David Lacey's IT Security Blog

Thank you for your post. Quoting only one portion:

"Good crisis planning is about addressing the unthinkable. That’s how you ensure the long-term survival of your organisation."

And another quote from Bruce's article:

"In general, you can only reasonably prepare for disasters that leave your world largely intact. If a third of the country's population dies, it's a different world. The economy is different, the laws are different -- the world is different. You simply can't plan for it; there's no way you can know enough about what the new world will look like. Disaster planning only makes sense within the context of existing society."

IMHO, both yours and Bruce's article raise valid and interesting points but make assumptions about the scope of disaster that plans are directed towards.

My interpretation of Bruce's article was that he was interested in disasters of sufficient scale to render capitalism irrelevant and to dissolve the ability of states to project power and protect their populaces. Indeed, to quote Thomas Hobbes's from "Leviathan":

"Whatsoever therefore is consequent to a time of war, where every man is enemy to every man, the same consequent to the time wherein men live without other security than what their own strength and their own invention shall furnish them withal. In such condition there is no place for industry, because the fruit thereof is uncertain: and consequently no culture of the earth; no navigation, nor use of the commodities that may be imported by sea; no commodious building; no instruments of moving and removing such things as require much force; no knowledge of the face of the earth; no account of time; no arts; no letters; no society; and which is worst of all, continual fear, and danger of violent death; and the life of man, solitary, poor, nasty, brutish, and short."

If a "third of the country's population dies", do you really think ROI and managerial concepts trump basic human survival?

Thank you.

Ah, but when an incident takes out a third of the population, that's just when you need all organisations to be as functional as possible.

It sounds like Bruce is saying that there is no effective plan for recovering from a 1/3 population loss and you are saying that it still needs to be addressed. I tend to agree with you, but that may just be the optimist in me hoping that it is a solvable problem. Maybe Bruce is the realist here.

If you have time, I'd be interested to hear your top 10 list of what could be done to plan effectively. Not a top 10 of what needs to be addressed, but exactly how to address some of the big issues. Such a list would be proof that Bruce is wrong.

The only effective things I think of aren't really targeted towards a pandemic, but are useful in many different situations. For example, planning on a micro scale of families and small communities for 72-hour kits, food storage, etc.

Good idea. I've posted a new entry setting my Top 10.

http://www.computerweekly.com/blogs/david_lacey/2007/08/more-on-pandemic-planning-1.html#more

By the way, most organisations can survive a 30% cut in resources. McKinsey do this kind of exrecise all the time.

Your top 10 list is a good read, and all the points are valid. Perhaps you should consider adding some material on preparations for interfacing with the relevant governmental agencies. I think it's rather obvious that certain firms, such as utilities and medical care providers, must have a dedicated office to interact with the government at state/federal levels in the event of a disaster.

The reason I posted to this article is to give it another shot to explain what my original point was. Your comment that "most organisations can survive a 30% cut in resources" strikes me as plausible but symptomatic of your particular perspective. I don't see the loss of a third of the populace simply as a loss of resources.

Again, to quote Bruce's original article:

If a third of the country's population dies, it's a different world. The economy is different, the laws are different -- the world is different.

A sufficiently large disaster may result in the breakdown of civil society. For example, an inevitable delay in the deployment of federal troops to a disaster area where local law enforcement is unable to operate implies, inevitably, a scenario where looting and crime will rampage. (You may think I'm exaggerating, in which case I urge you to look at http://tinyurl.com/3y6bq7).

Which of your 10 points addresses a parent's concern that their children may not be safe in their own homes as mobs roam a city?

Add the panic of an exogenous event causing mass death, and perhaps the collapse of the federal government's armed forces' ability to project power, and that's the point I'm trying to raise.

Thanks again, keep up the good work.

Thanks for the comments. We certainly need a lot more debate about these issues. There are many dimensions to this problem and I'm not qualified to advise on all of them. My expertise is in helping organisations rather than personal protection.

I still believe that the focus needs to be on maintaining and resuming business as usual. Advance planning and well-considered responses are needed, both to contain the spread and minimise its impact on essential services. Knee-jerk panic reactions are not the answer. All government and law enforcement authorities have contingency plans for emergencies, riots and wars. Of course there will be service failures, supply problems and a change in the pattern of crime. But it dosen't have to lead to a complete breakdown of control and day-to-day business. The aftermath of Katrina was badly managed, but that in my view was exceptional.

I don't agree that we need to start preparing the public at this stage. I think it's way too early to start securing premises and stocking up on supplies. My point about surviving a 30% cut was aimed at the fact that many services can be maintained with such a cut in staff. Of course the impact on families and communities is devastating. But such figures are no more than planning assumptions. With good preparations the number of casualties can be minimised.

Thanks for your reply. I agree whole-heartedly that simply shrugging in the face of what may be an extraordinary disaster is unacceptable for an organisation. There is no substitute for sound, flexible planning.

I've enjoyed this conversation, so thanks again. Incidentally my father was the lead manager for Y2K contingency planning for the national oil company of the country where I grew up, so this topic has some personal relevance to me. He showed me around his office once day, with this giant whiteboard divided into three columns (green, yellow, red) and explained what each item was.

He had a funny story about how, even though all the objectives had been achieved, one component was unresolved the week before the Y2K boundary. Apparently the company doctor had a habit of unplugging his computer and locking it in a cupboard overnight, and had up to now refused to install the necessary software updates to make this machine Y2K compliant. My father had to get the company to threaten the man's cupboard with an axe to compel him to release the computer.