Super Storms and ITAM – Lessons Learned from Hurricane Sandy

By Frank Venezia & Steffani Lomax, Siwel Consulting

ITAK V8 I3

In the aftermath of Hurricane Sandy, the largest Atlantic hurricane on record, countless metro New York area businesses were severely affected.  Some companies lost valuable equipment and deployed software, while others experienced severe data center interruptions.

Recovering from a natural disaster such as Sandy is a time-consuming and costly endeavor.  In a situation like this, having a solid IT Asset Management (ITAM) process can make a tremendous difference in an organization’s ability to quickly identify its IT assets and maximize the options available to repair or replace them.  The organization that is well-prepared will save itself significant time and money.

In this article, we will walk through some of the basic steps necessary to recover from a devastating event like Hurricane Sandy by comparing and contrasting two companies – one with a mature ITAM program (Company A) and the other with an incomplete or poorly implemented process (Company B).

1:  Which IT assets have been affected?

The first step in disaster recovery is to determine what has been affected in the technology environment.

Let’s compare and contrast the conditions of Company A and Company B.

With mature ITAM processes and tools in place, Company A identifies the specific locations impacted and searches the ITAM repository for a report of all IT assets – both hardware and software – at each location.  Company A is able to generate this information quickly.

With minimal or no ITAM processes and tools in place, Company B identifies the specific locations affected but must then manually check emails, spreadsheets and databases for any information that may indicate what hardware and software was deployed in these environments.  The result is an incomplete and potentially inaccurate report that takes significant time and effort to consolidate.

2:  What are the contract terms, conditions and warranties for the affected IT assets?

The next step in the recovery process is to understand the contract terms, conditions and warranties for all IT assets that were affected by the disaster.

Due to their solid ITAM processes, Company A knows exactly which IT assets were affected and searches the ITAM repository for hardware purchase orders, contracts, warranties and software licenses installed on the compromised hardware.  Company A can quickly pinpoint key terms, conditions and warranties applicable for the devices in question.

In contrast, Company B is able to identify a partial list of possibly affected IT assets and proceeds to search emails, spreadsheets and databases for any purchase or contract information describing deployed hardware and software.  In the end, Company B can identify only a partial list of the suppliers they need to work with, supported by only a few snippets of contract and warranty information.

3:  How are the hardware and software replaced?

Now that the suppliers and associated contracts have been pinpointed, it’s time to work with insurance companies and vendors to replace or update the IT assets that were affected by the disaster.

Company A provides insurers and suppliers with all of the required information confirming damaged hardware as well as software licenses that need to be harvested.  They notify their internal finance department and update contracts and the ITAM repository with information on the new equipment.  Company A acquires replacement equipment, making hardware purchases only where necessary with minimal deployments of new software.

Company B works with insurers and suppliers on replacement hardware and software; however, because they lack the information to validate their losses, more new equipment and software downloads are required.  Funding must be approved before the requisitions can be issued.

In this situation, Company B is forced to rely on supplier records for accurate inventory status, and replacement equipment is not available until manual verification of lost assets takes place.  Company B can only harvest software licenses that can be verified as installed, so additional licenses will need to be deployed off the existing contracts.  If additional licenses are not available per the terms of the contract, Company B will need to procure new software, probably at a higher cost.

4:  What is the time to recover and re-deploy the IT assets?

There is a huge difference in time to recover and re-establish IT assets to pre-storm levels for the organization with the mature versus the ad hoc ITAM program.

For example, Company A identifies ITAM assets in a few hours and purchase records and contracts in a few days, and orders replacement equipment within a few weeks.  As a result of the centralized repositories for assets, contracts and purchasing records, information is verified as complete and accurate within hours.  Reviewing information to determine appropriate terms and conditions takes a few days.  Notifying vendors and insurers with final details and then proceeding to order and obtain replacement equipment takes just a few weeks because the data is complete and easily verified.

Once again, Company B struggles along at a snail’s pace due to the manual effort and lack of process.  They identify ITAM assets, purchasing records and contracts in a few weeks and ultimately order replacement equipment within a few months.  With no single centralized source of truth, all IT assets must be verified manually and the list may be inaccurate in the end.  Contract and purchasing information is typically scattered and incomplete.  Reviewing information to determine appropriate terms and conditions for the assets may take a few weeks as suppliers may need to assist with gathering and consolidating information.  Additionally, suppliers and insurers may challenge replacement requests, thus extending the process for months.

5:  What is the cost to recover and re-deploy IT assets?

The cost to replace IT assets and re-establish the affected environments will vary significantly depending on the reliability of the ITAM processes.  An unreliable or non-existent ITAM program can often result in an additional significant unbudgeted expense.

Company A replaces hardware assets subject to a proven warranty, with minimal additional expenditure.  Accurate deployment records enable harvesting of software licenses, subject to terms and conditions, with minimal additional costs.  As described earlier, internal resources are able to verify and process data within a short timeframe.

On the other hand, Company B struggles to verify all warranty information in a reasonable timeframe, which may result in additional expenditures.  Due to the inability to verify current license deployments, the firm may be forced to burn down software from the current contracts or issue new purchase orders.  The company must dedicate internal resources to this task for weeks, or even months.

It is likely that Company B will overspend due to incomplete or unavailable documentation and data.  The inability to locate all software licenses on its own results in a large unbudgeted expense – even before accounting for hardware losses, warranties, the incremental time and effort that must be invested in this task, as well as other expenses.  Here’s an example:

Let’s assume Company A and Company B have $20 million each in software license inventory before the disaster.  Company A is able to account for all its pre-disaster licenses by accessing information from its ITAM repository.  Conversely, after weeks of digging and piecing together information from disparate sources, Company B is only able to account for 50%, or $10 million in licenses.  Company B enlists the assistance of their software vendors, who use their records to identify another $2 million in licenses, and offer another $1 million in discounts.  The result is still a $3 million unbudgeted expense compared to Company A, who simply harvested the pre-disaster licenses.

6:  How does the disaster impact future supplier audits?

The aftermath of a natural disaster is likely to prompt audits from suppliers who wish to ensure that their end users are in compliance.

Company A is able to readily provide confirmation of compliance to their suppliers because they are able to generate accurate deployment information quickly.  The risk of an audit is minimized when the supplier is confident that their customer has solid controls in place for tracking and managing their IT assets.

When Company B produces only partial documentation and IT asset information, this raises a red flag for suppliers and can often trigger an audit.

In reviewing the scenarios of Company A and Company B, which organization resembles yours?  If you are Company B, what can you do to build and improve your ITAM program?  Is the effort mostly manual?  Do you have process and tools in place?  Is there internal staff available to support the effort?  Is there an executive sponsor and funding for the ITAM program?

If you lack in-house expertise to build your program, seek third-party ITAM experts who can help you with the transformation from Company B to Company A.  You can save your organization tens of thousands or perhaps millions of dollars in unnecessary costs as well as months of recovery time, and ultimately have a positive impact on your firm’s financial bottom line.

About Frank Venezia

Frank Venezia is the VP of Siwel Consulting, Inc.