Perspective
Insights for America’s Business Leaders

Disaster Preparedness Planning: Maintaining Business Continuity During Crisis, Disruption and Recovery

Executive Summary:
– Planning for the Unplanned
– Raising Your Readiness Level
– Business Resilience Strategies
– Best Practices

“By failing to prepare you are preparing to fail.” – Ben Franklin

It Can Happen on Your Watch

Disasters can strike at any time – often with little or no warning – and the effects can be devastating. The cost in human lives and property damage is what makes the evening news because of the powerful tug of human interest. Much less coverage, however, is given to the disruption, struggle and survivability of business operations. A study fielded by the Institute for Business and Home Safety revealed that 25 percent of all companies that close due to disasters – hurricanes, power failures, acts of terror and others – never reopen.

What are the factors that determine a company’s ability to weather and survive a disaster? Most business leaders who have experienced a catastrophic event would agree that it was their level of preparedness and ability to mitigate risk.
This issue of Perspective will provide you with insight, planning strategies and best practices to help your organization:
• Maintain business continuity during crisis, disruption and recovery
• Provide for the safety and protection of your employees
• Communicate effectively across your value chain
• Secure its infrastructure
• Ensure liquidity and access to operating capital

Preparing for uncertainty takes time, money and resources, but it trumps the alternative and is surely preferable to facing your stakeholders and having to tell them, “We could and should have been better prepared.”

Not Your Typical Snow Day

On June 11, 2009, the World Health Organization officially raised its infectious disease alert to Phase 6 – its highest level – acknowledging that the outbreak of the H1N1 swine flu virus, based on its global spread, had become a pandemic. Despite some unfortunate fatalities, all evidence to date indicates that the virus is moderate in its effects. Experts believe, however, that it’s not yet safe to go back in the water. As it makes its way across the globe and passes through populations, the current H1N1 strain could mutate into something more virulent and return with greater severity during the winter influenza season. It could have been much worse.

Experts advise that you must plan for the long-term, 500-800 days minimum for the pandemic period. Add in bans on travel, school closings, strains on the healthcare system plus fear, and suddenly many business leaders see the swine flu outbreak as their 3 a.m. wake-up call.

Planning for the Unplanned and Unexpected

The terror attacks of 9/11 brought risk management front and center. Business continuity and disaster recovery plans suddenly emerged from their slumber and now cover more than floods and high winds. Hurricane Katrina provided the exclamation point.
There are a myriad of hazards that could potentially disrupt your business – from natural disasters and extreme weather to power failures and terror events – which makes preparing for every “what-if” contingency virtually impossible. Regardless of the source, planning should focus on the effects – not the cause – since all effects tend to fall into one of four categories:
• Workforce shortage caused by infectious outbreak, labor strike, extreme weather or a breakdown in transportation
• Loss of technology due to cyber attack, interruption in communications, power outage or flood
• Loss of facilities resulting from fire, workplace violence, hurricanes, floods and other natural disasters
• Failure in the supply chain that prevents the shipping and receiving of products and raw materials

“What Were the Causes of the Invocations?” (multiple responses accepted)
Natural Disaster/Extreme Weather: 59%
Power Outage: 54%
IT Failure: 39%
Telecommunication Failure: 32%
Fire: 24%
Flood: 21%
Utility Outage: 15%
Terrorist Event: 8%
IT Security Incident: 7%
Environmental Accident: 6%
Other: 6%
Employee Health and Safety Incident: 5%
Supply Chain Disruption: 3%
Sabotage (external): 1%
Negative Publicity Coverage: 1%
Pandemic: 1%
Sabotage (internal): 0%
Base: 151 Global Business Continuity Decision-Makers and Influencers Who Have Had to Invoke a Business Continuity Plan
Source: Forrester Research, Inc.

“Manage the threat or it will manage you.”

Where to start? Often, your location will determine your efforts, energy and resources and help you plan for the greatest percentage of disasters. Companies based in the South and along the Gulf Coast will focus on hurricanes and floods, while those in the upper Midwest will concentrate on blizzards and ice storms. Government agencies will prepare for cyber attacks on their IT infrastructure, while businesses in major metropolitan areas like New York City and Washington, D.C. plan for power outages, labor strikes and terrorism.
Raising Your Readiness Level

In the wake of the recent swine flu outbreak, Michael Thomson, President of the South Texas chapter of the Association of Contingency Planners (ACP), reports that a study by researchers at Fayetteville State University found that of all the businesses surveyed, “at least half had no plans in place to sustain payroll, maintain regular operations or serve customers in emergencies.”[3]

[Figure: The Impact on Shareholder Value. Vertical axis: Cumulative Abnormal Returns (%), i.e., change in market cap adjusted for market movement. Horizontal axis: Trading Days After the Event. Annotation: After initial reflex (10 days) market begins to assess company’s response. Effective Crisis Response: +7%. Ineffective Crisis Response: -15%. Source: Improving Communications in Emergency Situations, Mobile Business Continuity Planning Solutions.]

“A company’s ability to respond to emergency situations directly impacts whether that share valuation can be recovered.”[1] A study conducted by British authors Rory Knight and Deborah J. Pretty and research firm Oxford Metric proved this claim. It showed “an immediate decline of 8 to 11 percent in company shareholder value following a crisis”[2] and a 22 percent positive difference in stock price for those companies classified as having a recovery plan.

Those results are simply unacceptable. Hedging against risk means that identifying possible hazards, assessing their potential impact, assigning priorities and developing responses to protect your employees and your infrastructure are paramount.

Preparedness Planning Principles

In a simpler time, the word “disaster” meant that the company mainframe had crashed. Natural catastrophes, growing workplace violence and the threat of terrorism have forced U.S. business leaders to broaden their definition. Planning does not need to be complicated or costly – just realistic. Here is a blueprint that can help.
The following guidelines provide a practical foundation for identifying your areas of vulnerability and then planning accordingly.

“No battle plan ever survives contact with the enemy.” – Helmuth von Moltke the Elder

Project Initiation

Responsibility for driving your company’s business continuity plan starts at the top with you and members of your management team. Championing a disaster preparedness plan policy that provides for the safety of your employees, vital facilities and critical operations gives it currency throughout your organization. There is no room for ambivalence. Either manage the crisis or it will manage you.

Clearly define plan goals by taking a global view of your organization – from its facilities and infrastructure to its mission-critical operations and job functions. Then set objectives that are realistic and achievable.

Assess the Risks/Analyze the Impacts

“How Many Times in the Past Five Years Have You Had to Invoke a Business Continuity Plan?”
Never: 50%
Once: 15%
Twice: 11%
Three times: 6%
Four times: 3%
Five times: 3%
Greater than five times: 12%
Base: 295 Global Business Continuity Decision-Makers and Influencers
Source: Forrester Research, Inc.

A general disaster plan purchased off the shelf is a bad idea that serves no one. To clearly understand the individual needs of your company, conduct a business impact analysis to identify the hazards that occur in your geography, determine their frequency and magnitude, and convert their potential impacts into realistic planning scenarios. The analysis will also help you benchmark cost-per-hour for downtime should you be forced to halt operations. The business impact analysis should:
• Pinpoint the critical contributions, production and service processes of each department that could be disrupted and rank them in order of importance for sustaining operations.
• Establish recovery time objectives (RTOs) for critical processes, making sure to identify the employees who will be responsible for executing them. This should include a list of trained alternates in case some employees are unavailable or can’t reach their designated location.
• Include a master list of all internal and external resources required to get your business up and running within your RTOs. This would include hardware and software applications, voice and data communications, customer and vendor information – even security procedures and floor plans.
• Mandate formal training sessions. Each employee should know his or her role and responsibilities in a crisis situation. Plans should initially be tested informally, followed by a more disciplined execution so that weaknesses can be exposed and corrected.

“Updated and practiced plans and staff expertise is the key to securing a corporation’s ability to recover in a timeframe that will assure continuity of critical business.”[4]

Managing the Crisis

Emergencies that are not swiftly dealt with can spiral out of control. Creating a team of emergency responders to manage the initial shock will help deal with evacuation and first aid when firefighters, utility crews and emergency medical services are overwhelmed. Your team’s ability to calm a difficult situation can minimize fear and restore employee morale. When choosing employees for your emergency response team, look for distinctive qualities like decisiveness, communication skills and the ability to think quickly on their feet.

While your emergency responders are handling tactical issues, someone needs to take a leadership role to manage the strategic business issues that arise during and after a crisis. Forming an executive crisis management team enables you to make quick decisions, set priorities for restoration, allocate resources, calm stakeholders and work with government agencies.

Dealing with the Media

A media blitz is sure to follow any crisis event.
To prepare for it, set a single-spokesperson policy and assign that role to a member of your executive crisis management team. By speaking with one voice, you’ll avoid the dissemination of conflicting information. These simple rules should guide you:
• Be honest, be clear, never lie.
• Stick to discussing only who, what, where, when, why and how.
• Once the event takes on a life of its own, let the CEO take over.

Business Resilience Strategies

Geographic Separation

One of the lessons learned from the 9/11 terror attacks in New York City was that many companies that had their data facilities located near their headquarters unwittingly increased their own vulnerability. Case in point was the experience of two financial institutions with offices in the World Trade Center. One was back in operation a few days after the attack because it had set up its emergency operations and data back-up center several miles away while the other had theirs located a stone’s throw from ground zero. Two years later, they still had not recovered.

The bottom line for disaster preparedness planners: geographic concentration is out and geographic separation is in. Increase the distance between your primary business site and your recovery and/or IT back-up site to get them on different power grids.

Voice Communications

Wireless communication has become the emergency technology of choice during a crisis because it is not dependent on the wired infrastructure of the large telecommunications carriers. Should local power go out and regular voice communication be interrupted, a wireless strategy can temporarily fill the breach.
Depending on the magnitude of the disaster, communication and coordination between you, team leaders and their direct reports can be achieved using a number of wireless options:

Satellite phones have the advantage of not being reliant on localized hardwire infrastructure, as are cellular systems, and are less likely to fail. However, satellite phone services can be costly, they may not work properly in some buildings and may be unable to meet peak demand during an emergency.

Cellular phone networks could be an option based on the severity of the disruption. Don’t forget text messaging. It actually became the dominant method of communication for residents and businesses alike after Katrina made landfall and normal landline communications went down.

Short-range radios can be used on either licensed or unlicensed frequencies. Low in cost but limited to a range of about two to six miles, they are a good choice for local coordination. If you operate on an unlicensed band frequency, you could experience chatter on the channel. Should you choose the short-range radio option, be sure that the radios are tested regularly and that batteries are fresh.

Mobile radios are temporary radio systems that present a short-term solution not wed to any infrastructure. Easy to set up and break down, they can provide city-wide coverage and are used primarily by government and non-government agencies.

The Recovery Center: Data Access, Integrity and Security

According to DisasterRecoveryPlanning.org, “A company denied access to mission-critical data for more than 48 hours will be out of business within one year.” If local branch offices are not available and you are not location dependent, make arrangements to set up and maintain one or more back-up facilities where you could resume some or all of your operations.

A shared disaster recovery facility used by multiple businesses could be a solution that offers infrastructure, enabling technologies and scalability to meet your needs.
Managed by a third party vendor, they are remote, secure and separated from your main data facility.

If you need a dedicated facility, it is likely you will need to lease or purchase computer hardware and replace your software. Estimate your needs in advance and then request written quotes for rental or purchase of equipment and delivery times. Also make arrangements with these vendors to quickly replace ruined hardware and software at your primary facility once damage assessment is completed and/or coordinate the set-up of the hardware and software at your temporary location.

Address workforce continuity. Provide employees with secure, remote access to data applications and communications to stay productive. You might require all employees with laptops to travel with them so they have the option of working from home.

Protecting the Supply Chain

Your ability to resume operations is directly linked to the ability of your suppliers to deliver what you need on time. Make sure:
• Principal suppliers, or alternate suppliers, are dispersed and not all in the same geographical location as you.
• Critical suppliers of services and materials will be available when you need them. This could include requiring them to have mutual aid agreements in place with similar companies to fulfill obligations to you.
• Credit checks, purchase accounts and other vendor requirements are done in advance so replacement goods can be shipped immediately.

“In the Past 12 Months, Have Any External Parties Demanded Proof of Your Company’s Business Continuity Readiness? If so, Which Ones” (multiple responses accepted)
Regulatory Auditors-Government: 42%
Regulatory Auditors-Industry: 42%
Customers: 38%
Strategic Partners (i.e., suppliers): 23%
Other: 8%
First Responders (i.e., police, fire, etc.): 5%
Base: 295 Global Business Continuity Decision-Makers and Influencers
Source: Forrester Research, Inc.
• Back-up suppliers are ready in case your main ones are disabled; place periodic orders with them so they’ll consider you an active customer.
• Suppliers are required or encouraged to have their own business continuity plans; audit those plans yourself to ensure they are up to date.

The Role of Treasury

Restoring business operations is dependent on liquidity and ensuring that your organization has access to both working capital and the means of disbursing it. Both are good reasons why your treasury group should have a seat at the continuity planning table from the beginning.

As stewards of your banking relationship, Treasury will provide a level of fiscal preparedness and expertise to ensure that you can process payments and sustain business operations across your supply chain with a high degree of confidence while handling all internal financial processes, including payroll.

To help Treasury prepare itself in the event of a business disruption or crisis, a readiness audit should be conducted to identify and correct deficiencies in critical operational areas. The audit should assess whether:
• Contingency plans are in place to support accounts payable and receivable
• Bank account information, including authorized signers, security and access, has been reviewed
• Treasury operations can be transferred to a remote site
• Your bank(s) have dispersed payment centers

Best Practices

Test and Re-test Your Plan

In order to have any real chance of succeeding in the face of a disruptive event, your disaster preparedness plan must be regularly tested and refined. However, testing is often considered a low priority based on cost, logistics and the down time required. This view assumes that the plan would work, and does nothing more than put an organization at greater risk than the event(s) it is planning for. Be proactive.
Test your plan against a range of realistic scenarios that present escalating degrees of disaster impacts. These might range from your IT server going down or a chemical hazard that shuts down your facility to a fire that destroys your office or the worst-case scenario – a terror event or severe weather that strikes the entire city or region where your company is located.

The outcomes of your scenario testing will help determine whether your:
• Server can be virtualized or must be replaced
• Employees can work remotely
• Operations can be sustained and restored
• Company is unable to recover and forced to shut down

Put Your Employees First

People are essential to the recovery of operations. Since your business cannot resume unless employees are able to return to work, you might consider providing them with:
• Alternate forms of transportation such as carpooling or vanpooling
• Emergency lodging if they become displaced
• Short-term financial aid to meet immediate emergency cash needs
• Childcare at your primary or alternate site

You can sustain high levels of awareness and keep your employees focused on the prize through a variety of tactics, including rewards, incentives and ongoing communication.

Providing payroll is key to maintaining the loyalty and trust of your employees. It helps them handle disaster-related challenges and meet personal financial obligations. You might establish a company-wide policy for:
• Direct deposit of paychecks for all employees
• Overtime pay during a disaster
• One week’s pay (or other amount) even if your business is temporarily closed

Plan ahead to deal with security/worksite access issues for your primary or alternate site. If employees need badges or security clearances, be prepared to provide them. If your employees need special licenses to move or operate equipment, be sure you have a plan in place to obtain or replace them.
Meet with your employees at least once a year to review emergency plans and to share information on disaster preparedness and protection at home. Give them wallet cards with instructions on how to get company information in an emergency situation.

Consider Your Physical Resources

Have your facilities manager regularly inspect the physical structure and assess the impact a natural disaster would have on your facility. If your business operates out of an older building, have it evaluated by a professional engineer. This will help safeguard your building from potential hazards.

Whether you are planning to re-fit your existing facility or build new from the ground up, make sure your plans conform to local building code requirements that reflect lessons learned from past catastrophes.

Maintain Key Contacts

Make sure that those who help administer your business, such as your banker, insurance broker, accounting firm and outside legal counsel, etc., are readily available to you. This also includes organizations and services within your community. Maintain a good relationship with municipal authorities, utilities and other service providers before disaster strikes.

Your customers are an essential part of this list since your economic recovery depends on retaining them. Consider the following outcomes and ask yourself:
• What happened to my customers/clients?
• Were they affected by the disaster?
• Will their buying habits change? Your product or service may be a discretionary purchase or not essential at the time.

Keep Insurance Coverage Up to Date

Most property and casualty policies do not provide for flood or earthquake damage, so depending on your location, you might purchase separate policies to cover these threats. Consider business interruption and extra expense insurance to hedge against having to shut down operations for a few days.
While you are closed, customers will go elsewhere, and as your revenues decrease, you will have both ongoing and new expenses. That’s a double whammy that might be tough to handle without this incremental coverage.

Another consideration is cyber insurance. As the private sector invests more in Internet infrastructure and e-Commerce, more organizations are budgeting for it. According to the 2008 CSI/FBI Computer Crime and Security Survey, “34 percent of U.S. companies say they have external insurance policies to manage cyber security risk, up from 29 percent in 2006.”[5] These policies are underwritten to deal specifically with technology and, like commercial insurance, can be customized to your organization’s needs. A typical policy will cover your Internet liability, business interruption, network security and web content liability.

Although insurance can help protect your assets, it cannot by itself assure the survivability of your business following a catastrophic event. Without a pre-defined plan to protect people and property, and to resume business, most organizations find it very difficult to survive a business shutdown.

History has shown that disasters come in many forms, can strike unexpectedly and leave a trail of devastation behind. You can either make the decision to plan for a severe business disruption or catastrophic event or accept the risks.

One final thought: planning strategies are transferable and the cost can be amortized. In the event that you prepare for a hurricane that never materializes but experience a severe blackout like the massive power failure that hit the Northeast U.S. in 2003, you’ll still be prepared to sustain operations until the situation returns to normal.

This issue of Perspective is part of a series of publications for executive business leaders, compliments of Chase Commercial Banking. Each in-depth report is designed to present you with relevant news you can use on emerging business issues.
For more information, please contact your Chase Commercial Banker or visit us online at www.chase.com/NewsYouCanUse.

References

1. Moffat, Rob, Improving Communications in Emergency Situations: Mobile Business Continuity Planning Solutions, Industry White Paper, Research In Motion Limited, 2007.
2. Ibid. 1.
3. Thomson, Mike, Newswire, From the President’s Pen, Association of Contingency Planners, South Texas Chapter, June 2009.
4. Harris, Norman, CBHP, CRP, During a Recession, Reliable BC/RP Plans are a Must, Disaster Recovery Journal, Spring 2009.
5. Richardson, Robert, 2008 CSI Computer Crime and Security Survey, Computer Security Institute, 2008.

© 2009 JPMorgan Chase & Co. All rights reserved. Chase is a marketing name for certain businesses of JPMorgan Chase & Co. and its subsidiaries worldwide.