Home » Business Continuity » Disaster Recovery

Understanding Risk, Post-Katrina

FEMA's disastrous handling of Hurricane Katrina's aftermath was all the more galling because the scenario was long foreseen. So what catastrophe should DHS plan for next? We pick apart the risk equation.

Consequences were in the headlines for weeks after Hurricane Katrina. Yes, Katrina was a natural disaster, one that broke trees like twigs and tossed cars like coins. But everything that happened after the winds let up was man-made. The levees failed—a consequence of the way they were built and maintained. Eighty percent of the city flooded—a consequence of having positioned homes and businesses below sea level on land that relied on the levees to stay dry. Basic infrastructures failed—sometimes because critical systems or backup generators were placed at ground level. As many as 60,000 people were left stranded at the Superdome for days—a consequence of critical personnel leaving the city to care for their own families, and of confusion over where state and local responsibilities ended and federal ones began.

No one could have stopped the storm, of course, but the country could have better controlled the consequences. That's why experts say that instead of playing a game of pin-the-probability-on-the-scenario, a more helpful approach is to mitigate the consequences of whatever happens, through good preparation.

"It's fun to think about low-probability, high-impact things," says Dave Kent, CSO of Genzyme (speaking like a true CSO). But ultimately, he says, it doesn't really matter which specific event punches out your data center, keeps your employees from getting to work, disrupts communications or electricity, or causes a pandemic.

"It doesn't serve the interest of the organization to have someone yelling, 'The sky is falling!' on every potentially low-risk, high-impact disaster that may befall an organization," Kent says. But the effects of all those possible events have certain commonalities. "You have to be thoughtful about where your people are, and you have to have a plan for doing business if you can't get into your facility. Those solutions cut across a wide range of disasters." This is Business Continuity 101: Know who your critical people are, know what your critical systems are, and have contingency plans in place to keep them both humming.

As part of this planning process, it's become clear that businesses, to an extent greater than ever, need to prepare to be self-sufficient after any large-scale disaster, rather than counting on local municipalities having enough resources to help everyone.

This is a point that people like Rad Jones, former manager of security and fire protection at Ford Motor, are trying to ingrain in businesses, under the much ballyhooed rubric of public-private partnerships. Now an academic specialist with the School of Criminal Justice at Michigan State University, Jones helps run tabletop exercises (partially funded by DHS) where business leaders come together to talk about disaster recovery and business continuity with local government officials.