Business Continuity: Survey Gauges Government's Ability to Survive Disaster

Governments deliver some of society's most vital services. In an emergency, citizens look to public agencies to continue providing public assistance checks and public utilities, in addition to emergency services, including medical care or shelter. In today's technological age, governments must ensure vulnerabilities are found and mitigated before disaster strikes.

In April, Government Technology surveyed our readers and found that respondents were mostly confident in their ability to rebound after a catastrophe. Of the 121 readers who responded, about 60 percent were highly confident in their organizations' ability to maintain operations during a disaster. Eighty-one percent were at least moderately confident.

Although many of the responses showed a positive trend in government's preparedness, some experts warn that truly being prepared is more than ticking items off a checklist.   

For example, 95 percent of respondents said they had identified key staff to be contacted in an emergency. But there often is confusion among those key staff members when an emergency happens, said Eric Holdeman, principal with ICF International's Emergency Management and Homeland Security Practice.

"You've identified staff," he said, "but do the staff know they've been identified? That happens much more than you'd ever believe."

Even when staff members are aware they've been identified, they don't always know what's required of them, added Holdeman. "They've never received any information about what that duty might be or received any training on what it would mean." In addition, planners must consider whether those key staff members will be available during an emergency. For instance, they may be the primary caretaker for a family member or are unable to leave their children because they have no alternate care, said Holdeman, who was director of the King County, Wash., Office of Emergency Management prior to joining ICF International.

"It's one thing to have a name on a roster; it's another thing to really have a plan in place and be prepared," Holdeman said, adding that names on the roster should belong to people who know they will be expected to perform some duty and be committed to doing so.

Practice Is Essential
David Taylor, CIO of the Florida Department of Health, said the survey results are encouraging and show improvement from a few years ago, though he believes the most important thing about having a disaster recovery plan is practicing with it.

"The risk in all of these plans is that folks create a plan and then put it on the shelf and don't pull it off until the first time they're in a crisis situation," Taylor said. "It is imperative that they practice the plan, the individuals who are involved in the plan know exactly what their role is and what the relationship of their role is to other people's roles in the plan. Unless that's practiced, people really don't understand how to implement their role in a disaster."

Tabletop exercises can be helpful, he said, but real-life simulations are the most valuable for identifying vulnerabilities. "Actually using the stuff in a closest to real-life simulation as possible - that's where the real learning takes place and the real value happens," Taylor said.

In Florida, agencies are required to test their plans at least once per year, he said. The Florida Department of Health tests its plan biannually.

Since Taylor's agency is responsible for coordinating emergency health and medical care in a disaster, the agency must be able to have necessary systems up and running in a very short time. "It's important for us to set up treatment areas regardless of the physical location - buildings, warehouses, campgrounds, etc. - so we practice that," he said. "We bring out the satellite systems, the 800 MHz radio and get all of that in place, and we test that twice a year."

For the most recent test, Taylor's staff went to a 4-H Club camp, where they simulated a mass evacuation due to falling satellite debris and in fewer than 30 minutes set up the technology equipment necessary to administer emergency medical care to evacuees. "We revise our processes and procedures each time we do it," he said.

Drew Leatherby, issues coordinator of the National Association of State Chief Information Officers (NASCIO), said the need for education throughout an organization is something NASCIO has tried to emphasize at the state level.

"You must have an education program in place not only to educate your critical staff, but so that even your rank-and-file staff should be aware that there is a disaster recovery plan and at least be marginally aware of what's going to be expected of them if there is a shutdown," said Leatherby, who has written several papers on the topic for NASCIO.

In addition to educating internal staff, state CIOs should work across organizations to coordinate across the state as a whole, he said.

"The state probably has its own disaster recovery plan. As an IT organization, the CIO's office should cross that boundary and make sure its [disaster recovery] plans are in sync with what's going on in the state as well," Leatherby said. "I think that may be where some of the CIO offices fall short: They just look at their critical staff when they're looking at [disaster response/business continuity] and education."

Understanding interdependencies when planning for continuity of government operations is an important component to preparation, said Holdeman. For example, even though most survey respondents (81 percent) said key staff members can access resources they need remotely, it's likely they won't be able to remotely access the network all at once. In some cases, this is due to infrastructure issues the organization cannot control. In a pandemic flu situation, if everyone signs on from home, providers may not be able to keep up, he said.

"If you're in a cable-based system, you're actually sharing bandwidth with everybody in your neighborhood," he said. "So it isn't just based on what you've put into place; it's the infrastructure that's within your community."

Working with other public and private organizations can help planners' understanding of these interdependencies, he said.

"Some would say, ‘Well we're doing what we can within our realm of control,' which is appropriate, but then you have to understand - through these public-private partnerships - what the limit is," Holdeman said. "Don't just be thinking, ‘We're going to save our bacon by having this in place.'"

Cross-organizational relationships are difficult, however, and require time and energy. According to survey results, close to 60 percent of respondents have relationships in place with other government agencies to assist with disasters, and the variance between state and local respondents was negligible. But when it comes to having similar relationships with private-sector entities, the response between state and local governments varied significantly: More than 50 percent of state respondents claimed those relationships existed, while only a third of local government respondents had relationships in place with private-sector entities to assist in a disaster.

Leatherby, who is also the author of two NASCIO reports on disaster recovery - IT Disaster Recovery and Business Continuity Tool-kit: Planning for the Next Disaster and Pandemic Planning and Response for State IT: Where's My Staff? - said communicating with private-sector partners before an incident is critical.

"One of the big recommendations we made in our report was to make sure that you have prepositioned contracts in place with your vendors and to make sure all your ducks are in order with your outside contractors and things of that nature," said Leatherby.

According to Holdeman, a lack of resources is one reason local governments may struggle more when working with the private sector.

"It's probably a degree of how many resources the local government has opposed to the state," he said, adding that often local government emergency management organizations consist of only one person, and in some cases, organizations devote less than a full-time equivalent (FTE) position to the job. "It's part of an FTE, and it's not his or her primary duty."

Reaching outside of the organization to find solutions also can be a cultural challenge for government, Holdeman added. Sometimes it's merely a factor of how much energy managers are willing to expend creating those relationships.

"It sounds simple, but it's really hard gaining and maintaining relationships across the board within and between governments. Then with the public-private sector, it just adds a whole new dimension."

Getting resources for those planning efforts also isn't easy, he said. "We compete against all these other daily needs for something that might happen at some point in the future."

Making the Financial Case
Judging by the survey results, disaster recovery planning in local governments is harder hit by the current budget crunch - only 12 percent of local government respondents said continuity of government projects are being maintained at previous funding levels. By contrast, nearly 30 percent of state government respondents said their continuity of government projects are maintained at the same level or exceed previous funding levels.

Holdeman said funding for disaster recovery and continuity is a difficult case to make, but planners should watch for opportunities.

"Be prepared for the windows of opportunity - even if it's not an opportunity you want - where disaster impacts or comes close to impacting your jurisdiction," said Holdeman. "If it is a televised event, those types of things call people to action, and for a short period of time you have constituencies asking their elected officials, ‘What about us?'"

For example, he pointed to a situation when a major earthquake hit California and he was working for the Washington State Emergency Management Division.

"It happened on a holiday," Holdeman said. "I called the director and said, ‘Hey, they just had an earthquake in California. We need to get into work and figure out what we want to ask the Legislature for because they're in session.' And sure enough, that afternoon they were calling and saying, ‘What is it we should be doing?'" Holdeman said the agency requested a 24-hour duty officer and a new emergency operations center [EOC], and received the 24-hour duty officer. "It wasn't until the next big disaster in the state that we got funding for a new EOC."

NASCIO's Leatherby said part of the reason his organization produces information on continuity of government and disaster recovery planning is to help decision-makers understand the need for this type of planning.

"If all the IT functions for the state go down, they're going to be feeling the pinch from their constituents when people aren't receiving their welfare checks, when they're not able to access services and things like that," he said.

"I think you kind of have to scare the decision-makers, especially in light of all the budget problems you're having, into realizing that this is an essential line item," Leatherby continued. "It's not just a luxury."