Though most businesses agree emergency preparedness is
important, too few are taking necessary steps to prepare. According
to a recent survey of small businesses conducted by the Ad Council,
"92% of respondents said it was very important or somewhat
important for businesses to take steps to prepare for a
catastrophic disaster; but only 39% said their company had a plan
in place."
Numerous regulations require executives and companies to
exercise due diligence when it comes to emergency preparedness and
business continuity planning (BCP). Yet, it is a sad statistic that
the majority of businesses still do not have a viable Disaster
Recovery (DR) plan, including critical business functions, and most
businesses that fully lose their facility and data will not recover
and go out of business.
"Over 40 percent of all companies that experience a
disaster never reopen, and over 25 percent of the remaining
companies close within two years." -- U.S. Department of
Labor.
Businesses that recover quickly from a major disaster are those
that plan in advance. This involves purchasing the right insurance,
but also developing and maintaining an adequate recovery plan.
"That's something Joe Bogner of Dodge City, KS, learned
first-hand. Bogner owns Western Beverage, Inc., an alcoholic
beverage distributing company serving 29 counties in western
Kansas. In 2002, Western Beverage sustained millions of dollars in
fire damage. Yet the company resumed deliveries after just three
days. Bogner was named the Kansas Small Business Person of the Year
for 2006, partially because of his company's ability to respond to
adversity." As reported by the SBA Small Business Resource, Summer
2006 issue.
"93% of companies that lost their data center for 10
days or more due to a disaster, filed for bankruptcy within one
year of the disaster." -- National Archives and Records
Administration.
Elements of a good disaster plan
What does a good business continuity plan look like? It involves
identifying critical business functions and the
resources needed to maintain an acceptable level of business,
protecting those resources and identifying
alternatives. Critical business functions are those
functions that, if not performed, either impact revenue, have legal
ramifications, are mandated by regulatory agencies, and/or severely
impact customer service. This is an outline from the National Fire
Protection Association "NFPA 1600 Standard on Disaster/Emergency
Management and Business Continuity Programs", which is endorsed by
FEMA;
- Program Management
- General
- Laws and Authorities
- Hazard Identification, Risk Assessment and Impact Analysis
- Hazard Mitigation
- Resource Management
- Mutual Aid
- Planning
- Direction, Control and Coordination
- Communications and Warning
- Operations and Procedures
- Logistics and Facilities
- Training
- Exercises, Evaluations and Corrective Actions
- Crisis Communications and Public Information
- Finance and Administration
The big gamble
Did you know that 1,200 tornados are reported in the U.S. each
year? That 4,000 die and 25,000 are injured in fires in the U.S.
each year? According the SBA, "The number of declared major
disasters nearly doubled in the 1990's compared to the previous
decade." "Seven out of the top ten most costly catastrophes in U.S.
history, when adjusted to constant dollars, have occurred since
9/11/01", per the III. So why do so many companies put off creating
a BCP
According to the Small Business Administration (SBA), "every
year hundreds of businesses that carry adequate insurance against
direct property losses fail because they are not insured for
indirect losses. Don't forget to protect your business against loss
of income and unusual expenses that may result if indirect losses
force you to close temporarily." "After the 9/11/01 World Trade
Center plane crashes 33% of dollars paid out for commercial claims
were for lost income and extra expense claims for getting
businesses back on track", according to the Insurance Information
Institute (III). "Since it's essential to get a business up and
running as quickly as possible after a disaster, business
interruption insurance should begin paying as quickly as possible.
Forty-eight hours is adequate; two weeks or one month is too long.
The faster a business is operating again, the better its chances of
avoiding loss of customers to competitors, maintaining relations
and discounts with suppliers, and retaining employees", per the
National Federation of Independent Business (NFIB).
Government assistance following a major disaster
The SBA is the primary source of federal funds for long term
recovery assistance for disaster victims. The SBA has low interest
disaster loans for homeowners, renters, and non-farm businesses to
cover disaster damage to real and personal property, per FEMA. To
process your disaster loan application the SBA will also need
current financial information such as a personal financial
statement, a current profit and loss statement, balance sheet and a
list of debts. The SBA tries to make a decision on each disaster
loan application within 21 days.
Wrong decisions can expose a company's directors and officers to
liability lawsuits. Many regulations and statutes establish
business continuity, within executive's purview. "Senior management
decisions don't have to cause damage for senior management to be
sued, however even if the directors and officers decisions are
exonerated, the company may still have to bear the cost of a legal
defense", according to the Disaster Recovery Journal. Due diligence
is a key element of avoiding criminal or civil charges.
- HIPAA administrative simplification regulations mandate the
development and maintenance of a BCP to recover critical functions
in the event of a disaster for every company storing or
electronically moving patient data. The Security Exchange
Commission (SEC) has asked to police HIPAA. The SEC prohibits
making false or misleading statements about internal
operations.
- Sarbanes-Oxley section 404 requires that enterprises have a
security policy and classify data for security, risk and business
impact.
- Foreign Corrupt Practices Act, section 13 (b) (2) also requires
public U.S companies to create a system of internal accounting
controls that will provide reasonable assurances that transactions
are properly authorized and protected.
- The Controller of the Currency and Federal Home Loan Bank Board
require that the banking industry have BCP's.
The bottom line
Dwight Eisenhower once said, "In preparing for battle, I have
always found that plans are useless, but planning is
indispensable." All executives, like any good battle commander,
should already understand this principle. Be sure your company is
ready for a disaster by annually reviewing your insurance coverage
and updating and testing your BCP. Give us a call; we would be glad
to help.
To schedule a BCP review of your company, please contact:
918-971-1999 or 888-972-1999
salesteam(at)stonehenge.org