Printed from BusinessInsurance.com

Continuity plans key to business survival after disaster

Posted On: Jan. 21, 2007 12:00 AM CST

No matter how the steps involved in creating a business continuity plan are described, the plan's objective remains starkly simple.

In fact, as Charles Brandt, risk control consultant in the Plymouth Meeting, Pa., office of Glen Allen, Va.-based Hilb Rogal & Hobbs Co., put it: "Survival is the objective."

"It's all about keeping the business going," said John Phelps, director-risk management for Blue Cross & Blue Shield of Florida in Jacksonville. The key is to get critical functions up and running as soon as possible, he said.

After an event happens, an entity is in the emergency phase, said Mr. Phelps. "This often determines whether the company will be in business after six months."

"That's where the event controls you, you don't control the event," he added.

The "heart and soul of our emergency response is to take us from the emergency phase into the stabilization" phase when business continuity plans can take over, Mr. Phelps said.

Plans can differ in complexity, and in who is involved in drafting the plan and at which stage, say experts. But the development of a business continuity plan follows a progression even though the names given to its elements may differ.

"Every company has a different need, so their perspectives are different," said Matt Kelly, president of HRH Risk Mitigation Inc., in HRH's Plymouth Meeting, Pa., office. "You get different terms, but at the core everybody should be on the same page about the fundamentals."

Planning strategies

Business continuity planning consists of three phases--preplanning, planning and post-planning, he said.

In the first phase, "establishing a management commitment" is important, said Mr. Brandt, who said the effort involves starting the project, establishing a budget and performing a risk analysis.

"Management support is an essential ingredient," said Michael Rodman, a principal with Albert Risk Management Consultants in Needham, Mass. "It takes quite an investment of time to do this--not just to plan it, but to exercise it later."

"There should be a champion" within the organization or outside it, said Steven J. Ross, director and national leader of Deloitte & Touche L.L.P.'s business continuity practice in New York. But basically, it falls to the chief risk officer, particularly in banking and finance, he added. In addition, the chief financial officer and chief operations officer by "definition own much of it," he said.

Every business function "needs to take ownership" of what the people involved would do during a disruption, he said. The business function needs to understand what is critical, which people are critical and what resources are needed to perform the function.

"The objective of risk analysis is to identify the probability and identify existing controls to prevent loss," said HRH's Mr. Brandt. "Once you do that, you complete a business impact analysis. That ties into the risk analysis. It quantifies your risk and your threats based on how those threats may impact your bottom line."

Mr. Kelly said the process is "almost like risk mapping," trying to lay out and quantify risks. "It's important to the board members and other management that the team brings to them something that is tangible."

Assessment is critical, Mr. Rodman said. "It's really crucial that the functions of the organization be completely understood. It's essential to know how the company operates in great detail to make sure that something that could be key won't be missed."

Companies need to plan for situations such as an inaccessible location and ways to continue key administrative functions, said Mr. Rodman. Perhaps the most important is payroll, he said. "In some fashion, be prepared to make sure the employees are continuing to be paid."

Without risk analysis and a business impact analysis, there's no way to put people in a room and devise a plan, said Mr. Brandt, who added that too many people try to go into the planning phase without performing preplanning. "They have no idea where to begin," he said.

In the pre-event stage, an entity can plan and put resources in place because "you have the luxury of being able to work without having an adverse effect breathing down your neck," said the Florida Blues' Mr. Phelps.

The Florida Blues have plans for dealing with events such as hurricanes, power outages, water problems and anthrax, said Mr. Phelps. The organization also has an aircraft disaster response plan.

"We first determined what our critical functions were--identified all the business processes in the company--and then evaluated them using enterprise risk management format using a scale of 1 to 10," said Mr. Phelps.

In the planning phase, the first thing is to examine existing emergency procedures--primarily life safety--such as emergency evacuation plans, said Mr. Brandt. Then, planners should proceed into strategy development and writing the business continuity process. "It's dynamic--you're implementing as you go along."

Documenting strategy

In the post-planning stage, the team rolls out the document and explains it to the staff. "This is what we have and why we have it," Mr. Brandt said.

"In the old days, we thought just about disaster recovery--it started and ended with the risk manager--but it really is essential that department heads and key personnel throughout the entire organization be involved in this process," said Albert Risk Management's Mr. Rodman.

When the plan is developed, it must be in both hard-copy form and electronic written form so it can be communicated readily, he said. The document can be used as a training tool and be distributed so that the key people who have active roles in the recovery process have the plan available to them wherever they are, he said.

Once a plan's in place, it must be tested, noted several experts. An example of a test is a tabletop exercise that simulates an outage for the information technology department, said HRH's Mr. Brandt. This involves going through the procedures and walking through the methodologies, although not in real time, said Mr. Brandt.

Working out kinks

The importance of testing cannot be overstated, said John Copenhaver, president and chief executive officer of Disaster Recovery Institute International, a Washington-based nonprofit organization that administers educational and certification programs for people engaged in business continuity planning and management.

With the plan drawn up, then "comes a very critical component part"--a description of how the plan should be tested and maintained, said Mr. Copenhaver. That helps assure that "whatever bugs exist in the plan are found in advance of actually having to execute the plan in difficult circumstances." Doing so can range from "relatively painless" tabletop exercises all the way up to a full-scale drill, which is very time-consuming to prepare, more disruptive and more expensive, he said. Nonetheless, a full-scale drill is "a better diagnostic tool because you get to see" what people would do in a real-life situation.

"Pretty clearly, you want to use some mix of tabletop exercises, simulations and full-scale drills," said Mr. Copenhaver, a former regional director for the Federal Emergency Management Agency. "We recommend some exercise at least twice a year, and after any significant change in the entity structure" that includes mergers, acquisitions and significant personnel changes, he added.

Plan importance

Some entities, such as the Florida Blues, have had business continuity plans in place for years. Mr. Phelps noted that the Blues' planning came in response to the perceived disruptions many feared would occur from the so-called Y2K computer glitch that was supposed to hamper information technology on Jan. 1, 2000. The disruption never happened, but the business continuity planning that arose from it has continued to grow more comprehensive, he noted.

Nevertheless, Albert Risk Management's Mr. Rodman said U.S. companies still seem to lag their overseas counterparts in crafting such plans.

"There's still a tremendous need for both middle size and larger companies to do business continuity planning," said Mr. Rodman. Many companies are "much more absorbed" with issues such as meeting financial reporting requirements under the Sarbanes-Oxley Act than they are with business continuity, he said.

"There's a lot of work to be done in this area. I can't think of a company of any size that shouldn't have a plan in place," Mr. Rodman said.