Hurricane Sandy. 1. Review the key phases of disaster recovery as outlined in chapter 10 of your textbook 2. Briefly discuss the disaster recovery phases in chapter 10 and their relation to the lesso

6/15/2019 Disaster Recovery: 10 Lessons from Hurricane Sandy - CIO Journal - WSJ

https://deloitte.wsj.com/cio/2012/11/29/disaster-recovery-planning-10-lessons-learned-from-hurricane-sandy/ 1/6

One year ago, Hurricane Sandy struck, highlighting the crucial role employees and

communications play in business continuity and the need to create short-, medium-, and long-

range disaster recovery plans.

As Hurricane Sandy tore up the Atlantic coast in late October , 2012, 8.5 million homes and

businesses lost power, according to the U.S. Energy Department . The protracted power outages,

widespread damage, and lost business wrought by the hurricane—estimated to cost between

$30 and $50 billion, according to IHS Global Insight —taught many companies unfortunate

lessons about the importance of disaster recovery planning.

David Sarabacha, a principal with Deloitte & T ouche LLP who specializes in resilience and

recovery planning, says Hurricane Sandy reminded business leaders that thoughtful disaster

preparation can pay dividends for a company’s ability to weather a storm. He identified 10

lessons from the recent hurricane that can help businesses better prepare for the next crisis.

Lesson 1: Take care of your employees. When disaster strikes, employees will rightfully put the

safety of their families and homes first. “It’ s impossible for employees to think about work when

they don’t have heat or electricity, water is rising in their basements, their homes have been

destroyed, or they need to account for loved ones,” says Sarabacha. “T o the extent a company

can either help employees prepare for a disaster or get back on their feet after one, the sooner it

can return to business as usual.”

Sarabacha advises organizations to do more for employees than simply provide them with

suggestions for personal preparedness and home safety. For example, he urges companies to

offer alternate communications capabilities to decision-makers. He also recommends providing

basic necessities such as water , food, shelter, and daycare to af fected families, since private

companies may be able to mobilize faster than relief organizations. And he counsels companies

to help employees find or get priority service from contractors who can repair or rebuild their

homes.

CIO Insights and Analysis from Deloitte

CONTENT FROM OUR SPONSOR

Please note: The Wall Street Journal News Department was not involved in the creation of the content below .

Disaster Recovery: 10 Lessons from

Hurricane Sandy 6/15/2019 Disaster Recovery: 10 Lessons from Hurricane Sandy - CIO Journal - WSJ

https://deloitte.wsj.com/cio/2012/11/29/disaster-recovery-planning-10-lessons-learned-from-hurricane-sandy/ 2/6

While acknowledging that these “above-and-beyond” ef forts can grow costly, Sarabacha also

argues that the added investment may be justified if business activities are truly time sensitive

and hinge on critical personnel.

Lesson 2: Crisis management, business continuity , and disaster recovery plans should be

detailed. Sarabacha notes that many businesses’ disaster recovery plans are fairly high level.

“Executives assume they’ll figure out the details when an event takes place,” he says. “But if

business leaders don’t have sufficient lines of communication available to share information,

make decisions, and disseminate instructions, their ability to implement their plans will be

impaired.”

Sarabacha says disaster recovery plans should establish clear chains of decision-making and

empower employees in the field to take action. They shouldn’t have to wait for direction from a

senior leader, whose communications may be out of commission.

“The sooner a company can take decisive actions in the event of a disaster , the faster they may

be able to recover,” he says.

Lesson 3: Plan for different impacts, both in magnitude and duration. One mistake

businesses make when drafting disaster recovery plans is assuming an event will only af fect their

organizations for 24 to 48 hours.

“Sandy brought to light the need for short-, medium-, and longer-term business continuity plans,”

says Sarabacha. “Companies will likely need different disaster recovery strategies for events of

different durations.”

For example, a two-day power outage may not require renting back-up of fice space, but a two-

week power outage may. An investment bank may need to transfer work to another of fice so that

it can process trades during a two-day or week-long outage, but transferring work for longer

periods could result in burn-out for the employees taking on additional responsibilities, notes

Sarabacha.

Lesson 4: Businesses can’t rely on employees’ ability to work from home. Many

companies’ business continuity plans direct employees to telecommute if they can’t get into the

office, according to Sarabacha. But, as Sandy illustrated, that approach quickly falls apart if

employees lack power and can’t access the corporate network from their homes.

One potential solution for large companies is to transfer work to individuals at of fices that haven’t

been affected. T o implement this strategy ef fectively, says Sarabacha, companies need to know

which individuals possess the skills to take on various activities. Because their human resources

will be constrained and overwhelmed, they’ll also have to prioritize what work gets done. 6/15/2019 Disaster Recovery: 10 Lessons from Hurricane Sandy - CIO Journal - WSJ

https://deloitte.wsj.com/cio/2012/11/29/disaster-recovery-planning-10-lessons-learned-from-hurricane-sandy/ 3/6

“For example, if a company can only serve 50 percent of its customers because it lacks capacity

in its call centers, the company needs to decide how it will prioritize service,” says Sarabacha.

“Companies should seek to avoid a situation in which they are devoting their scarce resources to

their least critical activities.”

Another possible solution is to set up alternate work sites through real estate or insurance

companies that rent “just in time of fice space” on an hourly, daily, or weekly basis. Companies

need to plan how they’ll get critical employees to these sites, which may be located in

neighboring states, in the event air traf fic or mass transit systems are compromised, notes

Sarabacha. They will also need to board employees and their families in hotels while employees

are working out of state, and they’ll have to cover , track, and reimburse employees for incidentals

required while working off-site.

Lesson 5: Employ alternate forms of communication. During Hurricane Sandy, the Federal

Communications Commission reported that 25 percent of cell phone towers lost power , rendering

many mobile phones useless. Sarabacha advises companies to use other communication

mechanisms, including satellite phones. “Be sure you can get a suf ficient uninterruptable power

supply (UPS) battery, diesel or other fueled generator to keep the satellite phones charged,” he

says.

Lesson 6: Two alternate data center recovery sites are ideal. After 9/1 1, many companies in

the Northeast moved their back-up data centers to sites closer to home, in New Jersey , according

to Sarabacha. They switched from distant backup data centers to closer ones because the

terrorist attacks shut down air travel, and companies wanted to make sure their back-up locations

were within a commutable distance, he adds.

Because Sandy took out companies’ primary data centers in New York and their back-up data

centers in New Jersey, the hurricane demonstrated the need to ideally have two fallbacks, one

nearby and one far away . Sarabacha notes that not every company can af ford multiple data

centers, and some companies may have to accept that it could take several days or a week to

recover their data centers.

Lesson 7: The cloud isn’t a panacea. Cloud-based applications and storage have mitigated

some of the impact of disasters on companies. Because those applications and data can still be

stored in the provider’s data center , the applications may still be available to clients provided they

have power, and the data is at least theoretically recoverable or protected.

“Too many organizations don’t fully understand what their cloud providers of fer in terms of

disaster recovery,” says Sarabacha. “They assume cloud data is available. They need to know for

sure they can get their data and their apps, not to mention when they can access them.” 6/15/2019 Disaster Recovery: 10 Lessons from Hurricane Sandy - CIO Journal - WSJ

https://deloitte.wsj.com/cio/2012/11/29/disaster-recovery-planning-10-lessons-learned-from-hurricane-sandy/ 4/6

Lesson 8: Understand your vendors’ disaster recovery plans. The Thursday after Sandy ,

Sarabacha spoke with a client based in southern California whose business was scrambling to

re-route products from its mid-Atlantic distribution center after a logistics provider in the region

was shut down by the storm.

Sarabacha says his client’ s conundrum illustrates the importance of having insight into vendor

and service providers’ business continuity plans. His client needed to know when and how the

logistics provider would restore service, given the pent-up demand the storm created.

“Even if an event like a hurricane has a limited impact on your organization, you need to realize

how it might affect your third parties and their plans for a response given your reliance on them,”

he says.

Lesson 9: Test your plan. Sarabacha says few companies extensively test their business

continuity and disaster recovery plans. They might test one data center , but not another. They

might test data recovery , but not their ability to actively restore dependent applications or to

synchronize disparate systems.

“I rarely see an integrated test that reflects what many organizations were dealing with a few

weeks ago,” he says. “Realistic exercises and war games must be developed and executed to

simulate both the anticipated and unknown circumstances an organization may face.”

Lesson 10: Don’t make the same mistakes again. When companies recover insurance money

for facilities lost or damaged by a natural disaster , they often repair or rebuild those facilities

without applying lessons learned. Consequently, says Sarabacha, those companies could find

themselves in the same position following the next storm.

In the aftermath of a disaster, Sarabacha advises clients to make strategic and tactical

modifications to their operations and assets (e.g., buildings, equipment, inventory , technology,

human resources, and vendors). For example, if a company kept one kind of product in each

warehouse before a disaster , it might decide to diversify its product mix across warehouses.

Making strategic and tactical changes might also mean eliminating single points of failure,

upgrading equipment, hardening facilities, and using multiple vendors for dif ferent services.

Companies that lack core competencies in crisis and disaster risk management may consider

outsourcing or co-sourcing arrangements with third parties that can help them plan, prepare, and

respond.

“Often it takes a swift reminder, whether an extreme weather event such as Sandy or a

significantly lingering economic crisis, to demonstrate that disaster preparations will continue to

be a good investment in protecting an organization’ s personnel, assets, and stock price.” 6/15/2019 Disaster Recovery: 10 Lessons from Hurricane Sandy - CIO Journal - WSJ

https://deloitte.wsj.com/cio/2012/11/29/disaster-recovery-planning-10-lessons-learned-from-hurricane-sandy/ 5/6

November 29, 2012, 12:01 am

Questions? Write to deloitteeditor

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting,

business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such

professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before

making any decision or taking any action that may affect your business, you should consult a qualified professional advisor .

Deloitte shall not be responsible for any loss sustained by any person who relies on this publication. About Deloitte: Deloitte refers

to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member

firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also

referred to as "Deloitte Global") does not provide services to clients. In the United States, Deloitte refers to one or more of the US

member firms of DTTL, their related entities that operate using the "Deloitte" name in the United States and their respective

affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see

Searc h C IO J o urn al SEARCH

Related Deloitte Insights

DRaaS Offers Recovery Assurances V ia Cloud

Most businesses would be crippled by an IT outage, yet building and maintaining failover

capabilities is an expensive and daunting task. Businesses can now leverage the cloud through

disaster recovery as a service to gain strategic business continuity and disaster recovery

assurances.

How to Create IT Resilience

Without an effective IT resilience strategy , companies stand to lose millions of dollars if critical systems fail. Learn

steps CIOs can take to help enhance and refine existing business continuity and disaster recovery plans, and

lessen the impact of service disruption.

Editor's Choice

Cloud Accelerates AI Adoption

The cloud is democratizing access to AI, enabling more companies to enjoy its benefits. Deloitte

Global predicts that organizations will accelerate their usage of cloud-based AI software and

services this year, resulting in more cognitive-enabled implementations, greater AI investments,

and increased rewards.

How Third-Party Data Can Enhance Analytics

A growing number of companies are seeking an analytical edge by employing outside data

sources. Incorporating third-party information ef fectively, however , can be tricky . To boost the

value of their companies’ analytics ef forts, business leaders may want to adopt some key

practices to navigate the complexity.

TMT CIOs: Business, IT Out of Sync on Cyber , Talent

An analysis from Deloitte’ s Center for Technology, Media, and T elecommunications (TMT) finds that many TMT

CIOs are looking to reshape their workforces by hiring talent with problem-solving abilities, social aptitude, and

other soft skills. Survey results also indicate a need for more collaboration related to cybersecurity and risk among 6/15/2019 Disaster Recovery: 10 Lessons from Hurricane Sandy - CIO Journal - WSJ

https://deloitte.wsj.com/cio/2012/11/29/disaster-recovery-planning-10-lessons-learned-from-hurricane-sandy/ 6/6

TMT CIOs, CISOs, and other leaders.

About Deloitte Insights

Deloitte Insights for CIOs couples broad business insights with deep technical knowledge to help

executives drive business and technology strategy , support business transformation, and

enhance growth and productivity. Through fact-based research, technology perspectives and

analyses, case studies and more, Deloitte Insights for CIOs informs the essential conversations

in global, technology-led organizations. Learn more

This copy is for your personal, non-commercial use only . To order presentation-ready copies for distribution to your colleagues, clients or customers visit

http://www .djreprints.com.