The likelihood that an organization will face a potentially business-ending catastrophe grows every year. According to the National Oceanic and Atmospheric Administration (NOAA), 2021 saw the second-most billion-dollar disasters on record. From wildfires to floods, hurricanes to a pandemic, and even the rise of cybercrime, organizational leaders need to be more than just prepared for the deluge of possible disasters. Their planning must go beyond preparation and mitigation and include how their organizations will continue when the clouds part, or the waters recede, or the smoke clears.
An Ounce of Preparation, a Pound of Cure
Being prepared for a menagerie of threats can seem like a daunting task, but as Benjamin Franklin said, "By failing to prepare, you are preparing to fail." Organizational leaders should review the following to ensure they are prepared to protect their people, property, and operations.
Complete a risk assessment and business impact analysis. Completing these two reviews will help your organization identify the possible hazards you face and then analyze what may happen in the event the hazard occurs, including the potential impacts resulting from the interruption of critical processes.
Develop hazard- and threat-specific emergency response plans. Each hazard presents its own set of challenges and considerations. While every response plan shares certain elements, such as communication and training, how an organization responds to a weather event is vastly different from the steps taken after a cyberattack. Some steps to remember when creating these plans include:
- Assess the availability and capabilities of resources for incident stabilization, including people, systems, and equipment available within your business and from external sources.
- Talk with public emergency services (e.g., fire, police, and emergency medical services) to determine their response time to your facility, knowledge of your facility and its hazards, and their capabilities to stabilize an emergency at your facility.
- Determine if there are any regulations pertaining to emergency planning at your facility; address applicable regulations in the plan.
- Develop protective actions for life safety (evacuation, shelter, shelter-in-place, lockdown).
- Coordinate emergency planning with public emergency services to stabilize incidents involving the hazards at your facility.
Plan to Carry On
While disaster preparedness is about keeping people and property safe during and immediately after an event, business continuity planning, a risk mitigation method, is about keeping critical aspects of the organization going once the event has passed. According to the Federal Emergency Management Agency (FEMA), 40% of small and mid-sized businesses never reopen after a natural disaster, and an additional 25% reopen but fail within a year.
The U.S. Department of Homeland Security's Ready.gov website is a powerful resource for organizations and businesses to help build these plans. The site lays out four important steps for organizations to consider while completing their business continuity planning:
- Conduct a business impact analysis to identify time-sensitive or critical business functions and processes and the resources that support them.
- Identify, document, and implement the plan to recover critical business functions and processes.
- Organize a business continuity team and compile a business continuity plan to manage a business disruption.
- Conduct training for the business continuity team, and run tests and exercises to evaluate recovery strategies and the plan.
An organization's reliance on information technology (IT) and enterprise software adds an important element to business continuity planning. From physical assets such as servers and laptops to digital information, losing these important systems can cripple an organization. Ready.gov devotes an entire page to IT, highlighting that recovery strategies for information technology should be developed so technology can be restored in time to meet the needs of the business. Manual workarounds should be part of the IT plan so business can continue while computer systems are being restored.
The Phoenix is a mythical bird that would engulf itself in flame, and then rise again from its ashes reborn. Preparing for the worst, and then making a business continuity plan for after the worst has happened, will help organizations rise again from the ashes, or flood, or debris, and carry on.
Additional Resources
Resources for Business Continuity Planning
- Standard on Disaster/Emergency Management and Business Continuity Programs - National Fire Protection Association (NFPA) 1600
- Professional Practices for Business Continuity Professionals - DRI International (non-profit business continuity education and certification body)
- Continuity Guidance Circular - Federal Emergency Management Agency
- Open for Business Toolkit - Institute for Business & Home Safety
IMPORTANT NOTICE - The information and suggestions presented by Philadelphia Indemnity Insurance Company are for your consideration in your loss prevention efforts. They are not intended to be complete or definitive in identifying all hazards associated with your business, preventing workplace accidents, or complying with any safety related, or other, laws or regulations. You are encouraged to alter them to fit the specific hazards of your business and to have your legal counsel review all of your plans and company policies.