Why don’t companies apply more risk analysis – Part 2

And while on that subject …

“Consult Human Resources when making disaster recovery plans”

Every DR plan I’ve seen has failed to take into account human factors.
The most basic of these: in any one of a large number of disaster scenarios, how are staff going to get in to the DR site?

So: here we are in Toronto and the DR site is in Arizona.
What sort of disaster will take out Toronto and let all the staff here trek down to Arizona in order to run the IT services to support the customers in, guess where?
Right: Toronto.

So: here we are in Toronto and a disaster takes out the primary site.
What makes you think that the secondary site on the other side of Toronto, or a few blocks away, as is the case for one major bank, isn’t also going to be affected?

So: the primary site is OK, but a tractor-trailer overturned on the highway, the 401 (see Google Maps), across the city, and half or more of your staff can’t get in to work and can’t telecommute ‘cos they are trapped on the congested but unmoving highway.

I’m not being very imaginative here. The first two are from actual clients and the third has occurred quite a few times.

I know where the IT sites and call centres of the primary banks and telecom firms are here in Toronto, and from a DR/BC perspective there’s a great deal of stupidity. They may have the technology side worked out (backups, UPS, hot, warm and cold, accelerator microcode, routing and all that), but not the people side.

That’s why I said in an earlier post in this thread:

No, technology is easy, people are hard to figure.

Some DR plans I’ve seen even admit they can’t address the people side of things. They say so in their ‘assumptions’ section, but do so in a mealy-mouthed way that downplays the fact that these plans are unworkable.

About the author

Security Evangelist
