Lessons from 2017: Disaster Recovery and Business Continuity Planning
With hurricanes, floods, wildfires and other natural disasters, the past year has offered plenty of lessons about the importance of being prepared for unexpected business disruptions.
Despite frequent reminders, many businesses remain unprepared for the unexpected. According to one major insurance company, 40 percent of businesses that don’t have a disaster plan go out of business after a major loss such as a fire, break-in or storm.
For contractors and other construction-related businesses, disaster planning and preparation can be particularly challenging. You must consider not only your own facilities – trailers, shops, offices and IT systems – but also worksites where you share responsibility.
It’s impossible to prepare for every type of business disruption. But it’s important to have an effective disaster recovery and business continuity plan in place to help you minimize the financial damage and get back to business quickly.
There may also be legal reasons for developing such a plan. In many cases, a disaster recovery plan is required by a statute, contract or common law.
Identify the Risks and Their Effects
To develop or evaluate your disaster recovery or business continuity plans, begin with a business impact analysis to identify the risks your company might encounter. These can include natural disasters, accidents, power outages, equipment or system failures, work stoppages, and so forth.
Next, identify your critical business operations and systems and quantify the potential effect that each of these disruptions would have on them. Your goal is to develop a matrix that compares both the likelihood of certain events occurring and the amount of damage each event could cause.
Choose Your Strategies
Once your risks have been identified and prioritized, you’re ready to choose from among the four traditional strategies for managing risk: avoid it, reduce it, transfer it or accept it.
In the case of natural disasters and similar threats, avoiding the risk altogether is generally not possible since it would probably require either moving or closing down completely. Accepting the risk is viable only for risks that are either highly unlikely (like a meteor strike) or relatively easy to recover from (like a traffic jam or minor rainstorm).
This leaves the remaining two strategies – reducing the risk through planning and preparation, or transferring some of the risk by insuring against damage or losses. For most threats, your strategy will be a combination of these two approaches, with a heavy emphasis on reducing the risk.
Protect People, Equipment, and Data
With the strategies confirmed, it’s time to examine your emergency procedures and identify the personnel and other resources you would need to restore critical systems. This can provide you with a list of action steps for launching or improving your recovery plan. (See “Disaster Recovery Plan Basics” below for more details.)
Your objective is to protect three critical elements of your business:
1. Your people – This should be your highest priority. Much of your recovery plan will focus on keeping your employees safe, informed and prepared. Recognizing this, some contractors have begun providing all employees with emergency supply kits to keep in their cars.
2. Your equipment – This represents a sizable investment in most construction businesses. Review insurance binders and policy details on a regular basis (at least annually) to be sure they are up to date and reflect all current inventory.
3. Your business data – This is especially critical in today’s technology-driven construction industry. Bear in mind that natural disasters are only one category of risk that must be addressed. The loss of financial or project data due to power outages, system failures, viruses or cyber attacks can be almost as devastating as a physical loss.
As more companies move their data stores and operating systems onto cloud servers, their vulnerability to a complete loss of data can be reduced. But moving to the cloud alone is not a panacea.
Work with your IT professionals to be sure you can access your backup systems and data quickly. The point is not only to preserve your data, but also to minimize the amount of time your business is down due to lack of data access.
Consult Experts for Help
When developing or upgrading your disaster recovery plans, it’s important to work closely with those who have expertise. This includes your in-house IT team as well as IT consultants and specialized cybersecurity consultants.
Also, talk to your insurance providers to obtain loss prevention expertise. After all, they have a vested interest in helping you minimize losses. They also can help you choose which risks you can insure against most cost-effectively.
Be sure you are clear about policy terms and coverages. After Hurricane Harvey, many Houston-area businesses sustained no significant physical damage but were unable to operate because they were cut off by floodwaters. Unfortunately, some owners discovered too late that their business interruption insurance policies covered only losses stemming from actual physical damage to their premises – lack of access to the premises was not covered.
Many contracting businesses choose to work with professional disaster planning consultants to develop their recovery plans. While no one can prevent a disaster or foresee every possible risk, objective and experienced professionals can help your business plan for survival.
Disaster Recovery Plan Basics
In the short term, a disaster recovery plan must identify and organize the individuals responsible for getting key business functions and systems operating again. Over the longer term, it must outline how you will return your company to its original capabilities.
Much of the emphasis in a disaster recovery plan involves designating teams to manage the various aspects of the effort to protect life and property and restore business operations. For example, your plan should spell out who will:
• Notify employees not to report for work or to report to different locations.
• See that critical data is retrieved from the cloud or an offsite backup.
• Communicate with clients and property owners during a crisis.
• Communicate with government officials and news media if necessary.
A disaster recovery plan should also include advance arrangements for a backup office location and secure offsite storage of paper documents such as employee records, contracts, financial and insurance records, and permits.
Even when your disaster recovery plan is updated and complete, you should review and revise it regularly. Performing an annual review is a good benchmark.