Disaster Recovery Planning - Time Well Invested! An earthquake, a war, a hurricane… I survived those three life events by the age of thirteen. Even though each one of those experiences left a mark in my life, they taught me many lessons and created an awareness that not many people possess. I became very appreciative of everything I have and of every person in my life. At the same time, it created a sense of “being ready” at any time for “what could happen” and what I would need to do to bring things back to normal again.

When I hear a train go by, my memories bring me back to the noise of an earthquake back when I was six years old in Nicaragua. A deep sound from beneath the earth, a sound of destruction. Your home, your office, and everything around you becomes distorted and destroyed right in front of your eyes. Your own life could be gone if you’re in the wrong place at the wrong time. I learned that all your possessions and what you worked so hard to attain can be “torn to pieces” in a matter of seconds.

When I hear the noise of a helicopter, it reminds me of the sound of machine guns in the background when I was twelve years old and lived through the war in Nicaragua. I remember going to bed with the rattling noise of the windows with each bomb that was dropped. They were close to my house and some days it felt as if they were fighting right in my own backyard. The terror you feel when you are helpless, only a victim of someone else’s war, is indescribable. You learn to appreciate life in a new way.

When I hear the sirens announcing the possible tornado coming to your city, it reminds me of the hurricane David I lived through in the Dominican Republic when I was thirteen years old. I observed from a fourth floor apartment about three miles away the waves from the ocean that destroyed the island and the noise of the wind getting through the windows in our apartment. I learned that everything you own can literally “blow away” in a matter of seconds too.

But I choose to look at life from the positive perspective and I’m grateful to God that I’m still here so I can help others in many ways. That’s one of the reasons I founded Malzahn Strategic. The three key things we focus on—strategic planning, enterprise risk management (ERM), and talent management—all have to do with disaster recovery planning. From the strategic planning perspective, you have to put strategies in place to protect your business from ANY disaster and to keep the company safe. From the enterprise risk management perspective, you need to have strategies to mitigate ALL risks that can potentially affect your company. And from the talent management perspective, you need a plan to protect your company from losing your KEY talent, protect it from internal fraud, and also to plan ahead for future talent to bring your company to the next level.

Disaster Recovery Planning falls under your IT Security Program most of the time, which in turn is part of your ERM program. Below is a simple way to start with a Disaster Recovery Risk Assessment:

Conduct a risk assessment based on your business location and probability of any type of incident happening:

• Threat/Vulnerability (include fire, flood, earthquakes, riots, tornadoes, etc.)
• Probability of incident (how probable is for this natural disaster to occur in your area)
• Severe Rating (how severe would it be if it were to ever occur – low, medium or high)
• Criticality (how critical would this incident be to your business – low medium or high)
• Confidentiality (this refers to data breach due to a disaster)

Conduct the following risk assessment based on the type of asset and then risk rate each asset:

• Asset Type: Application/Software, Process, System
• Asset Medium: Paper or Electronic
• Vendor Name
• Controls/Procedures in Place
• Description of Risks Associated with Asset
• Risk Mitigation: Description for Mitigation of Risks
• Risk Rating: Low, Medium, High
• Criticality to Bank or organization: levels 1 to 5 with 5 being the most critical
• Residual Risk: Low, Medium, High
• Information Classification: Public, Non-Public, Confidential
• Threats/Vulnerabilities: Level of Damage, Type of Vulnerability
• Threat/Vulnerability Likelihood: Low, Medium, High
• Vital Resources: Description of Vital Resources to the Bank Operations
• Recovery Point Objective (RPO): Description of How the Information or Asset Will be Recovered
• Recovery Time Objective (RTO): Approximate Time of Recovery

Something else to consider is that there are other types of disasters that are not “natural disasters” and they relate to your key talent in your company. I call that “Disaster Recovery for People.” I wrote another article called “Succession Planning – Is It Only for the CEO?” where I urge readers to consider the other key positions in the organization to have a backup for and be ready in case you lose those employees unexpectedly. Part of the DRP is also to include a Pandemic Disaster Plan. Regulators were very focused on that topic several years ago and for obvious reasons, it should still be part of your plan. The same way, having a data breach could be disastrous for your company as we all learned from recent incidents at large corporations that suffered a cyber attack. The biggest disaster is your damaged reputation and the financial damage that derives from that as a consequence.

I want to conclude by encouraging you to appreciate everything you have and the people in your life. I also want to encourage you to create a Disaster Recovery Plan for your institution and update it and test it annually. We don’t want to live in fear but we live in a world where life happens to all of us and we must be prepared at all times.

Does your CIO or IT Leader Understand Your Corporate Strategic Plan? I love IT people. They are talented individuals who have a gift to understand technology and “how things work” behind the scenes that not many people have. And we also know that their number one gift is usually not communications nor being “touchy/feely” type people. From experience, being married to an IT person, having been an IT Director for a nonprofit and a community bank, plus having managed many IT personnel through the years, I have learned how to communicate with them and also how to engage them in the strategic discussions of the organization.

“IT people" as we call them, are very smart people but so are the rest of us. In many corporations, there is a noticeable gap in communication between the leadership team and the CIO. This manifests itself in the gap between the corporate strategic plan and the technology strategic plan—if there is one in place. For example, if your institution wants to grow 15-20% in assets in the next fiscal year, do you have the technological infrastructure to support that growth? How soon do you start planning for the continuous growth you are projecting in your strategic plan? What type of infrastructure (both physical and logical) do you need? Do you have the appropriate security controls in place to handle new customers and to offer brand new products or services? Do you have an enterprise risk management risk assessment process in place that incorporates how the new technology will or could impact the organization?

These and many other important questions need to be part of your risk assessment and strategic planning process in order to coordinate and have an integrated IT infrastructure to support your organization. To bridge the gap, therefore, IT professionals need to learn corporate talk, company politics, become very familiar with the company’s strategic plan/goals. At the same time, the leadership team needs to learn about technology—not only what systems they need to run their companies but also what type of technology would benefit their company most in order to ensure continued success.

Communication is the crucial component for a successful marriage between IT and the company’s strategic plan. Including the IT Director/CIO (or whatever title you choose for your company’s IT leader), is key to successful communication. Once the IT leader understands the needs of the company, where the company is going, and feels like a valuable team member, he or she will come up with the right technology solutions to support the company. Your IT strategies will then align with the company’s strategies

The IT infrastructure of a company is the foundation of the organization and all the pipes/framework have to be in place correctly—and from the start—just as you build your own home. I used to tell my team, “Our pipes can be full of customers but if our pipes are broken, we’re all going home!” Meaning, the sales staff and processes are just as important as the organization’s infrastructure. We’re all in this together and are part of one team, one company!

The IT Security Program includes having a strong IT Strategic Plan, which in turn should be integrated with your overall company’s Strategic Plan.