Building Effective IT Disaster Recovery Plans

No matter how well-managed IT infrastructure is, there is always the risk that a tiny hiccup could ultimately turn into a real emergency. Given the increasing reliance on technology tools and access to business-critical data to continue operations, every business should have an effective IT disaster recovery plan in place to minimize disruption when disaster strikes. Risk professionals must consider and plan for this situation with regular testing and run-throughs to ensure that all team members understand the recovery plan and know their responsibilities.

As natural disaster season begins, risk professionals should assess the risks and mitigation strategies in place to minimize disruption and losses. The following tips can help ensure that IT disaster recovery plans are as effective as possible:

Plan in the Risk Management Context

Instead of thinking too much about what a disaster would mean for your company, frame your recovery plan in the context of risks. Start by examining which risks your company faces, and what steps you can take to minimize each one. This will ensure that all teams are fully aware of what the risks are, and how they can make a difference in eliminating potential problems.

Prioritize Communication

Nothing exacerbates a disaster like a communications breakdown, so all good recovery plans should focus on communication. The onset of an IT disaster could impact communication systems, so plan an alternative way of communicating with teams in the event of an emergency. Ensure that all team members know the backup communication method, and that everyone understands who they need to contact to inform them of the situation. 

Protect Data Continuity and Backups

Data continuity planning is critical to minimize losses during a crisis. At its essence, data continuity ensures companies have alternative processes and infrastructure in place to allow key IT operations to remain intact, taking into account both hardware and software. A first step is often to invest in failover systems across multiple locations as well as backup generators and power supplies, and to ensure you keep them all in working order.

Data continuity also involves backing up all important data and storing it in a location away from potential disruption. Methods range from server replication to continuous protection (continually backing up data on a separate server). For data back-ups, businesses often choose disk-to-tape or disk-to-cloud models. Either way, the most crucial element of backing up data is knowing what to replicate and what to leave. Archiving everything available can mean greater expense, but being selective can increase the risk of losing information. The rule of thumb is that, as a minimum, any backed-up data should be capable of restarting business operations from scratch.

Define Acceptable Downtime 

The amount of downtime that a company can feasibly take varies considerably depending on the company’s size and the products or services it provides. Think about how a disaster could affect your company, then decide on the steps that you’d need to take in different potential scenarios. In most cases, a few minutes of downtime rarely constitutes a total disaster, so focusing on recovery plans that can get systems back up and running as quickly as possible will help keep losses as low as possible. Cloud-based technology can be very helpful in such disaster scenarios since data is off-site and services stay operational even if your physical location is impacted.

8 Steps to Create Strong Disaster Management Plans

A core responsibility of any risk professional is planning for any possible disasters your business might face. These could be man-made, such as a data breach or accidents involving machinery, or natural, like a tornado or flood.

Disasters and crises affect different organizations in different ways—one company might consider something a catastrophe, while another may not even notice a change in its workflow. It is important to look at your own business operations and evaluate what you would consider a crisis. Generally, business crises fall into one of three categories:

  1. A danger to the physical safety of employees or customers
  2. Loss of income or means of making income
  3. Events or people negatively affecting your business reputation

In many cases, the crisis may fall into more than one of these categories. An accident in the workplace that is hazardous to employees can impact the company’s income because the factory has to shut down. This can also negatively affect the company’s reputation if it turns out that the company did not provide a safe working environment.

With even the best risk management programs, no organization can avoid all disasters completely. Risk mitigation often comes down to crafting the best plans possible for the moment disaster inevitably strikes. These eight steps can help risk professionals develop strong crisis and disaster response plans:

1. Define The Types of Crises You Could Face: There is not a one-size-fits-all approach to a crisis management plan. Working out what is likely to affect your business specifically can relate to your geography—areas that get hit by severe storms or earthquakes must include those potential disasters, and what knock-on effects they may cause. For example, storms may cause flooding, loss of power, or blocked roads that make it difficult to reach your premises. The type of crisis can also be specific to your industry. Employees in a manufacturing facility are likely at greater risk in a physical disaster than those working in a tax consultancy, for example. Security should also be a consideration. Is your business likely to get robbed of cash or equipment? Do you have high-profile proprietary information that makes you more likely to be the victims of cybercrime?

2. Triggering the Plan: Including levels of urgency in your plan will help people responding to the crisis pinpoint how significant the event is, and how much of the plan must be put into action. A step-by-step approach for specific scenarios can be helpful and cover dealing with man-made and natural disasters in different ways. The risk for each will be unique to the situation and knowing when and how to trigger a response is key. The plan should include how and when to escalate the response should the crisis worsen, as well as how to identify when the crisis has passed. It can be helpful to use a red, yellow and green system to indicate severity and urgency, and this classification approach is easy to adapt to any scenario.

3. The Base of Operations Location: Accidents or natural disasters may cause your usual place of business to close temporarily or permanently. In your plan, designate a backup command center in an alternate location for dealing with the crisis until you can get back to work. This location can be your company’s operations hub, a point for gathering after a crisis, or where you know your sensitive and important data backs up. If a natural disaster has made travel dangerous or roads impossible to navigate, you will also need a virtual base of operations—some possibilities include message boards, chat apps or email. With so many employees working remotely because of COVID-19, this may be easier to implement now.

4. The Chain of Command: Ensure a clear chain of command so that there is no arguing or confusion when people and the business are at risk. Wherever possible, appoint a back-up for each person in charge so if someone cannot perform their duty, it falls to the next in line.

5. Internal and External Communication: When a crisis compromises an office or business, communication can become tricky. Have a clear set of rules for how you get information to and from your employees, what information you must and must not share with those outside of the company, and how to achieve that. This part of your crisis management plan can save lives and stop rumors from spreading.

6. Necessary Resources: Though this will depend on the nature of the business, consider first aid and safety equipment if you are likely to have injuries or get cut off because of poor weather. Also, think about alternate communication methods if mobile phone towers go down or the electricity gets cut, as well as access to your sensitive data, such as employee contracts and supplier agreements. Include all necessary resources you would need to operate and highlight any alternate replacements. For example, if a storm knocks out your power, you may have a generator.

7. Training: It is no good putting a crisis management plan together and not giving the relevant people the training they need to execute it. For example, the people you name as first aid providers or unit leaders need to know what is expected of them and undergo the necessary training. If you have safety equipment on your premises, like fire extinguishers or emergency release valves for machinery, you need to educate all stakeholders on how these work.

8. Testing the Plan: Finally, test that your plan actually works. Review it with staff and conduct safety drills regularly—every two months at least. Look for any weak points or flaws in the plan before an actual crisis. While it may not be possible to anticipate everything a disaster brings, you can set up several response plans and test each one individually. These plans can tie in with your standard safety drills, or stand alone, depending on the nature of the event anticipated.

A crisis management plan is integral to every business, no matter its size, scope, or sector. By preparing for various potential disasters, you can take action when needed without putting your organization, employees, or yourself at unnecessary risk. 

Data Backup Strategy Tips for World Backup Day

As tomorrow’s World Backup Day should remind us all, there is one risk mitigation measure every company should have in place and regularly reevaluate: a data backup strategy. A data backup is an archive or copy of a company’s information, sensitive or otherwise, and represents a critical part of any enterprise’s disaster recovery plan, especially in the event of a data loss. Data loss can come in many forms, including physical theft, hard drive failures, simple human mistakes, and ransomware attacks. Given the range of potential risk scenarios, risk professionals and business leaders should assess their backup strategy as part of all disaster preparation and response plans.

While 93% of small businesses use cloud-based backup solutions, there are many options for risk professionals or IT leaders to consider. For example, there are also smaller storage methods, such as removable media like USB flash drives or external hard drives, that you might encourage remote employees to use to protect their data. There are also backup services companies can use to outsource their data backup strategy altogether.

When creating or reassessing a company’s data backup approach, there are a few concepts business leaders should familiarize themselves with:

Recovery Point Objectives

RPO, or recovery point objective, is the amount of time between your routine data backups. This can also translate into the amount of data that may be at risk in the event of a data loss. If you back up your company’s data once a week, for example, you potentially could lose a week’s worth of data. Choosing to back up more frequently can thus help reduce data loss risks.

Recovery Time Objectives

RTO, or recovery time objective, is the time it takes for your business to restore its data from a backup. This is entirely dependent on how robust your data backup is and how much data you need to recover from it. Generally, the more streamlined your data backup strategy is, the faster your recovery time will be. Putting all of your data in the same type of storage solution can also improve your RTO.

The 3-2-1 Backup Strategy

Whether your business is large or small, one data backup strategy is considered best practice—the 3-2-1 backup strategy:

    • Create three copies of your data.
    • Put those copies of your data on at least two types of data storage solutions.
    • Store at least one of those storage solutions in a remote location. 
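The 3-2-1 rule and the recovery point objective can be checked together against a backup inventory. The following Python sketch is an added example, not part of the original article; the `Copy` fields, the choice to count the production copy as one of the three, and the two loss scenarios are assumptions made for illustration. It shows a case the rule alone does not catch: an inventory that satisfies 3-2-1 while the remote copy is too old to meet the RPO if the primary site is lost.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Copy:
    name: str
    media: str            # storage type, e.g. "disk", "tape", "cloud"
    offsite: bool         # stored away from the primary location
    primary: bool         # live production data rather than a backup
    last_good: datetime   # when this copy was last written successfully


def audit(copies, rpo, now):
    """Return a list of findings; an empty list means the plan passes."""
    findings = []
    backups = [c for c in copies if not c.primary]

    # 3-2-1: three copies, two storage types, one remote copy.
    # Assumption: the production copy counts as one of the three.
    if len(copies) < 3:
        findings.append(f"3: only {len(copies)} copies")
    if len({c.media for c in copies}) < 2:
        findings.append("2: all copies share one storage type")
    if not any(c.offsite for c in backups):
        findings.append("1: no backup copy is stored remotely")

    # RPO: data written after the newest usable backup is what would be lost.
    def exposure(pool):
        return now - max(c.last_good for c in pool) if pool else None

    for label, pool in (("loss of primary data", backups),
                        ("loss of primary site", [c for c in backups if c.offsite])):
        gap = exposure(pool)
        if gap is None:
            findings.append(f"RPO: nothing to restore from after {label}")
        elif gap > rpo:
            findings.append(f"RPO: {gap} of data at risk on {label} (target {rpo})")
    return findings


# Constructed inventory: satisfies 3-2-1, but the remote copy is a weekly job.
NOW = datetime(2021, 3, 31, 12, 0)
INVENTORY = [
    Copy("file server", "disk", False, True, NOW),
    Copy("local NAS", "disk", False, False, NOW - timedelta(hours=6)),
    Copy("cloud bucket", "cloud", True, False, NOW - timedelta(days=5)),
]

if __name__ == "__main__":
    for finding in audit(INVENTORY, rpo=timedelta(hours=24), now=NOW):
        print(finding)
```
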

In honor of World Backup Day on March 31, check out the infographic below for more data backup tips and data loss statistics from Norton:

[Infographic: data backup solutions and storage options, plus data loss statistics]

Texas Cold Crisis: Insurance Options for Severe Weather Disruption

On February 15, a massive and unseasonal storm with frigid temperatures spiked the demand for power and outpaced the supply, severing power to 26 million Texans. Unpredictable weather patterns present risks for business owners, but also create an opportunity to improve their risk mitigation strategies to address future uncertainties. 

Power outages are not caused by storms alone. Heat waves, hurricanes and wildfires can also create power outages—and outages are more common than business leaders may think. S&C’s 2018 Commercial and Industrial Power Reliability Report found that one in four businesses experience at least one power outage per month. The Department of Energy estimates that these outages cost companies $150 million per year. Although companies may face spoilage-related losses, data centers often experience the most severe consequences. When a data center goes down, it can impact a business’s most vital proprietary assets. According to a Ponemon Institute study, the cost of an unplanned data center outage is $5,600 per minute with an average recovery time of 119 minutes resulting in a loss over $690,000.

The cost for businesses goes beyond damage. Litigation tends to run rampant, and with the recent Texas power outages, businesses are already facing lawsuits. The family of an 11-year-old boy who died of hypothermia is suing energy company Entergy and grid operator Electric Reliability Company of Texas. Multiple wrongful death lawsuits are predicted from incidents including carbon monoxide poisonings, house fires and shelter closings.

A range of insurance options can help businesses protect themselves from complex, evolving and completely unpredictable risks such as natural disasters and climate change.

Property insurance protects the building and physical assets like equipment, supplies, inventory, fixtures and computers. However, property insurance may not provide all the coverage needed. Exclusions like floods, sink holes, earthquakes, terror incidents, and chemical, nuclear, biological and environmental events are likely not covered. An unexpected policy exclusion can be devastating and result in a claim being denied, leaving business owners and leaders feeling helpless and infuriated.

Business interruption insurance is helpful but may not be enough. Typically, when damage obstructs business operations, it is covered by property insurance, and business interruption insurance covers losses from interruption. However, a natural disaster can create a perfect storm, so to speak. For example, if an establishment is forced to close due to lack of power, there can be a denial of claims. Business owners may be able to have property repaired, but cannot recoup the lost revenue through insurance.

Another option for businesses is to choose captive insurance and own their own insurance company. This establishes a more robust approach to risk management, and enables the business or business owner to own a profitable second business. This can help lower commercial insurance costs, build up assets and loss reserves, enhance critically needed cash flow and liquidity, and help prevent losses from hollowing out the total business entity. Importantly, successful captive insurance companies are filled with liquid assets that back the reserves for potential future losses, owned by the business or business owner. Liquid assets are often more desirable than durable assets that depreciate and may be difficult to sell. Finally, a captive insurance company is a regulated entity.

A captive primarily insures its parent company or related companies, so the parent company can purchase insurance from its wholly owned captive. Such purchases may replace all, or a portion, of its commercial insurance. Additionally, risks that are unable to be insured, are cost prohibitive, or are underinsured in the commercial insurance market can be placed in the captive insurance company. The captive can also insure gaps in third-party commercial insurance policies.

Benefits of Captives in Natural Disasters

While businesses with claims for property insurance or business interruption coverage are denied, a business with a captive insurance company would not face exclusions that leave them vulnerable. Since a captive insurance policy can be written to be broad and robust, it has more triggers than third-party commercial insurance, so an event may be covered where business interruption might not provide coverage.

Captive insurance also serves as a valuable financial strategy. When captives build up loss reserves, backed by corresponding assets, those assets are available for dealing with a catastrophic event. When a business has to restart or relocate their operations, assets are readily available to help it navigate the challenges and pursue big changes. The business owner can use the asset buildup in successfully managed captive insurance companies to help grow the business by funding acquisitions, growth strategies and enhanced risk mitigation strategies via a dividend from the captive insurance company to the business owner.

Before another crisis strikes, businesses should review insurance policies, determine whether current policies offer adequate coverage, and determine if a captive will help them face the next worst-case scenario.