island of Puerto Rico was shut down; power was cut, many workers’ homes were destroyed, and roads were inaccessible. For businesses to continue, they needed a long-term plan to remain open and powered, while supporting employees.

Business continuity plans address what steps are taken by an organisation in the days and weeks after the disaster, with the goal to establish normal and secure operations as rapidly as possible. Prior to Hurricane Harvey hitting Houston, organisations prepared for regular flooding by identifying likely failure points—such as flood-sensitive breakers and doors in facilities—building resources for employees before the storm, and installing permanent generators above flood levels in production facilities.

In Puerto Rico, the power grid was expected to fail in a severe storm, but businesses that considered this risk properly planned for months of no central power. This led companies like Amgen to factor extreme conditions into its plan and invest in generators, fuel, and infrastructure for several months of extended operations; ultimately, Amgen suffered little unexpected downtime. Considerations for business continuity broadly range, from employee emergency messaging and updating to factoring in a $4 per gallon fuel cost across inefficient generators.

Houston had other unique challenges. While the grid stayed active after the storm and fuel was not a concern, oil and chemical producers needed business continuity plans that factored in the hazards of potentially unstable substances. With power cut temporarily when generators flooded, chemicals could not be properly refrigerated and were likely to explode. Refineries calculated this risk into their business continuity plans and set off controlled burns of the chemicals to reduce the impacts to facilities and residents. Their plan needed to include long-term redundancy that accounted for risks like generator failure, facility safety and security, and flooding above expected levels.

Organisations can draw insight from Puerto Rico’s major pharmaceutical companies and Houston’s refineries when developing multi-month continuity plans that assume extreme damage. When strategising, ensure that you consider the critical parts of the business required to continue operations and that you have the resources available to maintain them; organisations should look inward as part of their business impact assessment as much as they look outward, in order to identify potential risks and properly understand impact and prevention.

Preparation Is Key

In Puerto Rico, both AstraZeneca and Amgen rehearsed their plans with employees prior to the storm and were ready to send home non-essential staff and streamline the operation. When disaster struck, everyone had instructions in order to stay safe and prevent undue harm to the facility, proving that an effective disaster recovery and business continuity plan require training and visibility so that all know how to react. In the middle of an incident, it is too late to rehearse.

Training can include annual and quarterly reviews of the key parts of the plan, as well as random drills to test responses and find any security or process gaps in the co-ordination. Corporate security teams, as well as disaster recovery and business continuity teams, should be included in leading this process. Key roles, like supervisors and mechanical staff, should have extra training in order for them to assist and direct others. In the event of an emergency, these employees are likely to lead the recovery and ensure your business maximises safety and minimises damage.

It’s vital that an organisation clearly identify the above personnel and ensure they know their responsibilities in the case of an emergency; otherwise, the plan itself will almost certainly fail. Maintaining corporate security during a disaster and keeping employees safe goes hand in hand with returning to productivity. Envision these three elements—people, planning, and preparation—as three legs of a stool; it’s clear that by removing one of the legs, the stool will be unbalanced and will not function. Similarly, with disaster response, business continuity and crisis management, these three legs are all required to ensure a balanced response.

Visit Dataminr's webiste for more case studies.

Image: lightwise|123rf