Workplace continuity and contingency planning strategies

Business

Workplace Continuity and Contingency Planning

According to the U.S. Geological Survey, the earthquake that generated the great Indian Ocean tsunami of 2004 is thought to have released the energy of 23,000 Hiroshima-type atomic bombs. Huge forces that had been building up deep in the Earth for hundreds of years were released suddenly on December 26, shaking the ground violently. They unleashed a series of killer waves that sped across the Indian Ocean at the speed of a jet airliner. By the end of the day more than 150,000 people were dead or missing and millions more were homeless in 11 countries (the Deadliest Tsunami in History, 2005).

The epicenter of the 9.0 magnitude quake was located under the Indian Ocean near the west coast of the Indonesian island of Sumatra. The brutal movement of sections of the Earth's crust, known as tectonic plates, displaced an enormous amount of water that sent powerful shock waves in every direction. The earthquake happened because of the sliding of the portion of the Earth's crust known as the India plate under the section called the Burma plate. This process of one plate pushing against the other until something has to give, has been going on for millennia, the result on December 26 was a rupture of more than 600 miles (1,000 kilometers) long, displacing the seafloor above the rupture by perhaps 10 yards (about 10 meters) horizontally and several yards vertically (the Deadliest Tsunami in History, 2005).

On the surface a great volume of the ocean was displaced along the line of the rupture, creating one of nature's most deadly phenomena. Within hours killer waves radiated from the earthquake zone and slammed into the coastline of 11 Indian Ocean countries. Many people were taken out to sea, while others drowned in their homes or on beaches (the Deadliest Tsunami in History, 2005).

Disasters can arrive like a lightning bolt, suddenly, unexpectedly and with mind-numbing consequences. Businesses are faced with natural disasters such as fires, tornadoes, floods, earthquakes and hurricanes every year. Those businesses that are prepared survive and recover. The rest become casualty statistics (Business Continuity during a Disaster, 2008).

The tsunami, which devastated the coast of South and Southeast Asia, proved an opportunity for banks in the regions to test their emergency preparedness and to provide economic assurance to affected clients and employees. The business continuity plans for banks, operating within the countries affected by the tsunami, appears to have worked reasonably well under the circumstances. Banks in Indonesia and Sri Lanka reported that business continuity and disaster recovery programs came into operation effectively during the tsunami disaster. The banks made sure that clients were able to access lifelines in the form of deposits or loans. Sufficient business continuity planning enabled displaced clients to access deposits from ATMs and branches of banks elsewhere. Banks worked very quickly to assist employees and their families in the affected areas. At the same time they activated plans by sending personnel from other branches to re-open damaged offices in the disaster areas (McDowell, 2005).

Most banks in the region operate highly centralized administrative and technical services. Highly centralized back-up systems and records in consequence ensured that branch damage did not impact the service continuity, which was maintained through open communication lines.

The overall financial impact on the banks was not as bad as was originally anticipated. The S&P indicated that banks in Thailand would likely suffer physical damage as well as earnings as a result of the tsunami disaster but they should be manageable, while the impact on banks in Indonesia and India was expected to be limited. Overall aggregate exposures for loan losses were anticipated to be in the region not much in excess of U.S.$1 billion. From a risk assessment point-of-view, most banks classified the event as a major loss event but a near-miss in terms of operational risk. This disaster was seen as an opportunity for banks to refine their modeling by performing stress testing and scenario analysis for their business recovery and disaster planning programs (McDowell, 2005).

While it may not have been the most immediately pressing issue that followed the tsunami, resumption of business and economic activity was important for those countries that had been affected. Resumption of commercial banking activities was one of the critical elements in order to ensure businesses may re-establish themselves as quickly as possible (McDowell, 2005).

Reconstruction never occurs quickly but there has already been a good effort showing results in Aceh. Most medical facilities have been reconstructed and almost all the children have returned to school. While it has been slow, the effort to rebuild roads, bridges and other infrastructure is progressing. Community-driven development has proved to the best way to accomplish top-down reconstruction, particularly in housing. Acehnese communities have a very strong sense of belonging together and almost all communities have wanted to participate in key decisions that affect their future. By using the existing network of community-driven development projects that were already covering over 40,000 villages in Indonesia there was found a fast and effective means to deliver assistance (Aceh Post-Tsunami Reconstruction: Lessons Learned Two Years on, 2006).

It has been seen that community-driven housing reconstruction has proven to be of higher quality, more cost-effective and in most cases even faster than other methods of providing housing. One of the key lessons that have been learned is that good information and communication are critical to successful reconstruction. Keeping track of the progress of reconstruction is essential to coordinating an effective response. So is informing the local people about what to expect and when. One innovative approach supported by the World Bank is the Ceureumen Newsweekly, which is a regular newspaper that provides vital information regarding reconstruction. The World Bank was present in Aceh before the tsunami, supporting the Indonesian Government in the community-driven Kecamatan Development Program (KDP). Soon after the tsunami, the Bank made an assessment of the damage, which remains the blueprint for the reconstruction that is sill going on today (Aceh Post-Tsunami Reconstruction: Lessons Learned Two Years on, 2006).

When a special reconstruction agency was established, the World Bank provided support for institutional building. When donor money started to pour in, the Bank set up and managed the Multi-Donor Fund. This fund brought together $655 million in grant funding from 15 donor countries and international agencies. These vital resources have been used to provide tsunami victims with housing, schools, clinics, basic infrastructure, waste management, port reconstruction, and environmental protection. Most projects involve communities to ensure oversight and ownership and include programs to support the new peace (Aceh Post-Tsunami Reconstruction: Lessons Learned Two Years on, 2006).

An important aspect of the World Bank's work has been in providing technical assistance at many levels. With 50 to 60 national and international experts working on a variety of programs and providing technical support to the Indonesian Reconstruction and Rehabilitation Agency, the World Bank has one of the largest offices in Aceh. John Victor Bottini, the Bank's resident representative in Aceh, says that the Bank is planning for the long haul as several new projects, will continue the work of community-driven development in conflict-affected and other areas once the reconstruction programs end. Since the tsunami, a small World Bank team, made up mainly of national staff, has been tracking the money. The team provides quarterly updates on the reconstruction process and has become the main reservoir of financial information on the reconstruction program (Aceh Post-Tsunami Reconstruction: Lessons Learned Two Years on, 2006).

The World Bank's support to Sri Lanka after the tsunami of December 26, 2004, included mitigating the immediate suffering; assist people to regain their livelihoods; restore basic services to the affected population; and initiate the recovery and reconstruction process (Sri Lanka: Tsunami recovery - Achievements, challenges and prospect after 3 years, 2007).

Business continuity development is often driven by stockholders, government regulations and market forces. It has gained popularity during the past 35 or 40 years, evolving from disaster recovery into a more comprehensive plan that includes not only recovery but operational continuity during and following a disaster. It is thought that the fuel for the fire has been data processing technology. The constant changing of technologies has given companies the opportunity to address critical recovery issues and focus on continuance. With each advance there has been the opportunity to take continuity to a new level. Because they have special vulnerabilities, banks have been leaders in business continuity planning for years. An overview of how business continuity planning has developed in the financial services industry provides a picture of just how this important facet of business planning has become. The lessons learned by this industry can go a long way in helping other companies, both large and small, cut short the learning curve (Business Continuity during a Disaster, 2008).

The first step in business continuity planning consists of doing a realistic analysis of the possible threats. These can include such things as weather threats, disease outbreaks, fire, cyber attacks, and extended loss of electrical power or terrorism. Threats due to weather include floods, earthquakes, hurricanes, tornadoes and blizzards. Planning for weather events should be very realistic in nature. Major weather events usually occur in 25, 50 and 100-year cycles. Disease outbreaks are also a big threat. A potential flu pandemic could be detrimental to many businesses. For example, the bird flu pandemic scenarios that are floating around are being modeled on the Spanish flu pandemic of 1918. That global outbreak killed 500,000 people in the United States and more than 20 million people worldwide. Since that time there have been two other smaller scale flu pandemics, each that killed hundreds of thousands of people. The flu is just one disease that can cause a business disaster situation around the world (Business Continuity during a Disaster, 2008).

Recent years have also shown that terrorism threats are a real possibility that needs to be considered. Terrorism is a great threat because there is so much uncertainty about when, where or what kind of attack may next occur. The attack could be nuclear or biological in nature with the possibility of being very widespread. Any analysis of potential threats should include probabilities of each threat occurrence with time frames in which critical functions must be resumed after the disaster (Business Continuity during a Disaster, 2008).

It is important that someone within an organization be responsible for making the continuity plan work. People within the organization must be identified to assume key roles should a disaster occur. This phase of a disaster plan needs depth to include more than one person or group assigned to each role, in case the first person or group is incapacitated by the disaster. This section of the plan should identify who is responsible for what activity or strategy both during the disaster and during the recovery phase following the disaster event (Business Continuity during a Disaster, 2008).

The next step is in putting a plan together is to develop strategies for pre-event, event and the recovery phases of the disaster. These strategies need to include developing training programs; laying down procedures for notifying and mobilizing key employees; establishing policies for contacting key public officials, police, informational media, emergency response personnel and hospitals and data backup and protection procedures. These strategies should also identify goals for minimally acceptable time frames for restoration of critical functions and systems (Business Continuity during a Disaster, 2008).

In addition to set time frames, these strategies should establish the amount of critical data or function loss that is acceptable. Management needs to decide what amount of loss is acceptable, or if alternative strategies should be implemented to reduce potential loss (Business Continuity during a Disaster, 2008). This is very important to have established well ahead of any disaster that might happen.

The next step is disaster planning is to identify what triggers when a continuity plan is to be activated. For example, when the local emergency management office declares a state of emergency would that be the trigger point. If it is then at that point the organization would be in crisis mode and management should be first concerned with stabilizing and preventing further damage. Implementation should involve emergency response or evacuation procedures, delegation of authority or responsibility and following checklists for recovery and restoration. One necessary component of crisis management is communications which includes communications taking place before, during and after the event. This would include communications with employees, customers, the community, regulatory agencies, shareholders, directors and any others affected by the situation. A good way to handle this is to develop a sequential call tree. Under this situation each member of a small group is each responsible for making a few phone calls to an assigned list of people. The members of this second group in turn each call a few more people and so on creating a communications network (Business Continuity during a Disaster, 2008).

Once a disaster event has occurred, the recovery process must begin as quickly as possible. This might include caring for the sick and injured along with stopping loss or damage. It might also include making repairs to facilities, and reestablishing service or product delivery. Usually the first step is to restore electrical power. Power is needed for basic essentials such as pumping water, making ice, preserving and cooking food. Restoration of power is essential before any other plans can be put into place or carried out (Business Continuity during a Disaster, 2008).

Once a disaster recovery plan has been devised and recovery procedures have been developed, it must be tested in order to work out any problem areas. Testing provides for additional training to staff. One method of training that is often used is that of creating roundtable discussions. In these discussions a disaster scenario is presented and then each person is responsible for describing how his or her department or responsibility would respond to the event. As each department responds, a picture of the plan's effectiveness begins to take shape. Another testing method that is being used is to create exercises simulating disaster events. Rather than simply talking about the response, each person must physically act out the response. These testing methods allow the staff an opportunity to evaluate the plan and make changes if necessary. It also provides the added benefit of creating greater staff buy-in or acceptance of the plan. Periodic review and maintenance of the plan should be required. This may involve training new staff members, reviewing procedures for relevance, evaluating software and hardware requirements and preparing management reports and audits of the plan (Business Continuity during a Disaster, 2008).