Podcast Transcript: Business Continuity and Disaster Recovery Planning with James Lee Witt

Diann Daniel: Hello and welcome to Business Continuity and Disaster Recovery Planning, a conversation with James Lee Witt. I’m your host, Diann Daniel, Senior Copy Editor at CSO Magazine. Hurricane season began June 1st and runs through November 30th, and the NOAA predicts a very active season. I spoke with Witt about how businesses should prepare for hurricanes and other disasters, and whether anyone’s exempt from planning. Witt has over 25 years of disaster management experience, and was appointed Director of FEMA in 1993 by President Clinton. He served as Director until 2001. Witt is currently CEO and Chairman of James Lee Witt Associates, where he provides disaster recovery and mitigation management services to states and local governments, educational institutions, the international community, and corporations.

Diann Daniel: Hurricane season is upon us, and I’m curious what business executives and particularly security executives should be doing to prepare.

James Lee Witt: The first thing I would recommend doing is to make sure that you have the insurance coverage that you need, whether it’s for wind or whether it’s flood insurance if your business is in a 100-year flood plain. Second, I would make sure that every single employee within my business understood that if we had to evacuate, where would we go, where would we reconvene our business so that we could continue to operate. Then, make sure that I had the capability to send out alert notifications or warnings to all my employees, particularly if it was on a weekend or if employees were traveling, and with a message of what was going on, what they needed to do.

What would you propose that system would be?

There’s several different systems out there. I would look at the one that would not only potentially give voice data but also information data. A lot of times you can do it through a software program on your computer. Some programs you could do it over cell phones. I would look at the different technologies that suited my company the best and work on that. We tend to forget that every dollar we invest in prevention or preparedness could potentially save you three to five dollars in future losses, but the business interruption side of it, it could be even higher than that. I would also check with any of my suppliers that would be in a position of not being able to make those deliveries. I would make sure that any of my customers, suppliers, all understood what my plan was, what I would need to do, how I would do it, and then ask for them to do likewise to make sure that the supply chain wasn’t broken.

Hearing you say it like this, it sounds like a very simple thing, but communication can be very difficult. Do you have any tips on making that communication easier and more readily available?

I think the best thing to do, first of all, is to develop your business continuity plan, and make sure that every person within that business understands it and is trained on it, so that you have that database set up, you have that information set up, and you have the people trained to be able to implement that plan if it’s needed. Then you can utilize the technology to be able to help with the implementation plan. Then I would exercise that plan. I know we’re in hurricane season but it’s still not too late to start planning.

Why do you think that there are still businesses that don’t do that, or people who aren’t preparing even though they live in areas where this is of concern?

You know, it’s interesting. Some of the corporations that we work for, and what concerns me so much, is that the lower management level and staff level really want to do something to really put in place so that their livelihood as well as their jobs and business will still be there and still working. The biggest problem that I have seen so far is getting the buy-in and the support from the upper management level, because when you’re in business, time is of the essence, and every day is full of meetings and conference calls, and this is one of the most important things that a CEO or a manager can do to help make sure that their business is still there and is still running and the jobs are still there for the employees and their families. Back when I was Director of FEMA, we did a survey of small businesses after disasters, and we found that 20 to 25 percent of those businesses that were affected by a catastrophic event never reopened. You lost your tax base, you lost jobs, and then five years later, some of these businesses went as high as 65 percent that never made it after a disaster.

Those are some concrete numbers. Why wouldn’t CEOs be paying attention to this and getting their disaster recovery plans in place?

Some have and some have hired risk managers, but not all. I think it’s really important that if you are a business, and if you supply a service or a product, it’s really important that you put in place the planning effort and the training effort and the exercising effort to be able to maintain consistency and to maintain a viable business if something does happen. I’ve seen it so many times. When Katrina really hit Louisiana, one of the big law firms there, they had an office in Baton Rouge, and their plan was to move everyone to Baton Rouge. They did, and they found out that first of all, they did not have enough IT support for it; they did not have enough room to support all the other employees coming in there; and it was a terrible, terrible situation for them.

It’s important to deal with planning now, whether it’s in an earthquake-risk state or a hurricane-risk state. Discovery Channel has hired us to look at their emergency planning and business continuity planning for all of their offices, which is huge. They see that need to be in business, they need to still be up and running in 80 countries. Even the bricklayer’s union, we did a business continuity plan for them. Back during Hurricane Fran in North Carolina, GE has a plant there. They had gone in and retrofitted their plant for hurricane resistance, and after the hurricane went through, their plant was still OK, but there was no employees to come back to work the next two days because they were taking care of their families and their home. Anheuser-Busch in California, in Pasadena, before the Northridge earthquake, spent 25 million dollars to retrofit their plant for an earthquake, and they were back open and operating two days after the earthquake making canned water for victims in the community. They said that 25 million probably saved them 150 million. There’s a lot of different ways you can approach this, but I think the most important thing is to sit down and to look at your risk and develop a plan in not only how to minimize that risk, but a plan of operations after an event.

It sounds like from some of the things that you’re saying that it’s really important to make that plan as concrete as possible. You have enough accommodations for people if that’s what you’ve decided to do, for example. Can you recommend to listeners particular questions that they might ask themselves as they’re sitting down to make these disaster recovery plans?

The most important thing that they can ask is What is our risk? Is it from hurricanes or is it from floods? Is it the storm surge or is it the wind? And then the most important thing, What have we done to protect our company against those perils? Then you develop an employee plan with that continuity plan, so that employees will know what to do after an event, or before an event. The most important thing, I’ve suggested this many times, is that every business should make sure that they help their employees to develop a family plan for their families, because if they know their family is safe and they know there’s a plan in place for their family...There’s many times you’ll see employees at work, you’ll see the children at school, and what if there is an event that you’re separated? What do you do? The family plan, you can reach out and say, OK, we developed a plan. If you’re at school, we’re at work, and there’s an event, we’re separated, call Aunt Bessie in Michigan, so everybody will have a contact place that they can call to know that they’re OK and where they’re at, potentially if you’re evacuated and get separated, which happened in Katrina. Some of those families were, just in the last few months, were reunited. An employer helps its employees to develop a family plan.

If you have a catastrophic event and you need to go back in to check your business, you need to work with your local government’s fire, emergency management, police, and you need to meet with the fire chief, the police chief, and you say, "OK, here’s our plan. Now, then, can we get credentials to allow us back in here to check on our company and our business?"

What does that mean exactly?

If you have a credential, a badge, that would, because a lot of times if an event happens and they cordon off and close the streets and won’t allow you in, if you have a credential or a badge that you’ve put together with the fire and the police and emergency management, then after it’s safe to go back in, you can go back in and check on your business and help maybe get it up and running again. It’s very important. Chicago has done this. It’s called Chicago First. It’s building that public-private partnership with public safety and emergency management and the corporations and businesses.

Do you think that there’s any difference between the approach that perhaps small businesses take to disaster recovery, and large businesses? Do you think one versus the other is better at this, or more aware?

I think it’s probably a mix. I think some of the small businesses that’s been through these events understand it and some of the bigger companies that’s been through an event would understand it more, but I’ve had people over the years say, we’re not going to be hit by any type of thing, and lo and behold, they do get hit. It’s really important to do that planning and that mitigating before something does happen, because it’ll not only help save your business and employees and save lives, it’ll be very rewarding in the outcome of it.

I would think that it even can help make the workforce more cohesive, just knowing that those plans are out there.

You know what else it would do? If you do this and you do the training and you exercise your plan, it will build a closer teamwork within the company. I’ve seen it. It’s amazing what it will do. It’ll even, particularly in a larger company, it’ll bring people together that normally don’t even associate. It builds relationships; it builds a team effort. We went into one company that was a pretty large company, and met with them, and they wanted to look at developing an emergency plan and a business continuity plan and a security plan. What was interesting, we went in, there was no security coordinator. We sat down with the upper managers, supervisors, and said, "Well, what kind of plan have you got in place now?" And one of the supervisors said, "Well, we had a kind of an exercise, but I had my assistant Bill sit in my place." That won’t get it. You’ve got to participate in it so that you’ll know what to do. Every company, particularly from the CEO down into upper management needs to have a relocation plan. Then they need to participate in making sure that, because they are the leaders of the company, they need to know what they’re doing because if you don’t, then CNN sticks a microphone in front of you and says, "Well, what did you do, what happened here?" You need to know. You need to understand it and plan for it.

Do you have any thoughts on risk assessment of different businesses or different even departments within a business as needing a disaster recovery plan? Do you think that some departments or companies absolutely need this and some can get away without having it, or at least paying as much attention to it?

The thing of it is, the risk that we face today, whether it’s a terrorist risk or whether it’s a natural hazard, you can plan and prepare for an all-hazard concept, which I would suggest. Knowing what risk you have, whether it’s hurricane or floods or other natural disasters or tornadoes, whatever it may be, it’s important to gather the information that you would need to put together something that would fit each company or a business, depending on the size and the amount of the employees you have, which you can do. There’s all kinds of information but there’s also people that’s available to do it for you and help you through it. We worked with PEPCO Connective Power Company, and when Isabel came through, they were getting beat up really bad about their services to get power back on and so forth. We worked with them, looked at their company from inside out all the way from New Jersey to Washington, D.C., and made a hundred and something recommendations of things that they needed to implement to provide better services to their customers, met with their board and their CEO. They implemented those recommendations, and they are far better prepared today, and they’re proud of it. We did training and exercise and evaluated it for them, and they’re ranked right up there in the top of the best-prepared utility companies now.

What does some of that training and exercises look like?
