‘Don’t panic’ is the first piece of advice to remember in a data loss emergency, and ‘do nothing’ – except call the experts – is the second. However, there are a number of simple steps you can take to protect your company against disaster.
ឣ Put in place a regular, reliable back-up regime and make sure that it is strictly imple- mented by trained personnel. This should include a verification process to make sure that the back-ups work and are recording the correct files.
ឣ Duplicate the back-up to a second type of media so that if one fails the other is available.
ឣ Monitor the back-up to ensure that it has taken place and watch out for signs of anything unusual in the way the system operates. Record on hard copy the results of back-ups to help make this comparison.
ឣ Keep at least one set of back-up tapes off site so that, if your premises burn down or are flooded, you will not lose your data. This is standard business continuity best practice and easy to implement.
ឣ Back up before installing any new software. This may be a chore but it is essential!
ឣ If possible, leave your systems on all the time in consistent environmental conditions – hardware failure happens most often at start-up and shut-down.
ឣ Keep up with technology. Back-up tapes that can only be read with a drive that hasn’t been manufactured since 1989 will be inaccessible when the elderly device breaks down.
Computers are not infallible and any piece of hardware will eventually fail. No company would fail to protect its business premises by not installing smoke detectors, burglar alarms and fire extinguishers, or by leaving its doors unlocked overnight. Protecting data, and knowing what to do in the event of an emergency, should be as much a priority for all organ- isations.
Vogon International has rapidly become a global leader in data recovery from all types of computer storage media, as well as data conversion and computer investi- gation. Its client base ranges from commercial business to law enforcement agencies and tax authorities throughout the EU, Asia and North America. With over 17 years’
experience, Vogon operates worldwide from its base in Oxfordshire, England.
Vogon GmbH is based in Munich, Germany, and Vogon LLC is based in Oklahoma, USA; both are wholly-owned subsidiaries of Vogon International.
For further information contact: Sandie Stevenson. Tel: +44 (0)1869 355 255, or see the website at www.vogon-international.com
Crisis management
Disasters are usually a result of organisations failing to prevent a crisis from getting worse, says Peter Power, Managing Director at Visor Consultants Limited.
‘There cannot be a crisis next week. My schedule is already full’, said Henry Kissinger in June 1969 at a time when the US faced many potential crises. Humorous yes, but is there some truth in what he said? How many potential disasters are already on your corporate radar screen that you are too busy to notice?
There you are, convinced that you have planned for just about everything. Your risk analysis is complete and all your information and data processing seems watertight. You are confident that you are as prepared as you can be for most eventualities. Even the chairman has shown an interest. But what if fate delivers you a low ball and you have a crisis that really is out of the blue? How would you cope?
There is a worrying tendency, especially in the US, that assumes any ‘out of the blue’
crisis means just that: aircraft leaving the sky and deliberately hitting tall buildings – and we have all seen many post-9/11 business continuity plans that now focus exclusively on this threat to the exclusion of all others.
Whilst it is true that our notion of terrorism as a form of limited violence was shattered by the terrible events in 2001, previous attacks by equally less predictable terrorist organi- sations – like the Aum sect in Japan, responsible for the Tokyo subway nerve gas attack and fanatical groups in the Middle East – had already challenged our previous assumptions about terrorism. It was, and will always be, a threat that is surprisingly hard to define.
Almost by definition, terrorism will continually seek to change its face. But enough has already been written on this subject and before we also slide towards overindulging our concern with just one type of threat, let us return to the subject of this chapter: can you really handle any crisis?
6.3
In March 2000, a lightening bolt caused a blaze at a Philips electronic factory in Albuquerque in the United States. Ten minutes later the fire was out, but far away in Scandinavia this small event sparked a corporate crisis that shifted the balance of power between two of Europe’s largest electronics companies.
Nokia and Ericsson both depended on computer chips from the Philips factory. Indeed, the supply was critical to each company. After the fire Philips needed weeks to return to normal capacity, but with mobile phone sales booming, neither company in Scandinavia could afford to wait. What happened next is a lesson for us all.
Nokia (Europe’s largest corporation by market capitalisation) immediately switched on their crisis management skills. Before Philips said anything, all they noticed was a glitch in the flow of chips – but it was on their radar screen. Within a few days they had scoured Europe for alternate suppliers, flexed the company muscle to squeeze more out of them and patched together a solution that ensured manufacture of handsets kept going. Pertti Korhonen, the chief trouble-shooter for Nokia, said afterwards. ‘A crisis is the moment when you improvise.’ He was correct.
Ericsson, on the other hand, were probably too busy to notice anything. By the time it was realised that their supply of chips from Albuquerque was in jeopardy it was too late.
Nokia had been there days before and taken all that was left, and had done the same with most other suppliers. In the end, Ericsson lost around US$600 million of revenue and 50 per cent of market share and subsequently had to be rescued by linking with Sony to sell any handsets.
In my experience, the majority of disasters are caused by organisations that fail to prevent a crisis from getting worse, and then only wake up when things have deteriorated to the point of disaster. My own belief is that crisis prevention is considerably more effective than disaster recovery, but many organisations are encouraged by some consultants to spend a disproportionate amount of time and money on recovery options, without first looking at reducing risks, as well as preparing for the unforeseen. So what are the drivers for crisis management? Here are a few:
ឣ protection of reputation and brand;
ឣ customer service;
ឣ shareholder value;
ឣ legislation, regulation and corporate governance;
ឣ increased complexity of business operations;
ឣ increased interdependencies;
ឣ insurance conditions.
The last point, about insurance, also includes a potential reduction in premium if you can demonstrate that, should a catastrophe appear, being able to work at the speed of a crisis rather than at the speed of the organisation, the likelihood of a subsequent claim on your policy is much reduced. It is also worth bearing in mind that most insurers accept that for every pound or dollar of insured costs, there is anything between 8 and 36 times this amount in uninsured costs. Typically these costs are:
ឣ management time;
ឣ investigation costs;
ឣ adverse publicity;
ឣ loss of reputation;
ឣ loss of brand;
ឣ loss of image;
ឣ fines and penalties;
ឣ loss of expertise.
But realising this is not enough. It is also important to know that stakeholders and customers will now want to measure board proposals on issues such as succession, accounting irregularities, fraud and resilience. In 2003, as global threats and risks become more diverse and worrying, we might assume that being able to work instantly as crisis managers links more to profit than to cost. Nokia thought so. It follows that none of this should be seen as a ‘grudge purchase’ but as an extension of sound corporate governance executive stewardship – especially in a post-Enron/Worldcom world. So how do you do it?
Over the years we have helped many organisations in the UK, US and Europe to create, train and test their own ‘crisis teams’ and have realised that there are a few important points that should always be borne in mind:
ឣ When you are analysing data and researching the best options on how to prepare, always remember to ‘keep your eye on the ball’ and not let the project get hijacked by some- thing else. All the plans, mission statements, recovery options and supply chain goodwill counts for nothing if executives cannot switch to ‘quick time’ thinking and form a ‘crisis management cell’ without delay. It is, therefore, a subject where selection, coaching, testing and exercising counts for everything.
ឣ Your own suppliers may cause you to have a crisis. These days many companies operate
‘just-in-time’ (JIT) procedures, which probably means they cannot deal with ‘just-in- case’ events since there is little or no slack left in the process. Add to that fragile supply and data routes up- and down-stream from your sites and the knock-on effect of someone else’s crisis seems all too obvious.
ឣ Getting board-level agreement is not enough. You must get board-level commitment and hands-on involvement.
ឣ Make sure that crisis management becomes a truly operational tool and not just a reference whose purpose is to reassure everyone when things are calm. It must be an integral part of management and a continuous process, of which the document marked
‘plan’ is simply a written presentation of management competence.
ឣ Avoid lack of motivation and inspiration. What do I mean by this? Well, take the story of an important visitor who some years ago called into a stone quarry to see what the workers were up to. All around him apprentices were busy chipping at granite blocks.
‘What are you doing?’ he asked one of them. ‘I’m making a stone block that will be two feet long by a foot wide’, came the answer. Turning to another apprentice he asked the same question but got a different answer: ‘Oh, I’m part of the team building a magnif- icent cathedral’.
ឣ Manage your risks properly and recognise that the key to successful crisis management is to realise that containing a crisis is more effective than recovering from a disaster.
Oddly enough, many organisations have disaster recovery plans, but not enough have crisis management options. Perhaps that is because you can more easily measure recovery? This leads to the last point: