Hurricane Katrina

Understanding Risk, Post-Katrina

FEMA's disastrous handling of Hurricane Katrina's aftermath was all the more galling because the scenario was long foreseen. So what catastrophe should DHS plan for next? We pick apart the risk equation.

1 2 Page 2
Page 2 of 2

"It's fun to think about low-probability, high-impact things," says Dave Kent, CSO of Genzyme (speaking like a true CSO). But ultimately, he says, it doesn't really matter which specific event punches out your data center, keeps your employees from getting to work, disrupts communications or electricity, or causes a pandemic.

"It doesn't serve the interest of the organization to have someone yelling, 'The sky is falling!' on every potentially low-risk, high-impact disaster that may befall an organization," Kent says. But the effects of all those possible events have certain commonalities. "You have to be thoughtful about where your people are, and you have to have a plan for doing business if you can't get into your facility. Those solutions cut across a wide range of disasters." This is Business Continuity 101: Know who your critical people are, know what your critical systems are, and have contingency plans in place to keep them both humming.

As part of this planning process, it's become clear that businesses, to an extent greater than ever, need to prepare to be self-sufficient after any large-scale disaster, rather than counting on local municipalities having enough resources to help everyone.

This is a point that people like Rad Jones, former manager of security and fire protection at Ford Motor, are trying to ingrain in businesses, under the much ballyhooed rubric of public-private partnerships. Now an academic specialist with the School of Criminal Justice at Michigan State University, Jones helps run tabletop exercises (partially funded by DHS) where business leaders come together to talk about disaster recovery and business continuity with local government officials.

"The business has an assumption that if they call the police department or fire department, they're going to be there," says Jones, who is also a retired U.S. Secret Service agent in charge. "What we have to look at now is wide-scale disasters that can shut down a region." When Jones asks businesspeople how they would respond to a given scenario, he says, "If somebody raises their hand and says, 'We're going to call the police,' then I say, 'Let's get the police in here.'" And the police chief is likely to point out that a major disaster would quickly exhaust the department's resources.

Taking this self-sufficiency step down another level, Jones says companies should encourage their employees to do their own disaster planning. Duct tape jokes aside, he says that DHS's website, Ready.gov, really does have good advice about the importance of storing at least 72 hours' worth of food, water, batteries, medicines and other critical supplies to have in the event of an emergency.

The risks we should really be worried about, in the end, are the meta-risks, not the specific ones—like the possibility that the country isn't devoting enough time to figuring out roles and responsibilities of different entities during any crisis.

"I think we need to have the debate about when something is the primary responsibility of the federal government, and when it's the responsibility of the state and local government, and when it's the responsibility of the private sector," says Yim, the former Homeland Security Institute director, "so that people don't try to do the same thing. We talk about layered defenses, and that doesn't mean redundant defenses. It means people doing slightly different things that in some ways are complementary."

Or like the fact that we simply don't know how to evacuate a city, either in terms of the legal processes or the logistical ones. Just look at what happened in Houston as Hurricane Rita approached hard on the heels of Katrina. Traffic was stalled so badly that many would-be evacuees turned around and went home.

Finally there's the meta-risk of where personal freedoms fit into all this. "What freedoms are we willing to give up to have orderly evacuation?" ponders Dennis Treece, director of corporate security at Massport, the agency that runs the Boston Harbor seaport and Logan Airport. "Are you willing to be told that you have to leave your home? Is it even legal to order somebody to go away? In creating a statute that allows that, there's a loss of freedom. Is that good or is that not good? Well, I think we need to have some public debate over this stuff."

The consequences, if we don't, are simply too big to consider.

Copyright © 2006 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
The 10 most powerful cybersecurity companies