When considering natural disasters, what are the biggest risks to organizations?
KASTENSCHMIDT Unlike events that impact only the organization, natural disasters can affect an entire local area or even a region. As a result, natural disasters have the potential to impact a large portion of the organization's staff, making them unavailable to participate in the recovery effort. Such events also often impact the organization's vendors, business partners, customers, etc. — all of which are factors that may significantly increase the impact of a business disruption event and the nature of the required response.
WALCH Generally speaking, the biggest natural disaster risks in the U.S. are tornadoes, hurricanes, and floods. While the U.S. hasn't seen a significant earthquake in many years, Ecuador, Italy, and Taiwan all experienced catastrophic earthquakes resulting in major loss of life and business disruptions with global impact. No matter the form of the natural disaster, they all pose possible major disruption to employee health, safety, and housing — not to mention disruption to business partners and supply chain participants.
What are the greatest risks to organizations of prolonged downtime?
WALCH Disruption of normal operations due to prolonged downtime can slow communications, ultimately resulting in brand and reputation damage that leads to customer loss, C-suite and board involvement, negative media coverage, and shareholder value loss.
KASTENSCHMIDT Being unable to adequately recover key systems and business functions timely can expose an organization to any number of unacceptable consequences. Beyond the more immediate impacts the organization may incur during downtime, such as lost revenue and additional expenses, one of the more serious long-term concerns is the potential erosion of hard-earned market share. After working for years or even decades to develop a solid market share, an organization can see it erode quickly if it is not able to meet the needs of its customers following a disaster. To keep their own businesses operational, even the most loyal customers may turn to a competitor to obtain required products or services — and once they've departed, they may never return.
What types of staff protections should be in place?
KASTENSCHMIDT A comprehensive recovery plan must consider situations that substantially limit the availability of the organization's staff. To mitigate the risk associated with a limitation of employee availability, organizations should factor contingency staffing considerations into their recovery plans. Such considerations may include staffing redundancy or overlap for critical functions, formal cross-training of key activities, thoroughly documented standard operating procedures, and arrangements with third parties to provide required assistance when needed.
WALCH Employee protections should include basic protections like the ability to shelter in place and evacuation plans, training on how to respond in a crisis, and resources available to them in the unlikely event of widespread disaster. Companies should have simple playbooks to instruct employees, notification systems, and training programs that include simulations.
What safeguards should organizations have to protect against data loss?
WALCH Having a strategy for data backup, off-site storage, and recovery is considered mature by many business leaders. However, the exponential growth in data combined with interdependencies between systems and applications has made that more difficult. Companies of all sizes are struggling to protect against storage corruption, data leakage, and ransomware attacks. Special precautions some companies are leveraging include taking frequent data snapshots to minimize data loss, moving data off site or far from an incident location, and creating isolated networks for data backups to protect against malware attacks.
KASTENSCHMIDT Many organizations have adopted system replication or similar technologies to minimize the data that would be lost if their primary systems were destroyed and they were forced to restore the systems in an alternate environment. However, despite these modern technologies and the small window of potential lost data, organizations still must consider how lost data and transactions would be replaced, reconciled, etc., following a disaster, through using a backup solution that considers various factors such as potential data corruption, geographic separation, and security threats. While the potential data loss, or recovery point objective, may have decreased substantially in recent years, few backups are truly "real-time" copies, and losing even a few minutes' worth of data/transactions can be devastating.
Why is a coordinated response important?
KASTENSCHMIDT Following a disaster, time and resources are both severely constrained. As a result, efficiency is paramount in executing an effective response/recovery effort. Without thorough coordination across the response process, participating teams and individuals may unnecessarily duplicate tasks, while other key activities may be overlooked. Furthermore, key elements of the response process — including internal and external communication — can be inconsistent or even contradictory, if not coordinated across the organization. Coordination of the response effort can not only allow the organization to recover quicker and more successfully, but it can also help to alleviate some of the impacts that can be encountered as a result of the event.
WALCH We have seen strong coordinated response and recovery efforts help decrease the financial and reputational impact of prolonged outages, disasters, and incidents. A good response requires consistent information synthesis during the event. Information sharing among executives in communication, legal, operations, and human resources is vital to the success of response. Coordinated response is required for transparency to shareholders, stakeholders, and customers in the event of a natural disaster or negative event.
What lessons can organizations learn from past large-scale disasters?
WALCH As with most things, having a plan in place is better than not. Companies that analyze their critical business processes and develop appropriate resiliency strategies to protect them are often able to respond in a more measured and cohesive manner during the hours immediately following a disaster. Planning efforts can include creating and thinking through crisis response playbooks and strategies, as well as war gaming or simulating crisis events to train leaders, employees, and sometimes business partners how to respond.
KASTENSCHMIDT In the aftermath of major events such as Superstorm Sandy, many organizations determined that the way they have traditionally approached disaster recovery plan testing was simply not adequate. In particular, organizations discovered that making assumptions — or cutting corners — in their testing prevented them from uncovering severe deficiencies in their recovery strategies and plans. Although effective testing has always been an important part of the recovery planning process, some previous large-scale disasters have only increased awareness of the importance of assuring that such testing is truly realistic.