We continue to fight through a brutal economy with a highly paid search marketingpaid search marketing, fears of a double-dip recession and constant political gridlock. The northeast has just experienced a very unexpected but powerful earthquake and a devastating hurricane with massive flooding and property damage. Add to that, we are facing the 10th anniversary of 9/11 with renewed threats of a terrorist attack.
It occurs to me that it’s a good time to step back and take stock as to whether your business is prepared to handle a disaster. Many businesses do not recover from disasters and many of the devastating losses and related business failures could have been avoided with better planning. Some disasters may be anticipated such as those that are weather-related. You can track the forecasts and prepare to some degree. Many disasters are completely unexpected. So, it is critical to the future health of your business to be ready if the unexpected happens.
If your office were not accessible due to a natural disaster, would you and your staff know what to do to keep the business going? If your computer system crashed today, do you know how recover the data to get your business up and running again and how long it would take, and the cost to your business? If you lost a key employee unexpectedly, do you have a person ready to take over those key duties?
It’s a tough sell in this economy to ask business owners to spend money to protect against events that may never happen. Yet, the consequences of not having disaster preparedness can be fatal. I recall an incident that occurred years ago when I was working in Hong Kong for an international bank. We were pushing the need for contingency planning with the head of a major business unit in Australia. They ran large securities trading business and their trading desks (and extensive computer equipment) were located directly above a floor with higher than normal risk of fire. We were not able to convince local management of the need for disaster recovery planning. He felt that it was a waste of money.
The head of that business unit was visiting our headquarters in New York and was staying in a hotel a few blocks from the main office. On his way to the office one morning, he was unable to get through the police and fire barricades blocking the surrounding streets. As it happened, a building was on fire up ahead and he couldn’t get to the office. He soon found out that the building on fire was our headquarters and a substantial amount of assets and information were destroyed (fortunately, no one was injured!). The business head returned to Australia, having been converted into a disaster recovery believer, and made contingency planning a priority.
The obvious lesson to be learned is to not wait for a disaster to happen before taking action to protect your business. Rather, it is necessary to prepare for all reasonably possible contingencies and put in place the necessary steps to enable quick recovery so that your business can return to normal as quickly as possible and at as minimal a cost as possible.
Provided below is an overview of key issues to consider in planning for, and protecting against, disasters that may occur. You should have more extensive discussions with your outside advisors and technology professionals to develop and implement contingency plans tailored for your organization.
People often describe contingency or disaster recovery planning in two ways and they mean different things. Many use the phrase “disaster recovery” to refer to a disaster involving the failure of technology systems (PCs, servers, computer networks). You may also hear the phrase, “contingency planning” or “business contingency (or continuity) planning”. These phrases refer to the plans associated with the effect of a disaster on the business in general, beyond just the technology systems. For example, this may include the inability to access your office due to a natural disaster, and it may also include protecting your employees from security threats.
Ideally, a business should have a broad contingency plan that considers all aspects of the business, its operations, and it’s people and key assets. The technology systems should be considered as a key component of that plan. Every business contingency plan should be documented and periodically updated. At a minimum, the contingency plan should include the following:
Designated Business Contingency Officer
The company should designate a person to be responsible for developing a written plan (including obtaining the involvement of key department heads) for keeping the plan updated, and for ensuring that the implementation of the plan is effective.
The plan should include the names of key individuals and the specific tasks they are responsible for once the plan is put in motion during a disaster. The plan should indicate the people to call and in what order to inform them as to the events taking place. The plan should also indicate where each person should go and what action they should take when they get there. Consideration should be given to arranging for back-up office space with appropriate levels of technology to be available so that key aspects of the business can continue to operate.
The plan should include how and where key company documents are backed-up and maintained. The use of optical imaging and offsite storage facilities should be considered. In addition, the location of off-site storage facilities needs to be considered. The facility needs to be far enough away that it is not subject to the same area if an earthquake or natural disaster occurred, but it needs to be accessible when needed.
A comprehensive review of insurance policy coverage should be undertaken, identifying key locations, nature and extent of insurance coverage, and related deductibles, if any. Most companies have workers compensation, general liability and excess umbrella coverage. But, do you also have an appropriate amount of business interruption insurance and does it provide the coverage needed in a natural disaster.
It is important to know what is included and excluded in the event an insurance claim needs to be filed. How many times have we experienced rejected claims when we need the coverage the most? Have an independent insurance consultant review the adequacy of coverage and determine gaps in coverage and the risks and related costs of such gaps. By the same token, determine where excess coverage is in place that can be reduced so the costs of insurance may be reallocated to other insurable risks.
The plan should consider steps to protect assets in various geographic locations, particularly overseas “hot-spots” as well as factoring in the safety of employees travelling overseas. Consideration should be given to travel announcements from the government that cover travel restrictions to various overseas locations. Some companies put restrictions on how many employees may travel on the same flight to reduce the risk of losing key employees in an accident.
Technology Systems – Disaster Recovery
There are many critical steps in preparing for and protecting against a disaster in the technology area. Systems may crash at any time for any number of reasons. If your system crashed right now and key information was lost, or if the system failure prevented your employees from doing their jobs, the adverse affect on your business, cash, customer relationships and reputation could be devastating.
Whether you have a Chief Information Officer or outsource your technology service provider as many small businesses do, the following should be performed at a minimum.
An inventory of all technology hardware and software should be in place and kept current. A determination should be made as to what hardware and software should be redundant and be available for the offsite back-up site referred to above.
A “criticality” chart should be developed that shows the systems, programs, and computer files that are most critical down to those that are least. The chart should show the systems that need to get up and running immediately and those that can get back up later. The amount of time required for each system or program to be restored should also be estimated and any significant differences should be addressed to minimize the gaps.
A schedule showing how and when each system, program, or computer file is normally backed up should be included. Offsite back-up must be maintained and the plan should indicate the off-site storage procedures. Consideration should be given to moving key systems to the “clouds” where practical.
System redundancy both on-site and off-site should be considered and addressed. Cost considerations need to be factored into the plan, and the key is to address the total cost of a loss versus the cost of the disaster recovery plan. Again, remember that the total cost of a loss includes not just the cash-related cost of the loss today, but the future loss of business from damage to your reputation and relationships, not to mention that some businesses may not recover timely or at all without an effective plan in place.
Testing – Is the Plan Effective?
You may develop a great plan but if it doesn’t work effectively when needed, it’s as good as not having a plan at all. Obvious, right? But then, again, we’ve all seen fire drills that are not taken seriously or staff not working because the computer systems are down. You can build the best controls to protect your business but how do you know they will be effective when needed?
You have to test the plans to make sure they work. But I’m not just talking about walk-throughs that are well planned and the staff knows are scheduled. Those are necessary for sure, but that is not going to ensure that in a crisis, when people are panicking, that your business and key assets will be protected and losses are minimized.
Best practices of the most successful companies include testing contingency plans via simulated emergencies on a surprise basis. It is understood that there is some cost associated with this, but it is important for every employee to know what to do in an emergency, where to go, and the next steps, particularly when stress and fear is high. Some panic may be inevitable in a disaster (we all have the images of 9/11 forever ingrained in our memories) but effective contingency plans will in most cases ensure that the risk of loss in a disaster is reduced and also ensures the continuation of your business.
* * * * * * *
I have highlighted some of the key points to consider in developing contingency plans to protect your business in a disaster. Some of these are relevant to your personal residences as well, particularly for small business owners that work from home. Your Chief Financial Officer, Chief Technology Officer, and Insurance Professionals should participate with you in ensuring that you are best protected should a disaster occur. We at CFO Strategies LLC have the experience to work with you to help build and maintain that protection. Please contact me at firstname.lastname@example.org to discuss your particular circumstances and help ensure that your business survives the unexpected.