Business Continuity Planning
Risk Identification & Risk Exposure Assessment


Dedicated to WTC 9/11

Think of Business Continuity Planning along the lines of taking out life insurance... you hope that you never have an accident, but should it happen it is nice to know that there is a plan to help the survivors cope with the aftermath. Few people would argue in favour of gambling that nothing will happen, and fewer still would voluntarily go through life without insurance. Why is it that there are business organizations that are totally unprepared for disasters? We cannot answer that for sure: it may be that people think of creating an adequate Business Continuity Plan as too complicated a task. If you imagine yourself as tasked with preventing every possible incident then that is truly an impossible mission, but if you simply think of preparing yourself for the most likely or most serious incidents it becomes quite doable. Most people are prepared for power failures (have flashlights and candles at home), for kitchen fires (have baking soda and a fire extinguisher), for accidents and injuries (carry a first-aid kit and have access to a phone to call 911), and think nothing about their involvement in disaster management planning.

Nothing is as complicated as dealing with a disaster on the spur of the moment. We should be specific about this: we are not talking about sending copies of a few critical files to off-site storage so much as how you would ensure the safety of your employees while evacuating and how you would redirect business to a backup site to resume operations if your primary site is destroyed. That backup data is useless unless you have ways of giving employees access to that data using an alternate business site. Preferably that site should be immune to those risk exposures that destroyed your primary site, or at least the odds of two concurrent disasters should be low enough as to be practically inconceivable. If this sounds complicated, it amounts to nothing more than taking stock of the potential risks and considering what you can do to minimize the consequences of those risks, just as you prepared for eventualities that could strike at home. However, while being inconvenienced at home if a disaster strikes is bad, there tends to be help available and life will continue. For business operations there may be help available to rebuild, but it may not help you with the problem that customers may have established a supply arrangement with another vendor, and as a result business life may still terminate.

PM4HIRE.COM uses a proprietary methodology for Business Interruption Response Planning that begins with a complete assessment of risks that may affect your business operation, and of exposures that may result. We take into account concurrent risks, where the same event may also affect a backup site, so that backup sites are likely to remain safe when the main site suffers a disaster event. Instead of taking the risk of seeing your customers drift towards competitors, you may be able to identify this risk and establish mutual arrangements whereby supplies continue to flow, but from an alternate source that may be transparent to the customer. Clearly this takes planning and there are costs involved in making the appropriate arrangements, so your Business Continuity Plan can become quite complicated as a result.

Risk Identification

The first stage of our 6-stage RECIPE methodology is Risk Identification: determining what types of risk events can affect the company. That does not mean that we try to look for monsters; we look for everyday events that can in some way interrupt the company operations, from small events to outright disasters.

Risks are things that can happen and that may or may not affect our ability to continue to provide a service. Risks are not specific to a business operation, and risks may not be a serious threat to a business operation per se. In fact, we expect many more risks to be identified than we have to compensate for, to provide an audit trail of our analysis efforts. If we can mitigate a risk so that no further exposure exists, it is no longer an issue for further attention. For example, we carry a spare tire to eliminate the exposure of a flat tire in the parking lot, but we cannot eliminate the exposure against a blowout simply by carrying a spare tire. The latter then needs to be further analyzed. Searching for potential risks is not a matter of fear or uncertainty. It is a matter of educating both yourself and your peers about what sort of things to be prepared for, and how to respond in case an event occurs that requires you to deal with a business interruption.

PM4HIRE.COM provides a detailed list of potential risks that can help you get started in your analysis. Any list of this nature includes the basic risks that a company is exposed to, but it cannot prepare you for dealing with a disaster like terrorists flying a plane into an office tower. At best you can use your preparedness for fire damage and similarly significant disasters to help you cope with such events and to keep any loss of life to a minimum. You can consider the complexities of any evacuation from such office towers, but then you also have to keep in mind the complexities of not being in the core of the business community while you are safely housed in several low-rise office facilities. While some people may find it unnerving to think of what eventualities you should take into consideration, others find that it provides a sense of comfort to be prepared. In particular when you exercise the different corrective actions before an event strikes, it is more likely that you will be able to deal with that event in a more effective manner.

We do not want to give you the false impression that we ignore serious disasters like 9/11 as part of our BCP methodology. We have collected some reference images to put this kind of disaster into perspective and to emphasize the need to break this down into smaller disasters that can happen all at once. It is easier to think of mitigation options for smaller disasters, and if necessary you can pull out all the stops to execute all mitigation steps at once.

Clearly, if your company occupies the top floors of the building in a 9/11 scenario there will be many reasons to believe that preparation only goes so far. The loss of life in this event has been staggering. Yet from a Business Continuity Planning perspective it is remarkable to realize that one of the companies hardest hit (Cantor-Fitzgerald) was able to continue operations within a short time of the disaster by switching to backup facilities and by working with the surviving employees and backup staff. How successful any company might be in such circumstances is up for debate, but at least if your company is in a position to resume business quickly it has an opportunity for survival. Many companies that were only indirectly affected (not WTC tenants) actually went out of business simply because of the time it took to be allowed back into their office buildings. That kind of tragedy is preventable, and that is why we need to take a good risk inventory to see what kind of disasters we can prepare for.

Exposure Assessment

Once we understand what risks we may be exposed to it is time for us to consider the probability of how the exposure may affect us directly in some ways or indirectly in other ways. This is critical in order for us to know what risks to work on, and what risks to ignore, an assessment that leads to proper risk management. We need to know the frequency and the likelihood of risk exposures in order to establish a statistical value of potential costs due to these exposures. The intent is to then prioritize the risks in order to deal with the major and/or most likely disruptions.

PM4HIRE.COM separately reviews each site that you operate in order to identify what backup potential exists from one site for other sites. We also keep track of statistics produced by agencies like FEMA to put your risk into perspective and to devise backup plans that make sense. The purpose of a backup plan is not to pacify the shareholders; it is to facilitate an orderly transfer of operations so that business continues. We have seen examples that read a lot like fiction and that would be unlikely to be of much use in the event of a disaster of any significant proportion. Perhaps your site is inherently vulnerable to many events, and perhaps you should consider relocating to a more secure site. Only a comprehensive exposure analysis will help you to establish your options.

A vulnerability assessment determines what the critical functions are that must be resumed within an hour, or 4 hours, or 12 hours, and so on. This identifies where people need to concentrate their efforts to get you back in operation. Vulnerability includes financial and physical assets, including lost revenue, recovery costs, potential fines and penalties, loss of goodwill, delayed receivables collection, and so forth. There may be specialized equipment on site that is hard to replace and that may make a timely recovery difficult (unless you want spare facilities installed elsewhere). Our methodology lists a number of human impacts, property impacts, as well as business impacts, and it incorporates a systems analysis process to show the ripple effect of one disaster that can broaden the overall impact and to calculate the consequences of different simulated disaster events to provide you with the information you need to implement a disaster response plan.

With respect to any loss assessment we always focus first on preventing loss of life and on reducing the risk of injuries in general, irrespective of the financial exposure to the company. We would never expect employees to put themselves at risk to save company assets. Beyond that, we look at insurance to minimize the financial loss exposures and we look at prevention to minimize the risk of an event having such far ranging consequences. It is important to restate the risk in monetary terms in order to assess the feasibility of countermeasures that reduce that risk, or that reduce the cost of insuring against that risk, if that proves to be cost effective. We are always on guard against the incorrect use of statistics: probabilities are not very useful if one occurrence can wipe out the company.
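The prioritization described above can be sketched in code: frequency and monetary exposure are combined into an expected yearly cost, a risk whose single occurrence could end the company is ranked first regardless of its probability, and a countermeasure is judged by whether it saves more than it costs. This is an added example, not PM4HIRE.COM's methodology; the class and function names, the `survivable_loss` threshold and every figure in the register are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    events_per_year: float  # estimated frequency of the event
    loss_per_event: float   # monetary exposure of one occurrence

    @property
    def expected_annual_loss(self) -> float:
        return self.events_per_year * self.loss_per_event


def is_ruinous(risk: Risk, survivable_loss: float) -> bool:
    """One occurrence would exceed what the company can absorb."""
    return risk.loss_per_event >= survivable_loss


def prioritize(risks, survivable_loss):
    """Ruinous risks first, then by expected annual loss, largest first."""
    return sorted(
        risks,
        key=lambda r: (not is_ruinous(r, survivable_loss), -r.expected_annual_loss),
    )


def countermeasure_pays_off(risk, annual_cost, events_after, loss_after):
    """True if the yearly reduction in expected loss exceeds the yearly cost."""
    residual = events_after * loss_after
    return risk.expected_annual_loss - residual > annual_cost


# Constructed sample register (hypothetical figures, not real statistics).
REGISTER = [
    Risk("Power failure", 2.0, 15_000),
    Risk("Server room fire", 0.02, 900_000),
    Risk("Primary site destroyed", 0.002, 12_000_000),
    Risk("Basement storage flood", 0.1, 80_000),
]
SURVIVABLE_LOSS = 5_000_000  # assumed largest single loss the company survives

if __name__ == "__main__":
    for r in prioritize(REGISTER, SURVIVABLE_LOSS):
        flag = "RUINOUS" if is_ruinous(r, SURVIVABLE_LOSS) else ""
        print(f"{r.name:26} {r.expected_annual_loss:>10,.0f}/yr {flag}")
    # A generator at 10,000/yr that cuts outages from 2.0 to 0.2 per year.
    print(countermeasure_pays_off(REGISTER[0], 10_000, 0.2, 15_000))
```

Ranked by expected annual loss alone, the power failure would come first; the ruin check moves the destroyed primary site ahead of it even though its expected yearly cost is lower.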

To consider a loss assessment we need to understand the Executive Management view on risk exposure before we can propose adequate protection for the business. We may need to interview operating staff to understand the impact of various outages. We generally need to focus on the more serious impacts because any prevention or mitigation will automatically benefit the lesser impacts, but the reverse is not always true. Even if not all risks can be prevented or mitigated, at least you will have a list of weaknesses that will not become surprises in the event a disaster strikes. Some of these weaknesses may be addressed in a longer term plan, perhaps by relocating the business to a less vulnerable venue.

Focus On Survival

Ultimately the objective of the BCP is the survival of the company. You will probably need a disaster response team with different people that are responsible for different actions. That team should be involved in planning the response to any disaster event so that they are familiar with the roles and responsibilities.

Team members should be able to work well under pressure and they should firmly understand that failure is not an option when disaster strikes. The team should be well staffed, so you have plenty of backup, but it will always be a part-time assignment until disaster strikes. They should also be acquainted with local expert consultants including emergency services and authorities, specialized contractors, and insurance companies, all of which provide free advice on how to minimize the impact of any disaster event. It is also important that the team establishes contact with these local experts before anything happens, and that these experts are listed in your documentation as part of your overall disaster response process.

Fast Track IT Training

We offer training programs for Business Systems Analysis, Requirements Analysis, Functional Specifications and Design, where we teach you the same elicitation techniques and documentation techniques that we use to perform this analysis work on contract. We can also work with your staff in a mentoring and support capacity to help you build in-house competency to perform this kind of activity.


Design by Write4hire.com