Perspective: Insights for America’s Business Leaders
Disaster Preparedness Planning: Maintaining Business Continuity During Crisis, Disruption and Recovery
Executive Summary:
– Planning for the Unplanned
– Raising Your Readiness Level
– Business Resilience Strategies
– Best Practices
“By failing to prepare you are preparing to fail.” – Ben Franklin
It Can Happen on Your Watch
Disasters can strike at any time – often with little or no warning – and the effects can be
devastating. The cost in human lives and property damage is what makes the evening news
because of the powerful tug of human interest. Much less coverage, however, is given to the
disruption, struggle and survivability of business operations.
A study fielded by the Institute for Business and Home Safety revealed that 25 percent of all
companies that close due to disasters – hurricanes, power failures, acts of terror and others –
never reopen.
What are the factors that determine a company’s ability to weather and survive a disaster? Most
business leaders who have experienced a catastrophic event would agree that it was their level
of preparedness and ability to mitigate risk.
This issue of Perspective will provide you with insight, planning strategies and best practices
to help your organization:
• Maintain business continuity during crisis, disruption and recovery
• Provide for the safety and protection of your employees
• Communicate effectively across your value chain
• Secure its infrastructure
• Ensure liquidity and access to operating capital
Preparing for uncertainty takes time, money and resources, but it trumps the alternative and is
surely preferable to facing your stakeholders and having to tell them, “We could and should have
been better prepared.”
Not Your Typical Snow Day
On June 11, 2009, the World Health Organization officially raised its infectious disease alert to
Phase 6 – its highest level – acknowledging that the outbreak of the H1N1 swine flu virus, based
on its global spread, had become a pandemic.
Despite some unfortunate fatalities, all evidence to date indicates that the virus is moderate in
its effects. Experts believe, however, that it’s not yet safe to go back in the water. As it makes its
way across the globe and passes through populations, the current H1N1 strain could mutate into
something more virulent and return with greater severity during the winter influenza season.
It could have been much worse. Experts advise that you must plan for the long-term, 500-800
days minimum for the pandemic period. Add in bans on travel, school closings, strains on the
healthcare system plus fear, and suddenly many business leaders see the swine flu outbreak as
their 3 a.m. wake-up call.
Planning for the Unplanned and Unexpected
The terror attacks of 9/11 brought risk management front and center. Business continuity
and disaster recovery plans suddenly emerged from their slumber and now cover more than
floods and high winds. Hurricane Katrina provided the exclamation point.
There are a myriad of hazards that could potentially disrupt your business – from natural
disasters and extreme weather to power failures and terror events – which makes preparing
for every “what-if” contingency virtually impossible.
Regardless of the source, planning should focus on the effects – not the cause – since all
effects tend to fall into one of four categories:
• Workforce shortage caused by infectious outbreak, labor strike, extreme weather or a
breakdown in transportation
• Loss of technology due to cyber attack, interruption in communications, power outage
or flood
• Loss of facilities resulting from fire, workplace violence, hurricanes, floods and other
natural disasters
• Failure in the supply chain that prevents the shipping and receiving of products and
raw materials
“What Were the Causes of the Invocations?” (multiple responses accepted)
Natural Disaster/Extreme Weather: 59%
Power Outage: 54%
IT Failure: 39%
Telecommunication Failure: 32%
Fire: 24%
Flood: 21%
Utility Outage: 15%
Terrorist Event: 8%
IT Security Incident: 7%
Environmental Accident: 6%
Other: 6%
Employee Health and Safety Incident: 5%
Supply Chain Disruption: 3%
Sabotage (external): 1%
Negative Publicity Coverage: 1%
Pandemic: 1%
Sabotage (internal): 0%
Base: 151 Global Business Continuity Decision-Makers and Influencers Who Have Had to Invoke a Business Continuity Plan
Source: Forrester Research, Inc.
“Manage the threat or it will manage you.”
Where to start? Often, your location will determine your efforts, energy and resources and
help you plan for the greatest percentage of disasters.
Companies based in the South and along the Gulf Coast will focus on hurricanes and floods,
while those in the upper Midwest will concentrate on blizzards and ice storms. Government
agencies will prepare for cyber attacks on their IT infrastructure, while businesses in major
metropolitan areas like New York City and Washington, D.C. plan for power outages, labor strikes
and terrorism.
Raising Your Readiness Level
In the wake of the recent swine flu outbreak, Michael Thomson, President of the South Texas
chapter of the Association of Contingency Planners (ACP), reports that a study by researchers
at Fayetteville State University found that of all the businesses surveyed, “at least half had
no plans in place to sustain payroll, maintain regular operations or serve customers in
emergencies.”[3]
Those results are simply unacceptable. Hedging against risk means that identifying
possible hazards, assessing their potential impact, assigning priorities and developing
responses to protect your employees and your infrastructure are paramount.
The Impact on Shareholder Value
[Figure: Cumulative Abnormal Returns (%), i.e., change in market cap adjusted for market
movement, plotted against Trading Days After the Event. After initial reflex (10 days) market
begins to assess company’s response. Effective Crisis Response: +7%. Ineffective Crisis
Response: -15%. Source: Improving Communications in Emergency Situations, Mobile Business
Continuity Planning Solutions.]
“A company’s ability to respond to emergency situations directly impacts whether that share
valuation can be recovered.”[1] A study conducted by British authors Rory Knight and Deborah
J. Pretty and research firm Oxford Metric proved this claim. It showed “an immediate decline
of 8 to 11 percent in company shareholder value following a crisis”[2] and a 22 percent positive
difference in stock price for those companies classified as having a recovery plan.
Preparedness Planning Principles
In a simpler time, the word “disaster”
meant that the company mainframe had
crashed. Natural catastrophes, growing
workplace violence and the threat of terrorism
have forced U.S. business leaders to broaden
their definition.
Planning does not need to be complicated or
costly – just realistic. Here is a blueprint that
can help. The following guidelines provide a
practical foundation for identifying your areas of
vulnerability and then planning accordingly.
“No battle plan ever survives contact with the enemy.” – Helmuth von Moltke the Elder
Project Initiation
Responsibility for driving your company’s
business continuity plan starts at the
top with you and members of your
management team. Championing a disaster
preparedness plan policy that provides for
the safety of your employees, vital facilities
and critical operations gives it currency
throughout your organization.
There is no room for ambivalence. Either
manage the crisis or it will manage you.
Clearly define plan goals by taking a global
view of your organization – from its facilities
and infrastructure to its mission-critical
operations and job functions. Then set
objectives that are realistic and achievable.
Assess the Risks/Analyze the Impacts
“How Many Times in the Past Five Years Have You Had to Invoke a Business Continuity Plan?”
Never: 50%
Once: 15%
Twice: 11%
Three times: 6%
Four times: 3%
Five times: 3%
Greater than five times: 12%
Base: 295 Global Business Continuity Decision-Makers and Influencers
Source: Forrester Research, Inc.
A general disaster plan purchased off the
shelf is a bad idea that serves no one.
To clearly understand the individual needs of your company, conduct a business impact
analysis to identify the hazards that occur in your geography, determine their frequency and
magnitude, and convert their potential impacts into realistic planning scenarios. The analysis
will also help you benchmark cost-per-hour for downtime should you be forced to
halt operations.
The business impact analysis should:
• Pinpoint the critical contributions, production and service processes of each department
that could be disrupted and rank them in order of importance for sustaining operations.
• Establish recovery time objectives (RTOs) for critical processes, making sure to identify the
employees who will be responsible for executing them. This should include a list of trained
alternates in case some employees are unavailable or can’t reach their designated location.
• Include a master list of all internal and external resources required to get your business up
and running within your RTOs. This would include hardware and software applications, voice
and data communications, customer and vendor information – even security procedures and
floor plans.
• Mandate formal training sessions. Each employee should know his or her role and
responsibilities in a crisis situation. Plans should initially be tested informally, followed
by a more disciplined execution so that weaknesses can be exposed and corrected.
“Updated and practiced plans and staff expertise is the key to securing a corporation’s ability
to recover in a timeframe that will assure continuity of critical business.”[4]
Managing the Crisis
Emergencies that are not swiftly dealt with can spiral out of control. Creating a team of
emergency responders to manage the initial shock will help deal with evacuation and first
aid when firefighters, utility crews and emergency medical services are overwhelmed. Your
team’s ability to calm a difficult situation can minimize fear and restore employee morale.
When choosing employees for your emergency response team, look for distinctive qualities
like decisiveness, communication skills and the ability to think quickly on their feet.
While your emergency responders are handling tactical issues, someone needs to take a
leadership role to manage the strategic business issues that arise during and after a crisis.
Forming an executive crisis management team enables you to make quick decisions, set
priorities for restoration, allocate resources, calm stakeholders and work with government
agencies.
Dealing with the Media
A media blitz is sure to follow any crisis event. To prepare for it, set a single-spokesperson
policy and assign that role to a member of your executive crisis management team. By
speaking with one voice, you’ll avoid the dissemination of conflicting information. These
simple rules should guide you:
• Be honest, be clear, never lie.
• Stick to discussing only who, what, where, when, why and how.
• Once the event takes on a life of its own, let the CEO take over.
Business Resilience Strategies
Geographic Separation
One of the lessons learned from the 9/11 terror attacks in New York City was that many
companies that had their data facilities located near their headquarters unwittingly
increased their own vulnerability.
Case in point was the experience of two financial institutions with offices in the World Trade
Center. One was back in operation a few days after the attack because it had set up its
emergency operations and data back-up center several miles away while the other had theirs
located a stone’s throw from ground zero. Two years later, they still had not recovered.
The bottom line for disaster preparedness planners: geographic concentration is out and
geographic separation is in. Increase the distance between your primary business site and
your recovery and/or IT back-up site to get them on different power grids.
Voice Communications
Wireless communication has become the emergency technology of choice during a crisis
because it is not dependent on the wired infrastructure of the large telecommunications
carriers. Should local power go out and regular voice communication be interrupted, a
wireless strategy can temporarily fill the breach.
Depending on the magnitude of the disaster, communication and coordination between you,
team leaders and their direct reports can be achieved using a number of wireless options:
Satellite phones have the advantage of not being reliant on localized hardwire infrastructure,
as are cellular systems, and are less likely to fail. However, satellite phone services can
be costly, they may not work properly in some buildings and may be unable to meet peak
demand during an emergency.
Cellular phone networks could be an option based on the severity of the disruption.
Don’t forget text messaging. It actually became the dominant method of communication
for residents and businesses alike after Katrina made landfall and normal landline
communications went down.
Short-range radios can be used on either licensed or unlicensed frequencies. Having a
low cost but a limited range of about two to six miles, they are a good choice for local
coordination. If you operate on an unlicensed band frequency, you could experience chatter
on the channel. Should you choose the short-range radio option, be sure that they are tested
regularly and that batteries are fresh.
Mobile radios are temporary radio systems that present a short-term solution not wed to any
infrastructure. Easy to set up and break down, they can provide city-wide coverage and are
used primarily by government and non-government agencies.
The Recovery Center: Data Access, Integrity and Security
According to DisasterRecoveryPlanning.org, “A company denied access to mission-critical
data for more than 48 hours will be out of business within one year.”
If local branch offices are not available and you are not location dependent, make
arrangements to set up and maintain one or more back-up facilities where you could resume
some or all of your operations.
A shared disaster recovery facility used by multiple businesses could be a solution that offers
infrastructure, enabling technologies and scalability to meet your needs. Managed by a
third-party vendor, such facilities are remote, secure and separated from your main data facility.
Require or encourage suppliers to have their own business continuity plans.
If you need a dedicated facility, it is likely you will need to lease or purchase computer
hardware and replace your software. Estimate your needs in advance and then request
written quotes for rental or purchase of equipment and delivery times. Also make
arrangements with these vendors to quickly replace ruined hardware and software at your
primary facility once damage assessment is completed and/or coordinate the set-up of the
hardware and software at your temporary location.
Address workforce continuity. Provide employees with secure, remote access to data
applications and communications to stay productive. You might require all employees with
laptops to travel with them so they have the option of working from home.
Protecting the Supply Chain
Your ability to resume operations is directly linked to the ability of your suppliers to deliver what
you need on time. Make sure:
• Principal suppliers, or alternate suppliers, are dispersed and not all in the same geographical
location as you.
• Critical suppliers of services and materials will be available when you need them. This could
include requiring them to have mutual aid agreements in place with similar companies to fulfill
obligations to you.
• Credit checks, purchase accounts and other vendor requirements are done in advance so
replacement goods can be shipped immediately.
• Back-up suppliers are ready in case your main ones are disabled; place periodic orders with
them so they’ll consider you an active customer.
• Suppliers are required or encouraged to have their own business continuity plans; audit
those plans yourself to ensure they are up to date.
“In the Past 12 Months, Have Any External Parties Demanded Proof of Your Company’s
Business Continuity Readiness? If so, Which Ones” (multiple responses accepted)
Regulatory Auditors-Government: 42%
Regulatory Auditors-Industry: 42%
Customers: 38%
Strategic Partners (i.e., suppliers): 23%
Other: 8%
First Responders (i.e., police, fire, etc.): 5%
Base: 295 Global Business Continuity Decision-Makers and Influencers
Source: Forrester Research, Inc.
The Role of Treasury
Restoring business operations is dependent on liquidity and ensuring that your organization
has access to both working capital and the means of disbursing it. Both are good reasons why
your treasury group should have a seat at the continuity planning table from the beginning.
As stewards of your banking relationship, Treasury will provide a level of fiscal preparedness
and expertise to ensure that you can process payments and sustain business operations
across your supply chain with a high degree of confidence while handling all internal
financial processes, including payroll.
To help Treasury prepare itself in the event of a business disruption or crisis, a readiness
audit should be conducted to identify and correct deficiencies in critical operational areas.
The audit should assess whether:
• Contingency plans are in place to support accounts payable and receivable
• Bank account information, including authorized signers, security and access,
has been reviewed
• Treasury operations can be transferred to a remote site
• Your bank(s) have dispersed payment centers
Best Practices
Test and Re-test Your Plan
In order to have any real chance of succeeding in the face of a disruptive event, your
disaster preparedness plan must be regularly tested and refined. However, testing is often
considered a low priority based on cost, logistics and the down time required. This view
assumes that the plan would work, and does nothing more than put an organization at
greater risk than the event(s) it is planning for.
Be proactive. Test your plan against a range of realistic scenarios that present escalating
degrees of disaster impacts. These might range from your IT server going down or a
chemical hazard that shuts down your facility to a fire that destroys your office or the
worst-case scenario – a terror event or severe weather that strikes the entire city or region
where your company is located. The outcomes of your scenario testing will help determine
whether your:
• Server can be virtualized or must be replaced
• Employees can work remotely
• Operations can be sustained and restored
• Company is unable to recover and forced to shut down
Put Your Employees First
People are essential to the recovery of operations. Since your business cannot resume
unless employees are able to return to work, you might consider providing them with:
• Alternate forms of transportation such as carpooling or vanpooling
• Emergency lodging if they become displaced
• Short-term financial aid to meet immediate emergency cash needs
• Childcare at your primary or alternate site
You can sustain high levels of awareness and keep your employees focused on the prize
through a variety of tactics, including rewards, incentives and ongoing communication.
Providing payroll is key to maintaining the loyalty and trust of your employees. It helps
them handle disaster-related challenges and meet personal financial obligations. You might
establish a company-wide policy for:
• Direct deposit of paychecks for all employees
• Overtime pay during a disaster
• One week’s pay (or other amount) even if your business is temporarily closed
Plan ahead to deal with security/worksite access issues for your primary or alternate site.
If employees need badges or security clearances, be prepared to provide them. If your
employees need special licenses to move or operate equipment, be sure you have a plan in
place to obtain or replace them.
Meet with your employees at least once a year to review emergency plans and to share
information on disaster preparedness and protection at home. Give them wallet cards with
instructions on how to get company information in an emergency situation.
Consider Your Physical Resources
Have your facilities manager regularly inspect the physical structure and assess the impact a
natural disaster would have on your facility.
If your business operates out of an older building, have it evaluated by a professional
engineer. This will help safeguard your building from potential hazards. Whether you are
planning to re-fit your existing facility or build new from the ground up, make sure your
plans conform to local building code requirements that reflect lessons learned from past
catastrophes.
Maintain Key Contacts
Make sure that those who help administer your business, such as your banker, insurance
broker, accounting firm and outside legal counsel, etc., are readily available to you. This also
includes organizations and services within your community. Maintain a good relationship
with municipal authorities, utilities and other service providers before disaster strikes.
Your customers are an essential part of this list since your economic recovery depends on
retaining them. Consider the following outcomes and ask yourself:
• What happened to my customers/clients?
• Were they affected by the disaster?
• Will their buying habits change? Your product or service may be a discretionary purchase or
not essential at the time.
Keep Insurance Coverage Up to Date
Most property and casualty policies do not provide for flood or earthquake damage, so
depending on your location, you might purchase separate policies to cover these threats.
Consider business interruption and extra expense insurance to hedge against having to shut
down operations for a few days. While you are closed, customers will go elsewhere, and
as your revenues decrease, you will have both ongoing and new expenses. That’s a double
whammy that might be tough to handle without this incremental coverage.
Another consideration is cyber insurance. As the private sector invests more in Internet
infrastructure and e-Commerce, more organizations are budgeting for it. According to the
2008 CSI/FBI Computer Crime and Security Survey, “34 percent of U.S. companies say they
have external insurance policies to manage cyber security risk, up from 29 percent in 2006.”[5]
These policies are underwritten to deal specifically with technology and, like commercial
insurance, can be customized to your organization’s needs. A typical policy will cover your
Internet liability, business interruption, network security and web content liability.
Although insurance can help protect your assets, it cannot by itself assure the survivability
of your business following a catastrophic event. Without a pre-defined plan to protect people
and property, and to resume business, most organizations find it very difficult to survive a
business shutdown.
History has shown that disasters come in many forms, can strike unexpectedly and leave a
trail of devastation behind. You can either make the decision to plan for a severe business
disruption or catastrophic event or accept the risks.
One final thought: planning strategies are transferable and the cost can be amortized. In
the event that you prepare for a hurricane that never materializes but experience a severe
blackout like the massive power failure that hit the Northeast U.S. in 2003, you’ll still be
prepared to sustain operations until the situation returns to normal.
This issue of Perspective is part of a series of publications for executive
business leaders, compliments of Chase Commercial Banking. Each in-depth
report is designed to present you with relevant news you can use on emerging
business issues. For more information, please contact your Chase Commercial
Banker or visit us online at www.chase.com/NewsYouCanUse.
References
1. Moffat, Rob, Improving Communications in Emergency Situations: Mobile Business
Continuity Planning Solutions, Industry White Paper, Research In Motion Limited, 2007.
2. Ibid. 1.
3. Thomson, Mike, Newswire, From the President’s Pen, Association of Contingency
Planners, South Texas Chapter, June 2009.
4. Harris, Norman, CBHP, CRP, During a Recession, Reliable BC/RP Plans are a Must,
Disaster Recovery Journal, Spring 2009.
5. Richardson, Robert, 2008 CSI Computer Crime and Security Survey, Computer
Security Institute, 2008.
© 2009 JPMorgan Chase & Co.  All rights reserved.  
Chase is a marketing name for certain businesses of JPMorgan Chase & Co. and its subsidiaries worldwide.