Be Prepared
We have often said in these pages that if you are prepared for natural disaster you will be prepared for almost any other threat to your corporate existence. The corollary, of course, is that if you are not prepared for natural disaster you will not be prepared for anything else, either. We are personally relieved and pleased – and as a country fortunate – that the loss of human life in hurricane Katrina was significantly lower than had been forecast by some experts (http://americanradioworks.publicradio.org/features/wetlands/hurricane1.html), although ashamed that such a large number of the dead were the elderly, un- evacuated from nursing homes, where they waited, vainly, to be rescued.
The affect on businesses, however, has been right on target.
It had been estimated that there was a 1 in 6 chance of a Category 5 hurricane hitting New Orleans in this 1995 to 2015/25 high-intensity hurricane cycle. While 1 in 6 is high enough that businesses needed to give it very serious consideration, the implications were largely ignored, in spite of the LSU Hurricane Pam study of the potential for New Orleans of a category 3 hurricane . A small number of corporations learned the lessons of the World Trade Center, recognized that New Orleans had serious potential hurricane problems, and made appropriate backup plans. Most others did not. For those companies that were prepared, the hurricane was a survivable corporate disruptive event, although still a major trauma in terms of personal tragedy. For those that were not prepared, Katrina put them out of business, in many cases forever.
In some cases plans were doubtless made, and failed. Whenever a plan fails, it is important to go back and find out whether the problem was a flaw in the plan itself, or whether there was a systemic problem.
Systemic problems are interesting, because they generally bring us back to our mantra for evaluating policies and measures by asking five questions:
1. What problem is the policy or measure trying to solve?
2. How can it fail in practice?
3. Given the failure modes, how well does it solve the problem?
4. What are the costs, both financial and social, associated with it, and flowing from its unintended consequences?
5. Given the effectiveness and costs, is the policy or measure worth it?
In our experience, systemic problems come with the first question: The problem being addressed is not the problem we think is being addressed.
Often, both in private industry and in government, policies and measures that should address some specific issue in reality address the problem of building headcount and budget. We recall proposing a more efficient solution to a problem and being told that if our advice were followed, rather than having 600 people in his group, making him a senior member of the management team, our prospect would have 40 people doing the same work and be a division leader. You should not, for much the same reason, expect anyone at TSA to suggest letting America’s 663,535 sworn officers carry their weapons on planes as a substitute for the Air Marshals program.
In other cases, a measure may be put in place because it will reduce insurance costs, or because it will reduce liability, or because it will give the perception of activity (i.e., it is being done largely for PR purposes). Since in all these cases the measures are designed to give the appearance of addressing a problem, rather than to actually address the problem, don’t count on them being effective. This is especially true if the problems being addressed are statistically unlikely events, where the incidents planned- against will virtually never happen.
We see systemic problems when we do crisis management drills. We will be told that a company has, in fact, a crisis management plan. Nobody, however, has ever seen the plan, nobody knows where to find the plan, and the plan has never been exercised in training. In one case, we served on a committee to develop a plan for securing conferences of a law enforcement trade group. The committee provided a clean solution to that problem, but we failed to realize that the actual goal was to provide an adequate mechanism for placing blame. The plan was rejected, so a new plan was developed, oriented more toward post-incident finger-pointing, which was significantly less clear but was accepted. It has never been implemented.
The result of systemic problems is that the system tends to force good people out, and substitute them with incompetent people, or people who serve a bureaucratic need rather than a purposeful functional need.
So, let us assume that Katrina has attracted your attention, and you want to give some thought to an emergency plan that might actually allow your company to survive, rather than to merely placate shareholders or insurers.
The easiest way to begin thinking about the problem is with the assumption that you will wake up one morning and discover that your entire plant at one geographical location has disappeared. At this point don’t even give much consideration to how it disappears. It doesn’t matter whether you are in a hurricane area, an earthquake area, a tornado area, or an area at risk for faith- based initiatives: Just start with the basic assumption that everything is gone.
What would you need to get back in business, or to stay in business?
• You need information – seventy percent of the value of the average American company lies in its intellectual property – so safe backup of and subsequent access to information is critical. And safe backup means comprehensive and geographically safe. Just as the several holders of the Coca Cola formula are reputedly never allowed on the same continent, your information should be backed up in some geographically safe area or areas. The good news is that in this computer era backup can be anywhere.
• You will also need people. Either you need to have a backup operation elsewhere, or you need to be able to move people and their families from one place to another, probably under difficult circumstances, and re-start in a timely manner.
• Finally, you will need capital, so your flight and recovery needs to be pre-planned with your bankers.
With these three points understood, you should be in good shape to start thinking about dealing with disaster, natural or un-, and to speak intelligently to the experts you bring in for consultation. Folks in the disaster recovery business will know from experience what can be implemented, and what sounds good on paper, but won’t work in real life.
In trying to avoid the kinds of system problems seen in New Orleans, note that our colleagues in the international disaster recovery arena have expressed the opinion that one of the problems faced on the federal level (we will spare you their comments on issues of state and local incompetence exacerbating the legitimate – and highly desirable – local/state/federal disconnections imposed by 18 USC 1385) was that it was being handled by a security department. While security is an important component in disaster recovery, security is not the core discipline. Nonetheless, one of the downsides of centralization into a security organization is that staff, independent of specialization, eventually will either be forced into the current security-culture mindset, or be forced to leave. So be aware of the corporate culture of the group where operational responsibility is placed.