Natural disasters like fires, floods and hurricanes happen across the country on a frighteningly regular basis. Security and data breaches are commonplace in today’s society.
Most businesses will experience an operational failure (such as human error or equipment failure) at least once. Given the frequency and severity of recent disasters, preparedness is a hot topic.
Many times the impacts on human life, privacy and property take center stage when talking about these disasters. But what about the enterprise impacts of a disaster? A breakdown in business communications or technology can impact any organization—large or small.
As a CIO, it’s important to prepare for social engineering attacks and IT failures. You can also start thinking about what you will do to keep your business afloat in the event of any kind of disaster. Considering your threats and putting together a disaster preparedness plan for business can be effective to mitigate potential losses.
How to Create a Disaster Preparedness Plan for Business
Disasters can impact profitability, reputation, infrastructure and even result in the failure of an enterprise. In fact, 40% of small businesses fail to reopen after a major disaster. For large companies, disruptions in communications can mean a loss of revenue, vendor complications or data loss.
In fact, the Ponemon Institute reports that in 2016 the average cost of unplanned downtime as a result of a data breach was $8,850 per minute. That number has likely gone up. You can check your estimate with IBM’s data breach cost calculator.
The best way to lessen the effects of a disaster is to have a plan locked in place that every level of the company understands. Would business functions be able to remain at least partially operational if the power went out? Do you have all important digital information backed up in the cloud? These are just some of the important questions to consider.
Here we’ll explore ways you can prepare your IT team and, in turn, your entire company for an emergency situation.
Assess Potential Threats to Operations
Every business has different threats depending on location, size and industry. Threats can include natural disasters (like tornadoes or floods).
Cyber attacks, data breaches, equipment malfunctions and server failure are common as well. As a CIO, it’s important to focus on the technological threats that could impact the success of your company.
For example, a snowstorm can knock out power for days. A flood can disrupt transportation and equipment. A cyber-attack can leave critical information vulnerable.
If there are industry-specific threats to information or technology your company is dependent upon, you should identify them.
There is a wide range of potential disasters that could paralyze your business. Each will pose a different level of risk to the company. You will need to determine which threats are most plausible, which will have the greatest impact and how you will tackle them should they occur.
Analyze the Technological Impact of a Disaster
Once you’ve identified the most plausible emergency threats, think about what technological functions could be disrupted by each disaster. Every industry and disaster will have its own ramifications. It’s important to know which are the most likely to occur so that you can plan. Technical impacts and possible solutions are below.
Loss of Data and Records
Losing data and records, especially if they are confidential, can be devastating for an organization. It can set back productivity, cause you to lose customers and cause many other expensive setbacks.
One way to mitigate data and records loss is to preemptively save information in the cloud. Check hard infrastructure and determine if any can be eliminated by transitioning them to the cloud.
You can often buy infrastructure (IaaS), platforms (PaaS) or unified communications (UCaaS) as a service. With these business models, the business’s infrastructure is already backed up. This software retains copies in many cloud locations.
Loss of Physical Assets
Physical losses to an organization can include loss of equipment, physical documents, licenses and more. An organization must try to prevent the loss of physical assets by developing a disaster plan ahead of time.
As with data and records, many physical documents can be scanned and uploaded to the cloud to prevent loss. You can also make physical copies of these assets to store offsite at another location.
For other physical assets, make a list of all items the organization can’t operate without. This can include computers, contact directories, office equipment and office space. Include any serial numbers and the cost of these items. These can be helpful when filing an insurance claim.
If loss or damage does occur, minimize theft or fraud by limiting access to valuable resources and documents. Contact the police and your insurance agent to file reports. Communicate to staff, stakeholders and donors on how this loss will affect them and their work. Then, transition to alternative facilities, equipment or office space to continue operations.
Loss of Facilities
Loss of facilities can halt production and cause major losses. To prevent this, arrange alternate facilities ahead of time to make a change of location run smoothly. Assess alternate sites and decide which is the most appropriate. Keep in mind that this may mean allowing employees to work remotely from their homes.
In the event of a disaster, move any undamaged equipment and ensure there is an internet connection at the new facilities. Transfer any digital files onto any new or leased equipment and try to resume operations.
Be sure to remember to maintain payroll operations and communicate clearly with all staff. Let them know where they are able to move and when they should do so.
A Breakdown in Communications
A breakdown in communications means internal communications may become unavailable. External communications could be interrupted as well. Whether it’s a phone line down or a loss of your network, loss of communications can be disastrous.
Before a breakdown in communications happens, you should obtain and maintain key contact information for all employees, customers, vendors and stakeholders. Keep a physical copy of these onsite, offsite and in the cloud. Identify possible alternative methods of communication. This can include phone, email, social media or meeting arrangements.
It’s helpful to create a crisis communication plan. This includes a communications coordinator, message templates and procedures. Communication during a crisis can be very difficult, so it’s best to know your procedures beforehand.
When the event occurs, arrange alternate communication strategies. In the event of a power outage or internet failure, you will need to choose the most appropriate method to get your message out to all key personnel.
You may need to use a phone tree to share urgent messages with key employees. This can be effective to get important messages out to the entire organization quickly. If cell service is working, use it to send out a mass email or text message. If you have access to your company’s website, distribute a message on the main page to customers and vendors.
Interruptions in Supply Chains
If supply chains are disrupted, the result can be unsatisfied customers, damage to your company’s reputation and eventually loss of revenue. It’s also possible you can incur penalty payments for contractual non-performance clauses.
Before an incident occurs, identify actions you can take to shorten the duration of the disruption. This can include alternate communications. Determine any human or technological resources that can be used to pivot operations ahead of time. It can be helpful to diversify markets and suppliers ahead of time.
Decide what will trigger the pivot to your alternative means of communications, markets or suppliers. For example, once you lose a certain amount of revenue or customers you will implement the plan.
Loss of Revenue and Customers
The bottom line when it comes to technological impacts of a disaster is loss of revenue and customers. The best way to limit these losses is by maintaining operations as efficiently as possible and communicating clearly.
Keep customers and employees informed. Update them early and often about problems, loss of data or interruptions in service. Use any technological resources available to communicate. This can include your company’s website, email, social media or internal messaging software.
It is helpful to create a company-wide business impact analysis (BIA). This helps the business lines supported by IT identify the true impact of an outage event. This can include lost revenue, productivity or delayed sales or income. It can also include increased expenses such as overtime labor, outsourcing costs or expediting fees. Consider any regulatory fines, contractual penalties, damaged customer relationships and more.
Create a spreadsheet of potential risks as well as the impact they could have on the company. Rank them by likelihood and severity. Then concoct an action plan for the situations that will have the most likely and severe impacts on business continuity. This helps with prioritization and resource allocation later on.
Develop an Emergency Action Strategy
You’ve identified what emergencies threaten your business and the potential impact of those threats. Now you can put it all together to create an emergency action plan. There will be critical moments after a disaster occurs. Your priority should always be the protection of human life and then the preservation of your business. After that, you will need to focus on business continuity.
Here are some basic steps to create an emergency action plan. Keep in mind yours may be more or less intricate depending on your business needs.
Identify Emergency Response Objectives
The needs of your action plan will vary based on your industry, size, location and the highest priority risks to the company. Here you can explore what main objectives need to be completed and in what order.
As stated earlier, making sure employees are safe should be the first objective. Next, you will need to determine in what order the following objectives should take place.
Legal requirements or interaction with law enforcement may be necessary. It can be helpful to communicate with the appropriate teams to ensure your disaster preparedness plan for business is ready to go.
Assemble a Written Disaster Preparedness Handbook
Since disasters are unpredictable, it’s very important to make sure the plan does not hinge on one person or department. You never know who will be available to communicate plans when disaster strikes.
For this reason, it’s important to write the plan down and ensure it’s available to all personnel at all times. To be effective, the plan should be actionable, well-organized and detailed. A great example is FEMA’s emergency action plan template which you can use as a guideline.
Discuss Your Emergency Response Plan With Your Team
Having the plan written down is a great starting point. But for it to be truly effective, your plan needs to be understood by all employees involved.
Make sure you discuss the plan with the entire department. Those on the ground floor are best equipped to understand how a response plan will play out in actuality. They should also be able to spot holes in the plan and give input on a micro level.
Your team should convene regularly to determine how the group will function in a crisis. Decide what methods of communication you all will use and alternatives to those methods.
You should decide what constitutes a crisis and what will prompt your plan to take action. Each person should have a backup or alternate capable of representing their area.
Ensure the company, as a whole, develops and trains a Crisis Management Team (CMT) whose members each have primary responsibilities. Core members should be people familiar with technology, facilities, safety, HR, legal and compliance, sales, marketing, business operations and customer service.
Run Response Simulations
It’s best to conduct live-action response drills annually for each of the highest-risk emergency situations in your handbook. After each drill, meet with those involved to discuss challenges. Discuss any miscommunications or any potential changes to the plan.
Create a Plan to Get Back on Track
Once you’ve created an emergency action plan, think about what your company will need to do to get things back up and running.
Consider what systems will need to be put in place to continue operations. Perhaps employees can work remotely from data you have saved to the cloud. Maybe you will need to buy or lease new equipment and facilities.
You may need to alert the public. This Emergency Preparedness Social Media Toolkit from Ready.gov has some great templates, graphics and outreach materials you can use as a guide. If you have an airtight plan in place, your IT department can be back up and running as soon as possible.
Remember — disaster response is only as strong as its communications system. Business priorities in a disaster are always going to include communicating with customers, communicating to the market and communicating with each other.
It’s important that the communications system functions in a disaster more or less how it would under normal circumstances. Those displaced by the event should be able to use communications from their home or temporary locations as if they were sitting at a desk or in an office.
A CIO should be vigilant about disaster preparedness. Any event or disturbance that can impact the productivity of the enterprise should be considered and planned for.
The process of analyzing possible threats and preparing for them can be daunting. But having a plan in place can ensure your business experiences minimal losses should a disaster occur. You can never be too ready for an emergency!