Natural disasters highlight importance of business continuity plans

June 12, 2013
Security experts discuss best practices for mitigating risks posed by Mother Nature

Last month, powerful tornadoes ripped through Oklahoma over a 12-day period, leveling buildings and killing more than 40 people in the process. Among the victims were 10 children, seven of whom were killed when a twister struck an elementary school in the Oklahoma City suburb of Moore. Last fall, Superstorm Sandy struck the northeastern U.S., destroying numerous homes and businesses. The storm also knocked out power and communications for thousands of residents in the region.

The damage left behind in the aftermath of these acts of nature reinforces the need for organizations to incorporate comprehensive natural disaster management policies and procedures in their business continuity plans. Oftentimes, however, security managers become so bogged down in the minutiae of everyday operations that their enterprise risk management plans are neglected, rarely ever being updated or practiced.

According to Caroline Hamilton, president of Fort Lauderdale, Fla.-based security consulting firm Risk and Security, LLC, natural disaster planning should be a part of every organization’s risk assessment regardless of its industry or location.

“Natural disasters are part of what you do when you’re doing any kind of risk assessment on a business, enterprise or facility. That’s a whole category by itself and that can be hurricanes, tornadoes or tsunamis, but it can also be simple things like flooding or chemical leaks or spills that occur in a city,” says Hamilton. “When I go in to do an assessment of something, whatever it is, the first thing I look at are the controls that they already have in place. These controls are important. They are as important as the threat analysis because the control is going to show you how to mitigate that threat - either how to reduce it or eliminate it so it doesn’t happen at all. Disaster (planning) is probably about 25 percent of what you do and making sure you can recover no matter what happens is really, really critical.”

Hamilton says one of the most frequent issues she sees in organizations is incomplete risk management plans. “That happens a lot of times. Companies have good intentions and they start these plans, but they don’t finish them because they get sidetracked by some other thing,” says Hamilton. “You have to be disciplined enough to go back and finish them.”

These plans need to be updated and/or revised every year at minimum, according to Hamilton, who also recommends performing drills at least twice a year. Drills for natural disasters can also reap benefits for planning and preparing for other types of emergency events.

“Something that people don’t normally associate at all with a natural disaster would be an active shooter,” says Hamilton. “But I was just at a conference where local police and DHS were there talking about how to deal with active shooters and they said having these evacuation drills and things that you do for a disaster or emergency drill in case of a fire, chemical spill or whatever, that those evacuation drills are very useful in an active shooter scenario too. A lot of security managers think, ‘active shooter, we’re going to lock down the whole facility tight.’ They’re saying exactly the opposite in that they want to open it up completely because they want as many people as possible to exit out of that building. People remember what they practice.”

Michael Crocker, president of Houston-based security consulting firm Michael Crocker, CPP & Associates, Inc., says that organizations also need to have someone from the outside review and validate crisis management plans. “I think it is really important to be peer-reviewed,” he says. “If your subject matter experts are in-house, you need someone out of the house to look at it and validate it.”

Crocker agrees that business continuity plans should be reviewed frequently and that if there isn’t a third party making an organization review them on a regular basis, then there needs to be someone within the organization who can be a “champion” for that purpose. “The plans need to be table-topped regularly. Ideally every quarter; you need to update the plans based on new business circumstances,” Crocker says.

Organizations also need to consider the implications to their workforce in the aftermath of a natural disaster. “When you look at a large-scale organization, just generically speaking, people are a key resource that you need to plan for,” says Crocker. “What happens if certain members of your leadership are unavailable? How do you replicate that part of the decision-making process and how do you amend it with outside staff or people from other divisions in the company that can fill in during a crisis?”

Crocker says it is also important for small and mid-sized businesses to think about how they’re going to maintain and store their records, which can be critical to an organization’s recovery efforts. “At a smaller scale organization, you need to be able to have key records replicated somewhere else,” he says. “Have your records in the cloud, in a server farm or at an offsite location where if there was damage to your structure, you don’t lose your business records. Most businesses that lose their records fail within 12 months.”

Following the 2010 oil spill in the Gulf of Mexico, Crocker said many businesses were unable to recoup losses from BP because they couldn’t document their revenue from the previous year.   

Because communications are commonly knocked out during natural disasters, experts say it’s also important to consider how communications infrastructure for your organization will be fortified during one of these events, which could extend as far as having an alternate site where operations can be maintained.

“From a technological point of view, I think you need to be able to manage the documents, records and communications for an organization that’s been hit by a natural disaster,” says Crocker. “How are you going to direct the calls? Who’s going to answer those calls? When billings and business communications come in, where are they now going to go and who’s going to respond to them? And then there is the ever-important IT infrastructure and how are you going to provide the survivors or replacement or outsourced personnel for business continuity access to the IT system?”

Aside from the security director, Hamilton says others who need to be included in the business continuity/risk management planning process are the facilities manager, followed by someone in operations and possibly human resources.

“Of course it depends on the type of organization it is,” she explained. “If it is a production plant, whether they are producing Winnie the Pooh dolls or electricity, whoever is in charge of plant production should be involved. If they are in healthcare, they’re going to need someone on the clinical staff who is going to be involved in the process. At a larger company, often times there will be an emergency manager who is designated that is going to come in and help with this planning process. And it is not just a planning process, it is an ongoing thing with a life of its own, so it’s planning, doing emergency drills and it’s making sure that when there is a change in something, that it ripples through to the plans.”

Overall, Hamilton doesn’t believe that most organizations are very well prepared for disasters, which is all the more reason why events like the Oklahoma tornadoes and Superstorm Sandy should serve as an impetus to develop and practice business continuity plans.

“It is very unusual for me to go anywhere and find that they have a 100 percent completed plan in place that’s been practiced and everything,” says Hamilton. “I think the reason for that partly is that we just came out of this recession and so I think that is one of the things that go when things get tight… but I think now is the time to get back to it and just realize that it is part of your responsibility to safeguard a corporation or business to have that kind of planning in place.”