Katrina's Lessons
November 2005
This year's record hurricane season presents
an opportunity to plan.
by David
Nicastro
Secure Source,
Inc.
Since Hurricane Katrina, my life has been a blur. Immediately after the storm
wreaked havoc on New Orleans, Mississippi, and Alabama, we deployed security
personnel to protect news crews, terminal facilities, media transmission sites,
hotels, and other businesses. Our people worked day and night assisting companies
in the recovery effort.
During this period, we had two types of clients—those who had planned for
a crisis situation and those who had not. The difference was astonishing.
Those companies with business continuity plans were able to safely get restoration
crew's escorted and vital equipment protected almost immediately after the storm.
They brought what they needed in essential supplies, such as satellite communications,
emergency generators, cleanup crews, fuel, food, and the like. Our role was
to protect people, property, and materials from looting and to coordinate the
safe passage of crucial supplies. Because of sound planning and preparation,
there were no adverse incidents.
Other companies called on our services once they heard we were on the ground.
However, they did not have existing business continuity plans. As a result,
they were operating in a vacuum, just trying to survive.
Like all modern-day disasters, the destruction of Katrina was unveiled live
on televisions across America and around the globe. But even those powerful
images didn't capture the chaos of the scene. Unlike the events of September
11, this disaster was unique because there was no presence of law enforcement
at the scene long after the initial storm had passed. Armed gangs were shooting
at rescue teams and looters ran amok. Perhaps the most tragic aspect of the
looting was that some of the participants were sworn police officers.
Many businesses failed because they had no plan for organizing a response
and, as a result, their assets were left unsecured. Others tried, but they were
too late in finding essential materials, such as generators. Once the skies
cleared, they realized they could not communicate with their employees or even
get into their property, which was destroyed by water and mold, ransacked by
looters, or even seized by authorities.
Our modern computer technology, which makes our lives so much easier, created
a new problem: Many businesses had not backed up critical data systems. Basic
business support needs such as payroll, accounting, materials management, and
data processing were shut down. With no backup plan and no way to communicate,
make payroll, or pay other bills and expenses, these businesses were sunk.
A number of business owners hired our security teams to escort their people
downtown, and assist them in recovering data and materials that were in high-rise
buildings. With no power, no lighting, and no air-conditioning, this was very
dangerous and horrible experience for all involved. Other locations were even
worse due to the rapid growth of mold and the stench of rotting food and sewage.
During my lifetime, I have worked through a lot of crises and disasters.
While I have never witnessed a more devastating natural disaster than Katrina,
the problems the storm created were not altogether new. In fact, they are the
exact types of problems we anticipate when assisting our clients in drafting
their business continuity plans.
Although enterprise risk management (ERM) is an emerging field, crisis management
and business continuity is not. However, many firms still fail to plan and prepare
themselves in the event that the unthinkable happens. Whether it's a natural
disaster, fire, sabotage by a former employee, theft of critical proprietary
information, or an act of terrorism, the bottom line is that it is very dangerous
to not have a plan in place before catastrophe strikes your business.
As the citizens of New Orleans continue with the challenge of rebuilding
their city, other companies should take this opportunity to study Katrina's
lessons. Following are seven security steps stakeholders should take before
a catastrophe strikes their business.
- Conduct a Security Risk Analysis. This can be done internally or with the assistance of a consultant. The
enterprise risk analysis should include a detailed risk assessment to identify
the impact of negative consequences to people, property, and information.
It is an analytical process that details catastrophic events and quantifies
the probability of expected consequences. The effect of a loss event can
range from fatal, resulting in total discontinuance of the business, to
relatively unimportant. Your company will need to identify critical business
processes and recovery time objectives for each of those processes.
- Develop Options To Mitigate Security Risks. Study cost effective countermeasures to mitigate risks identified in the
risk analysis. Determine the best options available to prevent and respond
to losses through physical, procedural, and technological security processes.
You will need to identify key support services and emergency equipment needed
to sustain the business. The best crisis is one prevented.
- Integrate Key Functional Business Leaders. Get the right people in the organization involved in the planning process.
Senior managers from risk management, legal, finance, human resources, health
safety, media relations, and operations need to work together to keep the
business running. Evaluate the role and relationship of law enforcement
and public services in the context of knowing what they can and cannot do
for you in supporting your needs. Understand the assets at risk in relationship
to threats that pose the most harm, including the loss of reputation and
goodwill of the business.
- Create an Enterprise Security Plan. Within the culture of the organization, institute effective security policies
and standards that address the critical asset protection needs of the enterprise.
The risk analysis will point out vulnerabilities and what gaps needs to
be filled.
- Develop a Crisis Management Plan. This is an ongoing planning process but one that must be championed by top
management. The objective is to ensure that the proper measures are taken
to analyze the adverse impact of an acute crisis situation, identify viable
recovery strategies, and provide management of the organization's timely
and effective response to the problem.
- Establish a Crisis Management Team. All business critical support functions should be represented on the team.
The team should consist of local incident specific personnel along with
a management team consisting of the general counsel, human resources manager,
directors of facilities, information technology, finance, media relations,
security, and operations. The team supports the crisis management plan and
is convened following notification of an acute crisis. The team keeps the
CEO and president apprised of the status of the business continuity effort.
- Practice the Plan. In the context
of a real world scenario, exercise how the crisis management team works
together under pressure. The objective of the exercise to identify problems
and to correct those problems before an actual disaster occurs.
Remember, you wouldn't want to learn navigation in the middle of the sea
during a squall. Successful businesses learn from their mistakes and those made
by others. Many businesses failed as a result of Katrina because they failed
to plan for the worst. They did not believe it could happen to them. Consistent
focus and consistent action can pay off in the event that an unexpected catastrophic
loss event occurs.
Ultimately, as individuals, we are responsible for our own security and safety.
But who is responsible for security in your company? If that person is you,
then now is the time to start planning.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author’s employer or IRMI. This article does not purport
to provide legal, accounting, or other professional advice or opinion. If such advice
is needed, consult with your attorney, accountant, or other qualified adviser.