Use a Safety Net

When more than 150 federal information technology decision-makers were asked by Forrester Research Inc. to select their top tech-related themes for 2007, upgrading disaster recovery capabilities ranked the highest. More than 60 percent said it was their most pressing priority, followed by mobility initiatives and upgrading security.

Perhaps the reason is a little thing called Homeland Security Presidential Directive 20-an order circulated last year by President Bush that calls for a comprehensive national policy on the stability of government structures and operations. A mandate for continuity of operations planning, or COOP, followed a string of related regulations aimed at helping agencies bounce back quickly after a terrorist attack, tornado, fire or flood.

HSPD-20 lays out a number of continuity requirements for departments and agencies, including the assurance that vital resources, facilities and records are safeguarded and official access to them is provided. Critical communications capabilities must be made available at alternate sites to ensure connectivity among key government leaders, offices and the public.

To gauge COOP effectiveness, the Government Accountability Office examined eight agencies that took part in a wide-ranging June 2006 exercise that let them put their preparedness plans to work. At the request of House Oversight and Government Reform ranking member Rep. Tom Davis, R-Va., the watchdog agency analyzed materials and conducted interviews and found that planning efforts were lacking.

The Federal Emergency Management Agency, the Homeland Security Department arm responsible for helping agencies develop COOP plans, should have done more, according to GAO's report (GAO-08-185). While FEMA encouraged documentation, it failed to require participating agencies to report their activities during the exercise. Without adequate records of what has been tested, agencies lack assurance that they have prepared for a real emergency situation, GAO says. DHS agreed with the report and promised to refine its assessment program.

Heightened adoption of telework practices could be part of a winning COOP plan, and pending legislation could give agencies the incentive. The bill, sponsored by Rep. Danny K. Davis, D-Ill., would allow authorized federal employees to telework at least 20 percent of the time during a two-week period. The proposal, which awaits action by the Oversight and Government Reform Committee, preceded an Office of Personnel Management report released in December 2007 that showed telework numbers are down.

According to the study, 110,592 employees telecommuted and more than half did so multiple times per week. While telework increased at more than half the 49 agencies studied, about 10,000 fewer workers telecommuted at least one day per month in 2006 than in 2005. The number of agencies that integrated telework into emergency planning grew to 42 percent from 35 percent in 2005.

A March report by IT solutions provider CDW-G showed federal employees' ability to work remotely during a natural or man-made disaster has declined, with 59 percent of workers indicating they could telework during a disruption, down from 75 percent in 2007. In the private sector, continuity of operations capability increased but still trails government. About 46 percent of respondents said they could work during a disruption, up from 33 percent in 2007. The value of telework to continuity of operations is clear, CDW-G's report stated. More than half of federal employees who can continue working during a disruption indicated that they are eligible to telework. In the private sector, the benefit is even more dramatic, with more than 70 percent reporting that their company has a telework program.

"Continuity of operations alone could justify the investment, and improved employee satisfaction is icing on that cake," says Ken Grimsley, CDW-G's vice president of strategic sales. "Still, many businesses remain unprepared for recovery from disruptions or are failing to take advantage of affordable, advanced security technologies that are justifiable even without telework. We have a long way to go."

A sample continuity and disaster preparedness plan is posted on Homeland Security's Web site, Ready.gov. Some pointers:

• If your primary location is not accessible, determine where you'll be working.
• Assign a primary crisis manager and a backup if that person is unavailable.
• Determine what natural and man-made disasters could affect business.
• Make a list of those who will participate in emergency/crisis planning.
• Select several people from neighboring offices to assist in emergency/crisis planning.
• Create a list of critical operations, staff and procedures for recovering from a disaster.

Ready.gov also recommends drafting an evacuation plan that details how many times a year the procedures and warning systems are tested and where to go if leaving the workplace is required. Also, designate a shutdown manager and an all-clear official to let people know when it is safe to return. When it comes to protecting networks and infrastructure, determine how you will protect hardware and software, Ready.gov says. Formulate a plan in the event that computers are destroyed, detailing the location of backup computers and how they would be accessed. Make someone responsible for backing up critical data, including payroll and accounting records, as well as copies of the preparedness plan, site maps and insurance policies.

Andrew Noyes is a reporter for National Journal's CongressDaily.