Think about your approach to disaster events such as a hurricane or a terrorist attack. Is it primarily a facilities-based view, focusing on the possible consequences to buildings and assets or do you approach planning for such events with an eye toward business survival?
It's an important distinction, because in today's business environment, major crises raise issues of greater significance than the amount of facility or asset damage. A disaster today is more likely to raise concerns about the ability of the company to conduct business: Can it stay legal and meet demands of regulators? Can it satisfy its stakeholders? Can it secure its place in the marketplace?
Why you should have a broad perspective of emergency risk management. Emergency management leaders, security professionals, and other disaster team players have traditionally used a hazardous event vulnerability model for managing the risk from disasters--assessing which events are most likely to inflict damage to facilities and which could cause the greatest damage. This is a necessary step in disaster planning, but it can't serve as the framework, warns David Kaye, principal for Risk Reality (Gloucestershire, England).
Just as it's important for security to embed itself in the business outlook, so too must disaster management and continuity planning. In an operational risk management context, the real goal of disaster management today is to manage the dependencies that the business needs to move forward rather than to protect the things that make up the company because things no longer comprise a company, notes Kaye. Dependencies have replaced hard assets as the key ingredient to a modern business, he explained in a keynote address to the 2006 World Conference on Disaster Management (WCDM) in Toronto ("Business Continuity Management: New Challenges, New Visions, New Ideology").
"The business of yesterday had a warehouse of goods and its own workforce," Kaye noted. This model facilitated an event-specific approach to disaster management. "But today we have hollow or virtual companies, where nobody is at home," he explained. Modern businesses operate under tighter time compressions, rely on outsourcing for most of their operations, and are frequently within 1% to 2% of financial ruin, Kaye said. "Suppliers are no longer on the fringe of companies but are at the core of the business." And e-commerce has "brought its own massive dependencies," he added.
Michael Tarrant, an educator for Emergency Management Australia (www.ema. gov.au), identifies yet another risk from how business has evolved. He notes that corporations have spent years squeezing processes to be more efficient, and these efforts have left the companies significantly more vulnerable to any disruption. "Yet companies don't typically invest any of their efficiency dividend into protecting against the risks that they've pushed into the future," Tarrant said in a presentation on managing nonroutine risk at WCDM.
These business developments have left major companies more vulnerable to disasters than in the past when if a disaster occurred--even one that destroyed facilities or a warehouse of product--they could simply absorb the loss and move on. But in the age of hollow companies, competitors "can grow in your place if you suffer a disaster because your business model is now the same as theirs. All they need to do is step in, establish some outsourcing relationships, sign some contracts, and they're there."
What's it to you? Practically speaking, this transformation has critical implications for the approach security professionals and other disaster management leaders need for effective planning. It means looking at:
* Who falls under the umbrella of your disaster plan. Value chain suppliers and distributors are now central to effectively weathering a crisis. Unfortunately, many companies take a "tick box" approach to examining the contingency plan or service levels of key suppliers, said Kaye. "Companies ask, 'Do they have a plan? Yes?' Then they tick the box. But whom does the suppliers' continuity plan protect, the company or the suppliers?" In the age of hollow companies, the ability of partners to manage a crisis or prevent a security event is nearly as central to your ability to conduct business as your own, and so it deserves nearly as much scrutiny.
* Management of key personnel. Today's more virtual companies derive more of their value from intellectual assets, which increases their reliance on key company personnel. "And if a disaster hits, the best employees will already be on their blackberry looking for their next job," warned Kaye. This raises the stakes for employee crisis communication programs. Security leaders should follow the best practices described in the February 2006 issue of SDR ("How to Close the Gaps in Your Crisis Communications Plan").
* The role that insurance can play in risk mitigation. Companies have changed from being asset-based to having their value measured by intangibles that are less insurable--intellectual property, human capital, brand, business relationships, and so on. In this environment, companies may find it is more appropriate to spend less money on insurance and more on improving their ability to resume operations in the face of a terrorist or other emergency event, said Kaye.
* Working with your internal partners. Security leaders have accepted the fact that convergence requires them to forge better working relationships with IT, but it's not the only area that security leaders need to tap into others' expertise to be a better business leader. From a kidnap and ransom, a major fraud event, or a bomb threat, all crises have both a security and a business continuity component, notes Kaye.
Security leaders have an obligation to bring their operational plans for handling crises to the attention of corporate business continuity planners and other experts--such as public relations for planning media response--whose skills can help improve the odds of successfully handling the event from a business perspective. Security directors may be wary of letting "outsiders" scrutinize the plan for handling events, but it's important to remember that the handling of a major security event is not measured by the outcome. "We need to remove some of the artificial stovepiping of responsibilities and duties between security, disaster planning, continuity planning, and others," said DRI International (www.drii.org) President and CEO John Copenhaver in his address at the WCDM conference.
One document that can help bridge the gap is the company's business impact analysis (BIA), suggests Rich Schiesser, president of RWS Enterprises (www.rwsenterprises. com). Although many companies still lack this key crisis planning document, others use a BIA to systematically examine their operation and understand its most critical processes, which tells them the order in which things need to be restored after a crisis. Those involved on the logistical side of crisis management, such as security, need to understand what the BIA says and the implications it has on crisis response and recovery.
Note: Two free documents that can help companies align disparate emergency planning activities, players, and plans are: (1) NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs (National Fire Protection Association, www.nfpa.org/assets/files/pdf/nfpa1600. pdf) (2) Professional Practices for Business Continuity Professionals (DRI International, www.drii.org/displaycommon.cfm?an=2).
Source Citation:"Do you have a dinosaur's view of handling disaster?." Security Director's Report 06-08 (August 2006): 1(4). Criminal Justice Collection. Gale. BROWARD COUNTY LIBRARY. 8 Oct. 2009
(Album / Profile) http://www.facebook.com/album.php?aid=10031&id=1661531726&l=cf90f7df9c