Tag Archives: planning and preparedness

Immediate Vault

8 Steps to Create Strong Disaster Management Plans

Posted on by

A core responsibility of any risk professional is planning for any possible disasters your business might face. These could be man-made, such as a data breach or accidents involving machinery, or natural, like a tornado or flood.

Disasters and crises affect different organizations in different ways—one company might consider something a catastrophe, while another may not even notice a change in its workflow. It is important to look at your own business operations and evaluate what you would consider a crisis. Generally, business crises fall into one of three categories:

  1. A danger to the physical safety of employees or customers
  2. Loss of income or means of making income
  3. Events or people negatively affecting your business reputation

In many cases, the crisis may fall into more than one of these categories. An accident in the workplace that is hazardous to employees can impact the company’s income because the factory has to shut down. This can also negatively affect the company’s reputation if it turns out that the company did not provide a safe working environment.

With even the best risk management programs, no organization can avoid all disasters completely. Risk mitigation often comes down to crafting the best plans possible for the moment disaster inevitably strikes. These eight steps can help risk professionals develop strong crisis and disaster response plans:

1. Define The Types of Crises You Could Face: There is not a one-size-fits-all approach to a crisis management plan. Working out what is likely to affect your business specifically can relate to your geography—areas that get hit by severe storms or earthquakes must include those potential disasters, and what knock-on effects they may cause. For example, storms may cause flooding, loss of power, or blocked roads that make it difficult to reach your premises. The type of crisis can also be specific to your industry. Employees in a manufacturing facility are likely at greater risk in a physical disaster than those working in a tax consultancy, for example. Security should also be a consideration. Is your business likely to get robbed of cash or equipment? Do you have high-profile proprietary information that makes you more likely to be the victims of cybercrime?

2. Triggering the Plan: Including levels of urgency in your plan will help people responding to the crisis pinpoint how significant the event is, and how much of the plan must be put into action. A step-by-step approach for specific scenarios can be helpful and cover dealing with man-made and natural disasters in different ways. The risk for each will be unique to the situation and knowing when and how to trigger a response is key. The plan should include how and when to escalate the response should the crisis worsen, as well as how to identify when the crisis has passed. It can be helpful to use red, yellow and green system to indicate severity and urgency, and this classification approach is easy to adapt to any scenario.

3. The Base of Operations Location: Accidents or natural disasters may cause your usual place of business to close temporarily or permanently. In your plan, designate a backup command center in an alternate location for dealing with the crisis until you can get back to work. This location can be your company’s operations hub, a point for gathering after a crisis, or where you know your sensitive and important data backs up. If a natural disaster has made travel dangerous or roads impossible to navigate, you will also need a virtual base of operations—some possibilities include message boards, chat apps or email. With so many employees working remotely because of COVID-19, this may be easier to implement now.

4. The Chain of Command: Ensuring a clear chain of command so that there is no arguing or confusion when people and the business are at risk. Wherever possible, appoint a back-up for each person in charge so if someone cannot perform their duty, it falls to the next in line.

5. Internal and External Communication: When a crisis compromises an office or business, communication can become tricky. Have a clear set of rules for how you get information to and from your employees, what information you must and must not share with those outside of the company, and how to achieve that. This part of your crisis management plan can save lives and stop rumors from spreading.

6. Necessary Resources: Though this will depend on the nature of the business, consider first aid and safety equipment if you are likely to have injuries or get cut off because of poor weather. Also, think about alternate communication methods if mobile phone towers go down or the electricity gets cut, as well as access to your sensitive data, such as employee contracts and supplier agreements.Include all necessary resources you would need to operate and highlight any alternate replacements. For example, if a storm knocks out your power, you may have a generator.

7. Training: It is no good putting a crisis management plan together and not giving the relevant people the training they need to execute it. For example, the people you name as first aid providers or unit leaders need to know what is expected of them and undergo the necessary training. If you have safety equipment on your premises, like fire extinguishers or emergency release valves for machinery, you need to educate all stakeholders how these work.

8. Testing the Plan: Finally, test that your plan actually works. Review it with staff and conduct safety drills regularly—every two months at least. Look for any weak points or flaws in the plan before an actual crisis.While it may not be possible to anticipate everything a disaster brings, you can set up several response plans and test each one individually. These plans can tie in with your standard safety drills, or stand alone, depending on the nature of the event anticipated.

A crisis management plan is integral to every business, no matter its size, scope, or sector. By preparing for various potential disasters, you can take action when needed without putting your organization, employees, or yourself at unnecessary risk. 

Resiliency in 2018: Q&A With BCI’s David Thorp

Posted on by

Organizational resiliency is a focus of the Business Continuity Institute (BCI) and executive director David Thorp. It was the theme of this year’s annual Business Continuity Awareness Week, which Risk Management Monitor covered in May, and was the focus of BCI’s updated manifesto.

We reached out to Thorp to get his insight on organizational resiliency, how businesses can improve their continuity plans and for ways to better incorporate them into their culture.

Risk Management Monitor: What companies have best demonstrated resilience?

David Thorp: A few examples of organizations that have displayed a high level of resilience are Apple, TomTom, and PostNL.

Apple displayed resilience when they reemployed Steve Jobs to reshape the company.

TomTom started by making software for Palm computers. It has dealt with a rapidly changing marketplace and over the years it has:

  • produced navigation software for PDAs (personal digital assistant)
  • produced its own navigation devices
  • developed live traffic information
  • acquired a digital mapping company
  • developed navigation software for smartphones
  • struck up deals with car manufacturers

PostNL (formerly TNT) has had to adapt to the decline in regular mail as well as tapping into the requirement to deliver more packages (outside working hours) as a result of an increase of web shops.

RMM:  What do organizations most commonly overlook in their continuity planning?

DT: Two most commonly overlooked aspects are keeping plans up to date and exercising/testing.

Business continuity management is often initiated as a project, usually assisted with external expertise. Internal personnel frequently have this role in addition to their “normal” functions. As the organization changes, these plans often get overlooked. After one or two exercises have been carried out, the focus on exercising quickly diminishes.

Unfortunately, these two aspects have a large impact on the ability to recover as planned. It could be argued that this is an indication of a lack of management commitment.

RMM: Why do so many companies overlook their continuity planning and emergency preparedness?

DT: The biggest reason is that it is not a requirement for many organizations. When not required by a regulator or a customer, the organization must:

  1. know about continuity planning and emergency preparedness
  2. understand their risk
  3. understand its value before there is a possibility of it being implemented

By not having done a risk or impact analysis, it is also easy for organizations to think that a disruptive event will not happen to them and therefore not worth the hassle and investment.

RMM: How much time and effort does creating and initiating a business continuity plan take?

DT: This depends on the size and complexity of the organization, the ambition level and the resources available. For small organizations, it is possible to create and exercise plans within a month—but this would typically take a little longer as the required people will also have other tasks. For a large and more complex organization, it may take two-to-three years to reach the desired maturity level.

RMM: What advances would you like to see the global risk management community achieve with regard to planning and preparedness?

DT: I would like to see a better understanding of each other’s disciplines and a better collaboration between them. There is much overlap between the two disciplines and with better collaboration, we can more efficiently and effectively minimize risks and improve the continuity. We are currently working on better understanding how we achieve synergy between business continuity and risk management. We see this as being a prerequisite for achieving organizational resilience. Collaboration with other disciplines is also necessary.

RMM: We’ve seen examples of reputation crises that have in some cases forced companies to close. How can organizations avoid these pitfalls?

DT: A major factor in managing the extent of the reputation damage is the quality of the crisis communication. How well and honestly you inform those affected and of course how you deal with social media makes the difference in how you are perceived. The subsequent actions need to be in line with the messages communicated.

RMM: What has changed in the BCI’s Manifesto for Organizational Resilience that risk professionals should know about?

DT: The manifesto is built on the simple premise that resilience is not the responsibility of one part of the organization—it is the responsibility of discipline within an organization working closely together toward a common purpose. Risk Management, emergency planning, disaster recovery, security, facilities management, business continuity management, supply chain management, IT management, HR management…all have an equal role to play in delivering resilience.

The manifesto contains our undertaking to seek out alliances with other professional bodies along the spectrum of what might be termed “resilience disciplines” in order to work collaboratively. This would make organizations more resilient than if we each work within our own silo.