Disaster Recovery

How would your organization cope today – this very minute – in dealing with:

  • major property damage to your facility,
  • major property damage to a key customer’s or supplier’s facilities,
  • an emergency evacuation and immediate loss of use of your main or only facility,
  • a chemical release at or near your facility,
  • injuries or deaths from the use of your products,
  • a government ordered mandatory recall of your product,
  • a major incident involving the loss of a key customer
  • an airplane crash that was carrying several senior executives, or supplier,
  • workplace violence or
  • a major fraud investigation of your organization?
  • a terrorist attack,
  • a bomb threat,

Would chaos reign supreme? Would operations cease? Would communications be handled haphazardly with some staff contradicting others regarding internal communications or worse, in front of the public media and the world? Do you know what to do should your firm be the lead story on the six o’clock news? Would your firm’s stock price plummet? Would members of the Board Of Directors tender their resignations en masse? Would your employees be running around aimlessly because no one had informed them of what to do or where to go in such an emergency? Will the firm’s insurance programme “repair the damage” and indemnify the organization? How will the media represent your organization? How long will it be before your operations return to normal? Can your organization withstand the financial burden of such an event?

  • Will your organization survive?

    These questions are angled, painful and certainly not cheerful in nature, but behind them an eerie truth exists. Many readers would probably not be able to answer these pointed questions definitively or in a positive light, since their organizations do not have effective crisis management or disaster plans nor comprehensive enough insurance programmes.

    These major negative impact events occur more frequently than one might think. In recent years several organizations did not survive such an event. Others barely survived on a much reduced and restrained scale and still others worked exceptionally hard over several years to recover from an event.

    senior management and funded to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and recover plans and ensure continuity of services through personnel training, plan testing and maintenance.”

    While an essential and generally a critical component of any plan, the computer systems aspect is but one element in an overall Crisis Management and Disaster Recovery Plan. Unfortunately, many organizations confuse IT or EDP Recovery Plans with Crisis Management and Disaster Recovery Plans. A crisis is an event or set of circumstances that if left to proceed unrestrained on the current course will likely result in disaster. It commonly consists of the following features:

    • an event that upsets normal operations;
    • an occurrence requiring immediate action to restore
      normal operations;
    • temporary lack of control;
    • real or perceived threat of harm to employees, the public, or
      clients, to the firm’s real or personal property, public property,
      or the environment, to the organization’s reputation,
      finances, production, sales, or the industry as a whole.

    Rudin’s Law states that, “In crises that force people to choose alternate courses of action, most people will choose the worst one possible.”

    This may not, of course, always be true, but it indicates how crisis handling is perceived and managed by many people. The speed of business today is light speed – or at least the speed of your high-speed Internet connection. We have a global economy. Customer loyalty notwithstanding, cyberspace access, e-commerce and the necessity for survival would empower your customers to research, enquire, negotiate and replace your products or services in short order should they lose access to your corporation’s goods and services for more than an inconsequential amount of time. The loss of one of your organization’s key suppliers should also be examined. For example, a fire that occurred in a computer chip manufacturing plant in Japan a few years ago affected the supply and price of chips worldwide. A global economy means global exposures that can negatively impact an organization’s performance. Senior management compensation is routinely tied to corporate performance.
    Has your organization prepared to minimize the impact of a disaster on corporate performance?

    Rudolph W. Giuliani, the former mayor of New York City, and mayor on September 11, 2001 during and for 31⁄2 months after the World Trade Centre attack, has these five golden rules for success. Consider applying these when developing your organization’s Disaster Recovery Plan.

    1. Determine your personal philosophy.
      “Know what you personally believe in. Once you have defined your principles, you can communicate them to the outside and show others where you stand.”
      Corporate goals and objectives need to be established and communicated, especially during a crisis. What will the corporate position be during your organization’s next crisis?
    2. Be courageous.
      “Being courageous, however, does not mean being fearless. We should recognize risks and move ahead in spite of them.”
      This means that during a crisis, some difficult, painful and costly decisions may have to be made. Do you order a product recall, cease product manufacturing and shipping thus eliminating your income, admit mistakes were made or borrow large sums of money for rebuilding efforts?
    3. Prepare yourself as well as you can.
      “We can never prepare ourselves for catastrophes. Before September 11, an attack on the World Trade Center was inconceivable. But, in the seven years and nine months I was in office, I and my senior staff practiced for emergencies twelve times. We simulated airplane crashes and atom bomb and gas attacks. This preparation helped us in the days after the tragedy of the World Trade Center. So what many people thought was an instinctive reaction had actually been prepared in detail long before.”
    4. Put together a good team.
      “First, analyse your strengths and weaknesses.” Mayor Giuliani hired experts in their field and subsequently, “On September 11th, I knew I had a strong team, which gave me tremendous confidence.”
      Organizations need to find the experts wherever they may be, from the executive suite to front line operations to the mailroom to outside consultants and suppliers – even competitors.
    5. Communicate honestly.
      “Be honest. Have the courage to call things by their names and speak without being afraid that your words won’t be perfect. No matter how difficult the situation, always be optimistic.” death, or sudden staff changes. The plan should ensure that lines of succession for key management positions are established to ensure continuous leadership and authority for actions and decisions during crisis or disaster conditions.
      A formal Chain of Command must exist for the organization, just as there is for federal governments. This Chain of Command must be established, recorded and publicized within the organization if it is going to be effective during a disaster.
  • The Crisis Team

    Potential candidates for a corporate crisis management team should include the high-level managerial positions such as the president, executive vice-president, vice-president of operations, vicepresident of human resources, vice-president risk and insurance, chief risk officer, vice-president of finance or CFO, vice-president marketing/communications, vice-president manufacturing, the corporate counsel and at least one senior front-line manager. The recommended number of members on the team should be kept to between five and eight.

    Several respected insurance and risk management industry spokespersons have recently been proponents of the concept that large organizations require a Chief Risk Officer which would combine the duties of a V.P. Risk Management or Risk Manager in addition to the responsibilities of security, health and safety and business continuity planning. This position should be ranked accordingly on the corporate hierarchy and report directly to the highest levels – EVP, COO or CEO. This view has been gaining momentum since 9-11. Smaller organizations may have this role performed by the EVP, COO or CEO themselves.

    The actual planning by the crisis management team should be performed under stressful conditions, otherwise it may not be known how these candidates might react in a real crisis.

  • Resource Management:

    Another important subject that the crisis management team will have to confront is resource management. All firms possess resources in various forms: financial, personnel, real estate, stock, data and equipment. These resources must be protected from harm (if they are threatened) and also allocated in order to alleviate the crisis or initiate recovery procedures. Since resources will almost certainly be strained and at a premium during the course of a crisis, proper allocation is critical. Surviving resources may be overtaxed and other resources will require replacement after many disasters. Preplanning for resource allocation or replacement could make the difference between survival or demise.

  • Translating Words into Action

    Many businesses use a Business Impact Analysis (BIA) to determine what staffing and physical resources are required to maintain a necessary level of performance for functional units or areas within an organization. This BIA can also assist to determine the impact on the organization’s overall performance without that particular function for short or longer-term stoppages.

    Each location, depending on jurisdiction, will be subject to different exposures, and as such will require a specialized disaster plan. Local authorities, police, hospitals, airports, media and local contractors will all need to be identified and should be kept informed during a disaster, especially when their respective services are required.

    Unfortunately, even with some advance planning, not all disasters can be managed without error. Previously unforeseen events can occur that destroy any chance the organization might have – such as the entire loss of the only facility with the loss of the entire executive and/or Crisis Team.

    Other areas that Disaster Recovery Plans must consider are:

    • vital records back-up,
    • contingency plans for internal and external influences such as
      failed equipment replacement and interruption of utilities,
    • setting up a command centre,
    • emergency services,
    • required services for disaster recovery, and
    • up-to-date contact lists of personnel including other building occupants that you may be responsible for, which can be distributed to the necessary public authorities.

    Simulations and rehearsals are an essential element to ensure that a disaster plan works smoothly during an actual crisis, and they serve to indicate possible rough spots in the strategy that might require further attention.

    Practice drills should be conducted at least annually, under as realistic disaster conditions as possible, in tandem with a review of the Crisis Team members’ performance. For site disaster simulations, the strategy should be distributed to all site managers, supervisors and tenant representatives at each site, as well as to outside customers and suppliers, the fire department, police and ambulance services.

    The emerging study and application of Disaster and Emergency Planning has progressed rapidly during the past decade and has proceeded almost exponentially since September 11, 2001.

    Astute management teams have begun to allocate significant resources to this once ignored area. They have also developed plans that deal with risks other than computer systems. Stakeholders expect and deserve no less.

    A discussion on Disaster Planning would not be complete without an examination of one of the key risk management tools of risk transfer. The most common form of risk transfer for a corporation is usually insurance. A complete, comprehensive corporate insurance programme can provide an essential element of disaster recovery through the proceeds of claims made on insured losses