Crocker agrees that business continuity plans should be reviewed frequently and that if there isn’t a third-party making an organization review them on a regular basis, then there needs to be someone within the organization that can be a “champion” for that purpose. “The plans need to be table-topped regularly. Ideally every quarter; you need to update the plans based on new business circumstances,” Crocker says.
Organizations also need to consider the implications to their workforce in the aftermath of a natural disaster. “When you look at a large-scale organization, just generically speaking, people are a key resource that you need to plan for,” says Crocker. “What happens if certain members of your leadership are unavailable? How do you replicate that part of the decision making process and how do you amend it with outside staff or people from other divisions in the company that can fill in during a crisis?”
Crocker says it is also important for small and mid-sized business to think about how they’re going to maintain and store their records, which can be critical to an organization’s recovery efforts. “At a smaller scale organization, you need to be able to have key records replicated somewhere else,” he says. “Have your records in the cloud, in a server farm or at an offsite location where if there was damage to your structure, you don’t lose your business records. Most businesses that lose their records fail within 12 months.”
Following the 2010 oil spill in the Gulf of Mexico, Crocker said many businesses were unable to recoup losses from BP because they couldn’t document their revenue from the previous year.
Because communications are commonly knocked out during natural disasters, experts say it’s also important to consider how communications infrastructure for your organization will be fortified during one of these events, which could extend as far as having an alternate site where operations can be maintained.
“From a technological point of view, I think you need to be able to manage the documents, records and communications for an organization that’s been hit by a natural disaster,” says Crocker. “How are you going to direct the calls? Who’s going to answer those calls? When billings and business communications come in, where are they now going to go and whose going to respond to them? And then there is the ever important IT infrastructure and how are you going to provide the survivors or replacement or outsourced personnel for business continuity access to the IT system?”
Aside from the security director, Hamilton says others that need to be included in business continuity/risk management planning process are the facilities manager, followed by someone in operations and possibly human resources.
“Of course it depends on the type of organization it is,” she explained. “If it is a production plant, whether they are producing Winnie the Pooh dolls or electricity, whoever is in charge of plant production should be involved. If they are in healthcare, they’re going to need someone on the clinical staff who is going to be involved in the process. At a larger company, often times there will be an emergency manager who is designated that is going to come in and help with this planning process. And it is not just a planning process, it is an ongoing thing with a life of its own, so it’s planning, doing emergency drills and it’s making sure that when there is a change in something, that it ripples through to the plans.”
Overall, Hamilton doesn’t believe that most organizations are very well prepared for disasters, which is all the more reason why events like the Oklahoma tornadoes and Superstorm Sandy should serve as an impetus to develop and practice business continuity plans.
“It is very unusual for me to go anywhere and find that they have a 100 percent completed plan in place that’s been practiced and everything,” says Hamilton. “I think the reason for that partly is that we just came out of this recession and so I think that is one of the things that go when things get tight… but I think now is the time to get back to it and just realize that it is part of your responsibility to safeguard a corporation or business to have that kind of planning in place.”