Most firms, financial and
other, focus disaster recovery planning on the assumption of an isolated building or data center problem, or a more focused
regional power or property outage. The SARS outbreak, 9/11 and the 2003
Northeast power grid outage highlighted some new issues: how does a firm respond when a majority of their employees do not
come to work (and the employees of their provider /outsourced firms). How do firms communicate with global employees, and
with other firms and providers that are also in disaster recovery mode? A
worldwide health crises, or a broader regional power outage, will have a far deeper and different impact than a focused regional
disaster. This problem requires different levels of interrelated planning and communication.
In the instance of a pandemic health crisis, a firm's power does not go out and there is no disruption to a company's
data center, so typical DR plans will not help.
In the instance of a broad health
crisis, a large number of employees, globally, either cannot or will not come to work due to illness or the threat of illness. In addition, every provider, counterparty, market participant and client potentially
has the same problem, and the impact to a company's day-to-day operations could be staggering.
Any operation or system that is outsourced could potentially be unavailable, depending on the ability for a provider
to keep systems operational with reduced staff levels.
Aside from a broad heath pandemic,
many disaster recovery plans assume that outages will be isolated and contained, and not impact the entire US or other countries. Similar thinking occurred in the mortgage community in the last few years -- regional market downturns were anticipated -- an across the board decline in housing prices was not.
The Financial Services industry has sponsored broad exercises where staff outages scenarios were simulated. The exercises have highlighted how reliant and interconnected our service economy is, and how difficult
it can be to plan for every eventuality.
Have we done enough vetting of the disaster work plans of the companies we rely on a daily basis...service providers,
web providers, software providers.... do not just review how they back up their systems and data, but do they have plans to
operate if large numbers of employees are not at work? Do providers have good
communication plans with their staff and clients in case employees are widely scattered or cell phone towers and standard
communication modes are inoperable (as in 9/11)? Should companies look to get
more remote computing capability? Do companies have robust plans for day-to-day
credit monitoring of clients during time of crises. And, do they have the ability to communicate and analyze credit problems
versus those failing due to operational problems?