|
Terrorists
smash planes into the center of world commerce and
declare war on America. A massive blackout shuts
down business through much of the Northeast. A
hurricane destroys businesses in wide swaths of the
Southeast. As for the West, a massive
earthquake—known to all Californians as The Big
One—is due anytime now. And a simple flu virus
threatens to kill tens of millions around the world.
What’s an executive
to do?
Three of the top choices—even today—are denial,
fatalism and hysteria. Those in denial note that the
disasters keep happening somewhere else, or are
over-hyped by the media. The fatalists believe
there’s no use in planning, contending that business
will inevitably grind to a halt and it will be
“every man for himself.” The hysterics go the other
way, reacting to every headline event with a new
plan, a new task force and a new set of expensive
consultants. The issue is then promptly forgotten
until the next headline appears. Conveniently, all
of these reactions allow executives to focus on the
next quarter, the next product and the next
strategic move.
Alternatively, executives can learn a few of the
lessons that have emerged since 9/11. First,
disasters do happen. Maybe a plane won’t hit your
office building, but in this outsourced world, the
loss of a vital supplier or vendor could have a
devastating effect as well. Second, companies do
recover—some better than others, depending on their
planning and resources.
The third lesson, however, is especially ominous for
corporate officers and directors—some of whom may
still believe they could never be held accountable
for an “Act of God.” But that term seems almost
quaint these days. As improved technology makes it
increasingly possible to predict the arrival of a
disaster, employees, customers or shareholders are
less likely to accept excuses for a failure to plan.
“In this post-9/11, post-Katrina, avian
influenza-threatened world, the category of
unforeseeable threats or events becomes narrower
every day,” says Scott Weber, a partner at Patton
Boggs. “Foreseeability is central to the analysis
for senior management’s and the board of directors’
duty of care to its shareholders. If it’s
foreseeable, one could reasonably argue that it
becomes part of the senior management’s and board of
directors’ duty of care to plan.”
And in a post-Enron world—where public faith in
executives is still tenuous—juries may be more
likely to interpret officers’ ignorance, denial or
fatalism as something much more damaging:
negligence. This opens up the possibility that
directors or officers could be held personally
liable for a failure to plan for a foreseeable
disaster, Weber says. “As companies understand the
moral and legal obligations they have to their
investors and employees, not being prepared is no
longer an option,” adds Norma Krayem, co-chair of
the Homeland Security, Defense and Technology
Transfer group at Patton Boggs.
Fortunately, help is at hand. You can prepare your
business for almost any eventuality without drowning
in paperwork or busting your budget. A small army of
consultants and specialists is available to assist.
And there could be benefits to planning that you
haven’t anticipated. Even if the big disasters never
darken your doorstep, good planning can make your
organization more nimble and cohesive—preparing you
for the little disasters that strike more
frequently.
Inside a
Top-Performing Planner
Pete Dowling knows big disasters. He was special
agent in charge of the Washington office of the U.S.
Secret Service on September 11, 2001. In 2002,
financial firms spooked by that fateful day hired
big guns to help them survive if there were a next
time. Dowling joined Axa Equitable, the
life-insurance arm of Axa Financial, located in
midtown Manhattan.
Today, Axa Equitable demonstrates extraordinary
preparedness. Every employee has a “Go Kit” with
necessities like bottled water, a glow stick and a
particulate mask. They also receive a pocket-sized
guide providing emergency numbers and evacuation
locations and procedures. The entire firm
participates in three evacuation drills a year, and
at least one shelter-in-place drill. If a disaster
occurs, a notification system called SendWordNow can
instantly send messages to every employee’s home
phone, cell phone or BlackBerry.
Dowling has also established a business recovery
site for Axa Equitable in New Jersey. A massive,
cubicle-filled room with 500 seats, the site allows
the business to continue running for as long as it
takes to find a new location or return to the old
one. Axa Equitable has run three full tests of the
facility, the first time during the 2004 Republican
Convention when protestors threatened a large-scale
disruption of city activities.
Far from a grim disaster drill, the relocations were
“a real bonding experience,” Dowling reports—much
like the effect a field trip has on students.
Dowling knows that people, not systems, determine
whether operations are successful. During
preparation, response or recovery, a series of
cross-functional teams swings into action. The teams
have a hierarchy that follows the normal chain of
command, though Dowling also has a succession plan
in case top executives are incapacitated.
During last year’s transit strike in New York City,
hundreds of thousands of people were forced to stay
home. At Axa Equitable, Dowling’s recovery support
teams spent the weekend before the strike renting
buses and designing bus routes that snaked
throughout the five boroughs. Everyone made it to
work. “The greatest story,” Dowling says, “is when
people with normal jobs—whose responsibility isn’t
to look after the welfare of others—decide they want
to help.”
Even given the firm’s successes, Dowling keeps
learning. During the Eastern Seaboard blackout of
2003, about 100 Axa employees were not able to get
home, despite Dowling’s best efforts. The experience
inspired Dowling to keep cash in a safe for
emergencies—and to outfit an auditorium down the
street so it can become a 500-person shelter at a
moment’s notice.
Preparing for All
Hazards—or Most
Big, Manhattan-based financial firms like Dowling’s
may be among the best-prepared firms when it comes
to disaster. They were directly affected by 9/11,
are highly regulated and have money to spend on
fancy plans. And since 9/11, many large companies
have followed suit. By 2007, according to Gartner,
Inc., three-quarters of large companies will have
business recovery plans in place.
By other measures, however, corporate America is not
so well prepared: Just over a third of financial
professionals surveyed by JP Morgan Chase in March
of this year, for example, say they’re ready to
handle an event similar to Hurricane Katrina. Half
said their companies have no immediate plans to test
the plans they have in place.
Two-thirds of American executives surveyed by
Deloitte & Touche in late 2005 said they had not yet
prepared adequately for a bird flu outbreak, and
most said they had no one specifically in charge of
such a plan. Another survey, by human resources
consultant Watson Wyatt, found that only 15 percent
of multinational firms based in the U.S. have a bird
flu plan in place.
Small to medium-sized businesses are even less ready
than the big ones polled in these surveys. The
consequences have become clear: After Hurricane
Katrina, many big firms suffered quarterly or annual
earnings hits, but countless smaller ones were wiped
off the map entirely.
“It’s guaranteed that everyone will experience some
sort of crisis,” says Roberta Witty, a Gartner vice
president who advises firms on business continuity
planning. “Companies need to look at all situations
that put them at risk, and understand the impact.”
This may seem a daunting task, as new threats to
your business seem to arise every year. The good
news is that a new profession of business-continuity
planners has emerged. Many major consultancy firms
now also advise on business continuity planning.
More than this, standards have also appeared, such
as the National Fire Protection Association’s (NFPA)
1600 standard on emergency management and business
continuity. The ANSI-approved standard was compiled
by experts in the public and private sectors and has
been given the stamp of approval by both the
Department of Homeland Security and FEMA.
The process dictated by NFPA 1600 is known as an
“all-hazards” approach. It begins with a risk
assessment encompassing every conceivable natural or
man-made disaster, from terrorism to tsunamis—and
not just the ones that have made headlines lately,
notes Patton Boggs’ Weber.
But it would be impractical to create a plan for
every possible contingency. Fortunately, the
measures needed to prepare for many disasters are
effectively the same, Weber notes. For example, all
firms must identify mission-critical business
processes, develop IT recovery and financial control
measures, determine which personnel must be notified
of disaster and develop a succession plan in case
leaders are incapacitated.
“There are four phases—mitigation, preparedness,
response and recovery—and you work through those
phases for every hazard you can anticipate,” says
Martha Curtis, NFPA’s liaison to the 1600 committee.
The ultimate goal is to establish an organization
that can respond quickly and flexibly even in an
unanticipated and stressful emergency situation. “If
you’re better prepared for all the crises you can
foresee, you’ll be better prepared for the ones you
can’t,” says Bruce Blythe, chief executive of Crisis
Management International, an advisory firm based in
Atlanta.
Why Directors and
Officers Should Care
For directors and officers, it’s more important than
ever to demonstrate that you’re taking preparation
seriously, says Weber, who was formerly a legal
advisor to Department of Homeland Security chief
Michael Chertoff. Evidence is mounting, Weber says,
that officers who fail to plan for foreseeable
disasters could be exposing themselves to liability.
Weber points to a 2003 ruling by a U.S. District
Court judge that a suit against airlines by victims
of the 9/11 attacks could go forward because the
companies could have foreseen the use of planes as
terrorist weapons. (The suit is still pending.)
The NFPA 1600 standard, Weber notes, says that
business continuity planning should be reviewed as
an “ongoing process by senior management.” It also
notes that the plans must be adequately funded to
maintain “viable recovery strategies and recovery
plans.” That’s just the sort of statement a
plaintiff’s lawyer might someday use against a
company that doesn’t follow those recommendations,
Weber says.
Though implementing the NFPA 1600 is not a legal
mandate, corporate officers’ fiduciary duty to
shareholders has been legally established. Now that
the NFPA 1600 exists—and now that there have been
several well-publicized disasters—a plaintiff’s
lawyer could make the case that failure to plan is
equivalent to negligence, Weber says.
There are plenty of other reasons to follow good
planning standards. Disaster planning is just part
of the overall process of risk management that is
part of directors’ and officers’ duty of care, notes
Tony Galban, senior vice president of D&O insurance
at the Chubb insurance group. And, he adds, managing
risk of all kinds helps firms obtain insurance,
defend against claims and keep premiums down.
Al Martinez-Fonts, assistant secretary for the
private sector at the Department of Homeland
Security, would like insurance companies to
guarantee discounts on premiums to companies that
comply with a standard. And, he adds, Congress
should consider guaranteeing relief from liability
for those firms. “We may want to change the laws so
people who do the right thing are not held liable,”
Martinez-Fonts says.
Right now, however, there are no guarantees. Still,
proper planning will greatly increase the chances
that your business and your employees—not to mention
your personal assets and reputation—will be safe
from harm.
“Many CEOs and board members say it’s nice to have
good planning, but it’s not a must-do category,”
says Weber. “I think that can be fatal.”
CT |
|
In 2002, financial firms spooked by the
events of 9/11 hired “big guns” to help them
survive if there were a next time. |
|
 Katrina,
many big firms suffered quarterly or annual
earnings hits, but countless smaller ones
were wiped off the map entirely. |
|
Your Continuity Plan:
It’s a Living Document
While many companies may have a business
continuity plan in place, that by itself is
not enough to ensure adequate preparation or
relief from liability, Patton Boggs’ Scott
Weber says, pointing out steps that even
large companies often neglect:
-
Benchmark themselves against peers in
their industry and standards like the
NFPA 1600
-
Make continuity planning part of all
corporate training;
-
Conduct regular, full-scale drills
-
Update the plan regularly
-
When considering acquisitions, do a due
diligence check to ensure that your
target has adequate continuity plans in
place.
Firms that put their plan on a shelf will
find themselves at a loss when disaster
strikes, Weber says. That’s because they
fail to adapt to changes, both internal
(such as new personnel) and external (such
as new threats).
This doesn’t mean an expensive wholesale
updating is needed, Weber says. Even small
updates can make a big difference. “You’d be
amazed at how important it is to do
something as simple as updating a phone
list,” he adds. “Failure to do that could
have a significant negative impact on your
response and recovery efforts.” |
|
 In
the eye of the storm: Some directors and
officers still believe they could never be
held accountable for an “Act of God.” |
|
 Just
over a third of financial professionals say
they’re ready to handle an event similar to
Hurricane Katrina. |
|
What Small
and Medium-Sized
Businesses Can Do
Small and medium-sized
businesses tend to operate on thinner
margins and often can’t afford to hire
specialized personnel to help with business
continuity planning. So it’s no surprise
that they’re more likely to bear the brunt
when disaster strikes. Al Martinez-Fonts,
assistant secretary for the private sector
at DHS, estimates that 40 percent of all
businesses close after a disaster, most of
them smaller businesses.
Luckily, there are
many measures smaller companies can take at
minimal cost. The DHS website for business,
at
www.ready.gov/business,
contains a wealth of free resources
including sample plans, forms and
checklists. There’s even a long list of
measures that can be taken for $500 or less.
Large companies depend
on their smaller counterparts as suppliers
or vendors, notes Martinez-Fonts. Leveraging
that important relationship, the DHS has
started a mentoring program that hooks up
small business owners with business leaders
for workshops and training sessions. Details
can be found on the DHS website listed
above.
“Large businesses have
the ability to hire preparedness and
security people,” Martinez-Fonts says.
“They’ve learned their lesson. If they can
share these lessons with small businesses,
that’s terrific. We don’t have to reinvent
the wheel.” |
|