Hurricane Sandy. 1. Review the key phases of disaster recovery as outlined in chapter 10 of your textbook 2. Briefly discuss the disaster recovery phases in chapter 10 and their relation to the lesso
6/15/2019 Disaster Recovery: 10 Lessons from Hurricane Sandy - CIO Journal - WSJ https://deloitte.wsj.com/cio/2012/11/29/disaster-recovery-planning-10-lessons-learned-from-hurricane-sandy/
One year ago, Hurricane Sandy struck, highlighting the crucial role employees and
communications play in business continuity and the need to create short-, medium-, and long-
range disaster recovery plans.
As Hurricane Sandy tore up the Atlantic coast in late October, 2012, 8.5 million homes and
businesses lost power, according to the U.S. Energy Department. The protracted power outages,
widespread damage, and lost business wrought by the hurricane—estimated to cost between
$30 and $50 billion, according to IHS Global Insight—taught many companies unfortunate
lessons about the importance of disaster recovery planning.
David Sarabacha, a principal with Deloitte & Touche LLP who specializes in resilience and
recovery planning, says Hurricane Sandy reminded business leaders that thoughtful disaster
preparation can pay dividends for a company’s ability to weather a storm. He identified 10
lessons from the recent hurricane that can help businesses better prepare for the next crisis.
Lesson 1: Take care of your employees. When disaster strikes, employees will rightfully put the
safety of their families and homes first. “It’s impossible for employees to think about work when
they don’t have heat or electricity, water is rising in their basements, their homes have been
destroyed, or they need to account for loved ones,” says Sarabacha. “To the extent a company
can either help employees prepare for a disaster or get back on their feet after one, the sooner it
can return to business as usual.”
Sarabacha advises organizations to do more for employees than simply provide them with
suggestions for personal preparedness and home safety. For example, he urges companies to
offer alternate communications capabilities to decision-makers. He also recommends providing
basic necessities such as water, food, shelter, and daycare to affected families, since private
companies may be able to mobilize faster than relief organizations. And he counsels companies
to help employees find or get priority service from contractors who can repair or rebuild their
homes.
CIO Insights and Analysis from Deloitte
CONTENT FROM OUR SPONSOR
Please note: The Wall Street Journal News Department was not involved in the creation of the content below.
While acknowledging that these “above-and-beyond” efforts can grow costly, Sarabacha also
argues that the added investment may be justified if business activities are truly time sensitive
and hinge on critical personnel.
Lesson 2: Crisis management, business continuity, and disaster recovery plans should be
detailed. Sarabacha notes that many businesses’ disaster recovery plans are fairly high level.
“Executives assume they’ll figure out the details when an event takes place,” he says. “But if
business leaders don’t have sufficient lines of communication available to share information,
make decisions, and disseminate instructions, their ability to implement their plans will be
impaired.”
Sarabacha says disaster recovery plans should establish clear chains of decision-making and
empower employees in the field to take action. They shouldn’t have to wait for direction from a
senior leader, whose communications may be out of commission.
“The sooner a company can take decisive actions in the event of a disaster, the faster they may
be able to recover,” he says.
Lesson 3: Plan for different impacts, both in magnitude and duration. One mistake
businesses make when drafting disaster recovery plans is assuming an event will only affect their
organizations for 24 to 48 hours.
“Sandy brought to light the need for short-, medium-, and longer-term business continuity plans,”
says Sarabacha. “Companies will likely need different disaster recovery strategies for events of
different durations.”
For example, a two-day power outage may not require renting back-up office space, but a two-
week power outage may. An investment bank may need to transfer work to another office so that
it can process trades during a two-day or week-long outage, but transferring work for longer
periods could result in burn-out for the employees taking on additional responsibilities, notes
Sarabacha.
Lesson 4: Businesses can’t rely on employees’ ability to work from home. Many
companies’ business continuity plans direct employees to telecommute if they can’t get into the
office, according to Sarabacha. But, as Sandy illustrated, that approach quickly falls apart if
employees lack power and can’t access the corporate network from their homes.
One potential solution for large companies is to transfer work to individuals at offices that haven’t
been affected. To implement this strategy effectively, says Sarabacha, companies need to know
which individuals possess the skills to take on various activities. Because their human resources
will be constrained and overwhelmed, they’ll also have to prioritize what work gets done.
“For example, if a company can only serve 50 percent of its customers because it lacks capacity
in its call centers, the company needs to decide how it will prioritize service,” says Sarabacha.
“Companies should seek to avoid a situation in which they are devoting their scarce resources to
their least critical activities.”
Another possible solution is to set up alternate work sites through real estate or insurance
companies that rent “just in time office space” on an hourly, daily, or weekly basis. Companies
need to plan how they’ll get critical employees to these sites, which may be located in
neighboring states, in the event air traffic or mass transit systems are compromised, notes
Sarabacha. They will also need to board employees and their families in hotels while employees
are working out of state, and they’ll have to cover, track, and reimburse employees for incidentals
required while working off-site.
Lesson 5: Employ alternate forms of communication. During Hurricane Sandy, the Federal
Communications Commission reported that 25 percent of cell phone towers lost power, rendering
many mobile phones useless. Sarabacha advises companies to use other communication
mechanisms, including satellite phones. “Be sure you can get a sufficient uninterruptible power
supply (UPS) battery, diesel or other fueled generator to keep the satellite phones charged,” he
says.
Lesson 6: Two alternate data center recovery sites are ideal. After 9/11, many companies in
the Northeast moved their back-up data centers to sites closer to home, in New Jersey, according
to Sarabacha. They switched from distant backup data centers to closer ones because the
terrorist attacks shut down air travel, and companies wanted to make sure their back-up locations
were within a commutable distance, he adds.
Because Sandy took out companies’ primary data centers in New York and their back-up data
centers in New Jersey, the hurricane demonstrated the need to ideally have two fallbacks, one
nearby and one far away. Sarabacha notes that not every company can afford multiple data
centers, and some companies may have to accept that it could take several days or a week to
recover their data centers.
Lesson 7: The cloud isn’t a panacea. Cloud-based applications and storage have mitigated
some of the impact of disasters on companies. Because those applications and data can still be
stored in the provider’s data center, the applications may still be available to clients provided they
have power, and the data is at least theoretically recoverable or protected.
“Too many organizations don’t fully understand what their cloud providers offer in terms of
disaster recovery,” says Sarabacha. “They assume cloud data is available. They need to know for
sure they can get their data and their apps, not to mention when they can access them.”
Lesson 8: Understand your vendors’ disaster recovery plans. The Thursday after Sandy,
Sarabacha spoke with a client based in southern California whose business was scrambling to
re-route products from its mid-Atlantic distribution center after a logistics provider in the region
was shut down by the storm.
Sarabacha says his client’s conundrum illustrates the importance of having insight into vendor
and service providers’ business continuity plans. His client needed to know when and how the
logistics provider would restore service, given the pent-up demand the storm created.
“Even if an event like a hurricane has a limited impact on your organization, you need to realize
how it might affect your third parties and their plans for a response given your reliance on them,”
he says.
Lesson 9: Test your plan. Sarabacha says few companies extensively test their business
continuity and disaster recovery plans. They might test one data center, but not another. They
might test data recovery, but not their ability to actively restore dependent applications or to
synchronize disparate systems.
“I rarely see an integrated test that reflects what many organizations were dealing with a few
weeks ago,” he says. “Realistic exercises and war games must be developed and executed to
simulate both the anticipated and unknown circumstances an organization may face.”
Lesson 10: Don’t make the same mistakes again. When companies recover insurance money
for facilities lost or damaged by a natural disaster, they often repair or rebuild those facilities
without applying lessons learned. Consequently, says Sarabacha, those companies could find
themselves in the same position following the next storm.
In the aftermath of a disaster, Sarabacha advises clients to make strategic and tactical
modifications to their operations and assets (e.g., buildings, equipment, inventory, technology,
human resources, and vendors). For example, if a company kept one kind of product in each
warehouse before a disaster, it might decide to diversify its product mix across warehouses.
Making strategic and tactical changes might also mean eliminating single points of failure,
upgrading equipment, hardening facilities, and using multiple vendors for different services.
Companies that lack core competencies in crisis and disaster risk management may consider
outsourcing or co-sourcing arrangements with third parties that can help them plan, prepare, and
respond.
“Often it takes a swift reminder, whether an extreme weather event such as Sandy or a
significantly lingering economic crisis, to demonstrate that disaster preparations will continue to
be a good investment in protecting an organization’s personnel, assets, and stock price.”
November 29, 2012, 12:01 am