The Definitive Guide to Disaster Planning

Sat, May 18, 2019 at 1:40PM

Agility Recovery

Between 2013 and 2018, Florida experienced a total of 1,291 severe weather events, including: 194 wind events in excess of 65 mph, 606 hail storms, 237 tropical storms, 246 tornadoes and 8 named hurricanes. If this makes you think twice about creating and implementing a disaster plan, then this article will provide some necessary guidelines and items for consideration.

Why Does My Company Need a Disaster Plan?

A lot is asked of today’s business leaders, and the challenges faced on a daily basis already occupy the lion’s share of a leader’s time. However, in addition to other strategic initiatives inherent to the role, leaders must also be confident in the ability to maintain critical operations despite business interruptions. Revenue generation, customer satisfaction, employee well-being, and legal or contractual obligations can all be dramatically impacted by even the smallest incidents, not to mention the large-scale regional events that are increasing in frequency and severity across the globe. Even if a company is located in a low-risk area for natural disasters, man-made and isolated incidents pose an ever-present threat. For this reason, strong, well-led companies must have a disaster plan in place to overcome a variety of business interruptions and ensure the company can:

■ Recover from any disaster,
■ Protect your source of revenue,
■ Fulfill moral responsibilities to stakeholders,
■ Facilitate compliance,
■ Reduce exposure to civil or criminal liabilities,
■ Enhance your company’s image and credibility,
■ Potentially reduce insurance premiums, and
■ Build company-wide consensus and a culture of preparedness.

The responsibility of ensuring the viability of a company lies with senior management. Therefore, steps must be taken to establish a business continuity program and prepare to overcome interruptions. This will allow your company to satisfy moral obligations to employees, clients, and the community, as well as fulfill compliance responsibilities to customers, stakeholders, and regulatory entities.

The information contained in this article will outline the most basic, yet impactful steps any organization should take to build resilience in the face of all manner of threats. In many cases, these steps will not require complex, long-term projects for implementation, nor significant capital investment. Instead, much of the commitment simply depends on prioritizing the attention of your organization and building a company-wide culture of preparedness. The hardest step is often the first when it comes to implementing such a strategy, but with the help of the following information, the road toward preparedness does not have to be overwhelming.

Step 1: Assemble a Disaster Team

There is perhaps no more important element to a successful disaster strategy than gaining support and buy-in across your company. Additionally, an effective strategy cannot be created nor implemented without the help of others. Therefore, obtaining leadership approval is an important first step that is necessary for gaining support and funding each element of your plan. Of course, building a capable team will also set you up for success. Therefore, you should involve your employees in the disaster response planning process to let them know you’re ready for whatever crisis may occur and build buy-in towards a culture of preparedness. By working together, you can design a plan that will accommodate the challenges faced throughout the company during a disaster.

Responsibilities of the disaster team include:
■ Provide guidance, oversight and approval of resources for the continuity program
■ Facilitate the implementation and routine testing of the program
■ Ensure collaboration and buy-in across all departments
■ Execute the plan should the need arise

When assembling your team, it’s important to include members from all departments of the company. Downtime after a disaster affects departments in various ways. Involving all departments allows for equal consideration of priorities and critical tasks, and protects any critical inter-dependencies.

Once you’ve chosen your team, it’s key to establish clear communication and focus on the same goals. Here are some tips for building a high level of consensus among your team:

■ Determine and agree upon high level goals and prioritization (goals may include safety, physical security, or fiscal well-being)
■ Solicit input from all involved
■ Ensure buy-in for resource allocation

Determine roles – team members must have defined responsibilities, tasks, schedules, and deadlines in order for your plan to succeed. The distribution of tasks will depend on the size of your company, and roles may not necessarily relate to current job descriptions. Possible roles include:
■ Disaster team leadership
■ Vendor/supplier relations
■ Spokesperson/communications
■ Data/technology
■ Facilities management
■ Safety/security
■ Financial oversight

Step 2: Understand Your Risks

Identify. Prioritize. Mitigate. It is necessary to consider all possible incidents and the impact each may have on your company’s ability to conduct essential operations. Properly identifying and prioritizing risks allows you to focus mitigation efforts in the most effective areas.

Identify and examine your internal and external risks to customize your disaster plan to your company’s current needs. Areas of potential threat include:

■ Weather-related disasters (consider the historical record of any catastrophic, naturally occurring events in your area)
■ Facility location (consider your geographic location and your proximity to potential threats originating nearby, such as power grids or major transportation corridors)
■ Facility design/construction
■ Technology failures
■ Isolated incidents
■ Supply chain disruption (Risk to your company extends to all of the external vendors and suppliers you rely on to deliver your everyday services and products to clients.)

Prioritize – the best way to understand and prioritize risk is by using this basic formula: risk = probability x impact. Focus mitigation efforts on the risks with the highest importance, measured by multiplying the probability that an event will affect your company by the impact that event would have on your business operations.

Mitigate – develop a strategy to mitigate your risks, and manage risks that cannot be mitigated (for more on this, see step 4). Three options for mitigation include:

■ No cost solutions (e.g., moving power sources away from the ground floor)
■ Solutions that require an investment or cost your company is able and willing to accommodate (e.g., purchasing an on-site generator)
■ Solutions with a cost your company cannot endure, and thus must be insured against (e.g., a building fire destroys the entire facility, including all equipment)

Step 3: Determine and Prioritize Essential Business Functions

Critical business functions are activities that are vital to your company’s survival. Although protecting revenue is a key concern for most companies, revenue generation is actually the outcome of a myriad of other functions within a company. Even for industries that rely on a direct-to-consumer transaction of products or services, ensuring quality and delivery timeframes may be a critical process that leads to satisfying customer demands. Keep in mind, the process of identifying your critical business functions will require careful cross-referencing with findings from your risk assessment analysis. Typically, critical business functions are functions that:

■ Affect the safety and security of employees and customers
■ Are the most sensitive to downtime
■ Fulfill legal or financial obligations to maintain cash flow
■ Play a key role in maintaining your market share and/or reputation
■ Safeguard an irreplaceable asset

Determine and analyze essential business functions by conducting a simple Business Impact Analysis (BIA), which will document the impact on your company resulting from interruptions to regular operations. In order to conduct a BIA, follow these steps with your disaster team:

1. Divide the company into functional business units.

2. For each business unit, identify all routine and critical functions, their major attributes, and any inter-departmental dependencies.

3. Identify the staff that must be available and actively working for the function to remain operational.

4. Specify any equipment, applications, or tools that must be available to active staff.

5. Estimate the maximum amount of time your organization can remain viable without this function in place (consider that the more immediately you need something recovered, the more it will cost).

6. Determine the impact (both quantitative and qualitative) that the loss of this function has on your organization.

7. Be sure to consider and incorporate the loss of outside vendors, suppliers, service professionals and other aspects of your supply chain on the function in question.

Step 4: Create an Emergency Management Plan

Now that you’ve assessed the risks your company faces and analyzed your critical business functions, use those conclusions to identify and consider available mitigation and recovery strategies. Begin by considering each of the Critical Business Functions discovered to develop plans and strategies protecting each from the top risks posed to your organization.

This is where all your discovery will begin to take the form of detailed strategies. Therefore, extra time should be taken in this major stage of the process to clearly articulate the steps involved, including their anticipated timeframes and required resources.

Tasks:
■ Mitigate potential risks (when cost effective).
■ Develop options to establish continuity procedures that will protect critical functions and processes should a threat actually occur and require recovery.
■ Document and vet proposed recovery strategies while determining scope and required resources so that a cost-benefit analysis can be conducted for each proposed strategy.

Establish who will participate on the Recovery Team and include detailed descriptions of their responsibilities. Roles and responsibilities can include:
■ Life safety – first aid, protective equipment, evacuation planning, shelter-in-place planning and alert notification.

■ Incident stabilization (keep the incident from escalating, minimize its effects, and bring it under control) – include firefighting, medical treatment, containment, relocation/direction of traffic and personnel and protection (isolate the scene).

■ Damage assessment – inventory damaged property, locations and infrastructure (IT), document damage (take pictures, descriptions, and notes), assess value, determine immediate replacement options, notify crisis management team of impacted facilities and assets, contact insurance carrier, coordinate activities, and cooperate with proper authorities (consider your own internal investigation).

■ Contingency plan execution – act on the recovery strategy, perform roles related to alternative procedures and processes, restoration of basic services such as office space, power, communications (telephone, Internet, fax, etc.), IT networks and hardware, applications, data, unique assets, employees and partners, and other items, such as restroom facilities, HVAC, food and water. Communicate with larger teams and organizations, plan for restoration of normal operations and transition to such.

■ Management of recovery vendors, partners and existing supply chains.

■ Crisis communications and situational awareness.

■ Liaison with authorities, first responders and government.

Establish how your company’s critical functions will continue to operate immediately after an incident. This may include details about functioning with reduced staff, replacing compromised systems, offering partial services, relocating staff and operations, communication protocols, and mitigation or recovery procedures.

Establish how actual logistics will proceed in terms of precisely outlining and adhering to timelines, decision points and verified procedures.

Establish, in detail, the required resources needed for mitigation and recovery. Required resources vary widely by organization and function, so draw on the findings from your Critical Business Functions analysis to detail and outline them comprehensively.

Establish the procedure by which the Emergency Plan will be enacted. Who has the ability to declare the disaster or put the plan into action?

It should be noted that not every strategy is either warranted or worth the investment. A simple cost-benefit analysis should be undertaken at this stage of the planning process to ensure that any recommended element of the strategy properly fits the company’s needs and resources available.

Implementation and execution needs can now be considered, as well as whether to execute the strategy internally or work with an outside vendor. Though some companies’ disaster teams are often incredibly capable and resourceful, there are many other variables to consider that could place internal recovery plans at risk of failure. Successful companies will establish a strategic mix of internal and external capabilities to enhance both execution and resilience.

Step 5: Create a Communications Plan

When a disaster occurs, the need to communicate happens immediately. Your employees and customers will look to you for real-time information, wanting to understand how they will be impacted. No matter how robust your overall plan may be, without the ability to communicate promptly and effectively during a crisis, these plans are destined to fail.

Communication may be the most important component of your disaster plan, and both internal and external strategies are crucial. Here are some important steps to follow:

1. Assign a lead and backup communications coordinator and outline roles for each.

2. Create an internal emergency contact list with each employee’s home and cell phone numbers, business and personal email, and complete family information. Regularly update this list and make sure employees know how to access it.

3. Set up an alert notification program that is tested and updated.

4. Standard communications methods often fail during a disaster. Use multiple alternative communication methods such as text messaging, an emergency webpage, or social media, and consider a plan to redirect your phone to cell phones or an answering service.

5. Create a list of key external contacts for before, during and after a disaster. Possible contacts include: clients, vendors and suppliers, business or operational partners, media and other community resources, government disaster response entities and insurance agencies.

6. Utilize social media to post real-time updates, direct clients and employees to alternate locations, and provide emergency contact information and instructions.

7. Test your communications plan at least once a year.

Step 6: Create an Evacuation and Shelter-in-Place Plan

If a life-threatening event were to occur, orders to evacuate or shelter-in-place are issued to protect life safety. Threats to consider include building fires, severe weather events (tornado, flood, hurricane), gas leaks or other utility accidents, workplace violence, and unique threats caused by the nearby environment. Be sure to address all threats identified in your Risk Assessment.

Provisions for notifying building occupants should be established; alarms must be distinctive and recognized by all those within your place of operation. If possible, alarms should automatically notify first responders and have an auxiliary power supply as backup to power loss. They should be unique to the threat to indicate the action to be taken (either evacuation or shelter-in-place). An evacuation plan should:

■ Establish a clear, concise explanation of situations that would require an evacuation.
■ Identify a clear chain of command to authorize and issue an evacuation command.
■ Specify evacuation procedures for each defined area within the office, floor, building and complex, including primary and secondary routes and exits.
■ Include detailed, accurate maps and diagrams posted along routes (include at least two escape routes from each room, and indicate location of equipment like fire extinguishers and first-aid kits)
■ Identify an exterior assembly area (at least 100 yards away).
■ Include suitable arrangements for those with disabilities.
■ Include a means to account for all employees (and identify known absences) and known visitors.
■ Designate which, if any, employees will remain after the evacuation alarm to shut down critical operations or utilities before evacuating (employees must be trained to recognize when to abandon the operation and evacuate themselves).

A shelter-in-place plan should include:
■ Established scenarios appropriate for taking shelter (such as severe weather events, gas leaks, workplace violence).
■ Ensure shelter location is stocked with supplies (food, water, battery powered radio, first-aid kit, flashlight, batteries, and emergency contact information).
■ Ensure shelter location has the following characteristics: interior room with fewest windows and vents, room for all personnel and guests to sit (10 sf per person is recommended), access to some kind of communication device (landline preferred), and room for storage of emergency equipment and supplies.

Best practices for evacuation or shelter-in-place events include:

■ Assess the location and condition of existing signage and emergency equipment.

■ Incorporate training into employee onboarding process and employee handbooks.

■ Hold initial educational sessions to make employees aware of the most likely threats.

■ Conduct drills at least twice annually, ensuring scenarios are as realistic as possible. Drills should be conducted with notice and without to simulate unusual conditions that can occur during an actual emergency. Conduct discussions or debriefs afterwards to identify areas for improvement.

Step 7: Create or Restock Your Emergency Kit

An Office Emergency Kit should include far more than simply First Aid supplies. When disaster strikes, time is of the essence. Beyond protecting health and safety, you must consider elements needed to ensure critical functions can continue. Below you’ll find a list of items needed to care for employees, as well as those supplies required to keep your business operating:

First Aid Supplies/Kit
■ First Aid reference guide
■ Antibiotic ointment
■ Gloves/triage kit
■ Anti-inflammatory/pain meds
■ Masks
■ Eye wash/irrigation
■ Bandages/sterile gauze
■ Hand sanitizer and wipes
■ Waterproof tape
■ Emergency blanket
■ Ice packs
■ Burn gels/dressing
■ Sanitary supplies
■ Sting/bite swabs
■ Tweezers/scissors
■ Blood-stop pack

Emergency Supplies
■ Nonperishable food, minimal prep
■ Tools, gloves, protective gear, blankets
■ Water – 1 gallon per person per day
■ Battery powered radio/NOAA weather
■ Flashlight, lanterns, extra batteries
■ Battery backup, solar and crank chargers

Protecting Continuity of Critical Functions
■ Cash/paper checks
■ Login and password credentials
■ Your Recovery Plan
■ Building access keys
■ Important documents
■ Emergency contact list copies
■ Letterhead, envelopes, office supplies
■ Cleaning supplies
■ Application software
■ Basic tools

Nice-to-Haves
■ 2-Way radios or satellite phone
■ Emergency fuel supply

Step 8: Back Up Your Data

When a disaster occurs, you need critical systems and applications back up and running as quickly as possible. Your employees and customers depend on these critical systems to be available for the company to operate. It is important to note that disasters related to your IT systems can range from a single corrupted file that could take down your email system, to having your servers destroyed in a natural disaster. Every disaster is different and it is important to have flexible backup systems in place that can react to your specific situation.

Everyone in your company would agree that backing up your data is essential. Here are some guidelines to ensure effective restoration.

■ Employ a hybrid-cloud backup system which allows for quick restoration of data in the event of a localized failure. It allows for offsite cloud recovery scenarios in the event that a local datacenter has been rendered unusable. It also replicates data offsite for long-term retention to meet audit requirements.

■ Back up your data as often as possible, with critical systems backed up at least once per hour. A customized schedule for each server should be developed and maintained.

■ Specific resources should be in place for managing the backup process. If your company isn’t large enough to have dedicated resources, consider partnering with a company that focuses on Disaster Recovery and Business Continuity.

■ Document the backup recovery process for each server. Understand which servers need to come up in a disaster to meet certain business requirements and understand in which order they should be recovered. Record which servers are backed up and at what interval so there isn’t any misunderstanding about protection levels, retention periods, etc. Documentation should be stored in a location where anyone on the recovery team has access to it.

■ Smaller companies may want to consider purchasing an external drive and copying all company information to it. Store it in a safe location, such as a waterproof safe or an offsite location.

■ Test your backups regularly in different scenarios using your server and cloud backup.

■ Make sure more than one person knows how to access your data and make sure they are trained and up to speed on the recovery strategy.
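
The backup record and recovery order called for in these guidelines can be kept in a form a script can check. The following is an added example, not part of the original article: the server names, field names, dependencies and intervals are constructed for illustration, and the 60-minute limit encodes the guideline that critical systems be backed up at least once per hour.

```python
import heapq

# Constructed sample inventory: server names, intervals and dependencies are
# hypothetical. interval_min=None means no backup interval is on record.
INVENTORY = [
    {"server": "dc01",   "critical": True,  "interval_min": 60,   "depends_on": []},
    {"server": "db01",   "critical": True,  "interval_min": 240,  "depends_on": ["dc01"]},
    {"server": "app01",  "critical": True,  "interval_min": 30,   "depends_on": ["db01", "dc01"]},
    {"server": "mail01", "critical": True,  "interval_min": None, "depends_on": ["dc01"]},
    {"server": "wiki01", "critical": False, "interval_min": 1440, "depends_on": ["db01"]},
]

CRITICAL_MAX_INTERVAL_MIN = 60  # the guide's "at least once per hour"


def schedule_findings(inventory, limit=CRITICAL_MAX_INTERVAL_MIN):
    """Return (server, problem) pairs for gaps in the documented schedule."""
    findings = []
    for entry in inventory:
        interval = entry["interval_min"]
        if interval is None:
            # Undocumented protection level: nobody can say what is recoverable.
            findings.append((entry["server"], "no backup interval recorded"))
        elif entry["critical"] and interval > limit:
            findings.append(
                (entry["server"],
                 f"critical but backed up every {interval} min (limit {limit})")
            )
    return findings


def recovery_order(inventory):
    """Order servers so each comes up after everything it depends on.

    Kahn's algorithm. Among servers that are ready at the same time,
    critical ones are restored first, then by name for a stable result.
    """
    by_name = {e["server"]: e for e in inventory}
    dependents = {name: [] for name in by_name}
    waiting_on = {}
    for name, entry in by_name.items():
        deps = set(entry["depends_on"])
        for dep in deps:
            if dep not in by_name:
                raise ValueError(f"{name} depends on undocumented server {dep}")
            dependents[dep].append(name)
        waiting_on[name] = len(deps)

    # Heap key: (False, name) sorts before (True, name), so critical goes first.
    ready = [(not by_name[n]["critical"], n) for n, c in waiting_on.items() if c == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            waiting_on[child] -= 1
            if waiting_on[child] == 0:
                heapq.heappush(ready, (not by_name[child]["critical"], child))

    if len(order) != len(by_name):
        stuck = sorted(set(by_name) - set(order))
        raise ValueError(f"circular dependency among: {', '.join(stuck)}")
    return order


if __name__ == "__main__":
    for server, problem in schedule_findings(INVENTORY):
        print(f"FINDING {server}: {problem}")
    print("Recovery order:", " -> ".join(recovery_order(INVENTORY)))
```

A circular or undocumented dependency raises an error instead of producing an order, which is the point at which the written recovery documentation needs correcting.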

Step 9: Prepare Your Employees

Help your employees feel safe and prepared for a disaster. Develop a plan and let employees know about it via email, workplace trainings, and postings throughout your building. Practice the plan and hold an unscheduled drill so that employees understand how to implement your plan.

At-home personal preparedness is also important. If an employee is ill-prepared for a home disaster and can’t report to work, your company suffers. Notify your employees ahead of forecasted weather events and make sure they stay informed about other potential risks to their home. You should also encourage your employees to take the following steps in their homes and with their families.

■ Create an evacuation or shelter-in-place plan and know where to go if their family gets separated.
■ Maintain a home emergency kit at all times.
■ Store critical documents somewhere safe and accessible and store duplicate copies in a separate location.
■ Practice evacuation routes and how to get out of the house from a variety of exits.
■ Develop a communication plan to remain in touch with family members during a crisis.
■ Be familiar with local warning systems and emergency plans.

The most effective way to generate employee buy-in is to build a culture of preparedness in the workplace and make preparedness fun. Lead by example and share your own personal preparedness plans, and consider hosting contests and offering incentives for participation.

Step 10: Plan for a Power Outage

Power loss is the number one interruption to which Agility responds. In fact, nearly 70 percent of all businesses in the US will lose power sometime in the next 12 months. Since every company has different power needs, it is important to know and understand your risk as well as your building’s power requirements.

Mitigate the risk by backing up your data regularly and installing at least one landline telephone. Obtain and test uninterruptible power supply (UPS) devices and surge protectors. Install and regularly test and maintain an onsite generator, and develop a work-from-home procedure.

Consider preparation for mobile generator recovery and know your power requirements ahead of time. Assess the impact of loss of power on your operations. Know how long you can last without power and establish your strategy accordingly. Determine your company’s power needs in advance.

■ Know what phase your electrical service is (single or three phase).
■ What is your voltage service? (208v, 240v or 480v?)
■ Is your power requirement for a Wye or Delta generator?
■ How many amps do you need to power key systems? (Determine the peak amperage draw over the past 12-24 months.)
■ What size generator will be required?
■ Determine whether your building has a power transfer switch.

Step 11: Find an Alternative Place to Work

The best recovery comes from the best preparations. Now is the time to think about where you might temporarily set up or permanently relocate if your place of business becomes nonoperational. Your relocation plan should be clear so that when the time comes, you can simply tell your team to activate it. Strategies may involve third party contracts, partnerships or reciprocal agreements, or displacing other activities within the organization. Make sure your strategies include multiple means of recovery with tiered or phased recovery implementation.

Suggested recovery site options include:
1. Primary site: use of unoccupied space or common areas for displaced employees in a minimally affected situation.
2. Alternate internal: site owned by your company unaffected by the event.
3. Reciprocal: client, vendor or partner site accessed through formal agreement.
4. Hot site: vendor-provided site with shared recovery capability but ready for immediate occupancy. This could be a shared or dedicated access location.
5. Warm site: vendor-provided site with shared capability requiring some preparation.
6. Cold site: readily accessible location requiring full provisioning for recovery.
7. Mobile: fully functional office deployed anywhere, independent of terrestrial infrastructure.

Important considerations should include: facility type, location and accessibility, recovery timeframe, cost, availability and reliability of vendor facility, impact to employees, customers and vendors, access to transportation networks or basic services, duration of typical recovery, uplift or buildout requirements, ancillary costs (connectivity, lodging, travel, etc.) and whether or not you need guaranteed or dedicated space.

Step 12: Test Your Plan

Testing your disaster recovery plan is not only an essential part of planning, but a step that could mean the difference between giving in to a crisis and surviving one. This is the culmination of your planning process and allows a thorough assessment of both mitigation procedures and recovery strategies. A good test will:

■ Feature realistic scenarios based on identified risks to your organization.
■ Meet compliance or regulatory requirements.
■ Increase employee, management and community confidence in the plan; this includes setting realistic expectations for response team members.
■ Expose holes, gaps, misperceptions, or other potential failures of the plan.
■ Be conducted both with and without notice.
■ Improve your overall readiness.

When you’re running a test, make sure to take notes during the exercise. What was the task or issue? When was it started or identified? Was it resolved? How? What problems arose? Review the findings with participants and then update and distribute your written plan, making sure to write down notes for consideration on your next test.

Business continuity planning is an ongoing process, and testing is a critical step in continually assessing and improving the strategy as your company grows and evolves. Your testing process should run in a continual loop: test-feedback-improve. Remember, a successful test is not necessarily one that runs flawlessly, but an exercise that allows you to identify failures and therefore improve your plan and increase your ability to serve customers after a disaster.

FRM

Agility Recovery began as a division of General Electric nearly 30 years ago recovering internal operations. They quickly realized many other organizations needed a dedicated team of experts to efficiently recover from business interruptions and expanded from serving exclusively large organizations to become the dedicated team of recovery experts for organizations of all sizes in nearly every industry in the US and Canada. Agility’s technology, capabilities, and processes have evolved significantly in the last three decades, and they continue to innovate as the risks your company faces change and intensify. Agility Recovery will always maintain an unwavering commitment to protect your company's mission and organization. Visit www.agilityrecovery.com or call 866-364-9696 for more information.

