SAN DIEGO -- Donna Childs had stopped at a local pharmacy on her way to work when she felt the foundation shake. A longtime Manhattanite, the commotion that immediately followed convinced her that a bomb had detonated in the underground parking garage, as had happened in the 1993 World Trade Center attack. So instead of heading to the tiny financial firm she founded called Childs Capital LLC, she walked the four blocks back to her apartment and braced for a chaotic day.
First, she called her Wall Street office to send her 14 employees home. Next, she called to cancel a lunch date. It was only then that her friend filled her in: The building she'd been in -- one of the World Trade Center towers -- had been hit by a jetliner while she was picking up her prescription. Childs went to her window and watched as the crowds' fascination suddenly turned to fear and everyone began running as a tower collapsed. Childs' Battery Park apartment was engulfed in blackness, throat-clogging soot seeping through the cracks.
Childs Capital -- located four blocks from Ground Zero -- was also hit hard but survived the disaster with minimal financial losses, inspiring Childs to co-write Contingency Planning and Disaster Recovery: A Small Business Guide (Wiley & Sons, 2002) with IT consultant Stefan Dietrich. This summer she launched a multi-city speaking tour sponsored by Hewlett-Packard to help small businesses get back on their feet in the event of an interruption. The need for such preparedness hit home again this week with the catastrophic losses along the Gulf Coast from Hurricane Katrina.
If recent statistics are any indication, half of the SMBs impacted by the hurricane will go out of business within three years if they can't get back their damaged data within 24 hours. That's if they had backups at all. Gartner Group says nearly 40% of SMBs nationwide do not. Some recent surveys say close to 75% of small businesses have no formal plan in the event of an IT disaster, despite more than half also reporting such a disrupting incident in the previous year.
"While we didn't suffer any human casualties our office was badly damaged. But we were dramatically better off than most companies," Childs said during an interview earlier this summer at the HP campus in San Diego, the first stop on the tour to share her experiences. Childs, a Yale University graduate who also holds an MBA from Columbia University and a master's degree in international economics and finance from Brandeis University, can relate to those charged with sustaining a business following a disaster. She herself invested her life savings in her company, which provides financial consulting to developing countries, and felt responsible for every employee on her payroll.
At the free session in San Diego, which attracted 45 companies, Childs explained how small businesses -- which she defines in her book as less than 500 employees; HP sets the bar higher at under 1,000 -- are eager for information because the economic losses can easily bankrupt an underinsured business. She offered the following advice to get companies' IT departments started:
Plan ahead, way ahead
Within a day, Childs Capital was operating from remote sites. Employees knew to work from home if possible. Childs had duplicated all her insurance policies and digitized other critical, paper documents using a scanner. These and digital photographs of the office and its equipment were stored in secured files, with the data mirrored on three host sites for redundancy, each physically removed from the main office by at least 500 miles.
Childs understood the need for such planning as a former risk officer for a Zurich insurance company. She said companies must set aside time to map out a disaster recovery and contingency plan well before an incident, whether it be a network break-in or an earthquake. Periodic review and updating is equally important, as is continuous education for all employees. This way, when chaos erupts, everyone knows the backup plan and each's role in trying to get the business back online as soon as possible.
Build a buddy system
Childs worked from borrowed office space in a New Jersey SMB after establishing a relationship with another company and agreeing that in the event of an emergency, each was available to help the other. She had a similar arrangement with a company in Westchester, N.Y.
SMBs should find such partners to set up similar buddy systems. Get the names and direct numbers for key personnel. "Ideally, talk to them and build a relationship before you need their help," she advised. "It helps if your first contact isn't in your moment of dire need." A good starting point is small business trade associations that provide networking opportunities, such as chambers of commerce or the National Association of Small Business Owners. Make sure the places are geographically close enough to be feasible.
Perform spot checks
The financial firm periodically perused its critical data for signs of file losses or corruption. They even ran mock drills to see how quickly they could access select mission-critical information.
"It takes an hour and it's really worth it because, God forbid, the last thing you want to find out during an emergency is that all your hard work is for nothing," Childs said.
Train people in advance
Childs Capital has a .pdf of their disaster recovery plan that employees are required to read online quarterly. The CEO said she uses the version control feature to allow a document to roll back to the last version to ensure people are not working off obsolete documents.
Similarly, make sure your company use policies are clear on who can and cannot use enterprise-owned equipment, such as laptops and PDAs brought home. Childs Capital, for instance, has a strict policy against family members, especially children, accessing laptops when an employee works remotely.
Strongly consider business interruption insurance
Money may be tight, but Childs knows from her years in the insurance industry that standard policies don't always cover all economic losses, such as lost income or revenue when a business is displaced or inaccessible to customers. She noted a dentist whose practice remained opened during the 9/11 aftermath but who nonetheless took a huge financial hit because his patients couldn't make their appointments. Clients must ask their insurance companies for the supplemental insurance. "Insurance is basically ordered a la carte," she said.
Keep compliance in mind
Many industries now require far tighter record-keeping, and safeguards on those records, to meet various regulations. The government also provides deadlines to get certain processes back on track following a disaster. For instance, many states require businesses to have a payroll system running within two weeks of a major event. By following the above steps, particularly those involving storing documents in multiple places offsite, an SMB stands a better chance of meeting the letter of the laws.