Traditionally, business continuity and disaster recovery planners are responsible for identifying the needs for continuity and recovery of business and technology operations after a business or technology interruption event occurs. The planning methodology also includes analyses to identify potential threats to the business / technology environments and to speculate on the probability a particular type of event might occur. Some programs also include policies and procedures for responding to the event as it unfolds within the aspects of an Emergency Response and Crisis Management program.
My question for this blog entry is: Who monitors the current state of affairs and tracks potential threats that may be developing?
In some environments, there are active Security Departments who constantly monitor potential, developing threats. I have seen a few Business Continuity Programs that maintain an active Command Center monitoring the stability of work environments. But, for the most part, I think most organizations do not have any department or area responsible for this task.
This may only be a relevant issue for large, multi-national firms. If your organization has facilities in hurricane prone areas, who monitors the pending storms to identify facilities that may be at risk when storms develop? If your company has facilities in unstable political environments, is someone responsible for monitoring civil unrest threats that may develop? If an earthquake occurs, or a nuclear explosion were to happen, or a volcano erupt, or a chemical spill happen – how quickly would your organization know whether or not one of its facilities and/or employees are in harm’s way? How quickly would a Command Center be established that can monitor and track the response and impacts of such an event?
How proactive is your organization in monitoring developing risks and threat before they have a detrimental impact on your facilities? How proactive should it be? I don’t believe there is a one size fits all answer to this question, but I do think it is something every large firm should consider. Identifying potential threats in advance of them having an adverse impact on your organization may be the difference between a successful response and a failed one.
At the very least, it might be useful for business continuity and disaster recovery planners to routinely check out the FEMA website for disaster events and developing threats. And, if your organization does track these threats through another department, such as the Security Department, make sure you are aware of their notification and escalation process and that your team is included in the loop.