Tag Archive for risk analysis

Business Continuity and Executive Liability

I am having a terrific time preparing for the upcoming American Bar Association (ABA) Tort Trial and Insurance Practice Section (TIPS) teleconference on Disaster Preparedness and Response. The session I will be participating in is scheduled for September 16 and is titled: “September 11, 2001 Terrorist Attacks: Duties of Corporate Directors and Officers in the Preparation and Execution of Disaster Avoidance and Recovery” – wow, that’s a darn long title!

I have been asked to participate on this panel to give a practitioner’s point of view on what is typically included in a corporation’s Disaster Preparedness Program (and, please, let’s not get hung up on the terminology being used here – see my blog post below) before the lawyers get into possible executive liability and the implications of the traditional insurance coverages used as a means of transferring risk.

One of the interesting things that has come up in our conversations, which may or may not end up being discussed in the teleconference itself, is the different potential legal implications of lawsuits that may follow a company’s response to a disaster and how that ties into the typical planning methodology.

We differentiated between disasters in which the corporation was a contributing factor in the event, such as the BP oil spill in the Gulf of Mexico, the Exxon Valdez oil spill, or the Union Carbide incident in Bhopal, India, and those in which the companies were simply in the way of a tragedy that impacted them, such as the earthquake and tsunami in Japan, Hurricane Katrina, and the events of 9/11. Then, after further discussion, we broke the last category into events that might be expected versus those that could not be foreseen. All of this has potentially interesting implications should the companies be sued as a result of their ability or inability to effectively respond to the event and/or protect those around them impacted by the event.

Certainly, it is easy to see the liabilities if the company itself caused the disaster. But what about events in which the company is truly the victim? I suggest there might be some difference if it is something they should have known to prepare for. This ties directly to the business continuity planner’s findings from a Risk Analysis. If the Risk Analysis identifies critical facilities on an earthquake fault, in tornado alley, or in a common hurricane zone – you should plan accordingly. If your Risk Analysis identifies potential threats from nearby nuclear power plants or hazardous material sites – you should plan accordingly. And so on.

But it was also noted that plenty of firms are sued for events they could not reasonably foresee. I suggest that even if you could not plan to prevent or mitigate a particular scenario, you can still make horrendous mistakes and be negligent in how you react and respond to the unpredictable. Although I think it is important for companies to have specific response plans for known risks, it is also important to have generic response plans based on the impacts of unforeseeable events. For example: plans to evacuate, regardless of why you are evacuating; plans to shelter in place, regardless of the outside threat; plans to continue operations in alternate facilities, regardless of what rendered the affected facility inaccessible; etc.

Our session will then go on to discuss the role Directors and Officers should be playing in the development, implementation and activation of these plans and the possible liability they may be held to should things go wrong.

I haven’t often had the opportunity to discuss these topics with a group of litigation lawyers and I am fascinated by the synergies we are experiencing in educating one another. I am looking forward to a fun and rewarding teleconference on September 16 and to continuing the discussion and association with these folks after this event to explore these topics in greater depth.

Risk Analysis: The Nuclear Power Plant Threat

I am in the process of creating an Emergency Response Facilitated Exercise for one of Safe Harbor Consulting’s prestigious clients who has elected to simulate a nuclear power plant crisis near one of their strategic corporate locations.  My research on this topic has uncovered some rather disturbing information.

Currently, the US standard is to establish an evacuation zone of 10 miles, yet in the wake of the tsunami-induced Fukushima crisis, the US government ordered the evacuation of US citizens within 50 miles of the site. The Nuclear Regulatory Commission (NRC) suggests it would do the same should a similar event happen in the US. Then why not expand the standard evacuation zone that nuclear sites are currently told to plan for?

Furthermore, my research suggests that the information concerning the expected time to evacuate from areas near nuclear power plants is based on old and outdated population figures. This is disturbing to me – what are your thoughts on this?

This web site shows the active nuclear power plants and the population counts nearby. Realizing how many plants were in the path of Hurricane Irene is pretty scary. Sure, these facilities are hardened and built to withstand most weather and geological threats, but still – a breach at any one of these plants could be devastating.

Now, I do not want to come across as a fear monger – I am just wondering how many of you include the possibility of an evacuation caused by a nuclear power plant compromise as part of your risk analysis. If you do, I would use the 50-mile radius precedent established by the Fukushima catastrophe as the measuring stick and not the official 10-mile radius established by the NRC.

Now back to planning the exercise.  Maybe in a future blog I can relate how it went.
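To show what that measuring stick looks like when applied in a Risk Analysis, here is an added example (my illustration, not code from the original post or from any NRC tool) that screens a list of corporate facilities against nearby plants using both the 10-mile NRC planning radius and the 50-mile Fukushima precedent from the post. Every coordinate in it is constructed for the demonstration; the plant and facility names and locations are placeholders, not real sites.

```python
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple

EARTH_RADIUS_MILES = 3958.8

# Radii discussed in the post: the NRC's 10-mile planning zone versus the
# 50-mile evacuation ordered for US citizens after Fukushima.
NRC_PLANNING_RADIUS_MILES = 10.0
FUKUSHIMA_PRECEDENT_RADIUS_MILES = 50.0

# Constructed (latitude, longitude) pairs for illustration only.
# These are NOT real plant or facility locations.
PLANTS: Dict[str, Tuple[float, float]] = {
    "PLANT-1": (40.0, -75.0),
    "PLANT-2": (40.0, -76.0),
}
FACILITIES: Dict[str, Tuple[float, float]] = {
    "HQ": (40.1, -75.0),                   # roughly 7 miles north of PLANT-1
    "Distribution Center": (40.5, -75.0),  # roughly 35 miles north of PLANT-1
    "Call Center": (41.0, -75.0),          # roughly 69 miles north of PLANT-1
}


def haversine_miles(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in statute miles."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = phi2 - phi1
    dlambda = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(a))


def nearest_plant(facility: Tuple[float, float],
                  plants: Dict[str, Tuple[float, float]]) -> Tuple[str, float]:
    """Return (plant name, distance in miles) for the closest plant."""
    return min(
        ((name, haversine_miles(*facility, *coords)) for name, coords in plants.items()),
        key=lambda item: item[1],
    )


def facilities_within(radius_miles: float,
                      facilities: Dict[str, Tuple[float, float]],
                      plants: Dict[str, Tuple[float, float]]) -> Dict[str, Tuple[str, float]]:
    """Facilities whose nearest plant lies inside the given radius."""
    flagged = {}
    for name, coords in facilities.items():
        plant, distance = nearest_plant(coords, plants)
        if distance <= radius_miles:
            flagged[name] = (plant, round(distance, 1))
    return flagged


def compare_planning_radii(facilities=FACILITIES, plants=PLANTS) -> Dict[str, List[str]]:
    """Which facilities need a nuclear-evacuation scenario under each radius."""
    return {
        "nrc_10_mile": sorted(facilities_within(NRC_PLANNING_RADIUS_MILES, facilities, plants)),
        "fukushima_50_mile": sorted(facilities_within(FUKUSHIMA_PRECEDENT_RADIUS_MILES, facilities, plants)),
    }


if __name__ == "__main__":
    for radius_name, names in compare_planning_radii().items():
        print(f"{radius_name}: {names}")
    for name, coords in FACILITIES.items():
        plant, miles = nearest_plant(coords, PLANTS)
        print(f"{name}: nearest plant {plant} at {miles:.1f} miles")
```

With these constructed locations only HQ falls inside the 10-mile zone, while the Distribution Center is picked up only once the 50-mile precedent is applied; that second facility is exactly the kind that an analysis tied to the official radius would leave without an evacuation or relocation plan.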

Earthquake on the East Coast

Sometimes reality exceeds the imagination. Here at Safe Harbor Consulting we have the privilege of creating and facilitating emergency response and business continuity exercises for a number of organizations. One of the first challenges we tackle in each case is to select a scenario that is feasible yet not overdone, realistic and believable. Up until about one hour ago, creating an earthquake exercise for companies on the East Coast of the United States did not fit those criteria.

How many organizations up the eastern seaboard of the United States had practiced earthquake response plans? Not many – yet there are several overdue fault lines all along the east coast, including a few that put New York City at risk.

Know your risks and threats. Safe Harbor Consulting can also conduct a thorough Risk Analysis that helps identify the risks that may threaten your facilities.

I will be closely watching the news reports to see how folks fared this afternoon.

I hope all of you did and are doing well.

Single-Points-of-Failure

In a comprehensive Risk Analysis, consideration will be given to where the single points of failure (SPOFs) are in the corporate environment. It is usually easy to identify technology- and business-process-related SPOFs: a single server or computer platform, a single database, a single data center or call center, etc.

Infrastructure SPOFs are also usually easy to find: a single power source, a single telecommunications feed, and such.

Business Continuity and Disaster Recovery Planners have been getting much better at identifying single-source providers and services.

What is often overlooked, however, are the SPOFs in Human Resources. Being dependent on one employee with a unique skill, knowledge base or expertise can be devastating if that resource is compromised.

The events of 9/11 proved to us that it is important to follow our dependencies far beyond the walls of our own environments. Companies that thought they had eliminated SPOFs by using multiple telecommunications providers or having dual power feeds into their buildings were surprised to find out that these solutions shared common infrastructure in conduits, central offices, and origination points outside of their facility. Instead of eliminating the SPOF, all they did was move it somewhere else.

Be sure that when you conduct your Risk Analysis you consider all of your SPOFs, including Human Resources and shared infrastructure outside of your own facility.
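The "moved, not eliminated" problem is easiest to see when the dependencies are written down and traced mechanically. The following is an added example of my own, not code from the original post: a small dependency model in which a customer-service function has dual power feeds, two telecom carriers and two call-center shift teams, and a checker that fails one node at a time to find every single point of failure. All of the node names are constructed for the illustration; the model deliberately has each pair of "redundant" alternatives converge on one upstream substation, one conduit and one person, which is the pattern the post describes.

```python
from typing import Dict, List, Set, Tuple

# node -> (mode, dependencies)
#   "all": every dependency must be available (no redundancy)
#   "any": one surviving dependency is enough (redundant alternatives)
DependencyGraph = Dict[str, Tuple[str, List[str]]]

# Constructed dependency model for one critical business function.
# Names that never appear as a key are leaf assets with no further modelled
# dependencies. Each "any" pair below converges on a single upstream asset.
CUSTOMER_SERVICE: DependencyGraph = {
    "customer_service": ("all", ["power", "telecom", "call_center_staff"]),
    "power": ("any", ["utility_feed_a", "utility_feed_b"]),
    "utility_feed_a": ("all", ["substation_north"]),
    "utility_feed_b": ("all", ["substation_north"]),               # same substation
    "telecom": ("any", ["carrier_a", "carrier_b"]),
    "carrier_a": ("all", ["central_office_a", "conduit_main_st"]),
    "carrier_b": ("all", ["central_office_b", "conduit_main_st"]),  # same conduit
    "call_center_staff": ("any", ["shift_team_1", "shift_team_2"]),
    "shift_team_1": ("all", ["sole_pbx_administrator"]),            # one person's skill
    "shift_team_2": ("all", ["sole_pbx_administrator"]),
}


def available(node: str, graph: DependencyGraph, failed: Set[str],
              memo: Dict[str, bool] = None) -> bool:
    """Is `node` available given the set of failed nodes? Assumes an acyclic graph."""
    if memo is None:
        memo = {}
    if node in failed:
        return False
    if node in memo:
        return memo[node]
    if node not in graph:            # leaf asset: available unless it is the failed one
        memo[node] = True
        return True
    mode, deps = graph[node]
    results = [available(dep, graph, failed, memo) for dep in deps]
    memo[node] = all(results) if mode == "all" else any(results)
    return memo[node]


def all_nodes(graph: DependencyGraph) -> Set[str]:
    """Every named node, including leaf assets that only appear as dependencies."""
    nodes = set(graph)
    for _, deps in graph.values():
        nodes.update(deps)
    return nodes


def descendants(node: str, graph: DependencyGraph) -> Set[str]:
    """All nodes reachable downstream of `node`, excluding `node` itself."""
    seen: Set[str] = set()
    stack = list(graph.get(node, ("all", []))[1])
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(graph.get(current, ("all", []))[1])
    return seen


def find_spofs(service: str, graph: DependencyGraph) -> Set[str]:
    """Nodes whose failure, on its own, makes `service` unavailable."""
    return {
        node for node in all_nodes(graph)
        if node != service and not available(service, graph, {node})
    }


def find_hidden_spofs(service: str, graph: DependencyGraph) -> Set[str]:
    """SPOFs that sit underneath a redundant ("any") node: the redundancy
    above them moved the single point of failure rather than removing it."""
    below_redundancy: Set[str] = set()
    for mode, deps in graph.values():
        if mode == "any":
            for dep in deps:
                below_redundancy.add(dep)
                below_redundancy |= descendants(dep, graph)
    return find_spofs(service, graph) & below_redundancy


if __name__ == "__main__":
    print("All SPOFs:", sorted(find_spofs("customer_service", CUSTOMER_SERVICE)))
    print("SPOFs hiding under supposed redundancy:",
          sorted(find_hidden_spofs("customer_service", CUSTOMER_SERVICE)))
```

Taking out either carrier on its own leaves the service up, which is what the dual-provider design promises; taking out the shared conduit, the shared substation or the one PBX administrator takes it down, and the hidden-SPOF report surfaces exactly those three. Extending the model past the facility boundary, as the post recommends, is simply a matter of adding the upstream nodes the providers share.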

The Business Continuity Planner’s Job

Although this concept may prove frustrating for the business continuity planning professional, I suggest that our primary job is not to make sure the enterprise can recover critical processes in a timely manner following a business interruption crisis. Rather, our primary job is to identify the risks and threats that could cause a business interruption event, the resulting impacts to the organization should those threats be realized, and the options (and costs) for addressing those threats. There is a subtle difference between the two sides of that statement, and you may need to re-read it a couple of times to fully understand what I am suggesting, but I often see business continuity planners get frustrated because they cannot appreciate the difference.

I believe that our first job as business continuity planning professionals is to provide senior management with the data and information that allow them to make an informed and intelligent decision on what to do. If senior management, armed with this information, decides to accept the risks and potential impacts – and signs off on that strategy – so be it. Every organization has its own risk-accepting or risk-averse personality and may make polar opposite decisions when faced with the same risk and impact profile.

The worst thing that can happen to a business continuity planning professional, proving we did not do our job, is if a situation occurs and senior management is justified in saying, “No one ever told me …

… that a disaster in our data center would take us out of business for months”, or

… that a fire in our call center in Anytown would take down all our customer service capability”, or

… that our primary distribution center was located in a flood plain”, or

…  

If we are in a position to say, “No, we told you, but you elected not to invest the funds necessary to mitigate the risk or position us to recover from it”, then, although we may still be the scapegoat, we can feel satisfied we did our job.

Now, once we inform management of the risks, potential impacts and various options for addressing them, our job becomes to implement, document, test and exercise the strategies and solutions they have approved. Hopefully, we can influence management to take the course we, as professionals, believe they should follow. If not, then rather than just complaining that management doesn’t understand, we either need to gather more information to influence a different choice or do our best to implement and document the strategies management elects to employ.

It can be frustrating working for an organization that is willing to accept risks and bet against the chance that a business interruption event will occur, but our job is primarily to make sure they are making these decisions based on all the facts and an understanding of what their decisions could mean should a disaster occur.