By Alison Dunn
Editor, Disaster Resource Guide
Ask any industry expert how they got into this profession, and you're likely to hear a variation on a common theme: It's just something I fell into.
"I was called by a friend in the spring of 1985, who asked if I'd be interested in disaster recovery," recalls Graeme Jannaway, managing director of Jannaway and Associates in Toronto, Canada. "I said I didn't know anything about DR. He replied, 'No one does.' "
Jannaway's story is a common one. Many of our industry's most highly-regarded professionals say they happened upon the industry by chance. And now, 20 years later, these industry pioneers have paved the way for a profession with a lofty goal: To prevent, mitigate, prepare for, respond to and recover from disasters - creating resilient communities and organizations in the process.
The different disciplines have come a long way in the past 20 years, from a group of disparate, virtually unknown professions to a more cohesive, holistic profession. But there is still more room for growth in the next 20 years.
Recently, we asked some of the "veterans" to give us their thoughts on the past, present and future of the industry. Here's what they had to say.
The Origins of a Profession
Emergency management. Disaster recovery. Business recovery. Information Security. No matter how you define them, 20 years ago, each discipline was a distinct and separate function with little to no overlap.
Take emergency management, for one. Encompassing the areas of emergency planning, first response and recovery, the discipline tended to focus specifically on life safety and the protection of property.
Claire Rubin, a noted author and president of disaster research and consulting firm Claire B. Rubin & Associates, was one of those people who began in the field of emergency management.
"Almost 30 years ago, I became involved in the field of emergency management when I was asked to help organize some meetings of local public officials to explain to them the new National Earthquake Hazard Reduction program," she says. "Gradually, I became interested in making connections between scientists and public officials."
But emergency management was very different from disaster or business recovery. Those disciplines grew out of the Information Technology (IT) sector and were focused on recovering technology - whether the mainframe or the data center - in the event of disaster.
"I started doing recovery planning in 1972," recalls Norman Harris, chairman and CEO of HARRIS Recovery Solutions, Inc. "I was going to teach the first seminar on the subject, and I needed a name for what I foresaw as a new industry. I decided to call it Disaster Recovery Planning."
Paul Kirvan, with Marsh Inc., adds, "During the late 1970s, the height of the mainframe era, a number of visionaries in the US, UK and other parts of the world realized that they had to develop ways not only to protect their massive investments from potential disasters, but also to devise procedures for recovering and restoring systems and data to their original pre-disaster state."
Gerry Nolan and Marv Wainschel, with Eagle Rock Alliance, tell a similar story. "In 1987, contingency planning was primarily the enablement of alternate site solutions for the data center," they say. "The planning was technical - mostly how to use hotsite and data backup facilities to restore limited systems. In so-called disaster recovery plans, batch processing reigned, online was a small, yet growing concern, recovery was measured in days to weeks, and user recovery plans were non-existent."
Silos and Stove-pipes: The Way We Were
With each discipline so different, what was the state of the industry in those days? For emergency management, it was a matter of dealing with a lack of resources and a focus on local emergencies.
"Emergency management was primarily site-level emergency response planning," says James M. Connolly, managing director of Marsh Inc. "High-hazard industries like the nuclear, energy and chemical industries understood the risks and generally developed comprehensive emergency response plans... but I don't believe there was significant integration of the EM, BC and DR disciplines. Generally, these were viewed as independent skills and exercises."
Lieutenant Colonel Scott Tanner, US Army, entered active military service more than 20 years ago and has been a medical operations contingency planner for most of that time. He recalls the early days of his profession, where there was little, if any, collaboration.
"Everything was very much 'stove-piped,'" Tanner says. "There was very little cross talk, and certainly no cross training! I remember in one exercise, an air evacuation crew repacking a patient with actual injuries before accepting him because they didn't want to give up their medical equipment for ours in a tailgate med supply exchange."
The state of business recovery wasn't much better. The scope of planning was fairly limited and didn't connect with the idea of large-scale disasters and emergency management.
"The scope of the business contingency plan was an interruption that only affected a specific business group or department," says Mark Haimowitz, director of business continuity management with Comcast in Philadelphia. "Considerations such as crisis management or emergency response planning were, in most cases, not part of anyone's plan. It wasn't that these components weren't considered. It was more that the planning effort was so new and overwhelming that you focused on what you could control and did not plan for what you could not control."
And where was business continuity in all of this? In the early days of the industry, it just didn't exist.
"There is no mention of corporate business continuity efforts in this early history, because there was none," says James W. Morentz, Ph.D., an industry expert with more than 30 years' experience. "The biggest corporate disaster was Three Mile Island, but the public perceived this as a failure of government. Insurance and cover-ups satisfied the need of corporate America until Johnson & Johnson showed the value and benefits of managing a commercial disaster in the Tylenol tampering incident. In one fell swoop, J&J transformed the idea of crisis response from a wall of lawyers to corporate communication as the way to handle the crisis."
Outside of the US, the story remains the same. Business continuity, as it exists today, had yet to evolve. "Disaster recovery planning is [all we were doing] in 1986," says Canada's Graeme Jannaway. "I would go to a large IBM mainframe users conference to hear the few talks on DRP and IT security, and introduce myself as a manager, business resumption planning for New York Life Canada. The normal reply was, 'Wow, you guys must be way ahead of us. We're only doing disaster recovery.' I'd reply that I was only doing DRP, too."
"We called it contingency planning back then, and the only books around were those written by IBM," recalls Dave Austin, principal consultant with UK-based Insight Consulting, a division of Siemens Enterprise Communications Limited. "Certainly there were government emergency plans, but these were largely about responding to a nuclear attack and the like, and were rapidly falling into disuse. All of what we did revolved around IT - by which I mean the mainframe. The business side was hardly considered."
What about other parts of the world? In Latin America, the whole concept of emergency management wasn't well known, says Carlos E. Musse, president of Peru-based consulting firm MusseCorp.
"At that time, emergency management was a concept used more in Europe or the US," Musse says. "In Latin America, EM is still a rather esoteric term. When we started the business, we were the first ones talking about the Incident Command System."
The Evolutionary Process
What, then, changed the industry? What made it evolve into what it is today?
"In the 1980s, most public agencies had hazard-specific response plans," says Judy Bell, president and CEO of Disaster Survival Planning Network (DSPN). "However, as the 1980s progressed, the public sector realized that an all-hazards approach addressed major disaster situations more comprehensively. During that same time, the private sector referred to the industry as disaster recovery. By the early '90s, a distinction began to emerge between systems recovery and business recovery."
Industry insiders point to events such as the 1988 First Interstate bank fire in Los Angeles, Hurricane Andrew in 1992, the 1994 Northridge earthquake, Y2K planning and, more recently, 9/11 as just a few of the events that have been catalysts for change.
For the private sector, these events meant a shift from disaster recovery to business continuity. According to Chris Glebus, vice president of State Street Corporation, the industry's emphasis used to be on DR, centered around network and system redundancies.
"I believe Y2K was the first shift for the business continuity profession," Glebus says. "This provided a lot of visibility for our industry with potential vulnerabilities... Then, of course, came 9/11. There was a new risk identified in the industry after 9/11 called intellectual capital vulnerability - what does a corporation have in place to ensure having sufficient staff to perform critical functions?"
Another key event was the creation of the US Department of Homeland Security after the 9/11 terrorist attacks. The Department brought together diverse government departments, including border and transportation security, emergency preparedness and response, science and technology, and information analysis and infrastructure protection. Most notable for the industry was the move of the Federal Emergency Management Agency (FEMA) under the umbrella of the DHS.
But most of the experts say it wasn't any one thing that brought the industry together into a more cohesive whole. "In the '80s, DR planning was a project that ended with a plan. In 2007, IT/DR and BCP fall within enterprise resilience programs, and are projects that implement repeatable process within a formal program," say Nolan and Wainschel. "No single event caused this 'project to program' evolution. Rather, it was a maturation process."
The State of Today's Industry
"From my perspective, BCP has evolved from IT/DR-specific planning to a total resiliency model that encompasses all the recovery and response business partners generating a holistic reality recovery," says Clyde Berger, director of business continuity management, Pfizer. "We really have come a long way from business recovery plans that more closely resembled procedure manuals to plans that concentrate on core processes, interdependencies and action-based strategies."
Berger is one of many industry experts who agree the industry has progressed in the past 20 years. The diverse disciplines are growing into one, and it makes for very strong, resilient plans.
"All the best-in-class programs today are business-driven," says Mark Haimowitz. "Recovery objectives are determined first by the business, with IT objectives following suit. In addition, a BCP program today would not be complete without a crisis response component. More and more corporations are hiring planners to establish programs to address the company's initial emergency response elements."
Today's regulatory environment is also pushing organizations toward business continuity. With the advent of legislation such as the Sarbanes-Oxley Act and standards like NFPA 1600, businesses are getting on board with business continuity.
And it's not just the regulations pushing organizations to adopt BC plans, says John Ames, director of business continuity practices for IT-Lifeline.
"Yes, we have regulatory drivers by industry, but we also see quasi-regulatory, client-driven, common sense and insurance-related drivers surfacing that didn't exist years ago," Ames says. "I believe BC management has no boundaries. Issues relative to a business's size, public/private organizations and whether it is regulated or non-regulated no longer apply."
The increased awareness may also be due to the fact that information and training - and our ability to access it - are far more abundant today. "Twenty-five years ago, it was difficult to find a strictly educational program on disaster recovery, business recovery, resumption and/or continuity without ties to a vendor resource," says industry veteran Pat Williams Moore. "Today, there is a wealth of strictly educational information available on these topics through formal academic organizations, conference seminars and workshops, the internet and a number of professional publications on these subjects."
The More Things Change...
What's improved in today's industry versus 20 years ago? For one thing, top executives, right up to the CEO, are recognizing that EM, BC and DR are more than just unavoidable costs. They're realizing that having a good plan in place is critical to doing business.
Not only that, they're also realizing just how broad their preparedness efforts should be, says Jim Connolly. "C-Suite executives are beginning to focus as much effort on recovering their people as they did on recovering their data centers," he says. "CEOs and their direct reports are beginning to understand that they have a significant role to play during an event that threatens the company."
The focus of the industry has also shifted, with a move toward strategy, global issues, pandemic planning, electronic data protection and internal solutions, says John A. Jackson, EVP & chief risk management officer with Fusion Risk Management. He also sees a growing focus on IT risk management and "finding ways to measure and monitor DR/BC programs, as never done before," he says.
Among the important trends today are the raised awareness of Human Resources departments to planning for personnel needs, the growth of NFPA 1600 as the industry standard and a growth in training and certification in the industry, according to Judy Bell.
Legislation, regulation and standards are another big trend today, for every part of the world. "High reliance on technology means society is becoming increasingly dependent on resilient systems," says UK-based Dave Austin. "Consequently, we're seeing legislation and regulation of key sectors, which means we must have standards to ensure we all have common terms and approaches."
Partnerships between the public and private sector have also improved over the years. "Public/private partnership efforts have played a key role in the advancement of our industry," says Haimowitz. "Today, many companies are represented at the table of local emergency management offices during a crisis. Communications between police, fire and OEM offices with the community businesses has taken off. There are government offices dedicated to work with the private sector on planning programs."
...The More They Stay the Same
But the more things change, the more they stay the same. While the industry has progressed, those involved in the day-to-day work of EM, BC and DR still face a number of challenges.
"I am struck by the thought that we have not come very far since my early days in this business," says Avagene Moore, president of the Emergency Information Infrastructure Project (EIIP). "As a county emergency manager 20 years ago, we struggled with public education, effective warning systems, training and preparing the school systems, hospitals... the list goes on. It all sounds very familiar, doesn't it?"
Moore's point is clear. While the industry has made great strides, there are certain issues that are still a struggle, particularly the ever-present funding issues. Beth Armstrong, executive director of the International Association of Emergency Managers (IAEM), says her organization is still struggling to get adequate funding for local emergency planning, "because all emergencies are local."
In particular, the debate over an "all-hazards" approach to funding is a contentious issue today. Funding for terrorism efforts has reduced the money available to prepare for other, more likely hazards such as flooding and hurricanes. "I have seen much of the evolution from the Civil Defense days to the creation of the Department of Homeland Security," says Moore, "where the threat of terrorism and its consequences overshadow other segments of the all-hazards program in terms of program emphasis, training, exercise, planning and funding."
Communication is similarly an issue. According to COMCARE, a non-profit organization dedicated to advancing emergency communication, today's emergency information technology systems are still less sophisticated, and far less interoperable, than most commercial systems. Large parts of the country still lack rudimentary voice interoperability; even fewer have inter-organizational data interoperability.
"Through improvements in communication - such as the internet, cell phones and other emergency applications - the ability to coordinate multi-disciplined needs and issues has become far easier than in the past," says Jim McGovern, senior adjuster for McLarens Young International. "But having the tools and using the tools are two different things."
And the changing world has led to changes in loss control and mitigation, particularly in the insurance industry - and it's not all good, says Michael Mies, president of Technical Recovery Solutions LLC.
"From my perspective, the most disheartening shift has been the erosion of initial loss control/mitigation," Mies says. "A 'perfect storm' of sorts has left a wake of inadequacies in claim management, most notable since 9/11."
Mies sees a number of elements in this "storm front," including: higher insurance premiums and deductibles; corporate streamlining, downsizing and just-in-time operational structures, and a shift in risk management from a focus on physical assets and operational resources to what he calls "higher-level" exposures such as corporate liability issues, terrorism and supply chain disruptions. The final element Mies sees eroding loss control/mitigation is what he calls "off-the-shelf" business continuity and disaster response plans.
"It's not only the major disruptions that can cause major problems, it's the small incidents that go unchecked that are more likely to impact operations. The game has changed," Mies says. "Organizations must take control of losses earlier and become more familiar with identifying the potential hazards of loss conditions."
Looking Forward
If the industry has changed so much over the past 20 years, it stands to reason a lot will change in the next 20 as well. What does the future hold for the industry?
For one thing, today's existing threats like hurricanes, tornadoes, earthquakes and extreme weather aren't going away. Neither is the newer threat of terrorism. The world is also facing a number of new threats that may affect the industry over the next 20 years. One of the biggest concerns for the future is the threat of a pandemic, particularly a flu pandemic. The rise in awareness over global warming issues could also play a part in tomorrow's threat landscape.
Despite the industry's advancement, many experts believe we will still be faced with many of today's challenges in the years ahead. Funding, for one, will likely always be a contentious issue. Other challenges ahead include the continuing quest toward interoperable communications, identity theft, data privacy and hackers.
And don't expect attitudes toward disaster to change. "People still make the same mistakes," says Andrew Hiles, managing director of Kingswell International. "People still ignore risks and say 'it won't happen to me.' People still try to get a 'check in the box' rather than do BC properly."
While no one has a crystal ball to see into the future, the experts we asked did offer up their opinions on what advancements the industry will make over the next 20 years.
"In the future, technology will play an even bigger role in the industry than it does today," says Norm Harris. "[We'll have] better back-up methods, better communication methods and more wireless capabilities along with a lot more education available for the staff who work on DR/BC plans."
"Technology will advance to the point where instant communications will be commonplace, providing a solution to the most challenging element of emergency response and recovery," says Judy Bell. "Wireless capabilities covering campuses, cities and other interdependent groups will allow information to flow quicker and more accurately to those who need it."
Others see a growing recognition of the need for personal preparedness, which will have a dramatic effect on emergency response. "Individuals and families will create personal emergency management plans that focus on fire evacuation and life safety," says Graeme Jannaway. "This will be because of a general recognition that most of us will be on our own for the first 72 hours after a disaster."
"Response issues will be different in that most people will become self-sufficient out of necessity," agrees Robert Lee, with Borden/Lee Consulting. "We will be the first responder, not fire, EMS or law enforcement."
"One of the most important things I see is the education of our populations," says Scott Tanner. "Everything from websites like Ready.gov and the availability (and popularity) of weather radios to the rise of Community Emergency Response Teams (CERTs) and the national attention to disaster response (albeit good and bad), makes a more educated and better prepared citizenry. I've always considered the average citizen as the weakest link in the chain of preparedness. Recent events demonstrate that our work is paying off and that our 'customers' are taking a more active role in their own preparedness."
Education is also at the forefront of the IAEM's plans for the coming years - only it hopes to see a continued focus on educating and professionalizing emergency managers and emergency management.
"The areas in which we hope to see significant advancement include the professionalization of emergency managers and programs, through the provision of international networking and training via regular meetings and events," says IAEM's Beth Armstrong. "Credentialing such as certification for individuals and accreditation for programs is a key way to promote professionalization, and IAEM's Certified Emergency Manager program was created to establish and promulgate standards in our field."
And most experts agree: The merger between the various disciplines will continue over the next 20 years.
"I see that the merging of EM and BC will continue," says Peru's Carlos Musse. "And now that disaster management programs are very common in major universities, surely it will become as common as a Business Administration or Law degree - and a very expensive one."
"EM, BC, DR and other planners will finally understand that they are all touching different parts of the same elephant," says Jim Connolly. "They will take off their blindfolds and create a truly integrated solution to overall preparedness."
Acknowledgements
The Disaster Resource GUIDE would like to thank the following contributors:
John Ames, IT-Lifeline
Beth Armstrong, IAEM
Dave Austin, Insight Consulting
Janette Ballman, Disaster Recovery Journal
Judy Bell, Disaster Survival Planning Network
Clyde Berger, Pfizer
James M. Connolly, Marsh Inc.
Steven P. Craig, Consortium of Business Continuity Professionals, Inc.
Ed Devlin, Devlin Associates, Inc.
Chris Glebus, State Street Corporation
Mark Haimowitz, Comcast
Norman Harris, HARRIS Recovery Solutions, Inc.
Andrew Hiles, Kingswell International
John A. Jackson, Fusion Risk Management
Graeme Jannaway, Jannaway & Associates
Paul Kirvan, Marsh Inc.
Robert G. Lee, Borden/Lee Consulting
Victoria Lochowski Craig, Consortium of Business Continuity Professionals, Inc.
Jim McGovern, McLarens Young International
Michael Mies, Technical Recovery Solutions
Avagene Moore, EIIP
Pat Williams Moore
James W. Morentz
Carlos E. Musse, MusseCorp SAC
Gerry Nolan, Eagle Rock Alliance, Ltd.
Charles F. Rodger, Disaster Management Center
Claire B. Rubin, Claire B. Rubin & Assoc.
Scott Tanner, US Army
Marv Wainschel, Eagle Rock Alliance, Ltd.
Stephen Zee, Wilmington Trust