Scott McPherson's Web Presence

I spend a considerable amount of my "free time" lecturing on avian flu and pandemic preparedness, especially when it comes to information technology.  Those are my twin specialties:  I am a Chief Information (technology) Officer by profession, and I also have considerable experience in developing massive disaster recovery and business continuity plans (many of you know I developed and ran the largest State government Y2K project in the nation, Gov. Jeb Bush's statewide Y2K preparedness and awareness effort).

So this morning, as I scanned Crawford Kilian's Blogsite http://crofsblogs.typepad.com/h5n1/ , I was directed to an IT story that, quite frankly, doesn't surprise me at all.  Today's Computerworld blog title pretty much sums it up:

Pandemic disaster planning: We give ourselves a grade of C-minus, and that's generous.

The blog can be found at http://www.computerworld.com/blogs/node/6214 , and it should concern everyone who reads it.  Disaster recovery firm Sungard underwrote the cost of the survey of IT leaders, which was conducted by IDG Research and is published by CIO and CSO (that's Chief Security Officer) magazines.  Sungard is taking a strong interest in pandemic planning, if for no other reason than they understand that data centers may fail for lack of trained personnel, and frustrated executives may reluctantly order the implementation of an organization's IT disaster recovery plan just to keep the ol' mainframes and server clusters hummin'.  I recently sat through such a Sungard presentation and it was quite refreshing to hear someone other than me talk about IT failures during pandemics.

OK, the short form is that most business and government CIOs are aware of the threat of avian flu, but their own pandemic planning efforts  -- and those of their bosses -- are woefully lacking.  Nothing new there:  We all know pandemic planning lags far behind other disasters. 

My latest Powerpoint presentation (which can be found and downloaded at http://bpr.state.fl.us/pandemic/ is titled The First Pandemic of the Information Age deliberately, and with good reason.  We have never had a pandemic in the 21st Century, and we dodged a huge bullet with SARS (and its extremely scary 10% Case Fatality Rate).  We have no idea how IT will operate in the wake of 20%+ absenteeism and in the era of the Just-in-time economy.  But we all know that no entity can operate without IT.  It might as well try to conduct its operations by gaslight.  IT is the fuel that drives the modern economy, the modern government, the modern everything.  That is one major reason I strongly advocate government data center people being classified as "second responders" for purposes of antivirals.  Without IT, governments will lose their ability to effectively serve their citizens within 24 hours.  That is because in a pandemic, after medical help, citizens will demand sustenance.  The assistance will come in the form of checks, drafts, and warrants, usually via direct deposit.  The era of people with green eyeshades, writing checks manually, does not exist anymore.  And to move that money requires data centers, with mainframes and server clusters working overtime to produce the ones and zeros necessary to convert digital cash into real cash. Try to do THAT in the midst of a major pandemic.

Katrina showed us what happens when government cannot complete its most essential tasks in the most urgent time frame.  Imagine what will happen if/when governments fail to take care of their citizens' most basic needs.  Those needs include unemployment compensation; aid to families with dependant children; emergency food stamps (although whether or not there will be food to buy in a JIT-failed supply chain is debatable); and housing subsistence.  Without those direct deposits/swipe cards/ checks, people will invariably resort to other, more drastic measures to survive.

Which brings us to the source of the title of today's blog.  According to Computerworld and IDG,

Among those respondents with plans in place, most organizations plan to allow employees to work from home (76%) and/or will use their current business continuity/disaster recovery plans (72%), while 38% will geographically disperse their operation and personnel and 13% will outsource operations.

Has anyone bothered to ask Sungard or any of the Alphabet Soup Gang (IBM, KPMG, et al) if they have bought Tamiflu for their data center and network employees?  What is their strategy for a pandemic?  Just because they are selling pandemic services does not mean that they, too, will be ready.  So ask them! 

Here in sunny Florida, we constantly hear about taking an "All Hazards Approach" to disaster recovery planning.  It is preached to us day in and day out.  But until I am convinced otherwise, neither Florida, nor any other state with a similar mantra, is prepared for a pandemic.  The reason is simple: taking an "all hazards approach" should mean planning for a pandemic as the human equivalent of a 9.0 earthquake or a major terrorist attack or an ice storm of long duration or a Category 5 hurricane.  And unless the planning bookends a pandemic as the twin of the "other" Worst Case Scenario, the planning is fatally flawed.  Thinking you can manage a pandemic the same way you can manage a hurricane's aftermath is both arrogant and wrong. Pandemic planning and earthquake/hurricane/tornado/terrorist planning should be the twin bookends of disaster and business contunuity planning.  Pandemics should not be something you throw into the mix the same way you throw that extra piece of laundry into the washer. 

Yet that is exactly what people are doing when they say they will manage a pandemic using their existing DR plans.  Because they never planned for a pandemic in the first place, they think they can somehow try to look up "Supply chain failures" on Tab Three of their DR plan and have a solution.  Sadly mistaken, they will realize that plan called for massive reinforcements of goods and services from areas outside the affected zones.  There will be no mutual aid, no assistance pouring in from the outside world.  Government cannot stockpile what it needs, let alone what the population will need. 

Also, current disaster recovery and business continuity plans have an event horizon of a few days to a few weeks.  There is a conclusion to all these plans.  But with a pandemic, the event horizon will stretch for three months.  The event will not have a tidy conclusion; it will consist of sporadic, then massive influenza cases, coupled with equivalent sporadic-then-widespread supply chain failures, topped by failures in government's ability to cut checks and serve its people, capped with severe shortages of food and water. 

Gradually, as the first wave passes over the nation, people recover and go back to work, and slowly life returns to normal.  But unless all disaster recovery and business continuity plans embrace pandemic as the bookend of human suffering and hurricanes and earthquakes as the other bookend, the management of the event will fail.  The trucks full of ice will stop.  The trucks full of food and medical supplies will run out.  And patience with government as a relevant entity will also have run its final course. 

The appropriate question to ask governments and businesses is this:  "Have you embraced pandemic planning as the human equivalent of your hurricane, ice storm, terrorist and earthquake planning, with the same zeal and gusto and with the same allocation of resources, training and practice?"

If the answer is "No," or worse yet if you get no answer, then their plans will fail miserably. I guarantee it, sadly.