Podcast Transcript: Business Continuity and Disaster Recovery Planning with James Lee Witt

1 2 Page 2
Page 2 of 2

First of all, we took the recommendations and we helped them in their operations center, helping to design and fulfill the roles and responsibilities of each of those positions, whether it was staffing up for answering calls from customers coming in about power outages, to responding with utilizing communications to other power companies coming in to help put power back up.

So literally practicing some of these things?

Absolutely. Develop a scenario, OK, we’ve got this happening, we got 20,000 customers out of power, how are we going to get them back on? And you go through that process, who makes the decision to do what. You train them and you exercise them on this.

Do you see a difference, or have you seen a difference, between companies where maybe the disaster recovery plan is a bit more abstract, like if this happens, this is what we’ll do, maybe just people talk about it versus the actual carrying out as if it were happening in real life?

I think probably the state of Illinois, in Chicago probably, has developed the best private-public partner concept, particularly Chicago First working with the city and private sector. They have done the credentialing, they have brought the private sector in to the table, they sat them down and just really developed a very good concept of how they both could help each other. I think it’s important. What are you going to do if you need ice? What are you going to do if you need water? What are you going to do if you need a generator? Just all the kind of things that might help you get through the first five days. That’s all part of that planning process.

But those are very concrete things, ice, generator, I mean, the generator one seems pretty obvious but there might be things that a person or a business would need in those first few days that they hadn’t thought about. What would you recommend to them, how to think about this so that they do come up with these concrete things that they might need?

I would look at what resources and capability do I have within the company, and then I would look at what resources I would need to help my company to survive outside of the company. Then, if I needed to, I would look at having pre-event contracts set up to provide those resources and capability to my company and employees. The thing of it is, you can do a pre-event contract, you can take bids on it or you can take companies that you’re associated with and partner with them, but you can do a pre-event contract that does not cost you anything until you use the service. Then I would work with the state or local government that my company was in, and I would say, here’s my plan, here are the resources that we have, that we would have even available to help if we survive an event, but here’s the type of resources that we may need to maintain our company and its employees, and these are the pre-event contracts we’ve put in place. I would partner with them and make sure that it was consistent with their plan, as well, particularly evacuation planning.

I met with the western governors in Phoenix a few months ago, and the governors said, what should we plan on doing? I said the first thing you should do, you should look at every state agency, your National Guard, and you need to make sure that you have the resource capability within your state, and if you don’t you should do the pre-event contracts to be able to provide those other resources. I think it’s going to be important that we all look at that in this world today, because you cannot always rely on the Federal government to supply all that capability.

What advice would you give to CSOs or security executives in general: If the CEO or the board is not paying attention to disaster recovery or perhaps think they are in an area where they don’t need to worry about it, what should the CSO or security executive say to those people to help them understand or help them change their minds, that yes, we do need this?

I would get a very credible source that had a credibility to sit down with them and say, look, here are your risks, this is what you’ve done to minimize that risk, here’s some things that could probably help you. I would do my very best to ask for an outside independent review of what you have in place and what capability you have, and then go from there. It’s really important that our businesses across the country do this and plan for it. It’s so important. The business community is our jobs, they’re our tax base. It’s everything that supports a community.

Look at Louisiana. The parishes down there, Saint Bernard Parish, I was down there not long ago, they have a 70,000 population. They had one drugstore open, and they only had five businesses, and it’s been nine months. It’s really important. It doesn’t make any difference if you don’t feel like you’re not in a high-risk area, but it’s really important. Even if power went off, it’s important that you have a plan that would address that. What happened, I think it was in Des Moines, Iowa in the ’93 flood, the water treatment plant got inundated with flood water. When it got inundated with flood water, they had to shut the sewer treatment plant down. We had to provide 200, I think it was 250 port-a-potties, we had to provide water and ice, and the business communities shut down and I think it was, they said it cost, that community shut down, for the time period it was, it cost 250 million dollars in revenue. It may be a small thing that can create a very large economic loss for our business.

It’s just really important to identify that risk or potential risk and then develop something that you can implement to minimize the effectiveness on your company. Then you get into the security side of it. If technology and communications capability and having a database set up that would help you through an event, particularly if it was a security risk, is very important. One of the things that we’ve been doing and have done working with Global Options Group in New York, we’ve been able to combine four different companies that they have acquired, us too, and to provide a more comprehensive service that is not only for the Fortune 1000 corporations but it also includes emergency preparedness recovery, crisis management, security consulting, business intelligence, all the things that we feel like it’s going to be important for companies not only here but around the world. There’s a lot of capability out there and I would just encourage every single business and company to look at this, because it can happen. Look at how many stores Wal-Mart in Louisiana that were affected. Wal-Mart hired a Director of Emergency Management and a risk manager for Wal-Mart just to do that, and Wal-Mart had their act together and they were actually providing resources to the state.

As far as hurricanes go, since we are in hurricane season, what besides the communication and insurance are specific things that people need to think about that they might not know?

I think one of the things that’s important is that, know who you can depend on, not only within the company but outside the company. That’s why I said that it’s really important that you know who your police and fire chief or sheriff or emergency management director within the community that you live and work and have a business in. It’s important that you partner with them, absolutely critical. You’d be amazed at how many of them would welcome the opportunity to work with the private sector to be able to do that. Basically, if you can take care of yourself and your employees, then it’s not a burden on the response capability.

So would you say this even for, say, a small restaurant or a little boutique or a medium-sized business? Does it not matter what you’re talking about, any business?

It doesn’t. It should be any business, it shouldn’t make any difference if it’s one employee or 100 employees or 1,000, they need to plan to minimize and mitigate any potential risk that they may have.

And identify, depending on region of the country or even if you’re talking to specifically hurricane, what your specific risks are.

Absolutely.

Thank you so much for joining me today.

All right, well I appreciate it.

Listen to the podcast online.

Copyright © 2006 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
Microsoft's very bad year for security: A timeline