What’s the Strategy?

A disaster is a bad thing! But there are many forms and extremes that disasters come in and there are only some that you can recover from. Let’s just focus on disaster management from an organizational perspective. There are many things that companies do that are wrong, but they also get some things right. While all companies focus on their physical security and safety, only a handful actually focus on taking precautionary measures to safeguard the integrity of their data. But you know all this already.

A few days prior to the printing of this issue of CIO Pakistan, we ran a brief survey to assess exactly how ready we are. Of the people we spoke to, 8% were from the Education sector, 21% from Finance, 3% from the FMCG sector, 3% from Healthcare and Industry, 26% from the IT sector, 8% from the Media and 31% from other sectors.

23% of the companies we spoke to were Small and Medium Businesses. A surprising 54% have spent less than $10,000 on a Disaster Recovery or Business Continuity strategy. 21% have spent between $10,000 and $20,000 on developing a DR and BC strategy or implementation. 72% have a DR or BC strategy in place, while 18% are still developing something that meets the requirements.

For mission critical information systems, it is a best practice to have a DR site in a secondary location and 24% of the sample size has at least one remote site. 13% have a DR site but it is online and 26% haven’t reached that part of the plan as yet.

Not surprisingly, almost 100% believed that “Disaster Management” meant some sort of natural disaster such as flooding or fire and the same number of people associated “terrorism” with DM and BC. Only 40% associated DM with data corruption and an even less percentage, associated with an internal threat such as a

disgruntled employee. When asking about vendors, most people thought of Cisco when they thought of Disaster Management solutions, followed by IBM, CubeXS-Weatherly and Oracle. When we asked which local, Pakistani companies came to mind when they thought of a DR or Business Continuity consultancy, most people said Oracle, followed by NCR, CubeXS Weatherly, EMC, Business Beam and IBM. A few mentioned Cybernet, Infotech and Netsol was mentioned once.

The biggest hindrance in developing or deploying a BC Strategy for any sized company is the cost factor.
47% of the sample population claimed that it was much too expensive to hire a DM consultant or buy a solution. At the same time, 31% of the population marked that they didn’t know how to do it themselves and 19% said that they didn’t know much about what solutions or consultant were available in the local market. If vendors and consultants would have a more concerted approach on a larger platform, perhaps the awareness level would increase.

Sharing and Privacy Issues
An interesting discussion with a group of IT heads over at the CIO Pakistan group on LinkedIn revealed the number one reason why companies are hesitant to share their DM plans. It becomes, quite obviously, a security risk. Few companies are willing to share a platform with competition to be able to tell them what DM or BC practices are in place. IT heads don’t really want to share the specifics about what strategies they have in place, but at the end of the day, the knowledge that the service provider I am working with, can guarantee the integrity of my data, helps more business to be generated. But yes, privacy and knowledge share is an problem that a lot of people face.

However, if you think about it, the DM strategy might involve all departments, the actual core implementation group is very small. Most departments don’t usually need to be aware of the minute details and strategies that can be put into place to have redundancy within the core group.

DM Strategies for SMBs
How many businesses have any solutions that specifically cater to the Small and Medium Business sector, is relatively non-existent. Small and Medium Businesses usually have a one-man IT department that is usually doubling up on some other critical functions within the organizations. The best option for them is to outsource the entire Disaster Management strategy, implementation and training to someone who can perhaps work with them to develop something at a larger level.

Unfortunately, there are very few companies who offer leased services. Since most of the vendors are sales-oriented, it is very difficult to get them to focus on the smaller companies who might not be a chunky sale on the balance sheet at the time of the quarter closing. One recurring reaction that a lot of small businesses have is that the larger companies simply do not focus on them. Perhaps more investigation is required but the complaint has been received on various occasions, from the larger companies also. Because economies of scale do not have the same effect for the smaller companies as on the larger ones and the size of the market is only so much, there is very little that the vendor can do. His sale will rarely be millions of dollars from one customer so vendors do have to grab more numbers rather than focus on just the larger clients. Every vendor is already approaching them and unless the dynamics of the Pakistani enterprises and markets don’t open up, chances are the ‘size challenge’ will remain.

Packaged Services
There are a number of packaged services that the multinational companies bring to customers in any country. Vanilla solutions are ready to go to the market as soon as the organization is ready to deploy it, however there are very few local companies who perhaps have the expertise and size to be able to provide end-to-solutions that have been homegrown in the country. Packaged solutions are usually expensive because they cater to larger organizations. There doesn’t seem to be any local companies who can provide the managed services so that the smaller companies can simply lease out space and expertise, as opposed to hiring something larger and outside of their budget.

Lack of hardware that can be readily leased out is also a constraint that companies face. Though you do have organizations such as CubeXS-Weatherly, they have a tier-4 data center facility that the smaller companies simply cannot get to. Until such time that smaller data centers come up on the map, these services can simply not be offered.

More Than Technology
But Disaster Management also has a great deal to do with security; both the physical as well as safeguarding the integrity of the intellectual property. A city that has congested roads and unplanned growth, is always going to be a threat to the safety of its citizens. 70% of Pakistan’s commercial growth is derived from Karachi, and the city did not even have a master plan until a year ago.

Coordination amongst the various departments is critical to the smooth information and task flow in a time of disaster. Enter a hotel and ask what their evacuation plan is, and you’ll get a different response from every shift manager you speak to. Go to a school and enquire what they will do in the event of a disaster, and they will tell you something to the effect that they will first call you, and then clear the kids from the building. When are these guidelines penned down on paper as a blueprint and, more importantly, how frequently are all these guidelines practiced by all the people involved.

The PTA is quick to run continuous announcements that unregistered SIMS must be destroyed, but they don’t come down hard enough on the cellular operators who cannot maintain uptime during times of crisis. Networks become flooded with callers worried about one another, jamming the infrastructure to a halt.

As citizens of a country or residents of a city, we don’t know what is safe in the time of a disaster, what emergency numbers are, how our information and data flow will be managed. There is such a lack of information sharing and collaboration, it is painful.

Things to Keep in Mind When Building Strategies
Don’t work in isolation: You create a plan for your office and don’t take into the account, the situation of the building or the road will not yield in a successful strategy. Know what is and isn’t available to you.

Collaborate, Implement and Organize: Work with the various departments and stakeholders in your organization. Once you run through a planned scenario or two, then you will be able to tweak the process.

Set Standards, Measure Up: You should be able to benchmark against certain actions. Be precise so you can measure your rate of success. Evacuation should, for example, take place within 3 minutes; replacement of hardware should take place within 10 minutes of a system going down.

Worst Case Scenario and Up: Plan for the worst so you are more prepared than you would be otherwise. There is no harm in running through multiple scenarios and then figuring out what to do from there.

Assign Tasks to Departments, Not Individuals: In times of crisis, you can prepare as much as you want, but no matter what, there is only so much of the emotional trauma you can be prepared to handle. Therefore when assigning tasks for departments, whether for physical trauma or an intellectual property disaster, assign departments to contribute their role to your overall recovery.

Plan B: Having a Plan B so you know what to do if your first line of defense doesn’t kick into action. This includes being redundant in the people within departments as well as having a backup internet connection for a rainy day.