We’ve written articles on Risk, Ransomware, Cloud Security and many others to help you think about what happens when things go wrong. But what about when it really kicks off, when your offices are forced to close, when the threat of headless chicken mode becomes very real?
How would your organisation handle disaster? How would your staff react? How much work would you lose or how far would productivity drop, and for how long? Planning for the very worst case may seem dramatic, but I bet you have household insurance for your own peace of mind, so why not apply the same for work?
The following is based on actual events…
Consider this very real story from recent Ethical IT (EIT) client history. It was a Friday, and a client of ours was in the middle of an office move. Staff were excited about the new premises, good plans were in place for the move day, telecoms and IT were all installed, everyone was bought into the project. It was summer!
The EIT team were helping pack down the old office IT systems, when the office manager enters looking very pale. The new landlords have a problem: a random HSE inspection has identified a major risk to tenants in the building, and access has been shut down until the site is made safe. It’s going to be at least three weeks before the risk can be removed; totally unforeseen, unexpected and potentially catastrophic for our clients – they have nowhere to move to, and were due to open again on Monday.
“We can work remotely though… can’t we…?”
The enormity of the problem quickly dawned on the team. True, email was cloud based, but their core systems handle sensitive data so needed a secure connection, which was only configured at the old and new sites. Certain core processes are transacted via post, which had already been switched to the new location. Advertising had been sent out celebrating the new offices. Worst of all, finance & payroll systems were already in situ – having been moved first because they carry the most importance – and were now inaccessible.
Our clients were in the midst of a true disaster. Earthquakes, floods or attacks had nothing to do with it; it was just terrible luck at the worst possible time, despite all their careful planning and focus on making the office move (in itself hard enough) a roaring success.
You’re damned if you do and damned if you don’t
No organisation has the resources to plan for every eventuality, but taking some time to draw out a simple, lightweight Disaster Recovery (DR) or Business Continuity Plan (BCP) that can be invoked in times like these is priceless.
The plan itself may not get you out of trouble. Yes, business will be affected, customers or supporters will be impacted, stress levels will rise. But having a set of tasks to follow in times of crisis helps ensure you’ve done the best you can, covered all the bases you can, and keeps the team focussed on getting things back to normal as fast as possible, irrespective of emotion.
Duck and Cover!
Here is a very brief summary of five steps you could take towards maintaining control when disaster strikes. As always, we publish a White Paper at the same time as this Blog which goes into more detail; search Knowledgebase on http://www.ethicalit.net/knowlegebase/ to grab the guide:
- Choose your core team. These are the key players that are going to front up each of your Core Functions. Each person should have a photo, 2 phone numbers, work and personal email addresses, as well as a backup “2nd in Command” support person should they be unavailable.
- Carve up the organisation into Core Functions. Finance, HR, Communications, Facilities, IT. Each function should be designated a person from step 1 who will lead on that area if the DR Plan is invoked. In smaller organisations this may be a few people covering most functions.
- Next you need to identify your Business Critical systems and processes. Scenario Planning is a great tool here – “what if X system was down” or “who could cover Y if such and such was unavailable”. Score each risk out of 10 using metrics such as likelihood, impact on the organisation should it happen, and proximity of the risk (e.g. a supplier going bust would be further away from you than your in-house payroll system breaking). Scoring the risks should enable you to focus on the top items first.
- Draw up high level plans for each risk, starting with Communications – internal to staff and external to stakeholders. It’s likely that your IT systems may be central to these plans and this is where technology like cloud, backups and remote working can mitigate a lot of physical risks.
- Without staff knowing what the plan is and where to get hold of it when they need to, it’s meaningless. The last step is the most important; get your staff up to speed on the plan and train them on where to go if there is a disaster, starting with how they will be informed that the DR plan has been activated.
Fail to Plan, Plan to Fail…
Unexpected events happen. In our story at the start, our clients were not acting irresponsibly or being reckless, they were just unfortunate. Having a simple and clear plan to fall back on seems so simple in hindsight!
As it happened, we were able to get them up and running by Tuesday the following week, and thanks to our unique partnership with the Ethical Property Company – who provide office space to the charity sector – we even put them up in temporary accommodation, but it served as a case study to us all in planning against disaster.
So have a look at our Ethical IT Knowledgebase for further advice and support on this and many other topics, share as widely as you can and please do speak to us about how we might help you plan for disaster by harnessing the Cloud, Remote Backups and even emergency Office Facilities for a (very) rainy day.