The DR essential IT leaders can’t overlook

Several years ago, an earthquake struck a West Coast community and threw almost everyone’s data center offline. There were regional electrical outages and communications disruptions, and systems failed.

It’s a vivid memory because I was the CIO of an area financial institution at that time.

We went into disaster recovery failover mode, with everyone in IT focused on getting systems back up and running. Our battery backups, system backups, and contingencies were good, so we were confident that we would have everything back online as soon as the regional electrical and communications grids were restored — but we didn’t quite see the other side of the disaster.

That other side was public relations — the communications out to stakeholders and the public about what was going on and when we expected to have systems back.

And as any CIO who has dealt with a similar experience knows, the often-overlooked PR piece can put even the most bullet-proof of disaster recovery plans in peril.

Anatomy of a PR DR disaster

Here’s how a rather difficult PR and communications scenario unfolded in the wake of that disaster recovery scenario.

When the earthquake struck and systems first went offline, customers at bank branches were concerned about systems being offline because they wanted to complete their transactions. We were able to continue business without the IT systems because we had personnel at branches who still remembered how to keep manual ledgers so they could key in transaction data later when systems came back online.

Of course, customers were still concerned about systems being unavailable and wanted to know that their money was safe. One customer asked a teller at a local branch when the teller thought systems would be back, and the teller responded, “I really don’t know. I think I heard that the data center was damaged.”

Within minutes, local radio and newspaper reporters were calling. They had heard that the financial institution’s data center was damaged and wanted to know whether we could continue operations. Anxiety built in the community, and it began to cause a run on the bank. Since landlines were still working, we got to work calling stakeholders, the board, the local media, local government officials, and so on, so we could calm the situation.

We realized then that the real disaster we were fighting was PR, not DR. It made us rethink our approach to disaster recovery. Since then, I’ve taken this lesson with me as I’ve consulted with other organizations about the importance of having a well developed public relations strategy that can match what you do with system recovery in a disaster.

7 steps for solidifying your PR DR plan

The lesson learned was that it wasn’t only what you did to recover from a business interruption, but how you communicated about it. This lesson is timely today, because l still encounter many companies and branches that have IT disaster recovery plans nailed down, but that operate without a formal disaster communications plan.

Here are seven steps you can take to solidify the PR side of your DR plan:

1. Develop a communications script and include it in your DR plan

Communications will vary depending on the nature of the business interruption, but there are basic message elements that should be conveyed, such as the company committing to keep everyone updated on progress, or informing stakeholders and customers of the problem, etc. The generic portions of these communications can be scripted in advance. Doing so will assist communicators, who may be nervous in their own right and unsure of what to say. It also assures that communications throughout the organization remain consistent. The message scripts can be included in the PR/DR plan.

2. Define a communications chain of command

When a disaster strikes, it is reported by those who first experience it and then communicated to others. In the PR communications plan, there should be a defined chain of command for communication that designates who receives the DR information first, and then the order of how the news is disseminated.

In many cases, IT — or whoever is immediately experiencing the business interruption — reports the disaster. Using a communications chain of command, the DR information should then be conveyed to executive management. From there, Marketing/PR can take over message distribution to the outside world and to middle managers, who can then convey it to their supervisors and staff.

It’s important to maintain this communications chain of command, because if it is broken, the message can get confused, generating needless panic in employees, customers, and stakeholders.

3. Identify backup spokespersons for designated communicators

For every person who is designated as a spokesperson in a DR/PR communications tree, there should be backup personnel. Some years ago, I was visiting with an IT manager at a company that had been hit by Hurricane Katrina. During the disaster, the company lost several key personnel in IT and in Marketing, so others had to step in and cover.

4. Identify communication outlets

The local media and the public will want to know what happened. They might even call IT directly. This can be avoided when Marketing/PR takes charge and contacts the outside

world first. If the disaster is an IT issue, IT management should aggressively work with Marketing to develop appropriate messaging for outside sources on the nature of the disaster, when recovery is anticipated, and how updates will be given.

5. Rehearse the PR/DR plan

IT and HR often coordinate annual meetings with the management team to walk through the DR plan as a refresher, and to ensure the plan covers everything. A similar walkthrough should be done with the PR portion of the DR plan.

6. Train employees to delegate upward

Employees who are not assigned DR communications responsibilities — this includes IT staff — should refer customers and stakeholders to their managers. This helps to ensure accurate communications, and it reduces the possibility of disseminating inaccurate information.

7. Remember that DR is a business issue — not an IT issue

There are probably some CIOs wondering why the PR portion of a disaster recovery should concern IT at all — but it does. This is because too many companies still feel that IT owns DR.

Disaster recovery and business continuity are not solely owned by IT. This is a subject that the CIO may need to discuss with the CEO, the board, and other executive management.

The message is that IT can shoulder the role of recovering from a system-induced disaster, but the other piece of disaster recovery is assuring outside stakeholders and customers that the company does indeed, have a grip on the disaster.