Unit 4: Disaster Management: Structure

Disaster Management 179
Notes
Unit 4: Disaster Management
Structure:
4.1 Types of Disasters
4.1.1 Disaster Prevention
4.2 Disaster Management and Mitigation Strategies
4.2.1 Disaster Preparedness
4.2.2 Action Planning Checklist
4.3 Understanding Disaster Recovery
4.3.1 Classification of Disasters
4.3.2 Importance of Disaster Recovery Planning
4.3.3 Control Measures
4.3.4 Strategies
4.4 Business Continuity Management
4.4.1 Disaster Recovery and Business Continuity Auditing
4.4.2 Metrics
4.4.3 Mission Statement
4.4.4 The DR Committee and Auditor
4.4.5 Documentation
4.4.6 Strategies
4.4.7 Other Considerations
4.4.8 Planning
4.4.9 Media Management
4.4.10 BCP vs. DRP
4.4.11 Business Continuity Plan (BCP)
4.4.12 Disaster Recovery Plan (DRP)
4.5 Business Continuity Plan Ten Steps
4.5.1 Ten Steps to an Effective Business Continuity Plan
4.6 Summary
4.7 Check Your Progress
4.8 Questions and Exercises
4.9 Key Terms
4.10 Check Your Progress: Answers
4.11 Case Study
4.12 Further Readings
Objectives
After studying this unit, you should be able to understand:
Ɣ Disaster Management
Ɣ Disaster Recovery and business continuity
Amity Directorate of Distance and Online Education

180 Information Security and Risk Management
Notes Ɣ Encryption
Ɣ BCP
Ɣ A case study based on this unit
Disaster
Disaster is a sudden, calamitous event bringing great damage, loss, destruction and
devastation to life and property. WHO defines Disaster as “any occurrence, that causes
damage, ecological disruption, loss of human life, deterioration of health and health
services, on a scale sufficient to warrant an extraordinary response from outside the
affected community or area”.
The damage caused by disasters is immeasurable and varies with the geographical
location, climate and the type of the earth surface/degree of vulnerability. This influences
the mental, socio-economic, political and cultural state of the affected area. Generally,
disaster has the following effects in the concerned areas:
1. It completely disrupts the normal day-to-day life.
2. It negatively influences the emergency systems.
3. Normal needs and processes like flood, shelter, health, etc. are affected and
deteriorate depending on the intensity and severity of the disaster.
4. It may also be termed as “a serious disruption of the functioning of society,
causing widespread human, material or environmental losses which exceed
the ability of the affected society to cope using its own resources”.
Disaster Management
The United Nations defines a disaster as a serious disruption of the functioning of a
community or a society. Disasters involve widespread human, material, economic or
environmental impacts, which exceed the ability of the affected community or society to
cope using its own resources.
The Red Cross and Red Crescent Societies define disaster management as the
organization and management of resources and responsibilities for dealing with all
humanitarian aspects of emergencies, in particular preparedness, response and
recovery in order to lessen the impact of disasters.
4.1 Types of Disasters

There is no country that is immune from disaster, though vulnerability to disaster
varies. There are four main types of disaster:
(a) Natural disasters: Including floods, hurricanes, earthquakes and volcano
eruptions that have immediate impacts on human health and secondary
impacts causing further death and suffering from (for example) floods,
landslides, fires and tsunamis.
(b) Environmental emergencies: Including technological or industrial accidents,
usually involving the production, use or transportation of hazardous material,
and occur where these materials are produced, used or transported, and forest
fires caused by humans.
(c) Complex emergencies: Involving a breakdown of authority, looting and
attacks on strategic installations, including conflict situations and war.

(d) Pandemic emergencies: Involving a sudden onset of contagious disease that

Notes
affects health, disrupts services and businesses, and brings economic and
social costs.
Any disaster can interrupt essential services, such as health care, electricity, water,
sewage/garbage removal, transportation and communications. The interruption can
seriously affect the health, social and economic networks of local communities and
countries. Disasters have a major and long-lasting impact on people long after the
immediate effect has been mitigated. Poorly planned relief activities can have a
significant negative impact not only on the disaster victims but also on donors and relief
agencies. So it is important that physical therapists join established programmes rather
than attempting individual efforts.
Local, regional, national and international organizations are all involved in mounting
a humanitarian response to disasters. Each will have a prepared disaster management
plan. These plans cover prevention, preparedness, relief and recovery.
4.1.1 Disaster Prevention

These are activities designed to provide permanent protection from disasters. Not all
disasters, particularly natural disasters, can be prevented, but the risk of loss of life and
injury can be mitigated with good evacuation plans, environmental planning and design
standards. In January 2005, 168 Governments adopted a 10-year global plan for natural
disaster risk reduction called the Hyogo Framework. It offers guiding principles, priorities
for action, and practical means for achieving disaster resilience for vulnerable
communities.
The Hyogo Framework for Action 2005-2015: Building the Resilience of Nations and
Communities to Disasters (HFA) is the first plan to explain, describe and detail the work
that is required from all different sectors and actors to reduce disaster losses. It was
developed and agreed on with the many partners needed to reduce disaster risk –
governments, international agencies, disaster experts and many others – bringing them
into a common system of coordination. The HFA outlines five priorities for action, and
offers guiding principles and practical means for achieving disaster resilience. Its goal is
to substantially reduce disaster losses by 2015 by building the resilience of nations and
communities to disasters. This means reducing loss of lives and social, economic, and
environmental assets when hazards strike.
Priority Action 1: Ensure that disaster risk reduction is a national and a local
priority with a strong institutional basis for implementation.
Countries that develop policy, legislative and institutional frameworks for disaster
risk reduction and that are able to develop and track progress through specific and
measurable indicators have greater capacity to manage risks and to achieve widespread
consensus for, engagement in and compliance with disaster risk reduction measures
across all sectors of the society.
Priority Action 2: Identify, assess and monitor disaster risks and enhance
early warning.
The starting point for reducing disaster risk and for promoting a culture of disaster
resilience lies in the knowledge of the hazards and the physical, social, economic and
environmental vulnerabilities to disasters that most societies face, and of the ways in
which hazards and vulnerabilities are changing in the short and long term, followed by
action taken on the basis of that knowledge.
Priority Action 3: Use knowledge, innovation and education to build a culture
of safety and resilience at all levels.

Disasters can be substantially reduced if people are well informed and motivated
Notes
towards a culture of disaster prevention and resilience, which in turn requires the
collection, compilation and dissemination of relevant knowledge and information on
hazards, vulnerabilities and capacities.
Priority Action 4: Reduce the underlying risk factors.
Disaster risks related to changing social, economic, environmental conditions and
land use, and the impact of hazards associated with geological events, weather, water,
climate variability and climate change are addressed in sector development planning and
programmes as well as in post-disaster situations.
Priority Action 5: Strengthen disaster preparedness for effective response at
all levels.
At times of disaster, impacts and losses can be substantially reduced if authorities,
individuals and communities in hazard-prone areas are well prepared and ready to act
and are equipped with the knowledge and capacities for effective disaster management.
Disaster Preparedness
These activities are designed to minimize loss of life and damage – for example by
removing people and property from a threatened location and by facilitating timely and
effective rescue, relief and rehabilitation. Preparedness is the main way of reducing the
impact of disasters. Community-based preparedness and management should be a high
priority in physical therapy practice management.
Disaster Relief
This is a coordinated multi-agency response to reduce the impact of a disaster and
its long-term results. Relief activities include rescue, relocation, providing food and water,
preventing disease and disability, repairing vital services such as telecommunications
and transport, providing temporary shelter and emergency health care.
Disaster Recovery
Once emergency needs have been met and the initial crisis is over, the people
affected and the communities that support them are still vulnerable. Recovery activities
include rebuilding infrastructure, health care and rehabilitation. These should blend with
development activities, such as building human resources for health and developing
policies and practices to avoid similar situations in future.
Disaster management is linked with sustainable development, particularly in relation
to vulnerable people such as those with disabilities, elderly people, children and other
marginalized groups. Health Volunteers Overseas Publications address some of the
common misunderstandings about disaster management.
4.2 Disaster Management and Mitigation Strategies

Disaster Management is the discipline of dealing with and avoiding risks. It is a
discipline that involves preparing for disaster before it occurs, disaster response (e.g.,
emergency evacuation, quarantine, mass decontamination, etc.), as well as supporting,
and rebuilding society after natural or human-made disasters have occurred. In general,
any disaster management is the continuous process by which all individuals, groups, and
communities manage hazards in an effort to avoid or ameliorate the impact of disasters
resulting from the hazard.
Mitigation efforts attempt to prevent hazards from developing into disasters
altogether, or to reduce the effects of disasters when they occur. The mitigation phase

differs from the other phases because it focuses on long-term measures for reducing or
Notes
eliminating risk. The implementation of mitigation strategies can be considered as part of
the recovery process if applied after a disaster occurs.
4.2.1 Disaster Preparedness

Disasters happen anytime and anywhere. And when disaster strikes, you may not
have much time to respond. An earthquake, flood, tornado, winter storm, highway spill or
hazardous material or any other disaster could cut water, electricity, and telephones—for
days, require evacuation or confine your family at home for days.
After a disaster, local officials and relief workers will be on the scene, but they
cannot reach everyone immediately. You could get help in hours, or it may take days. So,
we should be aware and prepared to cope with the emergency until help arrives.
Creating the Disaster Prevention and Response Plan

A sound disaster prevention and response plan reflects the common and the unique
needs of educators, students, families, and the greater community. The plan outlines
how all individuals in the school community—administrators, teachers, parents, students,
and support staff—will be prepared to spot the behavioural and emotional sighs that
indicate a child is troubled, and what they will need to do. The plan also details how
school and community resources can be used to create safe environments and to
manage responses to acute threats and incidents of violence.
Forming the Prevention and Resource Team

It can be helpful to establish a school-based team to oversee the preparation and
implementation of the prevention and response plan. This does not need to be a new
team; however, a designated core group should be entrusted with this important
responsibility.
The core team should ensure that every member of the High School Community
accepts and adopts the disaster prevention and response plan. This buy-in is essential if
all members of the school community are expected to feel comfortable sharing concerns
about children who appear troubled. Too often, caring individuals remain silent because
they have no way to express their concerns.
Typically, the core team includes the building administrator, general and special
education teachers, parent(s), and a pupil support services representative (a school
psychologist, social worker, or counselor), and a doctor. It is the role of a teacher to
contact these persons and make a part of the team. The teachers should encourage
having health camps in the school every six months. The core team could also have a
member from the local police station for its smooth functioning.
The core team also should coordinate with any school advisory boards already in
place. For example, most effective schools have developed an advisory board of parents
and community leaders that meets regularly with school administrators. While these
advisory groups generally offer advice support, that role can be expanded to bringing
resources related to disaster prevention and intervention into the school.
While we cannot prevent disasters from occurring, we can do much to reduce the
likelihood of its occurrence. Through thoughtful planning and the establishment of a
school disaster prevention and response team, we can avert many crises and be
prepared when they do happen.

Notes 4.2.2 Action Planning Checklist
A Step-by-step Guide for Teachers

School fire drills are held in order to provide for the day and well-being of students
and staff. Fine codes address many aspects of life safety, including school fire drills at
least once each month during school session. Let’s continue to provide a fire safe
environment for our children by activity participating in monthly school fire drills.
1. Plan Ahead
Ɣ Know your school district’s policy: Most school district include the following:
an assigned meeting place for students: individual class rosters so that
students can be accounted for; that windows and doors be closed to prevent
the spread of fire; and provisions for assigning an adult assistant or a student’s
buddy to assist classmates with special needs.
Ɣ Know your school’s fire protection system: Be familiar with the type of fire
protection system at your school. Know the location of pull stations and
whether your school is protected by fire sprinklers.
Ɣ Know the alarm sound: Learn your school fire alarm’s sound so you can
respond quickly.
Ɣ Know the school floor plan: Every room in your school should have a map
posted showing at least two ways out so you can escape, even if one exit is
blocked. Know alternate routes of escape.
Ɣ Know the escape plan: Time is a critical factor in a fire emergency. Learn
which exit to use. It’s important to know exactly what to do when the fire alarm
sounds. Elevators should never be used during a fire.
2. Discuss Procedures with Students
Ɣ Be orderly: Students should know how to quietly line up and leave the room
when the alarm sounds.
Ɣ Test doors before opening: Kneel or crouch and feel the door. If the door is
warm, use another escape route. If it is cool, open it slowly. Be prepared to
close the door if there is smoke or flame on the other side.
Ɣ Crawl low under smoke: Since heat rises and carries toxic smoke with it, the
air will be cooler and cleaner near the floor during a fire. If you find smoke, try
another escape route. If you must exit through smoke, crawl on your hands and
knees and keep your head 12 to 24 inches above the floor.
Ɣ Know where you’re going: Know which exit to use and go to the assigned
meeting place outside the building.
Ɣ Helping others: Plan for students who need special help leaving the building.
Discuss these procedures with the class.
3. Practice
Ɣ Monthly School Fire Drills: Fire drills are required at least once each month
during the school year. Fire drills include the complete evacuation of all
persons from the building. No one should re-enter the building until directed a
designed person.
Ɣ Home Fire Drills: School fire drills are a model for children to use their own
homes. Home fire escape plans are important and should be practiced twice a
year. Practice is essential.
The Government of India over the years formulated strategies to cope with, prevent
and mitigate disasters because of the frequency of disasters affecting the country. These

policies consist of long- and short-term prevention and preparedness measures and
Notes
immediate response mechanisms. They also include appropriate administrative
structures to manage disaster response, financial systems to fund and facilitate them, the
mechanisms to ensure that policies and strategies are continuously reviewed and revised
in the light of experiences within the country and in other parts of the world. We, as
teachers as responsible citizens of our country, should be a part and parcel of the
disaster preparedness drive taken up in the country.
4.3 Understanding Disaster Recovery

Disaster Recovery (DR) involves a set of policies and procedures to enable the
recovery or continuation of vital technology infrastructure and systems following a natural
or human-induced disaster. Disaster recovery focuses on the IT or technology systems
supporting critical business functions, as opposed to business continuity, which involves
keeping all essential aspects of a business functioning despite significant disruptive
events. Disaster recovery is, therefore, a subset of business continuity.
Disaster recovery developed in the mid- to late 1970s as computer center managers
began to recognize the dependence of their organizations on their computer systems. At
that time, most systems were batch-oriented mainframes which in many cases could be
down for a number of days before significant damage would be done to the organization.
As awareness of the potential business disruption that would follow an IT-related disaster,
the disaster recovery industry developed to provide backup computer centers, with Sun
Information Systems (which later became Sungard Availability Systems) becoming the
first major US commercial hot site vendor, established in 1978 in Philadelphia. During the
1980s and 90s, customer awareness and industry both grew rapidly, driven by the advent

of open systems and real-time processing which increased the dependence of
Notes
organizations on their IT systems. Regulations mandating business continuity and
disaster recovery plans for organizations in various sectors of the economy imposed by
the authorities and by business partners, increased the demand and led to the availability
of commercial disaster recovery services, including mobile data centers delivered to a
suitable recovery location by truck.
With the rapid growth of the Internet through the late 1990s and into the 2000s,
organizations of all sizes became further dependent on the continuous availability of their
IT systems, with some organizations setting objectives of 2, 3, 4 or 5 nines (99.999%)
availability of critical systems. This increasing dependence on IT systems, as well as
increased awareness from large-scale disasters such as tsunami, earthquake, flood, and
volcanic eruption, spawned disaster recovery-related products and services, ranging
from high-availability solutions to hot-site facilities. Improved networking meant critical IT
services could be served remotely; hence on-site recovery became less important.
The meteoric rise of cloud computing since 2010 continues that trend: nowadays, it
matters even less where computing services are physically served, just so long as the
network itself is sufficiently reliable (a separate issue and less of a concern since modern
networks are highly resilient by design). ‘Recovery as a Service’ (RaaS) is one of the
security features or benefits of cloud computing being promoted by the Cloud Security
Alliance.
4.3.1 Classification of Disasters

Disasters can be classified into two broad categories. The first is natural disasters
such as floods, hurricanes, tornadoes or earthquakes. While preventing a natural
disaster is very difficult, risk management measures such as avoiding disaster-prone
situations and good planning can help.
The second category is manmade disasters, such as hazardous material spills,
infrastructure failure, bio-terrorism, and disastrous IT bugs or failed change
implementations. In these instances, surveillance, testing and mitigation planning are
invaluable.
4.3.2 Importance of Disaster Recovery Planning

Recent research supports the idea that implementing a more holistic pre-disaster
planning approach is more cost-effective in the long run. Every $1 spent on hazard
mitigation (such as a disaster recovery plan) saves society’s $4 in response and recovery
costs. As IT systems have become increasingly critical to the smooth operation of a
company, and arguably the economy as a whole, the importance of ensuring the
continued operation of those systems, and their rapid recovery, has increased. For
example, of companies that had a major loss of business data, 43% never reopen and
29% close within two years. As a result, preparation for continuation or recovery of
systems needs to be taken very seriously. This involves a significant investment of time
and money with the aim of ensuring minimal losses in the event of a disruptive event.
4.3.3 Control Measures

Control measures are steps or mechanisms that can reduce or eliminate various
threats for organizations. Different types of measures can be included in Disaster
Recovery Plan (DRP).
Disaster recovery planning is a subset of a larger process known as business
continuity planning and includes planning for resumption of applications, data, hardware,
electronic communications (such as networking) and other IT infrastructure. A Business

Continuity Plan (BCP) includes planning for non-IT related aspects such as key
Notes
personnel, facilities, crisis communication and reputation protection, and should refer to
the Disaster Recovery Plan (DRP) for IT related infrastructure recovery/continuity.
IT disaster recovery control measures can be classified into the following three
types:
1. Preventive measures: Controls aimed at preventing an event from occurring.
2. Detective measures: Controls aimed at detecting or discovering unwanted
events.
3. Corrective measures: Controls aimed at correcting or restoring the system
after a disaster or an event.
Good disaster recovery plan measures dictate that these three types of controls be
documented and exercised regularly using so-called “DR tests”.
4.3.4 Strategies
Prior to selecting a disaster recovery strategy, a disaster recovery planner first
refers to their organization’s business continuity plan which should indicate the key
metrics of Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for
various business processes (such as the process to run payroll, generate an order, etc.).
The metrics specified for the business processes are then mapped to the underlying IT
systems and infrastructure that support those processes. Incomplete RTOs and RPOs
can quickly derail a disaster recovery plan. Every item in the DR plan requires a defined
recovery point and time objective, as failure to create them may lead to significant
problems that can extend the disaster’s impact. Once the RTO and RPO metrics have
been mapped to IT infrastructure, the DR planner can determine the most suitable
recovery strategy for each system. The organization ultimately sets the IT budget and
therefore, the RTO and RPO metrics need to fit with the available budget. While most
business unit heads would like zero data loss and zero time loss, the cost associated with
that level of protection may make the desired high availability solutions impractical. A
cost-benefit analysis often dictates which disaster recovery measures are implemented.
Some of the most common strategies for data protection include:
1. Backups made to tape and sent off-site at regular intervals.
2. Backups made to disk on-site and automatically copied to off-site disk, or made
directly to off-site disk.
3. Replication of data to an off-site location, which overcomes the need to restore
the data (only the systems then need to be restored or synchronized), often
making use of Storage Area Network (SAN) technology.
4. Private Cloud solutions which replicate the management data (VMs, Templates
and disks) into the storage domains which are part of the private cloud setup.
These management data are configured as an xml representation called OVF
(Open Virtualization Format), and can be restored from the database once a
disaster occurs. For example, Disaster Recovery with oVirt.
5. Hybrid Cloud solutions that replicate both on-site and to off-site data centers.
These solutions provide the ability to instantly fail-over to local on-site
hardware, but in the event of a physical disaster, servers can be brought up in
the cloud data centers as well. Examples include Quorom, rCloud from
Persistent Systems or Ever Safe.
6. The use of high availability systems which keep both the data and system
replicated off-site, enabling continuous access to systems and data, even after
a disaster (often associated with cloud storage).

7. In many cases, an organization may elect to use an outsourced disaster
Notes
recovery provider to provide a stand-by site and systems rather than using their
own remote facilities, increasingly via cloud computing.
In addition to preparing for the need to recover systems, organizations also
implement precautionary measures with the objective of preventing a disaster in the first
place. These may include:
1. Local mirrors of systems and/or data and use of disk protection technology
such as RAID
2. Surge protectors — to minimize the effect of power surges on delicate
electronic equipment
3. Use of an Uninterruptible Power Supply (UPS) and/or backup generator to
keep systems going in the event of a power failure
4. Fire prevention/mitigation systems such as alarms and fire extinguishers
5. Anti-virus software and other security measures
4.4 Business Continuity Management

Recent events such as terrorist attacks and high profile disasters together with an
increased need for corporate governance have changed the emphasis of Business
Continuity and Disaster Recovery Planning away from towards what was predominantly
Information Technology (IT) recovery. This emphasis is coming from several areas
including customers, insurance and financial institutions, stakeholders and those who
need to ensure there is a plan in place to deal with the "unexpected" so that the
organization can recover from a disastrous event quickly.
Business Continuity Planning is now high on the list of senior management and
executives' agendas and is increasingly becoming an integral part of an organization’s
good business practice processes. By having a plan, an organization can minimize the
impact of such an event on its personnel, assets, market share and finances. Research
into business continuity has shown that the likelihood of an organization surviving a major
event without a plan is less than 20%. Conversely, with a documented plan there is an
80% survival rate.
Standby’s Business Continuity Management process follows the professionally
recognized series of steps, recommended by the Disaster Recovery Institute
International (USA) and the Business Continuity Institute (UK).
4.4.1 Disaster Recovery and Business Continuity Auditing

Disaster Recovery (DR) and business continuity refers to an organization’s ability to
recover from a disaster and/or unexpected event and resume operations. Organizations
often have a plan in place (usually referred to as a “Disaster Recovery Plan”, or
“Business Continuity Plan”) that outlines how a recovery will be accomplished. The key to
successful disaster recovery is to have a plan (emergency plan, disaster recovery plan,
and continuity plan) well before disaster ever strikes.
Given ever-changing business objectives, one common need in disaster recovery is
to perform an audit of the disaster recovery capacity of an organization. The purpose of
such audit is to discover how closely an organization’s disaster recovery readiness aligns
to actual organizational objectives. When conducting an audit of a disaster recovery plan,
factors such as alternate site designation, training of personnel, and insurance issues are
considered. In conducting a disaster recovery audit, the individual or team performing the
audit uses a number of procedures and processes to achieve the objectives of the audit.
Successful disaster recovery audits clearly state their objectives in an audit plan.

4.4.2 Metrics Notes

Some of the key metrics to be measured in a disaster recovery environment are the
Recovery Time Objective (RTO) and Recovery Point Objective (RPO). RTO is a metric
that measures the time that it takes for a system to be completely up and running in the
event of a disaster. RPO measures the ability to recover files by specifying a point in time
restore of the backup copy.
4.4.3 Mission Statement

A disaster recovery mission statement is used to identify the purpose and goals of
the disaster recovery plan. The mission statement can also help an auditor obtain a
better understanding of the organization’s environment. An auditor examined the mission
statement to determine the objectives, priorities, and goals of the disaster recovery plan.
4.4.4 The DR Committee and Auditor

The organization appoints individuals responsible for designing and implementing
the disaster recovery plan when needed. Generally, this consists of a team headed by a
project manager, with a deputy manager who has the capability to take over the
responsibilities, if needed. The qualities needed for this position vary depending upon the
organization. A good disaster recovery plan project manager is often someone who has
good leadership abilities, strong knowledge of company business, strong knowledge of
management processes, experience and knowledge in information technology and
security, and of course, good project management skills. Other members of the team
need to have a clear understanding and ability to perform the requisite procedures.
An auditor is assigned to examine and assess the project manager and deputy
project manager’s training, experience, and abilities as well as to analyze the capabilities
of the team members to complete assigned tasks and that more than one individual is
trained and capable of doing a particular function. Tests and inquiries of personnel can
help achieve this objective.
Organizations, particularly large organizations, ordinarily assign the task of
determining, on an ongoing basis, if the procedures stated in the disaster recovery plan
are actually consistent with real practice to a specific individual within the organization.
This individual may be referred to as the disaster recovery officer, the disaster recovery
liaison, the DR coordinator, or some other similar title. Some of the techniques used to
determine such consistency are direct observation of procedures, examination of the
disaster recovery plan, and inquiries of personnel.
4.4.5 Documentation
To maximize their effectiveness, disaster recovery plans are documented in written
form and in a manner that is easily understood by those who will need to use it. In
addition, the plan must also be readily available as well, since digging for a hard-to-find or
misplaced disaster recovery plan at a time of a disaster can complicate the effect of the
disaster. Furthermore, because of the constant changes that occur in the modern
business environment, disaster plans are most effective when updated frequently. This
way, the plans will also cover new and existing threats as such threats develop.
Adequate records need to be retained by the organization. The auditor examines records,
billings, and contracts to verify that records are being kept. One such record is a current
list of the organization’s hardware and software vendors. Such list is made and
periodically updated to reflect changing business practice. Copies of it are stored on-site
and off-site and are made available or accessible to those who require them. An auditor
tests the procedures used to meet this objective and determine their effectiveness.

Notes 4.4.6 Strategies
Site Designation
A hot/cold site is a location that an organization can move to after a disaster if the
current facility is unusable. The difference between the two is that a hot site is fully
equipped to resume operations while a cold site does not have that capability. There is
also what is referred to as a warm site which has the capability to resume some, but not
all operations. The decision a company makes when determining what type of site to
establish often hinges on the results of a cost-benefit analysis as well as the needs of the
organization. A disaster recovery plan spells out how relocation to a new facility is to be
conducted. Companies perform occasional tests and conduct trials to verify the viability
and effectiveness of the plan and to determine if any deficiencies exist and how they can
be dealt with. An audit of a company’s Disaster Recovery Plan primarily looks into the
probability that operations of the organization can be sustained at the level that is
assumed in the plan, as well as the ability of the entity to actually establish operations at
the site. A review of the disaster recovery plan generally involves examining and testing
the procedures included, conducting outside research relating to Disaster Recovery,
determining reasonable standards relating to implementation, touring, examining, and
researching the outside facility.
The auditor can verify this through paper and paperless documentation and actual
physical observation. Testing of the backups and procedures is also performed to
confirm data integrity and effective processes. The security of the storage site is also
confirmed.
Data Backup
Data backups are central to any disaster recovery plan. An audit of backup
processes determines if: (a) they are effective, and (b) if they are actually being
implemented by the involved personnel. Some techniques that are used to accomplish
this include direct observation of the processes in question, analyzing and researching
the backup equipment used, conducting computer-assisted audit techniques and tests,
examining of paper and paperless records.
The continual backing up of data and systems can help minimize the impact of
threats. Even so, the disaster recovery plan also includes information on how best to
recover any data that has not been copied. Controls and protections are put in place to
ensure that data is not damaged, altered, or destroyed during this process. Information
technology experts and procedures need to be identified that can accomplish this
endeavour. Vendor manuals can also assist in determining how best to proceed.
Drills
Practice drills conducted periodically to determine how effective the plan is and to
determine what changes may be necessary. The auditor’s primary concern here is
verifying that these drills are being conducted properly and that problems uncovered
during these drills are addressed and procedures designed to deal with these potential
deficiencies are implemented and tested to determine their effectiveness.
Backup of Key Personnel

A disaster recovery plan includes clearly written policies and specific communication
with employees to ensure that both regular and replacement personnel is selected,
documented, and informed should a disaster occur. There must also be confirmation that
the replacement personnel can actually do the duties assigned to them in an event of an
emergency. Periodic training and cross-training is often used to accomplish this. This

training includes updates to existing job positions and testing to confirm proficiency.
Notes
Some of the issues related to this activity verify that: (1) policies are being enforced,
(2) testing is effective, and (3) training is adequate.
4.4.7 Other Considerations
Insurance Issues
The auditor determines the adequacy of the company’s insurance coverage
(particularly property and casualty insurance) through a review of the company’s
insurance policies and other research. Among the items that the auditor needs to verify
are: the scope of the policy (including any stated exclusions), that the amount of
coverage is sufficient to cover the organization’s needs, and that the policy is current and
in force. The auditor also ascertains, through a review of the ratings assigned by
independent rating agencies, that the insurance company or companies providing the
coverage have the financial viability to cover the losses in the event of a disaster.
Effective DR plans take into account the extent of a company’s responsibilities to
other entities and its ability to fulfill those commitments despite a major disaster. A good
DR audit will include a review of existing MOA and contracts to ensure that the
organization’s legal liability for lack of performance in the event of disaster or any other
unusual circumstance is minimized. Agreements pertaining to establishing support and
assisting with recovery for the entity are also being outlined. Techniques used for
evaluating this area include an examination of the reasonableness of the plan, a
determination of whether or not the plan takes all factors into account and a verification of
the contracts and agreements reasonableness through documentation and outside
research.
Communication Issues
Good disaster recovery planning ensures that both management and the recovery
team have disaster recovery procedures which allow for effective communication. This
can be accomplished by ensuring contact information is easily accessible and that drills
conducted test for communication abilities. A good disaster recovery plan includes not
only internal communication considerations but external issues as well. Such external
communications considers issues related to communication between the organization
and outside individuals and organizations, such as business partners. Procedures to test
this communication capability generally mirror those of the organization itself. The
disaster recovery evaluates these procedures and assumptions to determine if they are
reasonable and likely to be effective. Some techniques used by a DR auditor in
evaluating readiness include testing of procedures, interviewing employees, making
comparison against the DR plans of other company and against industry standards, and
examining company manuals and other written procedures. The auditor can verify
through direct observation that emergency telephone numbers are listed and easily
accessible in the event of a disaster.
Emergency Procedures
Procedures to sustain staff during a round-the-clock disaster recovery effort are
included in any good disaster recovery plan. Procedures for the stocking of food and
water, capabilities of administering CPR/first aid, and dealing with family emergencies
are clearly written and tested. This can generally be accomplished by the company
through good training programs and a clear definition of job responsibilities. A review of
the readiness capacity of a plan often includes tasks such as inquires of personnel, direct
physical observation, and examination of training records and any certifications.

Environmental Issues
Notes
Disaster recovery plans may also involve procedures that take into account the
possibility of power failures or other situations that are of a non-IT nature. Such plan
indicates what procedures to be used in this situation and also includes information on
storage of flashlights and candles, as well as additional safety procedures in case of gas
leaks, fires or other such phenomena. Trial runs are conducted to test the procedures’
effectiveness and viability. The readiness of an organization in this regard can be
assessed by examining and testing procedures for reasonableness, making inquiries on
personnel, and conducting outside research.
Business Continuity Management

Before even starting to create a Business Continuity Plan, it is of vital importance to
get the full support of the management and governance of your organization. Without it, it
will be very difficult to push BCP plans through the entire company. Furthermore, directors
should be involved in the strategic design of the BCP as it will help to create a realistic
plan which will be focused on the business interests of the company.
After that, one should start to man the team which will be responsible for designing
the BCP and to initiate the business continuity management process. This is important as
the team will serve as central focus point during the entire Business Continuity
Management Process. It is also important to set a time scale for the BCP delivery and
create a budget for the process.
Next the BCP team has to identify threats and conduct a risk assessment, which will
help to design the areas on which the plan should focus as it impossible to avoid or
mitigate all risk. Hence, the team will have to prioritize depending on likelihood of the risk
and business impact. It is very important to analyze all risks and threats whether they be
technical, economic, internal, external, human or natural.
Once the risk assessment has been done, one has to do manage the risks.
Preventive, detective and reactive means have to be put in place in order to protect the
company. For example, it might be possible to mitigate risks by using insurance,
contracting out some services, implementing safeguards and controls and so. High
impact, but low probability risks which cannot be mitigated are prime candidates for
Business Continuity Planning.
Business Impact Analysis

A business impact analysis will help to define critical business processes. This is
useful, since once a major incident happens, all efforts must be invested to return the
primary business functions to a predetermined level during the critical business
resumption phase and to establish the time span to achieve these objectives. Both of
these objectives must be determined by management beforehand for the process to
proceed as smoothly as possible. One has to collect data in order to decide which the
primary business processes are and which are the secondary. As a company has limited
resources, it is critical to understand where it needs to focus on in order to recover in
case of an incident.
4.4.8 Planning
Once that has been done, the team can design the Business Continuity Plan(s). It is
important to make the plan simple enough so that it can be executed without any
problems during a crisis and it needs to be based on steps previously described. Also
one has to define the threshold for every incident so that appropriate measures can be
taken depending on the incident. Once the BCP plans has been designed and approved,

it needs to be tested under realistic conditions as untested BCPs historically fail. David
Notes
Spinks, Director of Information Assurance EDS, stresses that, “we see far too many
Business Continuity Plans and/or Disaster Recovery Plans that whilst they have been
tested were done so in unrealistic ideal conditions and thus we do not truly recognize
what really happens in a crisis.”
It is important to always tie aims during the Business Continuity Management
Process to the business needs. For example, it is not the function of an Information
Security to protect all information. They just need to protect the information which the
business needs to protect. The same needs to be done with Business Continuity
Planning.
Once the plan has been tested and designed, it is important to revaluate the plan
and retest it as business processes change periodically as the requirements of
companies are changing from time to time. For example, a company buys new
equipment on which it is heavily dependent. Thus, a BCP should be revised after
purchases, upgrades of equipment and so on. It is, therefore, important to realize that the
Business Continuity Plan is a living document, which needs to be changed and adjusted
if business requirements change.
Finally, it is equally important to educate everyone in the company of the BCP.
Since it will be the employees who are there to react to (or in some cases prevent) an
incident, a BCP’s success or failure depends largely on the way it is implemented by the
employees. If not properly trained regarding the BCP, its likelihood of success is
seriously diminished.
4.4.9 Media Management

One aspect of BCP which deserves special attention is media management.
Business Continuity not only deals with putting all the company’s effort in recovering the
critical business processes. It is of as much importance to have good media
management during this process, whether you do it yourself in a small company, or have
professional help in a larger company. This is because a company which recovered after
an incident, but did not communicate with its customers, suppliers, stakeholders,
shareholders, employees, or affected public will have lost the trust of these groups. This
will have an adverse impact on the company’s public perception, lead to a deterioration
of faith in the company, and in the end, it will translate itself into revenue losses. So, BCP
should also focus on what the military like to call “hearts and minds” operations where the
company tries to maintain its public standing. Businesses should prepare public
statements beforehand as it would be very bad to have no comments during a crisis as it
will not prevent journalists from writing about the event and turn the event into a PR
nightmare.
Manufacturers are highly dependent on their suppliers; hence, it is important to work
together with the important ones (at least the ones that support the primary business
functions) and make sure that they have good BCP plans in place as it is of little use to
have effective BCP plans in place whilst the main suppliers have none.
In conclusion, businesses should have BCP in place in order to resume functionality,
and procedures in place in case of an incident which affects the company and which will
enable them to recover far quicker and with less losses than a company who disregards
such plans, thinking ‘it would never happen to us’. Business Continuity needs to be seen
as safety net for businesses. Even though there are costs involved, it is well worth having
such plans as it will save the business during an incident and help it react in an ordered
and timely matter. Good BCP plans, which are implemented successfully during a crisis,

will give the company good return of investments and hence BCP can be seen as a
Notes
business enabler.
4.4.10 BCP vs. DRP
Business Continuity Plan versus Disaster Recovery Plan

When people start on the journey to develop plans to deal with a major event, they
are confronted by two different terms – Business Continuity Plan and Disaster Recovery
Plan. There is quite a difference between these two plans and it is important that an
organization clearly understands what sort of planning it requires.
4.4.11 Business Continuity Plan (BCP)

Business Continuity Planning is best described as the processes and procedures
that are carried out by an organization to ensure that essential business functions
continue to operate during and after a disaster. By having a BCP, organizations seek to
protect their mission-critical services and give themselves their best chance of survival.
This type of planning enables them to re-establish services to a fully functional level as
quickly and smoothly as possible. BCPs generally cover most or all of an organization’s
critical business processes and operations.
Conceptually, the thinking for the test of if it is a Business Continuity Plan is: “if we
lost this building, how would we recommence our business?”
4.4.12 Disaster Recovery Plan (DRP)

As part of the business continuity process, an organization will normally develop a
series of DRPs. These are more technical plans that are developed for specific groups
within an organization to allow them to recover a particular business application. The
most well-known example of a DRP is the Information Technology (IT) DRP.
The typical test for a DR Plan for IT would be: “If we lost our IT services, how we
would recover them?”
IT DR plans only deliver technology services to the desk of employees. It is then up
to the business units to have plans for the subsequent functions.
A mistake often made by organizations is that “We have an IT DR Plan, we are all
OK”. That is not the case. You need to have a Business Continuity Plan in place for
critical personnel, key business processes, recovery of vital records, critical suppliers
identification, contacting of key vendors and clients, etc.
It is critical that an organization clearly defines what sort of plan it is working on. It is
one of the first questions that we will ask as it defines the approach that needs to be
taken and the processes required. We are very familiar with both types of plans; we know
the process and profiles and can consult and assist your organization.
4.5 Business Continuity Plan Ten Steps

A Business Continuity Plan (BCP) is the process whereby financial institutions
ensure the maintenance or recovery of operations, including services to customers, when
confronted with adverse events such as natural disasters, technological failures, human
error, or terrorism.
The objectives of a BCP are to minimize financial loss to the institution, continue to
serve customers and financial market participants, and mitigate the negative effects’
disruptions can have on an institution’s strategic plans, reputation, operations, liquidity,
credit quality, market position, and ability to remain in compliance with applicable laws

and regulations. Changing business processes (internally to the institution and externally
Notes
among interdependent financial services companies) and new threat scenarios require
financial institutions to maintain updated and viable BCPs.
New business practices, changes in technology, and increased terrorism concerns
have focused even greater attention on the need for effective business continuity
planning and have altered the benchmarks of an effective plan. For example, an effective
BCP should take into account the potential for wide area disasters that impact an entire
region and for the resulting loss or inaccessibility of staff.
The threat of pandemics, in particular, an outbreak of influenza caused by the bird
flu virus, is causing many financial institutions to update their BCPs. Citibank’s Action
Plan, outlined in a July 2006 presentation by Greg Gist, Senior Policy Advisor in
Citibank’s Office of Business Continuity, includes a pandemic preparedness plan,
headed by a Pandemic Preparedness Task Force consisting of senior staff from each
region. The plan, which includes triggers and actions based on World Health
Organization Pandemic Phases, provides all employees with pandemic preparedness
communications and kits, modifies existing business continuity plans (e.g., to reflect high
absenteeism rates associated with pandemics), and integrates pandemic awareness in
financial and risk planning.
Citibank’s plan also includes assumptions about the effect on customers, such as
increased delinquencies, increased requests for additional credit, and an increase in
Internet banking volume.
Key to any BCP is an impact analysis differentiating between critical and non-critical
functions. A function may be considered critical if the implications for stakeholders or
damage to the organization are regarded as unacceptable. Perceptions of the
acceptability of disruption may be modified by the cost of establishing and maintaining
appropriate business or technical recovery solutions. A function may also be considered
critical if dictated by law. Next, the impact analysis results in the recovery requirements
for each critical function. Recovery requirements consist of the time frame in which the
critical function must be resumed after the disaster, the business requirements for
recovery of the critical function, and/or the technical requirements for recovery of the
critical function.
A BCP should consider and address interdependencies, both market-based and
geographic, among financial system participants as well as infrastructure service
providers. In most cases, recovery time objectives are much shorter than they were even
a few years ago, and for some institutions, recovery time objectives are based on hours,
minutes and seconds.
BCP requirements within a firm can vary from application to application. In financial
services, applications deemed critical require a high available and redundant architecture
to meet ever-demanding service level agreements. The more critical the application is,
the greater the need for continuous availability. For example, in the case of a fixed
income trading system, it is imperative that trading can resume within seconds following
a systems interruption. Rapid resumption of trading mitigates loss of business and
preserves business reputation. The cost of downtime not only affects the lost trades but
also impacts the financial services business reputation.
4.5.1 Ten Steps to an Effective Business Continuity Plan

Step 1: Define strategy objectives by performing needs analyses and create a
framework for strategy implementation.
Step 2: Determine the business value of the organization’s applications and define
recovery objectives through data risk and recovery time profiles.

Step 3: Match technologies for safeguarding data, including backup, disaster recovery,
Notes
vaulting, snapshot and replication, based upon business value.
Step 4: Define infrastructure and personnel plans, including organizational and
communications processes.
Step 5: Implement technologies and educate critical personnel as to which business
processes are impacted.
Step 6: Test the documented plan continuously and under different circumstances.
Step 7: Measure and validate test results relative to the plan’s overall objectives.
Step 8: Implement required enhancements that have been prioritized as a result of
continuous testing and evaluation.
Step 9: Continuously review and enhance the business continuity plan to reflect
organizational changes, fluctuating business conditions and the addition of new
technologies.
Step 10: Finally, remember to repeat the entire process continuously.
4.6 Summary
Disaster management (or emergency management) is the creation of plans
through which communities reduce vulnerability to hazards and cope with disasters.
Disaster management does not avert or eliminate the threats, instead it focuses on
creating plans to decrease the impact of disasters. Failure to create a plan could lead to
damage to assets, human mortality, and lost revenue. Currently, in the United States,
60% businesses do not have emergency management plans. Events covered by disaster
management include acts of terrorism, industrial sabotage, fire, natural disasters (such
as earthquakes, hurricanes, etc.), public disorder, industrial accidents, and
communication failures. The development of emergency plans is a cyclical process,
common to many risk management disciplines, such as Business Continuity and Security
Risk Management, as set out below:
Ɣ Recognition or identification of risks
Ɣ Ranking or evaluation of risks
Ɣ Resourcing controls
Ɣ Reaction planning
Ɣ Reporting and monitoring risk performance
Ɣ Reviewing the Risk Management framework
4.7 Check Your Progress

I. Fill in the Blanks
Session 1: Introduction to Risk Management
1. Through actions termed __________, communities (and individuals residing in
those communities) either reduce the chances that a disaster will occur, or
reduce the damages that will result if in fact the event does occur.
2. We often look to trends to find how hazard risks__________ over time.
3. Changes in __________ cause the most significant increases in the
consequences of disasters.
4. A__________ is any event, object, situation, or other condition that has the
potential to cause or result in some negative impact.

5. When a hazard event is of such great magnitude that its consequences

Notes
overwhelm the response capacities of all administrative levels from local to
Federal, the event is considered a __________.
Session 2: Risk Management and the Greater Emergency Management
Discipline
1. The Roman Corps of Vigiles is considered the roots of the modern _________.
2. During the past century, __________ were the most common and costly
natural hazard.
3. The United Nation has noted a strong link between disaster risk management,
climate change, and sustainable __________.
4. The concept of the __________ approach is based on the idea that there are
generic processes for addressing most kinds of hazards and disaster.
5. FEMA was absorbed into the __________ as per the Homeland Security Act of
2002.
Session 3: Hazards Risk Management in the United States
1. After Hurricane Agnes, the National Flood Insurance Program became
__________ for all federally-backed mortgages.
2. The __________ is the largest source of funding for state and local mitigation
activities.
3. FEMA’s Property Acquisition Program allowed for FEMA funds to be used to
remove properties from the__________.
4. “__________ is an approach to emergency management that reinforces the
fact that FEMA is only one part of our nation’s emergency management team;
that we must leverage all of the resources of our collective team in preparing
for, protecting against, responding to, recovering from and mitigating against all
hazards; and that collectively we must meet the needs of the entire community
in each of these areas.”
5. Australia Risk Management describes __________ as “those who may affect,
be affected by or perceive themselves to be affected by the [hazards] risk
management process.”
Session 4: Risk Management Lessons from the Private Sector
1. A __________ Program is a continuously evolving group of interrelated and
coordinated functions, sub-functions and processes that support the strategic
imperatives of business survival and the return of a reasonable profit.
2. __________ is the coordination of efforts to control a crisis event consistent
with strategic goals of an organization.
3. The Critical Infrastructure Assurance Office (CIAO) was created in response to
Presidential Decision Directive number __________ in May of 1998 to
coordinate the Federal Government’s initiatives on critical infrastructure
assurance.
4. The Federal Department that established the voluntary private sector
accreditation and certification preparedness program (PS-Prep) was
__________.
5. __________ is the development of a business culture and support
mechanisms that allow the business and its members to gain insight and
understanding from individual and shared experience with a willingness and
capability to examine and analyze both successes and failures for the purpose
of organizational improvement.

Session 5: Risk Management Lessons from Outside the United States
Notes
1. The two countries represented in the name of the risk management standard
AS/NZS 4360:1995 are __________ and __________ .
2. AS/NZS 4360:2004 describes risk management as “a process that identifies
the level of __________ a group has for a specific risk.”
3. In the AS/NZ Risk Management Process, __________ and __________ occur
at every step of the process, not just the beginning and the end.
4. Practitioners at the Asian Disaster Preparedness Center (ADPC) reported that
__________ risk management approaches ultimately resulted in poorer
outcomes than were possible through more locally-based efforts.
5. Community __________ involves building up a picture of the nature, needs
and resources of a community with the active participation of the community.
Session 6: A Hazards Risk Management Approach
1. __________ focuses on separating the individual pieces of what is being
studied, while __________ focuses on how the thing being studied interacts
with the other constituents of the system – a set of elements that interact to
produce behaviour – of which it is a part.
2. Unlike the management of community-wide risks, many risks that affect us as
individuals require little more than __________ decisions.
3. A systems approach is one that takes a more __________ view of the process
for solving problems, rather than simply prescribing a linear ‘step-by-step’
process.
Session 7: The Mitigation Plan
1. The end goal of the comprehensive Hazards Risk Management (HRM) process
is, as the name suggests, __________.
2. Mitigation Planning communicates to all community stakeholders the risk
reduction __________ of the community.
3. While there is no standard __________ (format) according to which Mitigation
Plans must be developed, there is something of a standard set of Mitigation
Plan __________ that is seen in almost all plans developed today.
4. The Community Rating System (CRS) is a program that provides __________
to communities that implement certain flood mitigation measures, including
Mitigation Planning.
5. The Risk __________ methodology helps to inform the user how risk rankings
were obtained.
II. True or False
1. The key organization representing state or state-level emergency managers is
the International Emergency Management Association.
2. Haddow and Bullock’s chapter on emergency response says that under current
law the President can Commandeer State National Guard units, effectively
removing them from the control of respective governors.
3. US Disaster Policy is more “event-driven” than it is driven by interest group
politics and political lobbying.
4. Sylves Chapter 3 on Historical Trends claims the Federal Civil Defense Act of
1950 placed most of the civil defense burden on the states.
5. Today, once a president approves a governor’s request for a major disaster
declaration, that state and its counties included in the declaration become

eligible for federal assistance under the National Response Plan or

Notes
Framework.
6. FEMA has major federal zoning powers it applies to local governments across
the US.
7. Governors must prepare a damage assessment for FEMA and the president
when they request presidential declarations of “emergency”.
8. Most of FEMA’s individual and family assistance programs geared toward
housing repair or reconstruction are “means tested” (the more money you
make the less likely you are to qualify for aid.)
9. In the process of FEMA’s creation in 1979, President Carter made sure that
FEMA would be a “civilian agency” that would not inherit secret civil defense
duties of its predecessor federal agencies.
10. The US Coast Guard is now part of the Federal Emergency Management
Agency.
III. Multiple Choice Questions
1. People live in dangerous areas for what reasons?
(a) for the views
(b) because of cheap land
(c) because the land is fertile
(d) for proximity to recreational opportunities
(e) for all of these reasons
2. Catastrophic natural disaster losses in developed countries involve which of
the following?
(a) large numbers of deaths
(b) large financial costs to individuals and companies
(c) primarily losses borne by insurance companies
(d) large numbers of deaths and large financial costs
(e) primarily losses borne by state governments
3. Areas of cities that are subjected to significant natural hazards should be used
for which of the following?
(a) office buildings because they can withstand the effects of the hazard
(b) inexpensive single-family houses
(c) parks and golf courses
(d) shopping malls
(e) factories and industrial complexes
4. When people or government agencies try to control the activities of natural
events, the common result is which of the following?
(a) The effect is the opposite of that intended.
(b) The effort is wasted because it is impossible to do.
(c) We have become quite effective at such control.
(d) This doesn’t happen since the federal government doesn’t permit
tampering with nature.
(e) Our problem with nature is transferred elsewhere, to someone else, or
postponed.

5. Natural disasters generally involve which of the following?
Notes
(a) events with a single clear-cut cause
(b) events that involve overlapping natural causes
(c) events wholly caused by the activities of man
(d) events that are unaffected by the activities of man
(e) events that always involve interaction between closely related processes
6. Most natural disasters are which of the following?
(a) cyclic, in that they occur at predictable intervals
(b) rarely if ever cyclic because there are too many overlapping effects
(c) completely random in that they involve processes that we cannot hope to
understand
(d) interactions between two closely related events
(e) processes that start small and build toward a climax at a more-or-less
constant rate
7. A fractal system is one that involves which of the following?
(a) numerous intersecting fractures
(b) similarity in form at a wide range of scales
(c) completely unrelated processes that interact to produce an event
(d) closely related processes that interact to produce a larger event
(e) processes that are unrelated and static
8. An insurance company decides on the cost of a policy for a natural hazard by
__________.
(a) adding up the total cost of the most recent disaster of the type
(b) multiplying the probability of the loss by the number of policies sold
(c) averaging their probable dollar loss for all disasters that they insure
(d) calculating the cost of the probable loss times the probability of that event
(e) multiplying the cost of the largest loss of that type times the number of
times that loss has occurred
9. The costs of catastrophic events continue to increase primarily because
__________.
(a) more people are moving into more hazardous areas
(b) not enough people pay for insurance in hazardous areas to even out the
costs
(c) insurance companies are not making enough profit to satisfy their
shareholders
(d) insurance companies are refusing to insure most natural hazard losses
(e) natural hazards are becoming more difficult to understand
10. Why are most people who live on southeast-coast beaches unconcerned about
hazards?
(a) There are few significant hazards in those areas.
(b) Disasters in those areas come along only about every one hundred years.
(c) They have never experienced a significant disaster.
(d) They are well insured for the types of hazards that affect those areas.
(e) They have built strong shoreline defenses against hazards that might
affect them.

11. What kind of natural hazards are not normally insurable?

Notes
(a) earthquakes
(b) volcanoes
(c) landslides
(d) floods
(e) windstorms
12. Why don’t many coastal communities try to educate visitors and new residents
about natural hazards in their areas? They view such information as
__________.
(a) bad for business
(b) too difficult for most people to understand
(c) a national security issue
(d) information an insurance company might use to their advantage
(e) classified information to be used only by the Federal Emergency
Management Agency
13. What is the normal relationship between the number of a particular type of
event and the size of such events?
(a) There is an equal number of small, medium and large events of any given
type.
(b) There are few small events, a moderate number of larger events and
many giant events of any given type.
(c) There are many small events, many medium-size events, but for most
hazards no giant events.
(d) There are many small events, a moderate number of larger events and
few giant events of any given type.
(e) For most types of natural hazards, there are medium and large events but
no small events of equivalent type.
14. When is a large event such as a major earthquake not a disaster?
(a) when it happens in a far-away country that we do not care about
(b) when it happens to less than 10,000 people
(c) when it happens to less than 1,000 people
(d) when it happens in an area without any people
(e) when it happens in a third world country in which more than 20% of the
population subsists on less than $2 per day
15. Who is most commonly to blame when people incur a significant loss from a
natural disaster?
(a) the US Army Corps of Engineers for not building protective structures
(b) the federal government for not doing something about it
(c) the people themselves for choosing to live there
(d) the local county for permitting them to build there
(e) the realtor for selling them the property
16. What can happen to make a moderate-size event into a large natural disaster?
(a) cyclic events that tend to get stronger with time
(b) overlapping events that amplify the effect
(c) cyclic events that get progressively bigger as each one adds to the next in
the series

(d) the multiplying effect of events of a given type in the same area
Notes
(e) overlapping events that interfere with one another
17. If you erect a barrier for protection against some natural event, what
detrimental effect can follow?
(a) You shouldn’t try to do so because such barriers typically cost more than
the structures they are designed to protect.
(b) National laws require that anything that interfaces with natural processes
be done by federal agencies.
(c) Similar projects by others nearby will make your efforts ineffective.
(d) Nature is strong enough to immediately overwhelm your efforts, which are
then wasted.
(e) It can have detrimental effects on others nearby.
18. Which of the following is an example of the domino effect?
(a) a landslide caused by a sudden precipitation event
(b) an increase in the cost of gasoline that causes people to drive less
(c) global warming that causes more rapid melting of Arctic sea ice that
results in further sea ice melting
(d) when a feature looks the same across a wide range of scales
(e) an earthquake that occurs in a developing nation that causes health,
social, and economic problems
19. Which of these natural hazards causes the LEAST amount of fatalities in the
United States annually?
(a) volcanoes
(b) heat and drought
(c) lightning
(d) winter weather
(e) tornadoes
20. Which is NOT a way that government policy mitigates natural hazards?
(a) using research and studies to predict storms and floods
(b) congress funding expensive Army Corps of Engineers projects to build
levees along rivers
(c) relocating natural disaster victims to more stable areas
(d) utilizing computer systems to determine risk levels
(e) organizing central emergency management agencies to bring order to
chaotic relief efforts
4.8 Questions and Exercises

1. Why are people who live on coastal beaches so poorly aware or concerned
about hazards in those environments?
2. What kind of natural hazards are not normally insurable?
3. Why do many coastal communities not educate visitors and new residents
about natural hazards in their areas?
4. What is the normal relationship between the number of occurrences of a
particular type of event and the size of such events?
5. When is a large event such as a major earthquake not a disaster?
6. When people incur a significant loss from a natural disaster, who is most
commonly to blame and why?

7. What can happen to make a moderate-size event into a large natural disaster?
Notes
8. If you erect a barrier for protection against some natural event, what
detrimental effect can follow?
9. How does government policy sometimes act counterproductively in reference
to mitigating natural hazards?
10. A natural disaster is fractal. Explain what this means and how it provides
insight into larger events.
11. ‘Sustainable management of natural resources is essential to provide livelihood
and environmental security.’ Discuss.
12. Define Total Disaster Risk Management Approach and refer to its pertinence
for Disaster Management Cycle.
13. Highlight development perspective to disaster management with focus on
disaster management in riverine regions.
14. Discuss major issues involved in disaster preparedness,
15. Discuss the role of Information Technology in disaster prevention.
16. Discuss the importance of Rescue and highlight various rescue methods.
17. ‘Shelter rehabilitation is concerned with various aspects.’ Discuss.
18. What are the major features of Emergency Operations Centre?
19. ‘Various types of damages are required to be considered for undertaking
effective damage assessment.’ Discuss.
20. Highlight guiding principles of rehabilitation and reconstruction.
21. Define the term ‘disaster’ and describe its classification.
22. Write a note on disaster cycle.
23. Describe the trends in disaster management.
24. Explain the different methods of risk mapping.
25. Describe structural and non-structural mitigation measures in disaster
management.
Critical Thinking Essay Questions

1. You are on the zoning board for a small town near an active fault line. The
board is deciding how to efficiently accommodate a larger student body by
either choosing to: (1) renovate the town’s existing high school or (2) build a
new school for the same cost on cheap land closer to the fault line. Explain why
it would be better to renovate the school at the current location than to build a
new school for the same price.
2. Your mother, who has lived in central Ohio for her entire life, really wants to
purchase a beach house along the Gulf coast of the southeastern United
States because of the natural beauty of the area. Explain to her why this is not
a financially or safety-related decision.
3. Would you rather live in an area that has historically experienced a natural
hazard, a natural disaster, or a catastrophe? Is there any environment in which
these processes do not exist?
4. After a hurricane devastates a coastal community, you are a part of a team of
people going in to help victims cope with the disaster and rebuild their lives.
One victim is very set on rebuilding his home in the exact same location as
before the disaster. What would you say to that victim and what advice would
you give him?

5. When you are buying a home, what types of landscapes can you look for to
Notes
determine if the home you are looking into purchasing is potentially susceptible
to natural disasters?
4.9 Key Terms

Ɣ Disaster risk: The potential disaster losses, in lives, health status, livelihoods,
assets and services, which could occur to a particular community or a society
over some specified future time period.
Comment: The definition of disaster risk reflects the concept of disasters as
the outcome of continuously present conditions of risk.
Ɣ Disaster risk management: The systematic process of using administrative
directives, organizations, and operational skills and capacities to implement
strategies, policies and improved coping capacities in order to lessen the
adverse impacts of hazards and the possibility of disaster.
Ɣ Disaster risk reduction: The concept and practice of reducing disaster risks
through systematic efforts to analyze and manage the causal factors of
disasters, including through reduced exposure to hazards, lessened
vulnerability of people and property, wise management of land and the
environment, and improved preparedness for adverse events.
Ɣ Disaster risk reduction plan: A document prepared by an authority, sector,
organization or enterprise that sets out goals and specific objectives for
reducing disaster risks together with related actions to accomplish these
objectives.
Ɣ Early warning system: The set of capacities needed to generate and
disseminate timely and meaningful warning information to enable individuals,
communities and organizations threatened by a hazard to prepare and to act
appropriately and in sufficient time to reduce the possibility of harm or loss.
Ɣ Ecosystem services: The benefits that people and communities obtain from
ecosystems.
Ɣ Emergency management: The organization and management of resources
and responsibilities for addressing all aspects of emergencies, in particular
preparedness, response and initial recovery steps.
Ɣ Emergency services: The set of specialized agencies that have specific
responsibilities and objectives in serving and protecting people and property in
emergency situations.
Ɣ Environmental degradation: The reduction of the capacity of the environment
to meet social and ecological objectives and needs.
Ɣ Environmental impact assessment: Process by which the environmental
consequences of a proposed project or program are evaluated, undertaken as
an integral part of planning and decision-making processes with a view to
limiting or reducing the adverse impacts of the project or program.
4.10 Check Your Progress: Answers

I. Fill in the Blanks
Session 1:
1. hazard mitigation or mitigation
2. change or shift
3. human activities or development

4. hazard
Notes
5. Catastrophe
Session 2:
1. Fire Department
2. floods
3. development
4. all hazards
5. DHS or Department of Homeland Security
Session 3:
1. mandatory or required
2. Hazard Mitigation Grant Program
3. floodplain
4. Whole Community
5. stakeholders
Session 4:
1. Business Crisis and Continuity Management (BCCM)
2. Crisis Management
3. 63
4. DHS or The Department of Homeland Security
5. Organizational learning
Session 5:
1. Australia, New Zealand
2. tolerance
3. monitoring and reviewing
4. top-down
5. profiling
Session 6:
1. Traditional Analysis, systems thinking
2. split-second
3. holistic
Session 7:
1. managed risk
2. priorities
3. contents
4. credits
5. Assessment
II. True or False
1. True
2. True
3. True
4. True
5. True
6. False
7. False

8. True
Notes
9. False
10. False
III. Multiple Choice Questions
1. (e) for all of these reasons
2. (b) large financial costs to individuals and companies
3. (c) parks and golf courses
4. (e) Our problem with nature is transferred elsewhere, to someone else, or
postponed.
5. (b) events that involve overlapping natural causes
6. (b) rarely if ever cyclic because there are too many overlapping effects
7. (b) similarity in form at a wide range of scales
8. (d) calculating the cost of the probable loss times the probability of that event
9. (a) more people are moving into more hazardous areas
10. (c) They have never experienced a significant disaster.
11. (c) landslides
12. (a) bad for business
13. (d) There are many small events, a moderate number of larger events, and
few giant events of any given type.
14. (d) when it happens in an area without any people
15. (c) the people themselves for choosing to live there
16. (b) overlapping events that amplify the effect
17. (e) It can have detrimental effects on others nearby.
18. (c) global warming that causes more rapid melting of Arctic Sea ice that
results in further sea ice melting
19. (a) volcanoes
20. (b) congress funding expensive Army Corps of Engineers projects to build
levees along rivers
4.11 Case Study
Case Study on WTC

We are rapidly approaching the fourteenth anniversary of that tragic day in
September when terror struck New York City and Washington D.C., friends and
acquaintances were lost forever, and crisis management, business continuity and
disaster recovery were no longer thought of as obscure business practices.
Time has a way of healing wounds and allows the pain and suffering to fade.
Unfortunately, time also has a way of making us forget the lessons we learned and
permits us to return to the bad habits and practices we held prior to September 11, 2001.
The German writer Johann Goethe said, “The greatest tragedy in all of life is to
experience the pain, but miss the lesson.” As we remember those who died in the World
Trade Center, Pentagon and United Flight 93, we should also revisit the lessons to come
out of this event — to ensure that we have not regressed back to our old ways.
Communications, Communications, Communications

One of the most important lessons learned from 9/11 was the importance of reliable
communications tools and practices during a crisis. In Manhattan, landlines were

compromised and cell phone towers overburdened — inaccessible for the most part. At
Notes
the time, some were able to communicate on their Blackberry devices; this was largely
due to the fact that the user community was not so large as to over -tax the infrastructure
in place to support it.
The waterfalls are tested at the National September 11 Memorial at the World Trade
Center site, Friday, July 15, 2011 in New York. The memorial will be dedicated in a
ceremony on September 11, 2011, the tenth anniversary of the terrorist attacks. One
World Trade Center, center, rises above the site. (AP Photo/Mark Lennihan).
Regardless of the particular communications tool you use, the lesson here is to
ensure that you have alternatives and contingencies in place should one or more
communications channels be impacted by an event.
We also learned the importance of communicating with the right people. Many
organizations communicated with their impacted employees and customers, but — as I
learned from talking with a number of large, international firms after the event — the
importance of communicating with remote regions and offices outside the immediate
footprint of the crisis was often overlooked.
In many cases, companies’ domestic and foreign offices complained that they were
not in a position to answer questions about their own New York offices — the head office,
in many cases — because they were not getting any direct information. Many were
forced to gather information through the media and other channels.
Since 2001, the phenomenon of social networking has revolutionized
communications. News about a crisis and your ability to adequately respond to it will be
broadcasted from numerous sources through a variety of social networking tools. The
way that you use these tools to get your message out and monitor what is being said
about your organization should be addressed in your crisis management and business
continuity plans. A poorly implemented and orchestrated corporate communications plan
can undermine the efforts of your crisis response team.
Accounting for Employees

Another lesson to come out of 9/11 was the inability of companies to account for
employees. Previously, most business continuity plans established congregation points

where employees would gather and be accounted for. In Manhattan, the footprint of the
Notes
tragedy was so large that it impacted the congregation points. The events of 9/11 proved
that this technique is not practical for large-scale crises or locations where many
companies occupy the same facilities.
Following the evacuation of downtown New York City and practically all of
Manhattan, many employees returned to their homes and simply waited to be contacted
by their company. As a result, many organizations eventually implemented a “reconnect
process” whereby employees could call a central number — ideally a number supported
outside of the targeted location — to account for themselves. Reconnect process or
otherwise, it is important for organizations to have a process that all employees are
familiar with this June 16, 2011 picture, firefighter Richard Browne, with the Perrysburg,
Ohio Fire Department, places his hand on a damaged New York Fire Department truck in
Hangar 17 at John F. Kennedy International Airport in New York. The Port Authority of
New York and New Jersey is preserving and storing artifacts from the September 11,
2001 attacks in the airport hangar. Browne toured the hangar while picking up a piece of
9/11 steel destined for a memorial in Wauseon, Ohio (AP Photo/Mark Lennihan).
Who’s in Charge?
Another challenge that large, multi-divisional companies experienced was in trying
to manage the crisis in a consistent manner. Many buildings near the World Trade Center
were occupied by numerous companies or autonomous divisions of the same corporation.
As a result, inconsistent decisions were made regarding whether to evacuate or stay in
place.
In some cases, management made the decision to not only stay in place, but to
continue to function as a normal work day. Employees became confused and concerned
when others began evacuating.
There were also problems with employees being directed by an anonymous
figurehead who claimed to be in charge. In times of crisis, people look for direction from
those they know and trust — the day-to-day management that they are in the trenches
with every day. When someone new starts shouting orders, employees look to their
management — people they know — to confirm and validate these commands.
Wherever possible, companies’ crisis management framework should provide for
corporate-wide response decisions to be communicated through the normal
organizational structure.

Leadership Styles
Notes
Most senior level executives in a firm have achieved success because of their ability
to perform long-term strategic planning. The most effective leadership style for these
individuals is “participatory management,” where they solicit information from a wide
group of resources, process the information and determine the proper course of action.
This management style takes time and is effective for decisions that are not
time-sensitive.
During times of crisis, the most effective leadership style is “command and control.”
People look for someone in authority to make decisions for them, quickly and confidently,
without having to form committees and perform studies on possible courses of action.
Not all senior-level executives have the skills to lead under these conditions.
An article in the July edition of Continuity Insights (Turning Disaster Response on Its
Head) discusses the advantages of a structured network over a top-down, command and
control style of response. While the article makes many valid points, the thing we learned
from 9/11 was not that command and control was ineffective, but rather that the
command and control resources were not adequately prepared for or provisioned to
effectively guide us through such a crisis. Improvements to an organization’s response
can be achieved by being better prepared for a transition to command and control
management — not by abandoning the strategy altogether.
The Mental Health Factor

Many organizations overlooked the potential impacts of stress, fear and other
emotional contagion that are experienced during times of extreme crisis. For those that
had internal employee assistance programs, the scope and breadth of the crisis quickly
surpassed the ability of these programs to meet the resulting mental health demands.
Also, mental health problems were equally distributed amongst management and
staff. People at all levels of an organization are susceptible to breaking under the
pressures of such an unusual and traumatic event — even crisis management team
members.
Succession Plans
Companies need to ensure they have complete and updated succession plans for
all levels of management. After 9/11, many organizations’ leadership teams were either
geographically separated without the means to communicate, victims of the mental
health issues noted above or tragically killed in the event.
Business continuity planners need to identify all managerial positions that
require immediate succession, maintain up-to-date succession plans and ensure
that the identified next-in-command is adequately trained and prepared to assume
that role if required. Failure to achieve this, in some cases, may have contributed to
the shortcomings in the command and control aspects of crisis management during
9/11.
External Single Points of Failure

Many companies were lulled into a false sense of security because they utilized
multiple communications vendors or had dual power and communications feeds into their
building. However, many of these vendors used the same underground infrastructure or
power lines.
In other words, companies may have done a good job of eliminating Single Points of
Failure (SPOFs) within the walls of their own building, but all they did was move the
SPOF to some external entity.

Disaster recovery and business continuity planners should ensure that they are not
Notes
promoting this same level of false security. Make sure you know where your SPOFs are
and whether they are internal or external.
Program Assumptions, Scope and Scale

Prior to 9/11, most disaster recovery and business continuity plans were based on
the assumption that, following a disaster, a company could function with about 20% to
25% of the workforce and infrastructure relocated to an alternate site, and that it would
eventually be able to move back into its production facility.
The events of 9/11 shattered those assumptions, and many plans based on this
premise were virtually useless. Companies were scrambling to find temporary — and
then permanent — real estate to house 100% of their surviving workforce and to recover
100% of their operational capacity.
Most companies take months or years to plan and execute a corporate move.
Business continuity and disaster recovery programs are challenged to achieve that same
result in a matter of days, and during times of stress, panic and confusion.
Ensure that your management team is well aware of how much and how little your
plans address, what assumptions are being made and how much functionality can be
recovered in short time frames. If your plans do not match your management team’s
expectations for a worse-case scenario, you may find your solutions to be inadequate in
meeting their demands.
Perfect Practice
In the aftermath of 9/11, I spoke with numerous companies that were surprised by
their limited recovery capability — even with years of testing and exercising. The problem
was that they did not perform “perfect practice.”
One large financial services firm had been exercising successfully for years out of
their alternate trading floor facility. At least twice a year, they would set up operations in
their alternate trading floor and actually conduct production operations from this facility.
What they had failed to do, however, was to completely sever access to the production
data center in the same building that housed the trading floor. So yes, the alternate
trading site had all the desktop tools and phones to support a trading floor operation, but
without connectivity back to the production office, these devices were little more than
paperweights.
This issue is closely tied to the SPOF issue discussed earlier. As contingency
planners, we need to identify the SPOFs in alternate facilities as well as any resources
and infrastructure shared with your production facilities. During recovery exercises, all
connections back to infrastructure and technology in the home office must be severed.
Additionally, be aware of how much time and effort it takes to prepare for a recovery
test. Many organizations that were testing for years before 9/11 were only successful with
their tests because of special backups or special configurations they mirrored in the test
preparation process. Of course, disaster events do not come with advanced warning and
there is no time for pre-recovery preparations. Ensure that you can successfully recover
with a moment’s notice — without relying on pre-recovery setups.
A Word of Caution
Whenever I discuss lessons learned from the events of 9/11, I always like to add a
word of caution. As tragic and devastating as it was, in terms of business continuity
issues, it could have been worse due to the nature of the event and the impact it had
worldwide. There were few expectations that companies would be fully operational and

responsive the next day. Organizations were afforded the luxury of time and
Notes
understanding as they struggled to get back to normal operations.
The events that impact only your organization; that are not necessarily newsworthy;
where your customers do not share the tragedy or hardship; where the expectation that
you should be responsive to your customers’ demand for products and services
remains — will challenge you above and beyond, and in different ways, than an event like
9/11. Think about potential crisis situations that could be limited to your organization —
ones that may not impact your customers, vendors or competition.
Changed Forever
As I solemnly await the fourteenths anniversary of the tragic events of 9/11, my
thoughts are with the loved ones I lost and the business associates that perished. As a
crisis management, business continuity and disaster recovery professional, I remember
that day as a turning point for how we conduct our business. I hope that the lessons we
learned are not lost with the passing of time.
4.12 Further Readings

1. Encyclopaedia of Disaster Management by S.L. Goel, Deep & Deep
Publications Pvt. Ltd.
2. Disaster Management by G.K. Ghosh, A.P.H. Publishing Corporation.
3. Disaster Management by R.B. Singh, Rawat Publications.
4. Disaster Management: Through the New Millennium by Ayaz Ahmad, Anmol
Publications.
5. Emergency Medical Services and Disaster Management: A Holistic Approach
by P.K. Dave, Jaypee Brothers Medical Publishers (P) Ltd.
6. Disaster Management by B. Narayan, A.P.H. Publishing Corporation.
7. Modern Encyclopaedia of Disaster and Hazard Management by B.C. Bose,
Rajat Publications.
8. Disaster Management by Nikuj Kumar, Alfa Publications.
9. Disaster Management Recent Approaches by Arvind Kumar, Anmol
Publications.
10. Tsunamis: Threats and Management by Dr. Jagbir Singh, I.K. International.
11. Disaster Management Future Challenges and Opportunities by Dr. Jagbir
Singh, I.K. International.
12. Solid Waste Management by Dr. Jagbir Singh, I.K. International.

Unit 4: Disaster Management: Structure

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Unit 4: Disaster Management: Structure

Hochgeladen von

Copyright:

Verfügbare Formate

Disaster Management 179

Unit 4: Disaster Management

Amity Directorate of Distance and Online Education

4.1 Types of Disasters

Amity Directorate of Distance and Online Education

(d) Pandemic emergencies: Involving a sudden onset of contagious disease that

4.1.1 Disaster Prevention

Amity Directorate of Distance and Online Education

4.2 Disaster Management and Mitigation Strategies

Amity Directorate of Distance and Online Education

4.2.1 Disaster Preparedness

Creating the Disaster Prevention and Response Plan

Forming the Prevention and Resource Team

Amity Directorate of Distance and Online Education

Notes 4.2.2 Action Planning Checklist

A Step-by-step Guide for Teachers

Amity Directorate of Distance and Online Education

4.3 Understanding Disaster Recovery

Amity Directorate of Distance and Online Education

4.3.1 Classification of Disasters

4.3.2 Importance of Disaster Recovery Planning

4.3.3 Control Measures

Amity Directorate of Distance and Online Education

Amity Directorate of Distance and Online Education

4.4 Business Continuity Management

4.4.1 Disaster Recovery and Business Continuity Auditing

Amity Directorate of Distance and Online Education

4.4.2 Metrics Notes

4.4.3 Mission Statement

4.4.4 The DR Committee and Auditor

Amity Directorate of Distance and Online Education

Notes 4.4.6 Strategies

Backup of Key Personnel

Amity Directorate of Distance and Online Education

4.4.7 Other Considerations

Amity Directorate of Distance and Online Education

Business Continuity Management

Business Impact Analysis

Amity Directorate of Distance and Online Education

4.4.9 Media Management

Amity Directorate of Distance and Online Education

4.4.10 BCP vs. DRP

Business Continuity Plan versus Disaster Recovery Plan

4.4.11 Business Continuity Plan (BCP)

4.4.12 Disaster Recovery Plan (DRP)

4.5 Business Continuity Plan Ten Steps

Amity Directorate of Distance and Online Education

4.5.1 Ten Steps to an Effective Business Continuity Plan

Amity Directorate of Distance and Online Education

4.7 Check Your Progress

Amity Directorate of Distance and Online Education

5. When a hazard event is of such great magnitude that its consequences

Amity Directorate of Distance and Online Education

Amity Directorate of Distance and Online Education

eligible for federal assistance under the National Response Plan or

Amity Directorate of Distance and Online Education

Amity Directorate of Distance and Online Education

11. What kind of natural hazards are not normally insurable?

Amity Directorate of Distance and Online Education

4.8 Questions and Exercises

Amity Directorate of Distance and Online Education

Critical Thinking Essay Questions

Amity Directorate of Distance and Online Education