Business Recovery Will Your Plan Work?

Research suggests that about 60% of North American businesses with a recovery plan have never tested them. Furthermore, trials conducted in the U.S. show that a full half of all plans failed when tested. If the test reveals a flaw in the recovery plan, it is possible to fix the plan. If the failure is revealed after a loss, however, it is a different story.

One would think that an executive team would ensure that they had not only an IT recovery plan, but also a business recovery plan in place, especially with the recent world events. Shockingly, only 15% of companies have a business recovery plan that encompasses not only IT but the business issues as well. The world continues to watch and read about the fallout from the terrorist attacks in the U.S. The good news is that many of the companies, human loss not withstanding, will survive the devastation reasonably well. The earlier attacks on the World Trade Center (WTC) in 1993, combined with the preparations made for the Y2K, helped spur many businesses into action.

Rethinking web use

At the least, most had a workable IT plan. Many had a full plan that dealt with more than just the IT issues. All are now reviewing and rewriting their plans to cover the areas that they missed. The Internet is one example of mistakes that were made. With families, friends and the world desperate for information websites could not handle the traffic. Companies should now know, in the event of a significant disaster, websites need to go into emergency mode, functioning in text only to reduce bandwidth, and increase capacity on the server by restricting graphics, and sound. The importance of remote servers and alternative webmasters cannot be overlooked. At least one company in the WTC had their back up providers in the next tower — a serious mistake on the part of their risk managers.

The broad issues concerning business recovery planning are still vague in the minds of many executives. Often organizations have left recovery planning to the IT professionals and that is a huge mistake. IT teams are frequently far removed from the financial facts that face their company. What they think is a reasonable solution can be financially unacceptable to other stakeholders.

Stress factor

Any catastrophic event, whether it affects only one business or hundreds, places key decision makers under significant emotional stress. Emotional decisions do an enormous amount of damage to businesses. I doubt that there is even one CEO who could say he was thinking rationally during the events of September 11. Yet, because many organizations fail to plan for disasters man-made or otherwise, many of the business decisions made around the world on that fateful day were based on emotion rather than good business sense. A Business Recovery Plan has three critical parts:

IT — more than 300 companies offer a plethora of solutions. “Hot sites”, “cold sites”, Internet duplicating, you name it, there are dozens of solutions available. The IT component must address hardware issues, software, and most importantly data issues. Unless it has been tested and proven to work, all of this and the money an organization spends is useless. Apparently 50% of all plans will fail if not tested. So, why do so many gamble?

Human Resource — dealing with a reluctant workforce. Afraid to go to work, unwilling to sell their souls to the company, many workers are feeling enormous stress and companies need to be able to respond. Counseling services, disability packages, work at home strategies, and compensation all need to be re-addressed once a workforce has been traumatized. The events may not be as dramatic as a terrorist attack, but even the death or suicide of a key member of the company can send productivity into a tailspin.

Business Recovery — what is the right thing for your business? We think about key areas everyday but almost instantly send them to the backburner when we have a disaster. How will we meet the needs of our customers? Where will we relocate? Who in our firm is the best to manage the press? What message do we want to send into the world? Who do we need to take care of first?

Focusing attention

Please note that emergency egress and the immediate actions are not necessarily considered part of business recovery planning. In most jurisdictions the government regulates emergency egress and an individual with each company is charged with implementing the emergency procedures of evacuation and re-assembly in an alternate location. Certainly in the U.S., building a thorough recovery plan has been heightened as a result of the events of last year. Canada on the other hand has not been moved to action as quickly. Risk managers, brokers, business owners seem to think we are immune to disasters. However, one quick look at natural disaster frequency and severity should help focus a risk-manager’s thinking.

Risk managers can provide leadership in this critical area of recovery planning. Many have begun the task. Few have finished. While there are hundreds of IT solutions to choose from, there are very few business recovery plans available to risk managers to help them with the fifteen other key issues. The reason many companies fail to prepare is that the time it takes to do a proper plan takes away from profit making activity. There is always something more pressing and resources are stretched to the limit. When proposing a recovery plan the risk manager needs to emphasize the vital urgency in creating a plan.

Just like the urge to buy insurance increases dramatically as soon as the need is fully realized, a business recovery plan is a matter of corporate survival. If you want your business to survive, drafting a survival plan must move to the top of your “to do” list — today!