Archive for Risk Analysis

The Next Disaster

So is your “Falling Satellite Hits Building” plan up to date?

Although I do not think this is a serious threat and do not suggest anyone become too alarmed by this story, I am somewhat amused by the quote:

“Since the beginning of the Space Age in the late-1950s, there have been no confirmed reports of an injury resulting from re-entering space objects. Nor is there a record of significant property damage resulting from a satellite re-entry.”

For many disasters that occur throughout history, prior to the event, you could probably safely say there was no record of that particular event occurring.  For example: Were there any records of significant damage resulting from a tsunami compromising a nuclear power facility?  Were there any records of significant damage resulting from terrorist attacks into high rise buildings with hijacked airplanes?  I could add a few more, but I think you get the point.

Now, I am in no way suggesting that this threat has the potential to equal either of those two events – or, to even cause any damage at all – I am just saying, we cannot always rely on history to indicate what the next crisis might be.

Please, do not confuse me with Chicken Little here, running around yelling, “The sky is falling, the sky is falling” – I really am not an alarmist, despite the occupation I have chosen – I am merely pointing out the lack of assurance I get hearing someone say, “Well, this has never happened before so why should we worry about it”.

Do not activate your Command Centers monitoring “the satellite threat”.  Do not put business areas or your recovery site vendors on alert.  I am merely suggesting, do not expect your next disaster to necessarily have a historic precedent.

Now go out there and have a great day – just look up every now and then.

Disasters, Disasters, Disasters

One of the challenges that Business Continuity and Disaster Recovery Planners have had to face over the years is in dealing with a largely apathetic business community.  Many of the management personnel we try hard to work with just do not buy into the belief that a disaster is likely to occur – or, at least – not during their time in the position, so why invest time and resources to plan for an unlikely event?

In this day and age, that is dangerous thinking.

I have written a few blogs over the past month about real events that have recently impacted the business community – the threats are real; the impacts are meaningful.  Safe Harbor Consulting alone has received numerous calls from companies that have been impacted by these events – even if just impacted by having to prepare for potential losses – realizing the need to update, expand and improve their emergency response and business continuity plans and posture.

It used to be that I would search for disaster related stories on the internet to try to validate the work we do, but now all you have to do is look at the top news stories for the day.

Today, for example, some of the top news stories on Yahoo include:

A Google news search, in addition to similar headlines, includes:

And these are just the top news stories for a typical day.  Each of these events has the potential to cause some sort of business interruption or impact the workforce in some way for companies in the vicinity of the event.

These stories range from the scary (earthquake) to the sublime (satellite falling to earth), but they all have crisis management, emergency response and potential business continuity concerns.

We can no longer pretend that the threats are not out there.  And, we as professional planners can no longer use the excuse that management just does not appreciate the need for planning – it is our job to make them understand the need for planning!  So, let’s get out there and do our jobs.

I almost hate to see what tomorrow’s headlines will bring!

Business Continuity and Executive Liability

I am having a terrific time preparing for the upcoming American Bar Association (ABA), Tort Trial and Insurance Practice Section (TIPS) teleconference on Disaster Preparedness and Response.  The session I will be participating in is scheduled for September 16 and is titled: “September 11, 2001 Terrorist Attacks: Duties of Corporate Directors and Officers in the Preparation and Execution of Disaster Avoidance and Recovery” – wow, that’s a darn long title!

I have been asked to participate on this panel to give a practitioner’s point of view on what is typically included in a corporation’s Disaster Preparedness Program (and, please, let’s not get hung up on the terminology being used here – see my blog post below) before the lawyers get into talking about possible executive liability and the implications of traditional insurance coverages used as a means for transferring risk.

One of the interesting things that has transpired in our conversations, that may or may not end up being discussed in the teleconference itself, is the different potential legal implications in lawsuits that may follow a company’s response to a disaster and how that ties into the typical planning methodology. 

We have differentiated between disasters in which the corporation played a contributing factor in the event, such as: the BP Oil Spill in the Gulf of Mexico; the Exxon Valdez oil spill; or, the Union Carbide incident in Bhopal, India and those in which the companies were simply in the way of a tragedy that impacted them, such as: the earthquake and tsunami in Japan; Hurricane Katrina; and the events of 9/11.  And then, after further discussion, we broke up the last category into events that might be expected versus those that could not be foreseen.  It all has potentially interesting implications should the companies be sued as a result of their ability or inability to effectively respond to the event and/or protect those around them impacted by the event.

Certainly, it is easy to see the liabilities if the company itself caused the disaster.  But, what about events in which the company is truly the victim?  I suggest there might be some difference if it is something they should have known to prepare for.  This ties directly to the business continuity planner’s findings from a Risk Analysis.  If the Risk Analysis identifies critical facilities on an earthquake fault, or in tornado alley, or in common hurricane zones – you should plan accordingly.  If your Risk Analysis identifies potential threats from nearby nuclear power plants or hazardous material sites – you should plan accordingly.  And so on.

But, it was also noted that plenty of firms are sued for events they could not reasonably foresee.  I suggest that even if you could not plan to prevent or mitigate a particular scenario, you still can make horrendous mistakes and be negligent in how you react and respond to the unpredictable.  Although I think it is important for companies to have specific response plans for known risks, it is also important to have generic response plans based on impacts of unforeseeable events.  For example, plans to evacuate regardless of why you are evacuating.  Plans for shelter in place, regardless of the outside threat.  Plans to continue operations in alternate facilities, regardless of what rendered the targeted facility inaccessible.  Etc.

Our session will then go on to discuss the role Directors and Officers should be playing in the development, implementation and activation of these plans and the possible liability they may be held to should things go wrong.

I haven’t often had the opportunity to discuss these topics with a group of litigation lawyers and I am fascinated with the synergies we are experiencing in educating one another.  I am looking forward to a fun and rewarding teleconference on September 16 and in continuing the discussion and association with these folks after this event to explore these topics in greater depth.

Risk Analysis: The Nuclear Power Plant Threat

I am in the process of creating an Emergency Response Facilitated Exercise for one of Safe Harbor Consulting’s prestigious clients who has elected to simulate a nuclear power plant crisis near one of their strategic corporate locations.  My research on this topic has uncovered some rather disturbing information.

Currently, the US standard is to establish an evacuation zone of 10 miles, yet in the wake of the Fukushima, tsunami induced crisis, the US government ordered the evacuation of US citizens within 50 miles of the site.  The Nuclear Regulatory Commission (NRC) suggests that they would do the same should a similar event happen in the US.  Then why not expand the standard evacuation zone that nuclear sites currently are told to plan for?

Furthermore, my research suggests that information concerning the expected time to evacuate from nearby nuclear power plants is based on old and outdated population figures.  This is disturbing to me – what are your thoughts on this?

This web site shows the active nuclear power plants and the population counts nearby.  Realizing how many plants were in the path of Hurricane Irene is pretty scary.  Sure these facilities are hardened and built to withstand most weather and geological threats, but still – a breach at any one of these plants could be devastating.

Now, I do not want to come across as a fear monger – just wondering how many of you include the possibility of evacuation caused by a nuclear power plant compromise as part of your risk analysis?  If doing so, I would use the 50 mile radius precedent established by the Fukushima catastrophe as my measuring stick and not the official 10 mile radius established by the NRC.

Now back to planning the exercise.  Maybe in a future blog I can relate how it went.

Earthquake on the East Coast

Sometimes reality exceeds the imagination.  Here at Safe Harbor Consulting we have the privilege of creating and facilitating emergency response and business continuity exercises for a number of organizations.  One of the first challenges we tackle in each case is to select a scenario that is feasible, yet not overdone, realistic and believable.  Up to about one hour ago, creating an exercise for an earthquake for companies on the East Coast of the United States did not fit those criteria.

How many organizations up the eastern seaboard of the United States had practiced earthquake response plans?  Not many – yet there are several overdue fault lines all along the east coast, including a few that put New York City at risk.

Know your risks and threats.  Safe Harbor Consulting can also conduct a thorough Risk Analysis that helps identify those risks that may threaten your facilities.

I will be closely watching the news reports to see how folks fared this afternoon.

I hope all of you did and are doing well.

Disaster Links

Want to read up on everything to do with disasters?  Sounds like a fun evening, huh?

Well, if you do, here is a terrific web page with links to disaster related sites that could keep you busy and entertained for many nights to come.

As business continuity and disaster recovery planning professionals we often have to deal with management teams or individuals who still are willing to believe that disasters will not happen to them – or, at least, not on their watch.  Well, the data and information are piling up to suggest that it is no longer a question of “if”, but of “when”.

I do not believe in the practice of fear-mongering, but it does help to be educated and aware of what disaster threats are out there; what organizations are in place to monitor and respond to them; and, what lessons can be learned by past disastrous events.  This site provides links to all of that.

So, put on your reading glasses, get a glass of your favorite beverage and have fun scaring the crap out of yourself getting educated about the risks and threats that loom out there.

Nobody said business continuity and disaster recovery planning professionals were normal people.

The Business Continuity Planner’s Job

Although this concept may prove frustrating for the business continuity planning professional, I suggest that our primary job is not to make sure the enterprise can recover critical processes in a timely manner following a business interruption crisis, but, rather, our primary job is to identify the risks and threats that could cause a business interruption event, the resulting impacts to the organization should those threats be realized and the options (and costs) of addressing these threats.  Now, there may be a subtle difference in the two sides of that statement and, you may need to re-read that sentence a couple of times to fully understand what I am suggesting, but I often see business continuity planners get frustrated because they cannot appreciate the difference.

I believe that our first job as business continuity planning professionals is to provide senior management with the data and information that allows them to make an informed and intelligent decision on what to do based on this information.  If senior management, armed with this information, decides to accept the risks and potential impacts – and, signs off on that strategy – so be it.  Every organization has its own risk acceptance, or risk averse, personality and may make polar opposite decisions faced with the same risk and impact profile.

The worst thing that can happen to a business continuity planning professional, proving we did not do our job, is if a situation occurs and senior management is justified in saying, “No one ever told me …

… that a disaster in our data center would take us out of business for months”, or

… that a fire in our call center in Anytown would take down all our customer service capability”, or

… that our primary distribution center was located in a flood plain”, or

…  

If we are in a position to say, “No, we told you, but you elected not to invest the funds necessary to mitigate the risk or position us to recover from it”, then, although we may still be the scapegoat, we can feel satisfied we did our job.

Now, once we inform management of the risks, potential impacts and various options for addressing the situations, our job then becomes to implement, document, test and exercise the strategies and solutions they have approved.  Hopefully, we can influence management to take the course we, as professionals, believe they should follow.  If not, then, rather than just complain that management doesn’t understand, we either need to gather more information to influence a different choice or, do our best to implement and document the strategies management elects to employ.

It can be frustrating working for an organization that is willing to accept risks and bet against the chance that a business interruption event will occur, but our job is primarily to make sure they are making these decisions based on all the facts and understanding of what their decisions could mean should a disaster occur.