ITIC Americas: Disaster preparedness

ITIC Americas 2023 Disaster Preparedness Panel

In the second of our ITIC Americas sessions, Jose Marchand, Yanni Jota and Edmund Santiago discuss what have we learned from the pandemic

Jose Marchand, Continuity Coordinator for the Caribbean Area Office, FEMA

Marchand looked at lessons learned from catastrophic and pandemic incidents, focusing on Puerto Rico. He said that in the Caribbean area office there are approximately 3.194 million people in 100x35 miles; that there are 78 municipalities, 10 emergency management zones and multiple hazards and threats – hurricanes, earthquakes, Covid-19, etc. They can never prepare enough.

He also spoke of various disastrous incidents, starting with Hurricane Maria in September 2017. It made landfall as a Category 4, with 155mph sustained winds and 175mph gust winds. It dropped 12 to 25 inches of rain, with isolated locations receiving up to 40 inches, causing catastrophic flooding.

Hurricane Maria resulted in: 100 per cent of Puerto Rico Electric Power Authority (PREPA) clients without service; 80 per cent of all PREPA infrastructure destroyed; 80 per cent of the Puerto Rico Aqueduct and Sewer Authority (PRASA) clients without water service; and only 15–20 per cent of communication towers operational.

Marchand referred to Puerto Rico’s Guánica earthquakeson 28 December 2019, affecting the southern region of Puerto Rico; and on 7 January 2020, a magnitude 6.4 earthquake shook the island 89km south of Guánica, at a depth of 10km.

When Covid-19 arrived on 12March 2020, the Governor declared a state of emergency, and on 15 March, the executive order was amended for a total shutdown.There was a daily 24-hour curfew, except for emergencies.On 27 March, US President Donald Trump signed a Major Disaster Declaration for Puerto Rico.

On 17 September 2022, Hurricane Fiona hit Puerto Rico and remained over the island through to 19 September 2022. On 21 September, President Trump announced a Major Disaster Declaration, FEMA-4671-DR-PR Hurricane Fiona.

Lessons learned

Marchand considered the key learnings and how to move forward – by having a general business continuity and disaster response, continuity of government, good human resources and strong private sector integration.

He said that to prepare, good advice is to:

  • Establish a working group
  • Conduct business process and impact analyses
  • Identify and prioritise critical functions
  • Identify, document and implement mitigation and recovery alternatives.

Marchand concluded that while we cannot avoid natural disasters, we can reduce their impact. Identify all threats – no hazard is too small to be considered. “We need to improve and work on our readiness and response postures, and that the best preparedness for disasters begins with individual protection and security.”

Cameron asked if it’s possible to actually be prepared. Marchand said that organisations must learn from the past, have a list, and be as ready as you can. Jota added that a good foundation really helps – along with an agile attitude. Santiago said that since Hurricane Maria, they are much more prepared, having suffered huge consequences.

Yanni Jota, Sales Vice President, Aetna International Health Services

Jota began by saying that companies need to build resiliency in this age of disruption, and that a people-first approach to disaster preparedness and crisis response is imperative. She discussed resiliency – that it doesn’t just mean not giving up, but also adapting to change.

She added that ‘organisational resiliency means withstanding setbacks and bouncing back from adversity’. Building a framework that puts people first is essential.Jota asked the question: “Which employee or industry factors pose the biggest challenge to your business? Would it be skills and talent shortage, talent retention, or mentally/physically exhausted employees?” She also asked what factors are most important as your business prepares for a disaster – operational processes, agile decision-making and innovations, or a healthy, productive workforce?

At the World Economic Forum in Davos, it was highlighted that there are big changes in workforce behaviour. Employee priorities have changed, and they want a say in how and where to work.

Organisations need to be prepared to respond to pressure and uncertainty, Jota said. A skills and talent shortage, supply chain problems, geo-economic clashes, climate change, short- to long-term planning, finite resources, cost of living crisis and new tech must be taken into account.

Jota said that if companies are rolling out a remote-work solution, then people-first planning is a priority. She said to consider: Who’s already remote? What tech do they have or need? What support do they have or require? Communicate with your team what to expect, ramp up privacy and security, monitor and measure, then prepare for the rollout. They did this for their call centres during the pandemic and ran a short pilot first.  

It should only take seven days to move all service-critical personnel – such as claims processors, leadership and admin – and there should only be two or three days of mitigated service disruption.

The result will be a seamless transition for employees and members, and Jota said that steps to building organisational resilience include:

  • Reviewing your foundations and harnessing technology
  • Enabling agility and empowering with autonomy
  • Improvising and promoting collaboration and connectivity
  • Adopting a people-first approach to resilience.

Finally, she said that a robust, resilient workforce will work if you listen and respond, are a role-model, if you guide and educate, empower and protect, and retain. 

Cameron asked Jota how to deal with digital nomads. She responded that good tech and clear information is vital. Santiago added that it’s difficult to find good people in many areas currently, but that you have to service your staff, no matter where they are.

Edmund Santiago, Chairman and CEO, Redbridge Assist

Santiago posed the question: what has actually been learned from the pandemic? He said that globally we worked out how to adopt important digital technology changes. There is now a necessity to have a much better and faster IT support system, so people can work effectively remotely.

Travel and health insurance has also become a must-have in every suitcase. “New benefits were created for health and travel assistance plans – finding solutions to cover new risks. All institutions must work together and carry out awareness campaigns amongst the population about the importance of being prepared and covered for any unforeseen event.”

Preparedness – a Disaster Recovery (DR) plan

Companies should establish a data protection strategy, prioritise risks and assets, and determine the best way to recover normal operations. A business can lose millions of dollars on systems downtime.

The top causes of data centre downtime include:

  • Human error
  • Unexpected updates and patches
  • Server room environment issues
  • Power outages, fire or explosion, natural disasters such as hurricanes or earthquakes, and malicious cyber attacks.

IT Disaster Recovery (DR) plan

Santiago said that for a DR plan,it’s vital tohave a clear vision, assess the risks, know what you need to protect (hardware and software inventory), have a list of disaster recovery sites, understand procedure restoration, budget, know who has responsibility for what, and test the plan.

A clear vision will help identify what you need to protect: network equipment, hardware, software, cloud services and, most importantly, critical data.

Santiago also said it’s important to identify which threats are likely to face the business as a whole and specific assets. That to assess the risks you must ask:

  • What are the threats most likely to occur?
  • Is there data or history to support them?
  • Are these threats specific to an asset or the whole organisation?
  • What are the likely causes of disruption of service operations?

Organisations should: have a list of disaster recovery sites – what and where, plus an alternative data centre in a remote location that has all critical systems replicated or frequently backed up. Operations can be switched over to the hot site when required.

What needs to be protected? The most important aspects are: critical and sensitive data – Personally Identifiable Information (PII), credit cardholder data and Intellectual property (IP).

Organisations should think aboutMulti level Protection – ISO 27001 Certification – this guarantees the confidentiality, protection, security, integrity and continued availability of essential information and data of the company, its customers and associates. He also talked of the importance of infrastructure hosted in the cloud – Virtual Environment (Microsoft Azure leader in security) which helps with a complete migration of physical technological systems, its data and applications, as well as email capacities, conserving documents for 10 years. Santiago said that multi-layered protection is crucial as security threats multiply daily around the world.

Cloud infrastructure means a reduction in operating costs, it is flexibile, it’s targeted, secure, with training for developers and an availability of effective solutions.

It is important that businesses control the IT budget when migrating to cloud services, Santiago added. “The cost may be the reason why Microsoft Azure is so attractive for so many businesses. The payment model used allows PYMES to better manage their IT budgets, since they can buy all they need.”

Testing the plan

Santiago advises companies to conduct a drill every six months – a plan might look great on paper, but fail in a realistic scenario. Analyse staff response according to the plan, rearrange roles if needed, then update the plan at least once per year. Finally, ensure that the plan reflects the current structure and IT set-up.

Cameron asked if we managed the challenges of the pandemic by accident, and if we can ever be prepared for things like Covid-19? Santiago replied that we can never be 100 per cent prepared, but if we have a base of preparedness, it is a start. Jota added that we don’t know what we don’t know – to be OK with being flexible. Marchand said not to be reliable on just local services.

Finally, Cameron asked for the most important thing regarding disaster preparedness. Marchand said not to eliminate risks, but to be as prepared as you can. Jota said to have a good base which you can change and adapt. Santiago said to prepare to prepare.