Is Your Organization Prepared for a Disaster

Services | Clients | Articles | Upcoming Events | Links

Is Your Organization Prepared for a Disaster?

June 2007 (More monthly articles)

I Increasingly, organizations are asking themselves whether they are ready to face a major disaster. It’s a question that needs to be addressed, yet many non-profits still haven’t given it the attention it deserves. Too often, this issue doesn’t appear on the radar screen until catastrophe strikes. In the not-for-profit world, spending money to prepare for a calamity that may never happen might seem hard to justify in the minds of executives. To overcome this way of thinking, management must consider disaster preparation as a cost of doing business, a cost, by the way, that doesn’t have to be expensive.

A good place to start is to ask yourself how long your organization can survive if your infrastructure were completely wiped out. The amount of resources needed to adequately plan for such an occurrence increases the shorter that timeframe becomes. The inverse is also true. The longer you can go without a computer network, phones, building, etc., the less time and money will be needed to plan for an adverse event.

Keep in mind that over time, stakeholder expectations for the organization to be fully functional after disaster strikes tend to increase. Today, a few weeks or even a few months might be an acceptable amount of downtime. Tomorrow, the expectation could very well change to days or possibly hours. I once worked for an organization where a month was an acceptable amount of downtime. Today, that organization is prepared to be back on line in hours.

Once you answer the key question, your next step should be to take an inventory of all the resources that need to be protected. These probably include your phones, email, membership / donor database, user documents, website, accounting database, payroll system, and more. At a minimum, the data should be backed up and stored offsite. Therefore, a good data backup strategy is imperative if your organization is to successfully recover from a major disaster. For about $700 in hardware costs, you can purchase an excellent backup system that will hold about 70gb of data. That’s equivalent to 70 billion characters of data and plenty of space for most small organizations having only one or two servers. For about $3,000 an organization can get a solution that will hold about 300gb of data.

Be sure to test your backups on a regular basis by restoring from the backup disks. I’ve read horror stories of businesses discovering only after the 9/11 attack and Hurricane Katrina that their backups did not contain what they expected when they tried to restore from them.

While data is certainly important, it is not the only item with which to be concerned. You also need to protect your software investment. Where will you get the CDs to reinstall Microsoft Office, QuickBooks, SQL Server, Exchange, etc.? Even if you borrow someone else’s disks, you can’t use their licenses. A good idea is to scan all your software licenses and CD Keys, then store them electronically as part of your data backup. In addition to software licenses, you’ll need access to all those administrative passwords. A good practice is to store all your passwords in a password-protected Word or Excel document, stored in a secure location. Be sure to back it up too.

Consider having someone make a diagram of your computer network, showing the applications on each computer. Along with the diagram, document how the servers are configured. Similarly, make an inventory of all software installed on your servers. Another good idea is to document important business processes and backup those up on a regular basis. Such processes might include making payroll, handling cash receipts, and cutting accounts payable checks. Be sure to document home numbers, cell numbers, and personal email addresses of all employees, key consultants, business partners, board of directors, and other stakeholders so you can communicate with them during a crisis.

Disasters can be broken down into five categories, with ‘1’ being considered minor and ‘5’ being counted as catastrophic. A best practice is to identify the specific types of disasters that you could face, then assign each to one of the five categories. Events falling into a Category 5 might include a fire, a flood for those in low lying areas, or even an airplane crashing into the data center for those in the flight path of an airport. A Category 1 event, on the other hand, might include something as minor as a hard disk failure on a server, a utility worker cutting an Internet line running to the data center, a software update patch that causes a program to stop working, or even a key employee being out sick.

As you identify scenarios, try to document how you will recover from the event. To the extent possible, determine what will be the trigger for each scenario to declare a disaster. You should also be clear on who will be the one to declare the emergency, who will be the one to manage the crisis, and who will be the one to communicate with everyone. All three roles could be played by the same person or different individuals. Be sure to backup this documentation so that you can retrieve it in the event of a real emergency. Better yet, create an Intranet website that’s hosted offsite and store the information there. Finally, to the extent possible, test your plans by having a mock disaster drill from time to time.

Remember, the worst thing to do is nothing. As someone once said, those who fail to plan, plan to fail. Be encouraged, you can be prepared.