Can Your Business Survive A Major Disruption?
In the past several years, we've experienced unthinkable disasters resulting from terrorist activity. The September 11 attacks on the World Trade Center and the Pentagon struck on a peaceful, sunny morning with no warning. Today, war in Iraq has made us more vulnerable to terrorist activity and, even with the war at an end, the Department of Homeland Security warns that terrorism remains a very real threat for the foreseeable future. The bombing of the federal building in Oklahoma City was a shocking demonstration of domestic terror. Natural disasters have taken their toll as well… Tornadoes have leveled parts of Kansas, Missouri, and Tennessee, and Maryland. Ohio residents are still recovering from February ice and snow storms. A massive natural gas explosion in Toronto in April reduced a strip mall to a huge crater. Wildfires in California, Colorado and Arizona destroyed homes and businesses and threatened the tourism industries in those areas.
Could your business survive this kind of disaster? Your organization should be prepared for anything that could happen - to protect your critical resources, your employees, and, to the greatest degree possible, to ensure the continuity of your business. It's not just the major disasters, either… it's downtime, employee error, denial-of-service attacks, and many other "minor" disasters that endanger your operations. For many businesses, even a few hours of downtime could be critical to their ability to continue. It's not just the cost of downtime, the economic impact on your business - it's the survival factor.
How much downtime would it take to put you out of business? Companies participating in Contingency Planning Research's 2001 Cost of Downtime Survey indicated that downtime would cost them $50,000 to $1 million per hour. Of even greater concern, 7% of companies indicated their survival would be at risk after only one hour of downtime. The majority of companies projected that they could not survive 72 hours of downtime. Given that most disasters, natural or otherwise, can easily close things down for three days, this is pretty scary information.
If you haven't done so already, now's the time to dust off your Business Continuity Plan (BCP) and make sure it's up to date. Can your plans get you through the critical 72 hours? If you don't have a plan, it's not too late to develop one… it may not be perfect, but any continuity planning is better than none. It's a good idea to test your plans to ensure that they actually are viable… better to find out now than on the heels of a disaster. In this article, we offer some tips for your plan, whether you're updating it or starting fresh. In addition, at the end of this article you will find links to articles and other resources to help you pull it all together.
Remember that your primary goal is business continuity and prevention of business disruption, not disaster recovery. Disaster recovery should be your contingency plan, in case disaster cannot be averted. Focus on these critical components of your organization:
Reservists - There are close to one million reservists working full-time jobs in the United States today, and more than 100,000 of them were called to active duty in the Iraq war. Reservists are being activated more frequently now -- not only because of war, but to combat the never-ending war on terrorism. Businesses in New York were hit with a "double whammy" in 2001 when, reeling from the events of Sept. 11, critical staff members were called to active duty in the wake of that disaster.
You must plan for the fact that your employees -- or their family members -- could be called to service. What impact this will this have on your organization? If you have reservists in critical positions, you need to back them up to prevent loss of information or productivity. If you have a replacement at the ready, the impact would be far less -- and you'll also be protected if they decide to take other jobs. Training existing employees to cover any critical positions will give you some protection, and temporary-staffing replacements can provide relief for lost manpower. If you have an Employee Assistance Program (EAP), it can provide counseling and assistance to alleviate the impact on your employees and, thereby, your organization.
Employee Safety and Security - Your employees spend 1/3 or more of their day in your offices, and you want to ensure their safety while they're there. Start by making sure you have a complete employee roster and contact information for everyone. Because evacuation is a possibility, have a complete evacuation plan and practice it - make sure every employee is familiar with it and knows what to do. If the government issues a "shelter in place" directive, you're going to have a lot of folks who'll need food, water, blankets, etc. Build up emergency supplies for them and don't forget a battery-powered radio, batteries, flashlights, and other necessities.
Because employees will be concerned about their families' well-being, encourage them to develop family preparedness plans for the safety of their homes and their loved ones. The more prepared their families are, the less stress and worry employees will be subject to while at work. While it may cause some loss of productivity to be understanding and lenient if your employees need to take care of pressing family matters, their peace of mind will improve their productivity. When possible, providing telecommuting resources can help alleviate these competing pressures. Please refer to the links at the end of this article for some information on personal and business safety and security.
Traveling Employees - When terrorism threatens, if employee travel -- especially overseas travel -- can be postponed or canceled, do it. If employees must travel, maintain complete contact and passport information and itineraries for them, including hotels and all ground and air travel. This might prove to be important to track someone down or to confirm their safety for their family back home. Employees on travel should be given a company contact they can call 24 hours a day for assistance, if necessary. And this is one time when the US State Department's advice about filling your itinerary with the US Embassy wherever you are traveling should be heeded without fail.
The SARS epidemic that has killed 400 people in China has migrated to other areas -- as close as Toronto -- and is making travel extremely risky. How will you mitigate this risk and protect your people? What technologies, for example, could you put in place to reduce the need for travel to certain areas of the world? Teleconferencing? Video conferencing?
Physical Plant - While not every company will become a target of terrorist activity, your offices may be located in an area otherwise at high risk. If you're in close proximity to major cities, airports, water treatment or nuclear plants, high visibility landmarks, military bases, and other civic or government institutions, terrorist activities aimed at them may mean that you won't be able to open for business. Do you have an alternate location from which you can operate? To help keep the premises safe, consider controlling access to your offices via badges or other means. Have visitors sign in and account for them. If you're vulnerable for any reason, check all packages carried in or delivered and report anything suspicious to authorities. Implement safe mail-handling procedures.
Floods, earthquakes, hurricanes, or tornadoes also could keep you out of your building or your employees stranded in their homes, unable to get to work. You need to plan what needs to be done before, during and after any such disaster strikes.
Network and Data Protection - Although most experts don't see terrorist activity bringing down the entire Internet, various forms of cyber terrorism could be enacted. Malicious worms and viruses can be transmitted -- via email or downloaded files --throughout your network infrastructure, destroying valuable data and applications. Firewalls and virus protection are initial steps to protect your critical resources. And if you don't have any backup and recovery system in place for your network, now's the time to implement one. Again, something is better than nothing. At the very least, backup crucial customer, financial and other critical data and keep at least one copy somewhere safe outside of -- and some distance from -- your office. You also can investigate remote, online backup vendors who can do near real-time backup and reliable recovery that would be accessible via any IP address.
Telecommuting - What if critical employees can't get to work? Plan now to provide a number of employees with remote access to your critical applications and data in the event travel is restricted, "shelter-in-place" directives are enacted, or your building/data center is not accessible.
Transportation - If your organization relies on meetings or conferences, or extensive just-in-time shipping, now is the time to consider alternative ways to move items and look into replacing face-to-face meetings with teleconferences or Webcasts. Both war and the threat of terrorist activity could affect travel. Air travel could be more restricted while ground transportation could be seriously delayed for extensive scrutiny of people and goods. If the "Just-In-Time" business model has been the backbone of your company's success, plan to have some extra supplies and materials on hand, so JIT doesn't become your downfall.
Supplies - One of the realities of war or disaster is shortages… either because of restrictions or lack of supply. Consider how shortages of various materials and supplies could affect your business and plan to compensate for them. Since fuel easily could be in short supply, you might want to have a backup supply on hand if you need it for emergency generators. We recommend the same three-day rule that is used for natural disasters. For critical shipments, are you prepared to pay additional charges for local or long-distance shipping if prices increase? Or does it make more sense to overstock just in case? If certain items are perishable, do you have the resources to keep them protected if shipping methods are halted? Whatever the answers, you must decide how to handle these contingencies, and these decisions should be part of your business continuity plan.
Once you have a plan in place, you need to communicate with employees, customers, vendors, members, and other stakeholders. Let them know what you're going to be doing to maintain operations. Will your location change temporarily? Your contact information? How will procedures be different, if at all? Make sure all your critical stakeholders know what is going on… how they can contact you and continue to do business with you. And make sure you contact your critical suppliers regarding their contingency operations. If appropriate, communicate with media via news releases or other means. If newspapers and magazines are publishing, and if the Internet is operational, news about your organization also will let people know you're open for business.
It's all about surviving, particularly the first 72 hours. It may not be business as usual, but, if you plan and implement carefully, you'll still be in business -- and your employees and other critical resources will be safe.
Resource and Information Links
Business Continuity Planning:
The Small And Medium Size Businesses Guide To A Successful Continuity Program
Ready.gov - Plan Ahead for Disasters
How To Protect Intangible Business Assets
Set disaster-recovery objectives
Business Continuity Resources
Terror in the Workplace
Telecommuters Have Unique Security Needs
Prepare Remote Access For Disaster Recovery
Family Disaster Planning
American Red Cross Homeland Security Advisory System (HSAS) Recommendations for Individuals, Families, Neighborhoods, Schools, and Businesses
[The above three items are made available through the American Red Cross and the Federal Emergency Management Agency. They are available to view at the URLs above, but they also may be downloaded as PDF files.]
Last but not Least… Don't Forget the Pets!
Office Building Security
Guidance Issued on Building Safety
An executive summary of the document, 'Risk Management Guidance for Health, Safety and Environmental Security Under Extraordinary Incidents', can be found at http://xp20.ashrae.org/ABOUT/Summary.pdf. The full document is available at http://xp20.ashrae.org/ABOUT/extraordinary.pdf
USPS: Handling and Processing Mail Safely
Data and Cyber Threats:
'It's The Restore, Stupid!'
Data Protection Strategy: Backup + Recovery = Survival
Data protection risk analysis self-test http://searchstorage.techtarget.com/tip/0,289483,sid5_gci874814,00.html
How to Build A Data Protection Strategy for Availability and Recovery (Adobe PDF)
© Bob Mellinger, Attainium Corp
# # #