Archive for Risk Management

Are We Prepared for the Next Disaster?

I found and listened to this NPR radio story titled “Is the U.S. Prepared for the Next Disaster?”  Even though this interview was conducted a year ago, I think the message is still valid and important.

I think the interviewee, Craig Fugate, does a good job in identifying a problem with past disasters being a failure to engage the proper level of support through a formal request for assistance.  Although Mr. Fugate doesn’t use this term, I like to label these the “triggers to engage”.  One of the biggest problems with the response to Hurricane Katrina was that Federal authorities assumed the trigger to engage was a call from the local authorities, whereas the local authorities thought the trigger to engage was the event itself.  While Federal agencies were waiting to be asked for help, local agencies were sitting and waiting for the help to arrive.  Meanwhile, crucial time was slipping by and the losses and damages were escalating.

I was glad to learn that FEMA now self-engages not only when an incident occurs but also when the threat of incident rises.

I think this is an important lesson to learn and address in our own plans.  I think it is important to identify and practice those “triggers” for engaging certain components in our Emergency Response, Business Continuity and Disaster Recovery Programs.  What are the “triggers” for: putting vendors on alert; communicating with employees; mobilizing resources; alerting customers and other stakeholders; declaring a disaster; etc.?

Also, Mr. Fugate notes that having a single entity in charge introduces a single-point-of-failure in the response process.  While I understand his point, I also think it is important to mention that when you have lots of links in your communication and control “chain” you have lots of opportunity for the chain to break.  If the mayor engages the governor who engages the president – well, there are lots of mis-engagements that can occur.  And, if one link in the chain breaks, all the links that follow are missed.

I agree with Mr. Fugate that we are better prepared today than we were in the past, but saying you are in better shape today than you were when you were grossly out of shape does not mean you are in good shape.  Unfortunately, I also believe that the further removed you are from the last significant event, the more likely you are to get back out of shape.  We are never more prepared to respond to a disaster than we are immediately after a disaster occurs.  Lessons learned are fresh in the mind; implementation guidelines and procedures are reviewed, refreshed and rehearsed.  But, as time goes by, we start to once again get complacent and once again start to slip back into our bad habits.  And, as soon as we start to believe we are in good shape, I start to get more worried.

In conclusion, I think this is a terrific interview with important messages that are worth listening to again.  I encourage you to think about and rehearse the “triggers” in your program and to identify potential weak links in your communications and engagement chains.  And, never allow yourself to believe we are prepared for the next disaster … continue to work on improving your level of preparedness.  After all … how do you think people would have responded to the question, “Is the U.S. Prepared for the Next Disaster?” on September 10, 2001?

World Economic Forum Global Risks Report 2012

The World Economic Forum has published its 2012 Global Risks Report and has a terrific website displaying the results.  I recommend you read the entire report, but I simply love the interactive risk map feature the website includes.  For a quick look at this tool, go to page 88 and click on the “Launch Feature” on the right-hand side of the page.

A word of caution to the emergency planner and business continuity professional:  This report reports on global risks with serious world-wide impact; individual companies still need to be worried about those catastrophes like fire, local natural disasters, etc., that could have serious impacts on their firm alone.  I think we sometimes get so caught up on these spectacular risks that we forget about the one-firm-only risks that are far more likely to occur with serious ramifications to our organization.

I think this is a must read for all Crisis Management and Business Continuity Planning professionals, if not all CEOs and executives of organizations with a world-wide footprint.

Increased Terrorist Threats

Unfortunately, news reports about terrorist threats for this coming weekend do not come as a surprise.  I will be travelling myself this weekend, including on 9/11, and am preparing myself to be patient with heightened security measures at the airports.

Part of the terrorists’ objective is to paralyze their enemy from the fear of terrorism.  I am not, in any way, suggesting these heightened measures are not warranted – in fact, I believe in the motto of “better safe than sorry” – but, the increased measures we take and their impacts on the otherwise free citizens of the United States are, in some small way, a victory for the terrorists.

I just hope we all can understand and appreciate the need for these increased efforts this weekend and all of us can abide by the heightened security with patience and cooperation.

I will be keeping an eye on the reports – including checking out what Mayor Bloomberg has to say in his upcoming Press Conference.  I will not vary my travel plans, but will build in extra time in my schedule to anticipate some slow-downs at the airports.  I hope the fear and threats are just a technique for instilling fear and do not result in any real incidents.

Be safe my friends and enjoy your weekend.

And, regarding the anniversary of 9/11 … never forget.

Hurricane Irene

Here she comes, ready or not.  As Hurricane Irene treks up the East Coast of the United States, individual homeowners and businesses brace for her impact.

By now, you should know if you lie in her projected path and you should have prepared as best you can.  The video clip in this article tells an interesting story about the potential impact Irene could have on NYC.  It shouldn’t surprise most people that the real damage is most likely caused by the flooding and water surge that accompany a hurricane.  The video clip states that New York City has 17 low-lying flood zones.  I wonder how many places of business fall in the footprint of these zones?

Then, of course, there are the residual effects.  If the NYC subway system is shut down, how does this impact your employees’ ability to get to work?  Do they have work from home capabilities?  What about your customers – if you depend on their presence at your place of business?

I, along with many of you, will be watching intently the next few days.  For me – I will be watching from afar.  If you are in an evacuation area or near the projected path of Irene, I wish you well.

Please feel free to post comments to this blog with any lessons learned or other stories about how Hurricane Irene impacted you, your home or your place of business.  I would love to learn from you.

Good Luck.

Business Continuity and Business Insurance Policies

People often say that disaster recovery and business continuity planning is like having an active insurance policy.  And, I think they are right.  In the business continuity planning process, you conduct a Risk Analysis to determine what could go wrong to interrupt the business process.  Once you have identified risks, you can:

  1. Accept the Risk
  2. Eliminate the Risk
  3. Mitigate the Risk
  4. Transfer the Risk

Business continuity planners hate it when management decides to accept the risks – that leaves us virtually nothing to do.  Where possible, the risk can be eliminated through a number of solutions ranging from moving away from the risk, installing redundant systems to remove single points of failure, or other techniques to harden facilities.  Mitigating risk is what most business continuity plans are really all about, by lessening the impact of a risk through contingency plans and alternate site solutions should the threat come to pass.  And then there is the traditional, old-fashioned way of dealing with risks, by transferring the burden of risk to insurance companies with loss of business and other related insurance policies.

In reality, most enterprise programs include all of these solutions in one form or the other.  The surprising thing to me, however, is that the business continuity planner and the risk management folks, i.e., those responsible for the insurance policies, seldom work together or are even aware of what the other guy is doing.

There is a slow paradigm shift happening that, I think, will result in a closer integration of these two risk handling practices.  At Safe Harbor Consulting we have aligned ourselves with Granof International Group, a consulting firm that specializes in business insurance programs for risk management and executive liability.  The expertise of these two organizations provides a synergy that allows for a truly holistic Enterprise Disaster Preparedness Program ensuring the right combination of all the risk related strategies listed above.

You can check out Granof International through the Alliance Partners page at Safe Harbor Consulting or go directly to their web site by clicking here.

Responding to Riots – Case Study: London

Wow, just watching the news reports and reading the articles it is not hard to imagine how a city gone mad could seriously impact one’s ability to conduct business from the small, local establishment to large organizations with a presence in the area.

The impacts can range from your employees’ commutes being impacted due to blocked roads and shutting down mass transportation services to having your building engulfed in fires started by the mob.  Your customers may be prevented from getting to your place of business, key vendors may be impacted and your competition might be at risk as well – all events that could require some sort of coordinated response from your emergency preparedness and/or crisis management teams.

Has your company assessed the probability of a riot impacting key facilities and/or the potential impacts should this occur?  Forbes has an interesting article on the potential insurance implications from the London riots with regards to English law.  It might be worth your while to investigate potential insurance policies your firm has covering potential losses due to riots or civil unrest.

I do not believe organizations need business continuity / disaster recovery plans for every type of scenario that could occur.  The strategies for responding to challenges employees face when transportation is shut down could be the same for strikes, hazmat spills, or even fear of being in public during pandemic scares – so, maybe you have a plan to address an immobilized workforce.  The plans you have for any event that damages your facilities may also work in this event, should your facility be in harm’s way of the fires that have been set.

I think it is valuable, however, to identify if you could be at risk to impacts from a riot and have an emergency response plan in place should the risk exist.  And, it may be a good idea to take a look at those insurance policies before an event occurs.

Referring to the Forbes article, I don’t care what you call it – if it impacts your ability to conduct business and puts your assets at risk – it is not a good thing.

Disaster Links

Want to read up on everything to do with disasters?  Sounds like a fun evening, huh?

Well, if you do, here is a terrific web page with links to disaster related sites that could keep you busy and entertained for many nights to come.

As business continuity and disaster recovery planning professionals we often have to deal with management teams or individuals who still are willing to believe that disasters will not happen to them – or, at least, not on their watch.  Well, the data and information is piling up to suggest that it is no longer a question of “if”, but of “when”.

I do not believe in the practice of fear-mongering, but it does help to be educated and aware of what disaster threats are out there; what organizations are in place to monitor and respond to them; and, what lessons can be learned from past disastrous events.  This site provides links to all of that.

So, put on your reading glasses, get a glass of your favorite beverage and have fun scaring the crap out of yourself getting educated about the risks and threats that loom out there.

Nobody said business continuity and disaster recovery planning professionals were normal people.