
Is Your Organization Zombie-Resilient?

As published in the November 2012 issue of The Greater Lansing Business Monthly.

Michigan State University recently offered an online course called Surviving the Coming Zombie Apocalypse: Catastrophes and Human Behavior. Using concepts of risk assessment and countermeasures, students worked together in groups to develop ways to survive a zombie pandemic.

Using the same theme, the Centers for Disease Control and Prevention has run a very successful zombie campaign that consists of posters, a blog and even a graphic novella. It was created to encourage people to prepare for a disaster before it happens, since most put it off until it’s too late.

So why should you care about the zombie apocalypse? While the likelihood of a literal zombie attack may be zero, it has obvious advantages as a metaphor for being prepared and surviving a catastrophe. Business continuity planning is also about survival — the survival of your organization. Zombies sound a lot more interesting than risk analysis, business continuity, or disaster recovery planning, though.

Some believe that all you need to do to prepare for a catastrophe is develop a disaster recovery plan. It is often considered solely a function of the IT department. After all, isn’t it about computers, internet connections and all manner of arcane IT acronyms?

For those who feel this way, the good news is that you don’t need a disaster recovery plan. You do, however, need a business continuity plan, of which a technology-oriented disaster recovery plan is but one part. By focusing solely on the technology aspect you’ll end up with a serviceable means of making the computers run … for a business that may no longer need them.

In the context of a widespread catastrophe, survival is everyone’s responsibility. It is a matter in which senior executives and the board of directors must be involved. It starts with an enterprise risk management policy. It starts with governance. Defining your business’ risk management policies solely in terms of information technology is like pretending that when the zombies come, they’ll only want to eat the brains of your IT staff.

Following a disaster, a resilient organization continues essential functions at all times. To be prepared to do so, it must evaluate risk in the context of business strategy. A comprehensive business continuity plan includes all of the following:

  • Succession plan
  • Risk assessment
  • Critical systems analysis
  • Business impact analysis
  • Disaster recovery plan
  • Pandemic response plan
  • Emergency response plan
  • Incident response plan
  • Key contacts by position
  • Vendor lists
  • Workflow

These items identify risks and then describe how you will deal with them.

Begin your planning by identifying the most probable threats and analyzing the related vulnerabilities of the organization to these threats. Evaluate existing physical and environmental security and controls, then assess their adequacy relative to the potential threats.

Apply these lessons with a business impact analysis. Identify critical business functions, then determine the impact of being unable to perform each one beyond some maximum tolerable period of disruption.

Criteria that you can use to evaluate impact include customer service, internal operations, legal exposures, and statutory and financial issues. These criteria, and the weight you give each of them, change over time. The threat you weren’t worried about last quarter may now be very important.

Remember, planning is not an event. It is a continuous process of improvement. Evaluate threats that could cause harm to your organization. Look for the vulnerabilities in your contingency plans and the methods (controls) you’ve chosen to avoid or reduce damage.

Finally, while it can be daunting to start an enterprise risk management effort, there are many sources of information to get you started:

  • ISO – International Organization for Standardization, Standard 22301 (business continuity management systems)
  • NIST – National Institute of Standards and Technology
  • AICPA – American Institute of CPAs
  • ISACA – Information Systems Audit and Control Association
  • ITIL – Information Technology Infrastructure Library
  • Disaster Recovery Journal

In using these sources, it is important not to approach them as “boxes to be checked off.” If you are not willing to put serious thought and effort into your enterprise risk management policies and procedures, don’t waste time on it. After all, it’s only your livelihood the zombies are after.

Duane Hershberger, CRISC is a Manager with Andrews Hooper Pavlik. He has more than 40 years experience in information technology. His career has been focused on the collaborative examination of complex business processes, developing business cases for identified improvements, and managing the resulting projects.