Warning: Crisis Ahead
Aug 1, 2008 12:00 PM, By Ashley Roe
Disasters are all around us. Last March, an outbreak of tornadoes barreled through downtown Atlanta, catching residents, tourists and businesses off guard and in harm's way. In June, hundreds of people were forced to evacuate when major flooding damaged homes and businesses in southeastern Iowa. This summer, wildfires have threatened areas of northern California.
In addition to such events caused by nature, there are also risks from disasters such as terrorist attacks, workplace violence incidents, explosions or accidents.
The potential for disaster clearly should be top-of-mind for business leaders, including security directors. A business continuity/disaster recovery (BC/DR) plan should therefore be a priority.
However, since recent events have not been as extreme as Hurricane Katrina or the Sept. 11 attacks, some company leaders have allowed preparedness to be pushed to the bottom of their to-do lists. Not a good idea.
Make planning a priority
Two recent surveys - one conducted by the Ad Council on behalf of the Department of Homeland Security's (DHS) Ready Business group and another administered by the Boston-based technology research firm Aberdeen Group - suggest that BC/DR planning progress among small-, medium- and large-sized private businesses is lagging.
The Ad Council's December 2007 survey of private businesses with two to 999 employees found that 91 percent of respondents believe it is “very” or “somewhat” important for businesses to take steps to prepare for a catastrophic disaster, such as an earthquake, hurricane or terrorist attack. However, only 38 percent said their business had an emergency plan in place in the event of a disaster.
The Aberdeen Group's survey, conducted between February and March 2008, examined the usage trends, experiences and intentions of more than 150 enterprises of various sizes that had already created some type of BC/DR plan. According to the study, 34 percent of the businesses surveyed were “in varying stages” of creating a business continuity plan and had yet to implement it.
So why aren't organizations getting prepared?
One factor, says Rebecca Marquis, deputy director of DHS's Ready Campaign (ready.gov), which strives to help individuals and businesses adequately prepare for and respond to emergencies, is complacency. “Aside from the recent flooding in the Midwest, we haven't had another 9/11 or Hurricane Katrina, and a lot of people have become complacent as a result. They are not thinking about preparedness as much as they should.”
Adds John McCarthy, a principal of the Business Security Advisory Group (BSAG), a corporate security consulting firm established by five former chief security officers from major global corporations, and a Security Executive Council (SEC) member: “It all depends on whether or not people are taking notice of the risks around them. People ask themselves ‘do I really believe a terrorist attack could affect me?’ After 9/11, people did believe there was a real risk.” But, McCarthy explains, as the years have passed since the Sept. 11th attacks, concern over the risk of terrorism among businesses has subsided.
Many business leaders take a misguided approach to BC/DR planning, says Scott Watson, vice chair of the ASIS Crisis Management and Business Continuity Council, and principal consultant of S.A. Watson & Associates LLC. “A lot of organizations approach crisis management planning from a compliance mindset,” he says. In other words, business leaders spend time creating a plan simply in order to satisfy a requirement. In addition, organizations should spend time testing and adjusting the plan to make sure it will function well if it is called into action. Planning from a compliance standpoint, Watson says, too often involves developing the BC/DR plan, putting it in a binder and setting it on a shelf where it might go untouched or even forgotten about.
The need to demonstrate a clear return-on-investment (ROI) to senior business leadership may also be slowing businesses' approach. “Spending money on business continuity does not have an ROI associated with it, and if you don't see an ROI, many companies don't want to spend the money,” says Frank Mahdavi, chief strategy officer of MIR3 Inc., a San Diego-based provider of intelligent notification systems for use in disaster recovery and business continuity processes as well as for general business and information technology practices. MIR3 was one of three underwriting companies that commissioned the Aberdeen Group's business continuity survey.
A fourth reason is cost. “These plans are not cheap to put together. They take a lot of time and energy, and if you are going to practice them on a somewhat regular basis, they require a lot of resources, too,” McCarthy says.
Planning: Rules of thumb
Where does an organization begin to create and/or to build upon an existing BC/DR plan? There are some general rules of thumb to take into consideration.
The ASIS Crisis Management and Business Continuity Council, an educational group that promotes best practices in crisis management and business continuity, organizes an annual three-day workshop dedicated to basic crisis management training, including instruction of the “Six Steps of Crisis Management.”
During the workshop, Watson explains, groups of participants take part in role-playing exercises, with each group representing a fictional company in a fictional town, and each participant is assigned a fictional role within the company. Participants are taught how to create a crisis management plan using the six steps as a guide.
“Our students get a good foundation for understanding the process of creating a plan, including the experience of working with various groups representing an organization,” Watson says. “Participants can then bring their notes and knowledge back to their respective organizations for use in developing their own plans.”
© 2009 Penton Media Inc.