Tag Archive for risk management

World Economic Forum Global Risks Report 2012

The World Economic Forum has published its 2012 Global Risks Report and has a terrific website displaying the results.  I recommend you read the entire report, but I simply love the interactive risk map feature the website includes.  For a quick look at this tool, go to page 88 and click on the “Launch Feature” on the right-hand side of the page.

A word of caution to the emergency planner and business continuity professional:  This report reports on global risks with serious world-wide impact; individual companies still need to be worried about those catastrophes like fire, local natural disasters, etc., that could have serious impacts on their firm alone.  I think we sometimes get so caught up on these spectacular risks that we forget about the one-firm-only risks that are far more likely to occur with serious ramifications to our organization.

I think this is a must read for all Crisis Management and Business Continuity Planning professionals, if not all CEOs and executives of organizations with a world-wide footprint.

The Next Disaster

So is your “Falling Satellite Hits Building” plan up to date?

Although I do not think this is a serious threat and do not suggest anyone become too alarmed by this story, I am somewhat amused with the quote:

“Since the beginning of the Space Age in the late-1950s, there have been no confirmed reports of an injury resulting from re-entering space objects. Nor is there a record of significant property damage resulting from a satellite re-entry.”

For many disasters that occur throughout history, prior to the event, you could probably safely say there was no record of that particular event occurring.  For example: Were there any records of significant damage resulting from a tsunami compromising a nuclear power facility?  Were there any records of significant damage resulting from terrorist attacks into high rise buildings with hijacked airplanes?  I could add a few more, but think you get the point.

Now, I am in no way suggesting that this threat has the potential to equal either of those two events – or, to even cause any damage at all – I am just saying, we cannot always rely on history to indicate what the next crisis might be.

Please, do not confuse me with Chicken Little here, running around yelling, “The sky is falling, the sky is falling” – I really am not an alarmist, despite the occupation I have chosen – I am merely pointing out the lack of assurance I get hearing someone say, “Well, this has never happened before so why should we worry about it”.

Do not activate your Command Centers monitoring “the satellite threat”.  Do not put business areas or your recovery site vendors on alert.  I am merely suggesting, do not expect your next disaster to necessarily have a historic precedent.

Now go out there and have a great day – just look up every now and then.

Increased Terrorist Threats

Unfortunately, news reports about terrorist threats for this coming weekend do not come as a surprise.  I will be travelling myself this weekend, including on 9/11, and am preparing myself to be patient with heightened security measures at the airports.

Part of the terrorists’ objective is to paralyze their enemy from the fear of terrorism.  I am not, in any way, suggesting these heightened measures are not warranted – in fact, I believe in the motto of “better safe than sorry” – but, the increased measures we take and their impacts on the otherwise free citizens of the United States is, in some small way, a victory for the terrorists.

I just hope we all can understand and appreciate the need for these increased efforts this weekend and all of us can abide by the heightened security with patience and cooperation.

I will be keeping an eye on the reports – including checking out what Mayor Bloomberg has to say in his upcoming Press Conference.  I will not vary my travel plans, but will build in extra time in my schedule to anticipate some slow-downs at the airports.  I hope the fear and threats are just a technique for instilling fear and do not result in any real incidents.

Be safe my friends and enjoy your weekend.

And, regarding the anniversary of 9/11 … never forget.

Business Continuity and Executive Liability

I am having a terrific time in preparing for the upcoming American Bar Association (ABA), Tort Trail and Insurance Practice Section (TIPS) teleconference on Disaster Preparedness and Response.  The session I will be participating on is scheduled for September 16 and is titled: “September 11, 2001 Terrorist Attacks: Duties of Corporate Directors and Officers in the Preparation and Execution of Disaster Avoidance and Recovery” – wow, that’s a darn long title!

I have been asked to participate on this panel to give a practitioner’s point of view on what is typically included in a corporation’s Disaster Preparedness Program (and, please, let’s not get hung up on the terminology being used here –see my blog post below) before the lawyers get into talking about possible executive liability and the implications of traditional insurance coverages used as a means for transferring risk.

One of the interesting things that has transpired in our conversations, that may or may not end up being discussed in the teleconference itself, is the different potential legal implications in lawsuits that may follow a company’s response to a disaster and how that ties into the typical planning methodology. 

We have differentiated between disasters in which the corporation played a contributing factor in the event, such as: the BP Oil Spoil in the Gulf of Mexico; the Exxon Valdez oil spill; or, the Union Carbide incident in Bhopal, India and those in which the companies were simply in the way of a tragedy that impacted them, such as: the earthquake and tsunami in Japan; Hurricane Katrina; and the events of 9/11.  And then, after further discussion, we broke up the last category in events that might be expected versus those that could not be foreseen.  It all has potential interesting implications should the companies be sued as a result of their ability or inability to effectively respond to the event and/or protect those around them impacted by the event.

Certainly, it is easy to see the liabilities if the company itself caused the disaster.  But, what about events in which the company is truly the victim?  I suggest there might be some difference if it is something they should have known to prepare for.  This ties directly to the business continuity planner’s findings from a Risk Analysis.  If the Risk Analysis identifies critical facilities on an earthquake fault, or in tornado alley, or in common Hurricane zones – you should plan accordingly.  If your Risk Analysis identifies potential threats from nearby nuclear power plants or hazardous material sites – you should plan accordingly.  And so on.

But, it was also noted that plenty of firms are sued for events they could not reasonably foresee.  I suggest that even if you could not plan to prevent or mitigate a particular scenario, you still can make horrendous mistakes and be negligent in how you react and respond to the unpredictable.  Although I think it is important for companies to have specific response plans for known risks, it is also important to have generic response plans based on impacts of unforeseeable events.  For example, plans to evacuate regardless of why you are evacuating.  Plans for shelter in place, regardless of the outside threat.  Plans to continue operations in alternate facilities, regardless of what rendered the targeted facility inaccessible.  Etc.

Our session will then go on to discuss the role Directors and Officers should be playing in the development, implementation and activation of these plans and the possible liability they may be held to should things go wrong.

I haven’t often had the opportunity to discuss these topics with a group of litigation lawyers and I am fascinated with the synergies we are experiencing in educating one another.  I am looking forward to a fun and rewarding teleconference on September 16 and in continuing the discussion and association with these folks after this event to explore these topics in greater depth.

Business Continuity and Business Insurance Policies

People often say that disaster recovery and business continuity planning is like having an active insurance policy.  And, I think they are right.  In the business continuity planning process, you conduct a Risk Analysis to determine what could go wrong to interrupt the business process.  Once you have identified risks, you can:

  1. Accept the Risk
  2. Eliminate the Risk
  3. Mitigate the Risk
  4. Transfer the Risk

Business continuity planners hate it when management decides to accept the risks – that leaves us virtually nothing to do.  Where possible, the risk can be eliminated through a number of solutions ranging from moving away from the risk, installing redundant systems to remove single points of failure, or other techniques to harden facilities.  Mitigating risk is what most business continuity plans are really all about, by lessening the impact of a risk through contingency plans and alternate site solutions should the threat come to pass.  And then there is the traditional, old fashion way of dealing with risks, by transferring the burden of risk to insurance companies with loss of business and other related insurance policies.

In reality, most enterprise programs include all of these solutions in one form or the other.  The surprising thing to me however, is that the business continuity planner and the risk management folks, i.e.: those responsible for the insurance policies, seldom work together or are even aware of what the other guy is doing.

There is a slow paradigm shift happening that, I think, will result in a closer integration of these two risk handling practices.  At Safe Harbor Consulting we have aligned ourselves with Granof International Group, a consulting firm that specializes in business insurance programs for risk management and executive liability.  The expertise of these two organizations provide a synergy that allows for a truly holistic Enterprise Disaster Preparedness Program ensuring the right combination of all the risk related strategies listed above.

You can check out Granof International through the Alliance Partners page at Safe Harbor Consulting or go directly to their web site by clicking here.

Responding to Riots – Case Study: London

Wow, just watching the news reports and reading the articles it is not hard to imagine how a city gone mad could seriously impact one’s ability to conduct business from the small, local establishment to large organizations with a presence in the area.

The impacts can range from your employees’ commutes being impacted due to blocked roads and shutting down mass transportation services to having your building engulfed in fires started by the mob.  Your customers may be prevented from getting to your place of business, key vendors may be impacted and your competition might be at risk as well – all events that could require some sort of coordinated response from your emergency preparedness and/or crisis management teams.

Has your company assessed the probability of a riot impacting key facilities and or the potential impacts should this occur?  Forbe.com has an interesting article on the potential insurance implications from the London riots with regards to English law.  It might be worth your while to investigate potential insurance policies your firm has covering potential losses due to riots or civil unrest.

I do not believe organizations need business continuity / disaster recovery plans for every type of scenario that could occur.  The strategies for responding to challenges employees face when transportation is shut down could be the same for strikes, hazmat spills, or even fear of being in public during pandemic scares – so, maybe you have a plan to address an immobilized workforce.  The plans you have for any event that damages your facilities may also work in this event, should your facility be in harm’s way of the fires that have been set.

I think it is valuable, however, to identify if you could be at risk to impacts from a riot and have an emergency response plan in place should the risk exist.  And, it may be a good idea to take a look at those insurance policies before an event occurs.

Referring to the Forbes’ article, I don’t care what you call it – if it impacts your ability to conduct business and puts your assets at risk – it is not a good thing.