Schneier on pandemic planning: Why bother?

July 17, 2007 12:02 PM EDT
Security expert Bruce Schneier has special advice for businesses thinking about pandemic planning: Don’t bother.

In a Computerworld story this week, Schneier, chief technology officer at BT Counterpane in Mountain View, Calif., stated that if a pandemic hits, the scope of the disaster would be so large that contingency planning by businesses would be useless. The comments were made in the context of a Computerworld story that focused on the results of a study from Ipsos showing that while the risk of pandemic remains, public concern has faded.

Schneier is using what I would call the nuclear war argument for doing nothing. If there’s a nuclear war nothing will be left anyway, so why waste your time stockpiling food or building fallout shelters? It's entirely out of your control. It's someone else's responsibility. Don't worry about it.

I’m not sure a pandemic really falls into the same category. Yes, a global outbreak of bird flu could be catastrophic. Yes, the government would need to spearhead a national response. And anyone reading the scary scenarios set out by public health expert Dr. Michael T. Osterholm in this interview might feel overwhelmed. But a pandemic is likely to play itself out in such a way that companies that prepare come out ahead – and possibly ensure their own survival.

Doing something is better than doing nothing.

Health experts have stated that during a pandemic as much as 40% of the workforce could be out for a period of weeks at a time (for an in-depth look at the issues, see my story, Heads in the Sand: IT isn’t ready for the Bird Flu). That's exactly the problem with planning at the individual business level, says Schneier. “If everyone loses 40% of their workforce it’s a different economy. The world is different. You cannot prepare for the world is different and you’re wasting your time if you try,” Schneier said. Such planning can only be done by governments, not businesses, he says. “That kind of world altering disaster you can’t prepare for and you shouldn’t.”

That said, Schneier isn’t even optimistic that government will be up to the job. “If you’re a politician and you spend money on preparation and nothing happens you’ve wasted your money. As a politician you are much more savvy doing something after the fact.” But that doesn’t mean corporations can step in. “There’s a lot of stuff in play here. But corporations simply can’t deal with the threat. It’s not their threat,” he says.

Not so, counters Michael Rasmussen, an analyst with Forrester Research Inc., who covers governance, risk and compliance research. “There are a lot of things I would agree with Bruce on – this is NOT one of them,” he says. He wouldn’t rely on government to do all the planning either, but he thinks there’s plenty that business can do to prepare. “We see many of our clients preparing for a pandemic, as much because they recognize the threat of a disruption caused by absenteeism from any source, not just disease. To that extent, concern about a pandemic has awoken the corporate community to the more generalized risk of people-impacting events that can disrupt business operations.”

A pandemic is likely to occur in waves and affect different regions at different times. At any given time one facility may be in the middle of an outbreak, another may be recovering while a third could be unaffected. Good planning can help businesses adjust resources as needed. Furthermore, no one knows what a pandemic will look like. It doesn’t have to be a doomsday scenario. What if just 10% of employees are out during a pandemic? You still need a plan.

The biggest problem with many existing disaster plans is that they are good at responding to structural disasters but not very good at the extended “labor strike” scenario, where a significant percentage of employees suddenly can’t - or won’t - show up for work. “We see many of our clients preparing for a pandemic, as much because they recognize the threat of a disruption caused by absenteeism from any source, not just disease,” says Steven J. Ross, Firm Director at Audit and Enterprise Risk Services/Security & Privacy Services at Deloitte & Touche.

As an aside, I asked Ross about this week's story. He disagreed with the premise of this week’s story that interest in planning for a bird flu outbreak is waning.

While that may be true with the general public, as reflected in the Ipsos poll cited in our story, he says Deloitte’s own survey of enterprises shows that many corporations are in fact paying attention. “The research performed by the Deloitte Center for Health Solutions shows the opposite result: There is a greater understanding of the risk of a pandemic currently (as of the end of 2006) than the year before and a considerably greater number of companies have developed plans for dealing with one.”

But even assuming the worst-case scenario, Rasmussen thinks businesses with a plan will come out ahead. “To not prepare means the organization shuts down and the organization really resembles anarchy. Even if society should be in a state of anarchy itself and government is the sole respondent there needs to be plans in place for bringing the business back as society stabilizes.”

How would Schneier, a risk management expert, respond to all of this? Perhaps pandemic planning would be a good subject to revisit in his blog.