No matter where your business is located you will most likely be impacted by a disaster at some point. It could be a power outage for an extended period that stops all productivity, ordering processing, call center and of course the heating and cooling in your facility. The disaster may not be local to you but impact your operations at other locations. While power may not be a long-term impact, natural disasters, such as tornadoes and hurricanes, can have much more severe consequences with long term outages and more importantly, impacts to your most valuable assets, your employees. Pandemics have a direct impact on your employees, and depending on your business, can have an impact on your revenue. Your success, or ability to survive a disaster, is largely going to depend on whether you have a plan.
A disaster falls into a number of phases. First is the response phase or the immediate actions you need to take to get through the emergency. This would include your fire plan, a building evacuation plan, a plan for an active shooter event and any other specific plan depending on your business. These plans are your emergency plans.
A continuity of operations (COOP) plan is your blueprint on how you modify your operations to continue to provide some services. It includes orders of succession, who is in charge if the boss is incapacitated and is usually three deep. This part of the plan includes the necessary authorities for the second in command to execute and continue business, such as legal documents giving them the necessary authority. This is the same as the orders of succession that exist in local, state and the federal government, except they are called continuity of government plans.
The continuity plan also details what are the most essential functions that your company must do immediately or daily, and what things can wait a few days. This helps you prioritize what you need to focus on. It is important that you think through the business operations when things are normal, so you don’t have to try and do them when there is an emergency going on around you. Part of this process is prioritizing those essential functions. Knowing your essential functions then helps you identify key personnel, those you must have to carry out those essential functions. This will help you determine that if you lose a percentage of your personnel, say through influenza, you already know what functions can wait and what ones you must do. Again, as part of this process you will identify who does what, and if there is a key person who is the only one that can do a critical part of your operation. When you identify a situation like that you must take steps to train someone else, their backup.
Another important aspect of a continuity plan is identifying important documents and records. What must you have to stay in business? What legal documents are irreplaceable? Where do you keep them? Are their legal copies somewhere else? What documents would you need if you had to operate somewhere else? This applies not only to paper documents but also to computer files. Do you have backups done daily that are stored off site? In this day and age of cloud storage this shouldn’t be too difficult, however, as with other files, you need to make sure they are secure, as cyber security poses another threat that can wipe out a business. We have seen this with cyber ransom attacks on major cities, such as Atlanta in 2018, the US Government Office of Personnel Management in 2014, even Google, Equifax, JPMorgan and most major credit card companies have been hacked at one point in time. One consideration you should look at is if there is no internet. What if the hurricane has wiped out communications over a very large area and you are trying to work from home or another location? Having a backup of key files, like emergency and continuity plans, on a secure flash drive might be an option. I suggest a flash drive that meets the FIPS 140-2 level 4 encryption standard. With a flash drive and a laptop you would be able to access your key documents at any time. Of course, you have to make sure you keep them up to date.
One thing that most organizations struggle with when stay at home orders were issued, and the government and other organizations implemented plans to reduce the office work force by at least 50% in a matter of days, was work from home policies and capabilities. The Federal government requires agencies to have a work from home policy and procedures, and to have employees work from home several times a month. This ensures that they are able to access networks and other systems and have a home office work environment. Non-Federal agencies and organizations struggled with this in the first several weeks of the COVID stay at home orders. Many did not have the remote network access capabilities or security protocols in place. Many organizations required a company laptop in order to access networks for security reasons. Many organizations did not have sufficient laptops and had to suddenly provide them for 50% of their workforce.
Writing a continuity plan is just the first part of the process to provide your business a reasonable chance to survive through a disaster. However, until you test a plan you have no idea if it is going to work. Therefore, you must conduct some exercises. You should conduct a tabletop, a discussion-based exercise where a scenario is presented and you discuss through actions, trigger points and action items. Any corrections should be made and then you should conduct operations-based exercises. These could be where your employees work from another work site or from home, where they would access the work network, usually through a secure VPN, to make sure they can access the programs and files they need to do their job and that conference capabilities for meetings meet your needs. You could, or perhaps should, do this on a regular basis to continually train your employees in working from home and continually testing your capabilities and make improvements.