Disaster Recovery in Hospitality...
The Risks in Computerization and Information Management
by Christian E. Hempell and Nicole R. Wendland (Spring, 1999)

Hotel managers awakened in the early morning hours to news of an earthquake, fire or explosion are unlikely to think first of saving the hotel's AS400 information system or retrieving computer data tapes from off-site locations. Evacuating guests and employees is paramount. Disaster plans put people first. Nevertheless, loss of a property's information technology (IT) functions can plunge any company into operational disarray, triggering revenue losses and negative publicity that may take years to overcome. Technology systems rendered inoperable in one location can ripple through an entire hotel organization, forcing the company to fall back on manual operations. Reservations, property management and communications systems must be quickly replaced and guest data recovered to avoid major losses.

A case in point involved the bombing of New York's World Trade Center in 1993. The terrorist act inflicted physical damage to a large area of downtown Manhattan, including an adjacent hotel. Although the hotel was evacuated in less than fifteen minutes with no fatalities, the telephone and computer system was damaged. The hotel could not account for guests and employees. Communications failures prevented management from communicating with emergency services. The loss of heat could have caused further damage to existing systems from the bursting of frozen water pipes. The hotel's experience points to one of the key elements in a technology disaster recovery plan - maintaining critical operational and financial data at an off-site storage facility. Following a disaster, off-site facilities that maintain reservation and accounting information would be available immediately for retrieval of in-house guest records, financial documents, guest history and sales information, minimizing a disaster's effect on a hotel's data and information.

Prompted by insurance companies or experience, most companies have addressed the need for a disaster recovery plan (DRP), if not put one in place. Few, however, create and maintain written plans on IT disaster recovery. In a survey conducted by Comdisco, Inc., one of the largest disaster recovery companies, it was estimated that only 45 percent of companies maintain a formal plan in the event of computer disruption. The survey addressed the level of corporate readiness for disaster recovery, concluding that only 12 percent of enterprises have an effective disaster recovery plan. Another 6 percent were partially prepared. Fully 82 percent of companies were ineffectively prepared for a technology disaster. The survey measured: 1) data centers, 2) local area networks, and 3) enterprise wide area networks. While the survey itself was cross-industry, hospitality companies rely heavily on all three of the technology components measured. A disaster recovery plan specifically addressing technology is essential to any hotel's risk management programs.

Threats to Technology Systems

One of the most destructive events for hospitality companies occurred in September 1992 as Hurricane Iniki unleashed winds up to 200 miles per hour on the Island of Kauai, Hawaii. The damage amounted to $1.6 billion and resulted in 85 percent of the island's hotel rooms shutting down for at least two months. With 30-foot waves and complete power outages, all hotel technology systems on the island were lost. Particularly in areas with potential for destructive weather, the need for disaster recovery and off-site back up systems cannot be overstated. Hotel properties without technology disaster recovery plans may be closed for much longer periods of time than other companies.

Of the 320 technology recoveries supported by Comdisco since 1985, hardware failure was the largest cause at 24 percent, followed by hurricanes and power outages at 16 percent each, and floods accounting for another 15 percent. The seeds of major technology failures may occur within the systems themselves. One of the largest providers of global distribution of airline and hotel reservations experienced an outage in mid-1998 due to a software error, resulting in the complete cessation of new reservations bookings for more than five hours. An outage on a system that processes an hourly average of 45,000 airline and hotel reservations can cause major service disruptions and customer dissatisfaction. Even a supplier with a system that is 99.9 percent reliable must expect and plan for a system failure. Senior management may be unaware of the need to maintain detailed back-up plans for systems and data. Only a
select few in the if department may consider systems recovery as a primary function in the event of a disaster.

Disaster Categories
320 Recoveries Supported
Hardware Problems 24%
Power Outage 16%
Hurricane 16%
Flood 15%
Miscellaneous 12%
Fire / Explosion 7%
Bomb 5%
Earthquake 5%
Source: Comdisco

Almost all hospitality companies have one main database for reservations and guest history. Both are at risk if a disaster occurs. In addition, the industry's reliance on technology and communication creates several less traditional risks. The global distribution system, the importance of customer data, productivity heavily reliant on terminals and information, and the long-term effect on loyalty of a single negative experience, are additional risks particularly present in the hospitality industry. In addition, companies are racing to build information about customer and spending patterns, investing millions of dollars in systems to institutionalize this knowledge. Loss of these systems and databases is analogous to organizational memory' loss. While rebuilding physical property may take several years, guest loyalty and behavioral history' may often require more time and money.

Creating a Disaster Recovery Plan

Clearly, the development of a technology disaster recovery' plan is an essential part of any company/s risk management program. Its development and documentation at a minimum will require the following steps:

Take an Inventory - Include items critical to the business, including the reservation system, database and the systems that support it. Telecommunications (dial-up lines, frame relay, dedicated lines and the Internet) can be included as support systems.

Assess Unavailability - Assess what will occur if critical systems are absent over specific periods of time. Ask key questions for each system. What foreseeable impact exists if accounting functionality is down, for example, or the property management system applications are non-responsive? Determine the maximum amount of downtime for these critical items before there will be a significant impact on the business.

Identify Alternatives - Identify disaster recovery alternatives for critical functions. Hospitality companies might decide that a "hot site" is a reasonable alternative with the loss of a reservation system. A hot site is a computer and data processing center with computers in place and waiting to be used by a company experiencing a disaster. Most hot sites are permanent facilities where the company can recreate its computing environment. 

Determine Alternative Requirements - Identify what is needed for an alternative to be implemented. Minimum requirements may involve telecommunications with certain bandwidths or dial-up lines. A specified level of power redundancy may be required for servers. Agreements with hardware vendors or vendors who provide disaster recovery sites may also be an option.

Identify Costs - Gain an understanding of the total cost for each alternative. Examples of common costs include arranging hardware agreements with vendors or the cost of having a disaster recovery site available for use. Installation fees, purchase of redundant telecommunications, and the purchase of upgrading telecommunications (i.e., increasing bandwidth) are other common costs. Some hospitality companies may have additional costs relating to reservation system development time as a minimum alternative requirement. 

Estimate the Recovery Period  - Estimate the amount of time until the critical systems become available. Each alternative should have a specified recovery period. 

Define the Limitations - Determine the limitations of each system back-up or alternative, including vendor agreements or hot sites. The plan needs to address questions of hardware replacement, especially if it is rare, discontinued, or a lag time exists between the purchase order and its delivery. The cost of an alternative or the length of time until availability may also be limitations. 

Determine the Benefits - Weigh the benefits of each alternative. Use the benefits of a faster recovery in the event of a disaster as a competitive advantage.

Test the Plan Annually - Document the test and test results as a best practice to provide a record of any problems encountered and their resolution.

IT Training in Disaster Recovery - Provide proper training of IT personnel for implementation of the disaster recovery plan.

When a disaster or hardware failure does occur, planning rigor will make all the difference in the speed of recovery. A completed disaster recovery plan for technology systems allows companies to realize large returns on a relatively small investment - minimizing what may otherwise be an unnecessary and costly outcome of disasters.

(Christian E. Hempell is a Senior Consultant in the firm's Hospitality and Leisure Services Group, with a focus on hospitality technology and related strategy. Nicole R. Wendland is a Senior Consultant in the Computer Risk Managernent practice, with a focus on information system audits and disaster recovery reviews. They are based in Arthur Andersen's Los Angeles office.)

©Arthur Andersen 

Also See
The Battle for Electronic Shelf Space on the Global Distribution Network / Arthur Andersen / Summer 1998 
Managing Fraud and Integrity Risk… Best Practices Offer Key / Arthur Andersen / Spring 1999
Back to Arthur Andersen Article Index
Search Hotel Online

Home| Welcome!| Hospitality News| Classifieds|
Catalogs & Pricing| Viewpoint Forum| Ideas/Trends
Please contact Hotel.Online with your comments and suggestions.