– Henry Kissinger
Recent events such as Hurricane Katrina, the BP oil spill in the Gulf of Mexico and the flooding in Australia remind us that solid business continuity plans can keep a company up and running, whether the disruption or crisis lasts a few days, a week or even a month.
When your company’s reputation is on the line, half-hearted disaster recovery planning can cost anywhere from $1,000 to more than $1 million in lost time, according to one benchmark report. (See “By the Numbers”.) And that cost does not include a company’s reputation, which is priceless.
Even further, the ramifications extend beyond a company’s reputation, as outlined in Security’s January 2011 cover story. Business risk is significant and constantly emerging. Today, a problem on one side of the globe – a crop failure, an earthquake, an oil spill, a coup, a faulty supply chain or vendor – can radiate out and threaten to undermine even strong enterprises. For example, Standard & Poor’s redefined its ratings process in 2009 to include a review of enterprise risk management as practiced at non-financial companies. A global “Risk and Crisis Management” rating from S&P or even a poor rating from the Dow Jones North American Sustainability Index (DJSI) can add or take away from a company’s bottom line.
So how prepared are most companies when disaster strikes, when a physical location is temporarily shut down or completely destroyed?
A report by Marsh Risk Consulting shows that many firms actually appear to be over-confident in their ability to manage the business continuity and supply chain risks facing their organizations, leaving them vulnerable to physical disruption and economic conditions.
The 2010 Business Continuity Benchmark Reportexamined the perceptions of business continuity management of more than 220 business continuity and risk managers from 11 industry sectors, including financial services and manufacturing, across Europe, the Middle East and Africa (EMEA).
Although 83 percent of respondents believed that business continuity management was integral to their risk management and that it was understood and supported by senior management, only 41 percent said that it had given them a better understanding of their business. Moreover, just 29 percent felt that it had led to improved risk-intelligent decision-making.
The findings also highlighted that firms concentrate business continuity plans on physical supply chain risks over non-damage related risks, such as those caused by the Icelandic volcano and air traffic disruption.
“These results show that firms value BCM much more highly than when we last conducted this survey two years ago,” explains Hugh Morris, managing consultant in Marsh Risk Consulting. “However, our experience is that many organizations overrate their BCM capabilities and their perceptions often do not match reality. The more obvious nature of physical supply chain risks is apparent to manufacturing firms, while only the most advanced financial services firms realize how important and vulnerable their supply chain can be. Service firms can be equally, if not more, at risk from supply chain disruption than manufacturers due to the complex network of inter-dependencies with other financial institutions.
BCM plans are not exclusive to company’s size, either. Symantec Corp.’s 2011 SMB Disaster Preparedness Surveymeasured the attitudes and practices of small- and mid-sized businesses (SMBs) and their customers toward disaster preparedness. The survey findings show that though SMBs are at risk, they are not making disaster preparedness a priority until they experience a disaster or a data loss. The data also reveals that the cost of not being prepared is high, putting an SMB at risk of going out of business.
Downtime not only costs SMBs hundreds of thousands of dollars, it damage customer relationships. ”Disasters come when least expected, but the recent Symantec survey revealed that SMBs in the Philippines still have not recognized the negative impacts of these unforeseen circumstances in their businesses. Most of them do not act until it’s too late,” says Luichi Robles, senior country manager, Symantec Philippines.
Says Systems Engineering and Customer Advisory Services, Asia South region Raymond Goh: “SMBs need to be proactive and plan ahead to prepare themselves in facing business disruptions due to disasters because these have negative impacts such as business disruptions, data loss, financial loss and the loss of trust with customers. By doing some simple planning, SMBs can protect their information and minimize downtime during disasters.”
The findings show that many SMBs (51 percent) do not have a disaster preparedness plan in place. Reasons cited for not having a plan include not thinking computer systems are critical to business, it never occurred to have a plan, disaster preparedness is not a priority and lack of skills or qualified personnel.
According to the survey findings, half of the SMB respondents from the Philippines who have implemented disaster preparedness plans only did so after experiencing an outage and/or data loss. Only thirty-eight percent put together their plans within the last six months. And only 39 percent have actually tested their recovery plans, which is a critical component of being prepared.
In the Asia Pacific region the average cost of downtime for an SMB is $14,500 per day. Outages also cause customers to leave – 50 percent of SMB customer respondents in the Philippines reported they have switched SMB vendors due to unreliable computing systems. This downtime can also put them out of business. Thirty-nine percent of SMB customers surveyed stated that their SMB vendors have shut down due to a disaster. SMB customers also reported considerable effects to their own businesses. In addition to direct financial costs, 33 percent of SMB customers from the Philippines stated that they lost “some” or “a lot” of important data as a result of disasters impacting their SMB vendors.
In fact, says Jerome P. Ryan, senior manager and global lead for Worldwide Business Continuity Management Group for Pfizer Incorporated, a vendor’s business continuity plan is often as important as Pfizer’s. “We do look at vendor continuity,” he says. “We need to understand how well prepared a vendor is at recovering from a disaster just as much as we are. We could have the best business continuity plan in the world, but if our supply of nitrogen gas is interrupted, well, that’s a problem for our facilities as well. That’s when you move up the maturity scale from internal focus to external, and you include a right to audit a business continuity plan clause in a supplier’s service-level agreement. We require [suppliers] to show us that they have a plan in place. In the past, people were comfortable with the yes or no answer, but that is just not good enough any longer. We want to evaluate the level of business continuity plans that you have. And that can become a negotiation point. I wouldn’t want to give up confidential information, but we need to move beyond yes or no; we need recovery strategies in place and after identifying those, I want to know if a company has exercised those plans to meet our plans.”
As global lead of business continuity planning, Ryan’s role is on the operations side of building, evaluating and exercising Pfizer’s business continuity plans on a regular basis. “A lot of times it’s pulling together the right players,” he says of the preparation that he and his team does. “Once the earthquake hits it’s too late to test the business continuity plans.”
In place of an ‘All Hazards’ approach, Pfizer uses an outage methodology called BETH3, which stands for building-equipment-technology-human resources-third-party vendors suppliers. A business interruption can affect any or all of the BETH3 outage scenarios. For example, with the recent flooding in Queensland, Australia, while Pfizer buildings, equipment and technology were not affected, the local government shut down the city. This shutdown created potential human resource problems with employees getting to work and third party problem with getting supplies to Pfizer’s well-protected facilities that need 24/7 attention. BETH3 helped Pfizer’s local employees in Queensland to work remotely and without interruption to critical business processes.
While vendor continuity is normal for Pfizer, it’s an area where Baker Hughes continues to update and improve their plans. Russ Cancilla, vice president & CSO of Health, Safety, Environment & Security at Baker Hughes Houston, tells Security, “Given the changing risks and political environments in many of the locations we operate, we’ve recently embarked upon an initiative to evaluate our vendors’ BCP and become more engaged with them to ensure our contingency plans are mutually supportive in the same manner as our security and safety programs support each other’s goals. We must have a sense of our customer’s ability to react to a catastrophic event and they must understand our ability and plans.”
As an oil-field services company that works in 94 countries with 55,000 employees, crisis management in disaster situations is an ever present threat. “We have an excellent process for understanding the evolution and development of geopolitical events and weather activities. Not only does this process assist us in monitoring global events but, it helps us identify the 'trigger points' that reveal predictive indicators of crisis events. We have invested a significant amount of time in this proactive process and we feel our company is better prepared as a result,” he says. “Maintaining updated plans is always a challenge as trained employees rotate to other locations, the size of the business changes and the global market place is dynamic. In spite of the constant flux, the success of disaster management hinges upon the preparedness of the organization’s ability to respond. As leaders of BCP process and contingency planning we must work with a number of constituents across the company to ensure they are prepared.”
The key to being a leader, he says, is to realize that you can’t know about everything that could happen but to prepare for if it happens. “From a weather perspective, you have to brainstorm the range of disasters and catastrophic events, look at the probabilities and historical data, trend analysis and then make decisions – based on the information available – about the timing and extent to which you execute your plan,” he says.
Another factor on which he relies upon, he says, is his colleagues. “The benefit of BCP and security is that we are always collaborating.” he says. “We know who we can call upon to benchmark, brainstorm and if necessary, gain access to temporary work facilities if one of ours goes down. In fact, with the recent situation in Egypt, I received several calls and called several colleagues to access information and share resources for evacuation and BCP. It’s like the old adage that when someone applies for a job in security, look at his or her Rolodex first and their resume second. What contacts and access does he/she have? Generally, when there is a disaster, the security discipline pulls together.”
Business Continuity and Natural Disasters: A Checklist
According to Dr. Linda Hunt King, president & CEO of Hunt-King & Associates, Inc., a consulting firm that specializes in insurance and business continuity risk management consulting, five things can help keep your business resilient.
1. Conduct a Continuity Self-Assessment. Every business regardless of size, whether a for-profit or not-for-profit organization should assess its level of preparedness on a regular basis. The beginning of the New Year is a great time to assess and make adjustments to your continuity program. A quick checklist is a good place to start, but an in-depth self-assessment conducted with a preparedness expert is advisable.
2. Update and Test Your Disaster Preparedness Program. The Department of Homeland Security (DHS) has established standards for private sector preparedness (PS-Prep), a nationally-recognized certification of preparedness that supports Public Law 110-53, Title IX. Companies who fail to certify under PS-Prep risk losing business to their competitors. Organizations that are disaster ready gain a strategic advantage.
3. Train Employees for Work and Home. One of the most common mistakes in continuity planning is the failure to ensure that appropriate human resources are going to be available to implement the corporate plan when the time comes. Having a plan at home is a fundamental building block for a plan at work, says Dr. King. Employees who are disaster ready at home return to work more quickly.
4. Add a Disaster Preparedness Expert to Your Team of Professional Advisors. You are an expert in your business. If your role as CSO does not include business continuity, put together a team. Dr. King says that often this includes a CPA, attorney, financial planner and insurance professional.
5. Develop a Culture of Preparedness in Your Organization. Fiduciary responsibility, compliance, prudence...these are the standards by which directors and officers are often measured. A culture of preparedness will help your organization to exceed the expectations of your stakeholders and outperform your competitors, says Dr. King. Intensive identification of vulnerabilities and threats, comprehensive planning and the training to build a culture of preparedness are an investment in good corporate governance. The result is a stronger and more resilient organization.
Handling the Media During a Crisis
In most crisis situations, handling the media would be the responsibility of your company’s communication, public relations or even HR team. But what do you say – and not say – when there is no PR or HR department and the media asks you to comment on an event? What do you do if you suddenly find yourself in the limelight of negative publicity?
Gina Cuclis, owner of Cuclis PR, a public relations firm, has several rules for handling the media. They include:
1. Respond Immediately
The old rule was respond within 24 hours. Media now works a round-the-clock news cycle. You have no choice but to start responding as soon as the crisis hits. Otherwise your organization will look guilty, like it’s hiding something. Plus, negative publicity is more likely to penetrate public opinion the longer you ignore it.
2. Leadership Must Be Visible
During a crisis, the chief executive is the spokesperson. Even if he or she has little information, the chief executive must talk to the media to demonstrate leadership by assuring the public your organization is addressing the problem. This is very important in order to protect your organization’s credibility. Examples of what to say: “We’re investigating why this happened and will provide you with the facts as soon as we understand them.” “Our hearts go out to the victims and their families. We are establishing a system to keep in close communication with the families, and we will provide information to the public when we have it.” “We are working to understand what happened. I will provide you with updates as I get new information.”
3. Show Concern
The second example demonstrates this point. Communicating that your organization cares about the people affected will help win the public’s understanding.
4. Be Honest
Be truthful about what you know and what you don’t know. Never lie. You will be caught, and your crisis will worsen. A common mistake that people not familiar with responding to the media make when they’re confronted with questions they can’t answer, or don’t have the answer to, is to say, “No comment.” That is the worst thing you could say. During a crisis, it makes you look like you don’t know what you’re doing or that your organization is guilty or has something to hide.
If you can’t answer a question because you don’t have the information yet, Cuclis says, which is common in the beginning hours of a crisis, be honest about that. For example, say, “We don’t have that information at this time. We are working to get more details, and as soon as I have the answer to your question, I will make the information available.”
Also, you may be asked when you think more information will be available. Don’t say you don’t know, she suggests. Again, this will make your organization look like it doesn’t have a handle on the situation. Provide at least an estimate or a timeframe, such as “within 24 hours” or “by the end of the day.”