Published: PAMIC Pulse, Fall 2020, PAMIC.org
When crises occur, it is important for organizations to have strategies in place to mitigate the effects. Being unprepared for disaster can exacerbate the impacts that it will assuredly have for organizations. There are many aspects to building these strategies – it is crucial to understand and include all facets of the organization, so that nothing is left unconsidered. Also, it is important to be realistic when it comes to the expectations of a disaster response plan. Drastic measures may need to be taken to keep the organization running.
“Combining business continuity and risk management into a single operational process is the most effective way to prepare for the worst” (Robert Sibik). An organization’s impact assessments are important to determine continuity, but it can be essential to expand in that space. Simply checking boxes to avoid compliance issues is not enough – organizations should be willing to tackle issues of disaster impact specific to their operations. Legacy approaches may have just enough to pass an audit, but do not truly address issues of reducing the impacts of an event. Strategies should be integrated with the organization’s specific operational mission – the day-to-day processes that drive it.
First, organizations should understand various disruptions that may occur, and the likelihood of them occurring. For example, is it very likely that the building in which operations occur will flood? How old is the internal plumbing? What are the pipes made of? Are all utilities that run water properly connected? When was the last time they were inspected, or replaced? These are the kinds of questions organizations will want to ask themselves to determine how much of a risk a specific disruption can be. If the building is just simply passing inspection, it does not mean there are no risks. A building that has had its plumbing redone will have significantly less risk of impact from a plumbing related flood. It is also important to consider other potential causes of floods, including the risk of weather-related events or disasters in a particular area.
After making these determinations, organizations will want to consider measures that can reduce the impact of such a disaster, should it occur. If the building does indeed flood, are there employees on the staff that are responsible for handling this issue? Is contact information for disaster or flood response specialists readily available to these employees? Is there an alternate workspace that can be used to continue operations should the damage be too extensive? Having these kinds of responses in place along with the preventative measures can provide a more all-encompassing disaster mitigation plan. Understanding what resources are available during this process is key. If there is any help available through governmental agencies for a specific crisis, it should be included as part of the plan. Ensure there are people responsible for contacting these entities and submitting any applications that may be necessary to receive aid.
In an operational approach, this would be done with every piece of the organization. Consider the roles of your employees, what purpose they serve, and how exactly they interact with the organization and its assets. If your employees drive trucks, are there plans in place to ensure that every one of them is sufficiently licensed? How often are they reviewed? What is the plan if one of them were to cause an accident, or if the cargo is otherwise lost? How can additional issues caused by such a crisis (other motorists / pedestrians hurt, for example) be prevented? How would that impact the other facets of your organization? Human resources, employee benefits, and physical / digital security of assets are just a few main components that are common across most organizations.
Once a plan has been made, it is important to communicate these measures with the organization and stakeholders. Anyone involved in these plans should be informed of the operational strategies of the organization, and able to access them whenever necessary. It can be helpful to regularly review these strategies with employees to make sure that they are understood completely, and that any given employee knows their role in the response to an issue. If employees aren’t aware of their specific duties during a disaster, the response time will suffer, and precious time and resources can be lost.
Testing your response plan is important to ensure that it accomplishes the goal in mind. Having a plan in place is good, but organizations will want to have proof that it works. Once these strategies have been disseminated to the appropriate staff and they are given proper training, the plans can be tested. Organizations may feel the urge to run surprise tests of their response plans, not telling staff about an impending dry run. While this can be useful, it is generally more prudent to wait until these drills have been successfully executed at least once before. However, if it is a surprise, let them know during the exercise that it is just a test.
Employers will want to generate a specific scenario depending on which facet of the overall response plan they want to test. If an organization wants to test their staff on cyber security, then simulating a “phishing” attack or other breach can help determine how they will respond. Set the scene for them, give them the information they would have if it were a real attack, and let them know of any special conditions that should be placed on the event. For example, having the IT supervisor be “unavailable” during a cyber security breach drill can test how well employees can think on their own, and how much they are leaning on the specialist.
When the test is complete, perform a post-test debrief. Was the knowledge base of the staff in question up to par? Were they prepared to handle the issue to the extent they are expected to? If they were, and the plan went as written, did it mitigate the damage that would be done? This can help determine what adjustments may need to be made, whether it is increased or more-frequent training for staff, or parts of the response plan that, while completed as written, did not produce the desired results. Organizations will want to test regularly to ensure everyone is on board, and the response plan is still effective.
Another benefit of an operational approach is consistency and understanding. With no response plan, organizations are left to plan in the moment, which can be expensive, chaotic and inefficient. This can be frustrating to employees, and morale can suffer – particularly if it occurs often. When employees know how to respond and know that their response is part of a consistent plan by the organization, they may feel more confident and empowered to do their part to mitigate the crisis. This, again, can save time and resources when both are important to the organization’s survival.
An operational approach is not about preventing any and all problematic situations. It is about combining preventative measures with post-crisis mitigation strategies in order to decrease not just the threat of disaster, but also lessen the impact when it does occur. Having these specific policies integrated as part of the organization’s overall operations can improve its likelihood of survivability through emergent situations.