Small business owners are strongly encouraged to make contingency plans for responding to and recovering from disasters that may befall them. The motivation for doing so may be more sharply present in the aftermath of the 2005 Katrina hurricane that almost wiped out New Orleans. Analysts note that disasters—whether they take the form of floods, corporate espionage, fires, or power outages—can have a devastating impact on a business's viability. Business experts also insist that the importance of a good disaster and recovery plan has never been as acute as it is today. In large part this is because today so many businesses rely on vulnerable technology (communication networks, management information systems, process control systems, etc.) to execute fundamental business operations.
Yet as Alan M. Levitt reported in Disaster Planning and Recovery, "various studies and surveys instruct us that most organizations have not established a comprehensive strategy for disaster planning and recovery. The percentage of organizations that lack any semblance of a plan is, simply put, frighteningly large." Levitt also noted that many disaster contingency plans that do exist are "applicable only to certain specific business processes (put another way, it is designed only to rescue specific bits and pieces of the business, not to save the entire organization!)." Many other companies' disaster planning policies, meanwhile, seem to consist only of disaster insurance. Such coverage is valuable, but it is only of limited usefulness. Indeed, Kenneth N. Myers, author of Total Contingency Planning for Disasters, described disaster insurance as only one element of a comprehensive disaster contingency plan. "The role of insurance in protecting against loss of physical assets, such as buildings and equipment, is clear," wrote Myers. "However, using insurance policies to protect against the loss of cash flow, the ability to service customers, or the ability to maintain market share is often not practical…. The primary function of business insurance is to provide a hedge against loss or damage. A disaster recovery and business continuation plan, however, has three objectives: 1) Prevent disasters from happening; 2) Provide an organized response to a disaster situation; 3) Ensure business continuity until normal business operations can be resumed."
It is essential, then, that small businesses take the time and effort to construct comprehensive disaster and recovery plans if they hope to weather unwelcome interruptions in business operations in good financial and market condition. "Some call it Crisis Management," remarked Building Design & Construction magazine. "Others call it Disaster Management, Emergency Preparedness, Business Resumption, or Contingency Planning. The newest 'buzz word' is Business Continuity Planning. It really doesn't matter what it's called as long as your company does it."
CREATING A DISASTER AND RECOVERY PLAN
"It is not easy to recognize the hundreds of hazards or perils that can lead to an unexpected loss," wrote Susan Anastasio in the SBA's Small Business Insurance and Risk Management Guide. "For example, unless you've experienced a fire, you may not realize how extensive fire losses can be. Damage to the building and its contents are obvious, but you should also consider: smoke and water damage; damage to employees' personal property and to others' property (e.g., data-processing equipment you lease or customers' property left with you for inspection or repair) left on the premises; the amount of business you'll lose during the time it takes to return your business to normal; the potential permanent loss of customers to competitors."
Of course, many other types of disasters can strike a business as well, ranging from those triggered by natural events such as floods, tornadoes, earthquakes, or hurricanes, to those that come about as a result of localized environmental problems, like water main breaks, work force strikes, power outages, hazardous materials spills, explosions, and major transportation mishaps (aircraft crash, train derailment, etc.). In addition, damage that is the direct result of premeditated human actions such as vandalism, sabotage, and arson can also be classified as a disaster.
The first step in creating a strategy (or reviewing existing contingency plans) to protect a company from these and other events involves mustering the necessary business will to undertake the challenges associated with the task. However, business observers contend that many companies fail in this regard. "The fact is that the majority of private-sector management is still reluctant to allocate the necessary time, staff, or funds to prepare and plan for the possibility of a disaster that may put them out of business," according to Building Design & Construction. Myers agreed that this tendency to give short shrift to disaster planning is a common one, observing that "when the economic climate is favorable, contingency planning is last on the list of things to do; when profits are down, contingency planning is the first item to be cut from the budget."
Small business owners, then, need to make sure that they devote adequate resources to disaster preparedness and recovery planning before beginning the process. Indeed, Levitt said that contingency planning efforts are ultimately doomed if they are undertaken without top management commitment, involvement, and support; participation of front line managers and staff teams in both planning and implementation; and ongoing communication with all constituencies of the business.
Once a business's leadership has decided to invest the necessary time and effort into the creation of a good disaster preparedness and recovery plan, it can proceed with the following steps:
Determining Vulnerabilities "Begin the process of identifying exposures by taking a close look at each of your business operations and asking yourself what could cause a loss," counseled Anastasio. "If there are dozens of exposures you may find dozens of answers…. Many business owners use a risk analysis questionnaire or survey, available from insurance agents, as a checklist." These questionnaires will typically address the business's vulnerability to losses in the areas of property, business interruption, liability, and key personnel, among others.
Obviously, this component of disaster preparedness planning—often referred to as risk management—needs to be comprehensive, covering all aspects of business operations, including telecommunications, computer systems, infrastructure, equipment, and the facility itself.
Gathering Information "The process of creating a disaster planning and recovery strategy is, in reality, the result of determining the organization's goals and objectives for business continuation—the ability to deliver its goods and services in the as-intended manner, utilizing its as-intended processes, methods, and procedures—whenever any out-of-course event might impair, impact, impede, interrupt, or halt the as-intended workings and operations," stated Levitt. " A disaster planning and recovery strategy is not a method; it is a medium to sustain … the organization." With this in mind, businesses should make an extra effort to solicit the opinions of all functional areas when putting together a disaster and recovery plan. Facility management areas may be most knowledgeable when it comes to the vulnerabilities of computer systems, office areas, etc., but other areas can often provide helpful information about the areas of the business that most need protection or fall-back plans so that the business can continue to operate in the case of a disaster.
Reconciling Findings with Principle Objectives All businesses should be concerned with meeting certain fundamental goals of disaster prevention, safety, and fiscal well-being when working on contingency plans. Analysts offer largely similar assessments of priorities in this regard, although minor differences in nuance and emphasis are inevitable, depending on the industry, the size of the business, and the viewpoint of the analyst. Most experts agree, however, that the primary objectives of a good disaster response plan should include:
- Preventing disasters from occurring whenever possible (through use of annual reviews, disaster prevention devices such as fire detectors and alarm systems, and physical access control procedures).
- Containment of disasters when they do occur.
- Protecting the lives, safety, and health of employers and customers.
- Protecting property and assets.
- Establishing priorities for utilization of internal resources (such as manpower, talent, and materials)
- Providing an organized response to a disaster/incident.
- Minimize risk exposure and financial loss (disruptions to cash flow as a result of canceled orders, etc.) through alternate procedures and practices.
- Prevent a significant long-term loss of market share.
Disaster response strategies will vary from business to business, but in the final analysis, they should all be structured in ways that will best ensure that essential business functions can be maintained until operations can be returned to normal.
Communication of Plan
Disaster contingency plans should be widely disseminated throughout the company. All employees should be cognizant of the business's basic disaster plan, but this is particularly important for managers, who are often called upon to make important operational decisions in the aftermath of crisis events.
This final stage of contingency planning is concerned with returning the business to its pre-disaster competitive position (or at least returning it as close to the position as is possible) and normal business operations in the event that a crisis event does take place. According to Industry Week 's Karen G. Strouse, this entails restoring productivity in three primary areas: people, information, and facilities. "People are the priority," stated Strouse. "You need to account for them physically and emotionally, and enlist them in your recovery efforts…. Contact each employee personally; don't be satisfied with an answering-machine connection. Restoring technology is critical for two reasons. First, most companies rely on technology to conduct day-today business. Second, technology may represent your only means of giving your employees, customers, and the media important information as soon as they need it." Finally, Strouse observed that while information and employees are portable, "facilities are not. Your central facilities—mailroom, copy center, file room—need to be restored immediately. Office space is often on the critical path to people and information; without it, nothing else can happen." She also warned business owners to ensure that safe practices are followed when searching for and conducting operations in temporary locations.
Levitt, meanwhile, broke the recovery stage down into two elements: "First is the aspect of planning concerned with providing the resources for recovery. This encompasses the resources of a workplace, equipment, facilities, power, communication capabilities, information and data, forms and other supplies, people, food, lodging, transport, and all else that enables to the business processes to continue or to be re-established—within the planned time-line basis—after being impeded, impaired, interrupted, or halted." The other aspect of the recovery phase, wrote Levitt, is "concerned with impact, consequence and affect mitigation, and damage restoration requisite for the return to as-intended functioning."
see also Crisis Management
Arend, Mark. "Time to Dust Off Your Contingency Plan." ABA Banking Journal. February 1994.
Brunetto, Guy, and Norman L. Harris. "Disaster Recovery." Strategic Finance. March 2001.
"Dealing with Disasters Takes Careful Planning Ahead of Time." Building Design & Construction. September 1996.
Head, George L., and Stephen Horn II. Essentials of Risk Management. Insurance Institute of America, 1991.
Karpiloff, Douglas G. "When Disaster Strikes … How to Manage a Successful Comeback." Site Selection. August/September 1997.
Levitt, Alan M. Disaster Planning and Recovery: A Guide for Facility Professionals. John Wiley, 1997.
Mansdorf, Zack. "Emergency Response and Disaster Planning." Occupational Hazards. May 2000.
Murphy, Todd P. "Surviving Katrina—with a Lot of Help." American Banker. 20 January 2006.
Myers, Kenneth N. Total Contingency Planning for Disasters. John Wiley, 1993.
Strouse, Karen G. "What If Your Office Vanishes? Practical Advice on What to Do if Disaster Strikes." Industry Week. 3 July 1995.
Tynan, Dan. "When IT Disasters Really Strike—You can't be blamed for acts of God. At least not if you've got robust disaster recovery plans in place." InfoWorld. 30 January 2006.
U.S. Small Business Administration. Anastasio, Susan. Small Business Insurance and Risk Management Guide. n.d.
Hillstrom, Northern Lights
updated by Darnay, ECDI