Threats due to weather include floods, earthquakes, hurricanes, tornadoes and blizzards. Planning for weather events should be very realistic in nature. Major weather events usually occur in 25, 50 and 100-year cycles. Disease outbreaks are also a big threat. A potential flu pandemic could be detrimental to many businesses. For example, the bird flu pandemic scenarios that are floating around are being modeled on the Spanish flu pandemic of 1918. That global outbreak killed 500,000 people in the United States and more than 20 million people worldwide. Since that time there have been two other smaller-scale flu pandemics, each of which killed hundreds of thousands of people. The flu is just one disease that can cause a business disaster situation around the world (Business Continuity during a Disaster, 2008).
Recent years have also shown that terrorism threats are a real possibility that needs to be considered. Terrorism is a great threat because there is so much uncertainty about when, where or what kind of attack may next occur. The attack could be nuclear or biological in nature with the possibility of being very widespread. Any analysis of potential threats should include probabilities of each threat occurrence with time frames in which critical functions must be resumed after the disaster (Business Continuity during a Disaster, 2008).
It is important that someone within an organization be responsible for making the continuity plan work. People within the organization must be identified to assume key roles should a disaster occur. This phase of a disaster plan needs depth to include more than one person or group assigned to each role, in case the first person or group is incapacitated by the disaster. This section of the plan should identify who is responsible for what activity or strategy both during the disaster and during the recovery phase following the disaster event (Business Continuity during a Disaster, 2008).
The next step in putting a plan together is to develop strategies for the pre-event, event and recovery phases of the disaster. These strategies need to include developing training programs; laying down procedures for notifying and mobilizing key employees; establishing policies for contacting key public officials, police, informational media, emergency response personnel and hospitals; and data backup and protection procedures. These strategies should also identify goals for minimally acceptable time frames for restoration of critical functions and systems (Business Continuity during a Disaster, 2008).
In addition to set time frames, these strategies should establish the amount of critical data or function loss that is acceptable. Management needs to decide what amount of loss is acceptable, or if alternative strategies should be implemented to reduce potential loss (Business Continuity during a Disaster, 2008). This is very important to have established well ahead of any disaster that might happen.
The next step in disaster planning is to identify what triggers activation of the continuity plan. For example, would the local emergency management office declaring a state of emergency be the trigger point? If it is, then at that point the organization would be in crisis mode and management should be first concerned with stabilizing and preventing further damage. Implementation should involve emergency response or evacuation procedures, delegation of authority or responsibility and following checklists for recovery and restoration. One necessary component of crisis management is communications, which includes communications taking place before, during and after the event. This would include communications with employees, customers, the community, regulatory agencies, shareholders, directors and any others affected by the situation. A good way to handle this is to develop a sequential call tree. Under this arrangement, each member of a small group is responsible for making a few phone calls to an assigned list of people. The members of this second group in turn each call a few more people and so on, creating a communications network (Business Continuity during a Disaster, 2008).
Once a disaster event has occurred, the recovery process must begin as quickly as possible. This might include caring for the sick and injured along with stopping loss or damage. It might also include making repairs to facilities, and reestablishing service or product delivery. Usually the first step is to restore electrical power. Power is needed for basic essentials such as pumping water, making ice, preserving and cooking food. Restoration of power is essential before any other plans can be put into place or carried out (Business Continuity during a Disaster, 2008).
Once a disaster recovery plan has been devised and recovery procedures have been developed, it must be tested in order to work out any problem areas. Testing provides for additional training to staff. One method of training that is often used is that of creating roundtable discussions. In these discussions a disaster scenario is presented and then each person is responsible for describing how his or her department or responsibility would respond to the event. As each department responds, a picture of the plan's effectiveness begins to take shape. Another testing method that is being used is to create exercises simulating disaster events. Rather than simply talking about the response, each person must physically act out the response. These testing methods allow the staff an opportunity to evaluate the plan and make changes if necessary. It also provides the added benefit of creating greater staff buy-in or acceptance of the plan. Periodic review and maintenance of the plan should be required. This may involve training new staff members, reviewing procedures for relevance, evaluating software and hardware requirements and preparing management reports and audits of the plan (Business Continuity during a Disaster, 2008).
One of the biggest assets for most businesses is data. This is why preserving critical data is a primary component of any continuity plan. Loss of data can mean lost revenues, loss of competitive position and can also create liability exposure in tax or regulatory agency audits.
The continuity plan must also provide analysis of appropriate backup systems. This might include using a vendor to provide off-site storage of critical data. Any backup system and off-site storage vendor or facility must also provide protected access to the information for security purposes (Business Continuity during a Disaster, 2008).
Banking continues to be the most mature industry in terms of business continuity. It is driven by a body of regulatory requirements that focuses on both business and technology recovery, and each bank's business continuity program is reviewed regularly. Regulators often look beyond the existence of the plan, and pay close attention to all aspects of the business continuity lifecycle, with particular emphasis on the business impact analysis (BIA) and testing. Risk management executives continue to focus on prioritizing core business functions, services and technologies using the BIA, developing crisis management processes to respond more effectively to a variety of events, and implementing programs to test the effectiveness of business continuity strategies.
The scope of the banking industry's business continuity program is very broad. Beyond the typical corporate processes such as human resources, payroll, accounting, and investor relations, the program scope often extends to:
Key processes contained within core lines of business such as retail banking, commercial banking, mortgage operations, and brokerage operations
Call center operations
Credit card and ATM operations (Business Continuity Consulting: The Banking Industry, 2008).
After the terrorist attacks of Sept. 11, 2001, the banking industry realized that no business is immune from a catastrophic event. The brutality of the 2004 and 2005 hurricane seasons taught financial institutions that disaster recovery programs alone cannot protect their businesses. This has forced banks to reevaluate the strength of their backup plans. Thus, the banking industry now strives toward a goal of business continuity. Rather than just rely on disaster recovery plans that help them get back to work after a catastrophic event, banks are focusing on business continuity plans. These are frameworks that are established in order to keep them operational in the first place. While these plans visibly highlight the importance of hot sites, banks also have learned that Web-based communications networks and imaging solutions could be the tools that are needed to survive a catastrophe (Amato-McCoy, 2006).
Catastrophic natural disasters are not something that can be controlled, but they can be planned for. Those organizations that have continuity plans in place before a disaster hits are more likely to survive to do business again than those that don't. Developing a good plan and testing it ahead of time is essential to knowing how to act when such an event happens. The banks that were affected by the tsunami of 2004 in the Indian Ocean had such a plan in place, and it seems to have worked as well as it could under the circumstances. The banks were a critical player in the rebuilding and recovery of the areas after the tsunami, which makes the fact that they had a good plan in place all the more significant.
Aceh Post-Tsunami Reconstruction: Lessons Learned Two Years on. (2006). Retrieved