When Unexpected Strikes, Best Laid Plans Can Avert Disaster


Entrepreneur’s Notebook

by Andre Sharp

No one disputes that earthquakes, fires, floods and hurricanes are disasters. But many businesses fail to recognize dozens of other disasters waiting to happen, from computer viruses to employee theft to runaway cars plowing into buildings. These can disrupt business as dramatically as any of the catastrophes on the 6 o’clock news.

How many businesses are prepared for a spectrum of business disruptions? How many have a fully documented plan to handle any foreseeable emergencies? As former New York Mayor Rudolph Giuliani has said: “You may not plan for the correct crisis, but if you have planned for a crisis, you can handle nearly everything that’s going to happen to you.”

In reality, most companies do little more than back up critical data on a regular basis. The duplicate data is tucked away, preferably off premises. But while the data may be secure, a fire in the computer room could damage the equipment and put the entire business off-line. If there is no plan for a transfer to an offsite location, this becomes a disaster equal to anything Mother Nature can dish out.

To plan for a variety of disasters, first identify and document all the tasks and processes performed in the course of the business. Then begin outlining what steps are to be taken in each instance in the event of a disaster. Potentially vulnerable areas should be identified, and as many problems as possible should be addressed. At the very least, servers should be connected to uninterruptible power supplies, and a regular data-backup routine instituted.

The next most important task is to identify all potential threats to the business through a risk-assessment analysis of possible events. Group them into categories, such as: environmental, human, equipment, security breaches, loss of utilities and other emergency situations.

Environmental events include weather, quakes, major fires and contamination by hazardous materials. Human threats can include sabotage, embezzlement, fraud, property theft, terrorism and industrial actions. Equipment risks include system failures. Security breaches include cyber attacks, hacking, loss of data and disclosure of sensitive information. Utilities risks include the loss of power, water and gas, while other emergencies might include neighborhood hazards and even workplace violence, all of which can cause a major disruption to the business.

The next step is to assign a measure of probability to each threat and imagine possible consequences. A small computer room fire can still cause a major disruption in operations. It might set off sprinklers and cut power to the entire building. The water may destroy equipment and paper documents.

Plan for the worst

The next planning item is to develop a recovery-point objective. This outlines which systems and processes will be brought back up and how quickly.

The accepted doctrine behind business continuity planning is that an organization must be prepared to function under a worst-case scenario. The way to do that is to have a written plan in place that addresses all the elements contributing to business disruption. Here’s how to begin the process:

-Gather useful documents and other information.

-Create a complete organization chart listing all names and positions.

-Create a database of emergency contact information for each employee.

-Create a list of vendors, contact names and numbers.

-Create a list of other civil emergency contact numbers.

-Create a list of professional advisers (consultants, attorneys, etc.) and emergency contact information.

-Create a list of (public) emergency services and contact numbers.

-Draw a map of the existing premises (include all floor plans) and show all exits.

-Create and document evacuation procedures.

-Review health and safety procedures.

-Document all operations, tasks and the people performing them.

-Document all procedures required for each task including inputs, outputs and dependencies.

-Identify and describe all physical assets.

-Identify and document information (digital and paper) assets.

-Identify and document all intellectual property assets (trademarks, patents, formulas).

-Document all IT equipment including system specifications.

-Map and document the entire network complete with specifications.

-Document all software, versions, patches, license numbers, passwords, etc.

-Document communication system specifications.

-Include copies of maintenance and service level agreements.

-Include all offsite storage procedures.

-Include insurance information.

-Have a disaster supply kit including duct tape, plastic sheeting and first-aid kit.

Gathering the information is not the end of the process. The plan has to become a living document that evolves with the organization. Update the plan promptly each time a significant change is made to one of the components (human or equipment) and completely review it annually, or more often.

Build in a little peace of mind by testing the plan. One way might be to force a situation and test the response. After all, discovering glitches in a game plan ahead of time can only make it better.

The time invested in preparing and updating a business continuity plan increases the business's chances of surviving a disaster.

Andre Sharp, principal of Sharp Information in Hermosa Beach, is a business consultant specializing in disaster recovery/business continuity planning for small and medium-sized businesses. He may be reached at [email protected].
