If your business isn’t completely dependent on technology, then you are in the minority these days. Given this dependence, protecting your business from an IT failure should top your priority list.
“Having been in the IT business now for 16 years, I’ve seen my fair share of close calls and, unfortunately, my fair share of outright disasters when it comes to IT,” says Zack Schuler, founder and CEO of Cal Net Technology Group. “There are three particular disasters that stick out in my mind. In each of these three cases the companies were taking nightly backups of their data, and they thought this was enough.”
Smart Business spoke to Schuler about how businesses can avoid these kinds of mistakes.
What are some of the worst disasters you’ve encountered?
The first case was a company that had a sprinkler break right above its servers. While it was taking a daily backup, the company left the tapes on top of its servers. The tapes were drenched and basically unusable after the downpour. The server hard drives were sent to data recovery, and after several days the company was up and running again. Had the tapes been taken off site, the downtime would have been significantly less.
The second case was a company that had its building burn down. Its current tapes were stored on site; however, the company had an older set that was taken off site. After a painful data reconstruction process, and several months later, the company was able to get back on its feet.
The last case was a company that experienced an Internet outage for a week when a major telephone company had its T1 down. This was the company’s only connection to the Internet, and its business was highly dependent on email, so this outage had a significant impact on its business. The company lost a percentage of its revenue as a result of the outage.
Needless to say, none of the above companies were prepared for the type of disaster that they suffered, yet all of them were backing up their data.
How can businesses avoid costly downtime?
Here are three important questions that you can pose to whoever manages your IT, and some tips that will get you one step closer to being truly prepared in case of emergency.
1. What is your plan in case of a lengthy Internet failure? The smart thing to do is to make sure that you have multiple connections to the Internet, over different mediums. Having a connection via a T1 and a DSL line is not a smart move, as they both traverse over the same strands of wire. An Internet connection through a telephone company and another through a cable provider is the way to go.
2. What is your plan in case of a physical site failure, such as a fire, earthquake, etc.? Something as simple as a long-term power outage in your building can be a lot more common than one would think. On more than one occasion we’ve seen a building lose power for several days, and companies basically send their employees home. We had a client that was prepared in this scenario. It sent its employees to work from home, as it had a hot-site set up that employees were able to connect to from home.
3. What is your plan in the event of a major hardware failure? Even if your equipment is under warranty, if a particular part fails on a server, and the vendor is out of stock on that part, you could see some downtime. In this scenario, you should have a transition plan documented whereby you can easily move the data from one server’s backup over to another server, perhaps in a virtualized environment, to keep running.
What is the most common issue you’ve encountered with companies’ backup plans?
Perhaps the biggest overall error that I’ve seen companies make is that they don’t have any documented plan in place to recover from any of the above scenarios. Most companies simply don’t test their backups by going through a simulated failure. They assume that the backup is running as they’ve been told. The smartest action that you can take is to go through a simulated failure. Pretend that any of the above scenarios has happened, and try to recover from them. We assist IT departments with this type of work frequently, and we’ve never walked into a disaster recovery test whereby we didn’t make a tweak of some sort to make the plan better, thus more recoverable.
Zack Schuler is founder and CEO of Cal Net Technology Group. Reach him at firstname.lastname@example.org.
Insights Technology is brought to you by Cal Net Technology Group
In the aftermath of major disasters like Hurricane Sandy, renewed focus on planning for catastrophic incidents can actually undermine effective preparedness for more likely events and distort perception of risk in a way that makes businesses more vulnerable.
In a spectrum of risks, high-severity, low-frequency events are major natural disasters like hurricanes or earthquakes. On the other hand, there are high-frequency, low-severity disasters, such as human errors, computer crashes and power outages. Disasters such as fires and floods fall somewhere in between.
“We often focus on the catastrophic risks, those at the far right end of the spectrum,” says Mike Maloney, vice president, Comcast Business Services. “We assume that preparing for the worst-case scenario automatically includes preparation for all lesser risks. But, it hardly makes sense to initiate a full-blown disaster recovery plan every time the business experiences a minor deviation in operations. That is too expensive and cumbersome.”
Smart Business spoke with Maloney about how preparing for everyday disasters can keep your company — and its technology — on track.
Why is it especially important to prepare for everyday disasters?
If you prepare for the everyday disaster, you will also be ready to address the more serious and less likely threats. For example, power outages commonly occur on a standalone basis, such as brownouts during the summer months with peak air conditioning usage, but power outages also follow more serious threats like hurricanes.
How can you guard against human error?
Human error is the most common form of disaster. Of course, the best way to address this is to ensure proper staff training and good management practices. But, you will also need a strategy to mitigate cost when error does occur, such as on-demand, user-generated data backups and clear recovery procedures.
What’s the best strategy for preparing for equipment or third-party failures?
By making good vendor selections and following proper equipment maintenance procedures, you reduce the frequency of occurrence. Also, build in redundancy for when those failures will occur and have extra equipment in inventory.
Third-party failures are the failures of service providers needed to deliver products and services like telecommunications. The basic strategy is to invest in due diligence to make wise choices for third-party vendors to entrust with your critical services, negotiate appropriate service guarantees and support, and build in redundancy to cope with failure when it occurs.
How is planning for environmental hazards extended to more severe threats?
Environmental hazards are conditions that displace staff and could be as trivial as a water pipe bursting and flooding the office. So, plan for human safety and assure the technology is in place to enable temporary remote operations. This concept is extended for fire, natural hazards and sabotage, which pose more severe threats to safety and longer periods of remote operations.
Once you’ve established your planning framework, what’s next?
The next step is to identify the business’s key assets, which may sound simplistic but is not necessarily obvious. For example, a small software development company insured its property, so after a fire, it was fully reimbursed for the replacement costs of office furnishings. But its critical asset was its intellectual property, embedded in hundreds of thousands of lines of software code. The company had failed to back up the software and subsequently went out of business. If it had a severe budget constraint, as start-ups often do, it would have been better served to forfeit insurance on physical assets and invest in off-site secure data backup.
In addition to determining how best to protect the business, this provides insights as to how to better manage the course of normal operations. Several years ago, a disgruntled systems administrator of the city of San Francisco refused to relinquish key passwords to computer systems controlling, among other functions, employee payroll. A little due diligence to understand the key processes, assets and functions of operations might have revealed this vulnerability.
Mike Maloney is a vice president at Comcast Business Services. Reach him at email@example.com.
Insights Telecommunications is brought to you by Comcast Business Class
Learning how to deal with disaster during a crisis is not a good idea. Hurricane Sandy’s aftermath reminds employers of the importance of insurance, disaster planning and claim preparation.
“Always at a time like this, organizations who were not affected need to take a step back and ask themselves, ‘What if?’” says Neil Harrison, AGRC, group managing director, Risk Control, Claims & Engineering, at Aon Risk Solutions.
Smart Business spoke with Harrison and Ron O’Neill, senior claim consultant at Aon Risk Solutions, about best practices business owners can use to ride out any disaster.
How did Hurricane Sandy affect the insurance industry?
With an event like Sandy, the insurance industry plays a role in business-specific and general economic recovery. Brokers and insurance companies expect to be judged on their performance and response. With a significant amount of claims, there is a lot of resource pressure. Resource scale and leverage become key, and operational efficiency is a prerequisite for success.
It’s too early to comment on the longer-term impacts of insurance pricing or coverage availability. With these events, everybody has an opinion, but nobody knows at this early stage. Property damage, business interruption and contingent business interruption all create the overall cost. Also, just because a company is based in Detroit or somewhere out of Sandy’s way doesn’t mean businesses didn’t have customers, suppliers or vendors affected.
How should you handle an insurance policy?
The first step is ensuring you’ve got the right insurance coverage — the terms, the conditions in place, definitions of perils — and that you understand items such as limits and exclusions. Business owners should aim to have claims preparation coverage on the property cover. Then you can engage an expert for accounting work critical to quantifying and making the claim, and, generally, the process runs more smoothly.
Also ensure the values at risk — asset values and business interruption values — are understood and accurate. Too often, an organization has a claim and is underinsured or overinsured. A best practice is having an external expert work with you on assessing values during your policy renewal process. The business interruption is particularly important because it’s complicated to work out in post-loss panic mode. Since the recession, everybody has different values at risk, but organizations may have continued to index link their values or sums insured.
Beyond insurance, what can businesses do to respond well to disasters?
Organizations that have responded well are those with business continuity plans that are well defined, kept up to date, frequently tested and broad. The plans cover not just the direct issues of building damage but also employee safety and welfare issues, supplier issues, customer issues, etc.
Insurance is an outcome, in many ways, of business continuity. Take a broad look at the business, plan for every eventuality, make sure everyone knows what to do and have restoration firms on contract, as well as access to alternative power.
How should a business submit claims if it suffers damage?
When a significant incident hits, the company has some responsibility to mitigate the damage and cost. Much of it is common sense, but that’s easier to apply when it’s written down with clear responsibilities. Make sure that you:
• Report the loss to a broker or insurer immediately and ensure there are clear lines of communication.
• Take immediate action to minimize loss.
• Keep documents, invoices or receipts, which become part of the insurance claim.
• Take photographs of the damage.
• Engage an external expert, if needed. When a business is in trouble mode, it’s all about recovery. Outside expertise allows you to talk to customers, suppliers and staff, while the expert handles the tactical, and somewhat more mundane, issues.
It’s important to have continuity planning, follow insurance best practices, consider a claim preparation clause and ensure common sense is applied after a loss. Disaster response, claim response and claim preparation are specialist technical disciplines, and businesses find investments in these areas have a positive return.
Neil Harrison, AGRC, is group managing director, Risk Control, Claims & Engineering, at Aon Risk Solutions. Reach him at firstname.lastname@example.org.
Ron O’Neill is a senior claim consultant at Aon Risk Solutions. Reach him at (248) 936-5243 or email@example.com.
For information from the Aon Situation Room, Post-Tropical Sandy, including videos on claim steps and business interruption, visit http://insight.aon.com/?elqPURLPage=3422. For an archived webinar on Post-Tropical Sandy, visit http://www.visualwebcaster.com/event.asp?id=90768.
Insights Risk Management is brought to you by Aon Risk Solutions
Learning how to deal with disaster during a crisis is probably not the right way to go. In the aftermath of Hurricane Sandy, employers are reminded of the importance of insurance, disaster planning and claim preparation.
“Always at a time like this, organizations who were not affected need to take a step back and ask themselves, ‘What if?’” says Neil Harrison, group managing director, Risk Control, Claims & Engineering, at Aon Risk Solutions. “We are spending a lot of time talking to organizations and helping them to say, ‘OK, what if it was us? Would we have been ready? Were we prepared?’”
Smart Business spoke with Harrison and Roland Laury, CFPS, senior risk consultant at Aon Risk Solutions, about some best practices business owners can use to help them ride out any disaster.
How did Hurricane Sandy affect the overall insurance industry?
An event like Sandy gives the insurance industry an opportunity to demonstrate why it exists. Too often, businesses look at insurance purely as a cost, but the industry is playing a role in business-specific and general economic recovery. From the perspective of brokers and insurance companies, they expect to be judged in terms of their performance and how they respond to clients. There is a lot of resource pressure, as the number of claims is significant, so already busy staff is suddenly taking on increased workloads. Resource scale and leverage become key, and operational efficiency is a prerequisite for success.
It’s too early for anyone to comment on the longer-term impacts of insurance pricing or coverage availability for individual businesses or industry segments. When these events happen, almost everybody has an opinion of the cost, and those opinions vary widely. The reality is nobody knows at this early stage. Property damage, business interruption and contingent business interruption all come together to create the overall cost. In addition, just because an organization is based in St. Louis or somewhere not in Sandy’s way doesn’t mean businesses didn’t have customers, suppliers or vendors who were affected. This may indirectly affect them in terms of business interruption or contingent business interruption.
What should business owners know about their insurance policy for an event like Sandy?
There are some key things that organizations should look at. The first step is making sure you’ve got the right insurance coverage — the terms, the conditions in place, definitions of perils — for this kind of event and that you understand it. Business owners need to understand limits and exclusions. They should aim to have claims preparation coverage on the property cover, meaning there’s the opportunity to engage an expert for some of the accounting work critical to quantifying and making the claim. With this coverage in place, and with a relevant expert engaged, generally speaking, a claim is better prepared and the process runs more smoothly.
Linked to that is the need to make sure that the values at risk — asset values and business interruption values — are well understood and accurate. Too often, an organization has a claim and then is found to be underinsured or overinsured. A best practice is having an external expert work with you on assessing those values during your policy renewal process. The business interruption is particularly important because it’s far more complicated to work out in post-loss panic mode. If you think about the economy since 2008, everybody has different values at risk now than they did then. Organizations may have just continued to index link their values or sums insured.
Looking beyond insurance, what can businesses do to respond well to disasters?
The organizations that have responded well are those with business continuity plans which are well defined, kept up to date, frequently tested and broad. The plans cover not just the direct issues of building damage but also employee safety and welfare issues, supplier issues, customer issues, etc. There’s no alternative to investing the time, and probably some money, in a far-reaching business continuity plan because it gives the balance sheet the best protection possible.
Insurance is an outcome in many ways of business continuity. Take a broad look at the business, plan for every eventuality, make sure everyone knows what to do when an incident happens, have restoration firms on contract so you’re first in queue when an incident happens, and have access to generators or additional alternative power.
How can a business best submit claims if it does suffer damage?
When a significant incident hits, the company has some responsibility to mitigate the damage and the cost of the loss. Much of it is common sense, but common sense is easier to apply when it’s written down and people know what they are responsible for. Make sure that:
- Everyone knows to report the loss to a broker or insurer immediately and there are clear lines of communication.
- Immediate action is taken to minimize loss.
- You keep the documents, invoices or receipts for any vendors brought in for restoration or to provide alternative power, etc. Later, this will become a part of the insurance claim.
- You take photographs of the damage. It’s surprising how many people get everything repaired and then try to make the insurance claim without proof.
- You engage an external expert, if needed. Sometimes when a business is in trouble mode, it’s all about recovery. Outside expertise allows the business leader to talk to customers and suppliers and deal with staff, while the expert handles the more tactical, and somewhat more mundane, issues.
It’s important for businesses to have continuity planning, follow best practices for insurance, consider a claim preparation clause and ensure common sense is applied when a loss occurs. Recognize that disaster response, claim response and claim preparation are specialist technical disciplines, and many organizations find that their investments in those areas have a positive return.
Neil Harrison is the group managing director, Risk Control, Claims & Engineering, at Aon Risk Solutions. Reach him at (312) 381-5660 or firstname.lastname@example.org.
Roland Laury, CFPS, is a senior risk consultant with Aon Risk Solutions. Reach him at (314) 719-5120 or email@example.com.
Insights Risk Management is brought to you by Aon Risk Solutions
Hundreds of businesses were recently destroyed or severely damaged in the Joplin, Mo., tornado, and if statistics hold true, fewer than 20 percent of those will be up and running again within three years.
If that happened to your business, would you be in the 20 percent or the 80 percent?
“Too many business owners fail to obtain business interruption coverage, or, if they do have it, are surprised in a disaster to find it is not written to properly cover their needs,” says Parker Berry, an executive vice president with SeibertKeck Insurance Agency. “If your plan is not properly designed, you may find you don’t have the coverage you assumed you did.”
Smart Business spoke with Berry about how having the right business insurance coverage can mean the difference between rebuilding and going out of business.
What is business interruption insurance?
A business interruption occurs when you have a physical loss to your location. For instance, if there is a fire at your manufacturing plant, there will be a loss of income because you are no longer able to make a product.
The insurance will pay for loss of business income, expenses such as moving to another location while the building is being rebuilt or repaired, and continuing to pay your employees until they are able to work again.
Business owners should look at it as disability insurance for the business itself.
What types of businesses need this insurance?
Most should at least have the extra expense piece of it. For example, contractors make most of their money in the field, but if they have office operations, and something happens to that physical location, they will still have those extra expenses, and some lost income.
With a manufacturer, restaurant or retail location, all revenue comes from the physical location. So there are certainly some classes of businesses that need it more than others.
How does a business determine how much coverage it needs?
There are formulas your agent can use to give you a good idea of the amount of coverage you need. Other businesses will use monthly multiples of sales.
For example, if you are a manufacturer that uses certain machines and they are destroyed, you’ll need to replace them. But there may be a six-month build-out time. You are never going to start loss adjustment from day one because you have to clean up and take inventory. Then you have to order new equipment and it’s a minimum of six months before it arrives.
Do you have a contingency plan? Is there disaster planning? How quickly can you replicate what you’re doing somewhere else? Those are all items for discussion when determining the amount of coverage.
Each business is different, and it’s an art to figure out the right number. This is why an experienced agent is critical when working through the process.
What questions should business owners ask their agent to make sure they’re getting the right coverage?
Are there coinsurance limits? Are there time limits? Is the coverage paying for a regular work force? Is it covering ordinary payroll — because if it’s not, your employees are not going to wait for you to start paying them again. Is it paying fixed bills like utilities and rent? For what length of time is the coverage?
The agent should be asking questions of the business, as well. While most businesses have some form of business income coverage, it may be poorly written because the coverage isn’t designed specifically for them, or the agent isn’t asking enough questions.
Without a true understanding of your business, the agent won’t be able to design the best coverage for your needs.
What other areas should a business consider when buying business interruption coverage?
You can have ordinance or law issues, or power interruptions. For example, an ice storm could cause a manufacturer to be out of business for weeks without power. Or if a restaurant loses water service, it’s out of business until that is restored. The building itself may not be physically damaged, but the business has sustained a business interruption loss.
There is also a form of contingent business income. Say you have a large vendor or client that is damaged by a fire. That can have an impact on your ability to do business.
Or you may have a retail business anchored by another large business that pulls in a lot of traffic. If that business is damaged and no longer operating, causing a loss of traffic and, as a result, income, you can recover that through dependent property coverage.
How can an agent work with a business to minimize the chances of a disaster and increase its odds of recovering if one does occur?
An agent can do a risk management audit, trying to find the weaknesses in coverage and where the company is weak in loss control. Risk management can help prevent bad things from happening, but if they do occur, it can help ensure you have the right coverage in place.
Business owners can do a lot to make sure that if a claim does happen, it will move quickly and in the way they want. If data are backed up offsite, they will be easier to recover than if everything is inside those four walls.
You will recover much more quickly if you truly spread your risk and have a disaster plan. If you lose your physical plant and don’t have a plan, it’s going to be a long road back.
Parker Berry is an executive vice president with SeibertKeck Insurance Agency. Reach him at firstname.lastname@example.org or (330) 867-3140.
Insights Business Insurance is brought to you by SeibertKeck Insurance Agency
Smart Business spoke with Mike Landman, CEO of Ripple IT, about how business owners can ensure their company’s IT department is using the right backups.
Every business leader I talk to is certain their company has good backups. Well, pretty sure. Kind of sure? There's tapes, so there must be a backup, right?
When pressed, most business leaders find that they don’t really know the status of their backups.
I’ll grant you, backups are boring. Like insurance, flu shots and TPS reports. But once you’ve seen the face of someone that has lost their company data — or even thought they lost their data — the boredom ends quickly.
As a leader, you want to trust your IT guy, or your IT department, or your brother-in-law that handles your IT. They know technology, and this is their role. But there is a difference between delegation and abdication. And with backup, I think a leader needs to know what’s up.
Here’s a few things you should know to keep on top of data protection:
Backups fail. Every backup software can and does fail. More often than you might think. There are three things you can do about it:
1. At Ripple we decided that no single backup software is good enough to shoulder the responsibility for client backups. So we use two completely different software vendors and technologies for backup. The downside is, of course, that it costs more to implement and to manage. The upside is a nice reduction in risk of data loss from a failure or a software bug.
2. Get looped-in. Have a chat with IT, and get a report every day (just like they do) of the status of backup. If everything is OK, you have spent 30 seconds over coffee getting reassurance that your company is safe. If not, you can help out with some positive support.
3. Set the tone. Troubleshooting backup failures is difficult and time-consuming, and it often happens without management even knowing there was a failure, because IT is nervous to tell leadership. So they work on it silently. But now that you are looped-in, you can help. Let them know that you know software fails sometimes, and that it’s a top priority to you that they have the time to get it fixed. Then let the rest of the company know that regular support will be a little slower while IT works on an issue that’s important to the company’s security. Those words mean a lot more when they come from leadership rather than from IT, and you will buy your IT team time to fix the problem, rather than shelving it because of daily IT fires.
If your backup is not offsite, you are not safe. The kinds of events that require restoration from offsite are certainly more rare, but they are company killers if there’s no offsite backup. A fire, the cleaning crew sets off the sprinkler, natural disasters — they happen. This is what backup is for. The same day you ask IT to add you to the daily backup report, ask them how the company handles offsite backups. You might be surprised at the answer.
Some of your most valuable data is not on the server. The mantra of IT for as long as I can remember has been “if it’s not on the server, it’s not backed up.” While this has some measure of CYA for IT, it’s not a viable strategy. It makes your end-users (particularly your mobile ones) responsible for backups, and if you’re honest with yourself, you have probably had an important file (or 50) nowhere but your laptop. And if you’ve done it, you can bet every laptop user you have has done it too. Yes, there is an expense to backing up all of your laptops, but it’s nothing like the expense of watching your highest paid employees scramble to recreate a presentation after having their laptop die. Unless you enjoy saying “I told you so” more than you enjoy having crisp, timely presentations from your road warriors — back up your laptops.
Backup is important enough for leadership to pay attention to. Just like you don’t have to be an accountant to keep an eye on your company’s cash, you don’t have to be an IT guy to keep an eye on your data.
Mike Landman is the founder and CEO of Ripple IT, an IT company that makes IT run smoothly for companies with less than 100 employees.
Disasters, both manmade and natural, can strike at any time, at any place. And if you’re not prepared, your business might be forced to close — which, even if only temporarily, could lead to devastating consequences.
Ravi Sundara, partner and firm manager at The Stolar Partnership, says that a comprehensive disaster recovery and business continuity plan is key to ensuring a business’ survival in the wake of a catastrophe.
“With proper planning and preparation, a business can place itself in a better position to ensure that it will continue, even in the face of disaster, which is important to a business’s customers, employees, management, owners, business partners and markets,” says Sundara.
Smart Business spoke with Sundara about how to be proactive, the legal issues that may arise if you are unprepared and the importance of having off-site backup.
How can preparing for the worst-case scenario help a business re-emerge from a catastrophe?
Proactive planning and preparation are extremely important in helping to ensure business continuity when disasters or other major business interruptions occur. Everyone is familiar with fire, tornado and other disaster drills. The reason we go through those drills is so that we know in advance how to respond, rather than trying to figure it out on the fly in the middle of a disaster. A disaster recovery and business continuity plan serves the same purpose for the business.
What steps can business owners take to prepare for disaster?
It is important to have insurance coverage for loss of property, liability and business interruption. Also, you should have contracts and alternatives in place to deal with disasters that might happen elsewhere that can affect your supply chain. Take, for example, the recent tornado in Joplin, or the earthquake and tsunami in Japan. Your business may be dependent on other businesses to supply it.
Make sure you have alternative vendor arrangements, or have at least identified where you would turn if a current supplier is unable to deliver shipments. For disasters that directly affect the business, options should be in place for temporary office or plant locations, as well as alternative communication methods. If the phone systems go down or there is no cell phone coverage, how will you communicate? This is important not only for internal communications but external, as well.
What types of legal issues commonly surface for businesses that have been affected by a disaster?
There are a number of legal issues, including contractual issues, regulatory compliance and negligence claims. Contractual issues involve fulfilling obligations to customers in the aftermath of a disaster. If a business is unable to fulfill its goods or services obligations, does it have contracts that require it to come through regardless of the circumstances? If so, it could be in breach of its contract.
If there is a force majeure clause — commonly thought of as an Act of God clause, but broader — the business may be let out of the contract or given an extended period to perform. Even if there is a force majeure clause, however, the business might still be responsible for performing if it could have reasonably planned for foreseeable, yet uncontrollable, circumstances, such as a power outage.
Negligence is a failure to act as a reasonably prudent person would under similar circumstances. Failure to plan for reasonably foreseeable disasters could allow customers, employees or others to bring legal claims asserting negligence based upon the failure to undertake reasonable planning for disasters.
In addition, directors of a corporation have a fiduciary duty of care owed to the corporation, and the failure to undertake reasonable business continuity planning to address foreseeable disasters could be a breach of that duty for which the director may be held liable.
How important is it to back up computer data frequently and keep a backup tape off site?
It depends upon the nature of the business and the type of data that is being stored. In other words, how much data could the business stand to lose and still be able to function? It could be a day for some businesses, and it could be an hour or even just minutes for others.
Off-site backup is very important because if a disaster strikes and disrupts your main systems, and if the backup is located in the same location, the backup could very well be destroyed, as well. This is why many businesses that have good disaster recovery and business continuity plans often use data centers located in other regions of the country for their off-site backup needs.
How do disaster recovery plans and business continuity plans differ?
Disaster recovery — involving data, information and documents — is really one piece of a broader business continuity plan. A business continuity plan includes those essential functions that a business needs to perform in order to continue operating. It covers identifying items such as employees’ roles and responsibilities, systems and data recovery, temporary locations, alternative communications, alternative modes of transportation and funds management. Some companies, such as financial institutions, may be legally required to have both a disaster recovery and a business continuity plan.
How often should a disaster preparedness plan be reviewed?
At least once a year. Contracts change, needs change and technology changes. The last thing you want is to have a disaster occur and when you pull out your data recovery/business continuity plan, you find that most of the items are no longer relevant, making the plan useless when you need it the most. Finally, it should be tested periodically, even if that simply means walking through it with your top management and staff.
Ravi Sundara is partner and firm manager for The Stolar Partnership. Reach him at (314) 641-5143 or email@example.com.
The catastrophes in Japan have caused many companies to take a hard look at the terms and conditions of the coverages they have in place.
Many policies exclude earthquake, flood and nuclear damage from coverage, says Shane Moran, vice president of ECBM Insurance Brokers and Consultants. However, there are other factors that make a company susceptible to contingent losses.
“It’s really a matter of evaluating your business model and identifying whether you are dependent upon a small number of vendors or suppliers to produce your product or service,” Moran says. “If so, you definitely have an exposure.”
Smart Business spoke with Moran about how to prepare your business for unexpected events.
How will the tsunami and earthquake in Japan change the way companies consider their coverage?
The tragedy will force companies to take a hard look at their business model, the key relationships they have and their risk management program in general.
Contingent business income is a property form, so you could expect to see earthquake, flood and nuclear exclusions on many forms. If you are a larger company with that type of exposure, you would want to negotiate with the carrier to write the coverage for your exposure. So you may be able to get an insurance carrier to provide some type of coverage for losses from an earthquake or flood, but probably not for a nuclear event.
The second area that companies are looking to reassess is the limits of coverage that they have chosen on their business income coverage. The magnitude of that destruction was so large that it will take a lot of those manufacturers a lot of time to get back up and running. That will force the buyers of those products to go elsewhere to find companies that can meet their needs, and that process is time consuming. Can a replacement meet quantity and quality expectations? You are not going to be able to pick up the phone, call a company down the street and immediately process an order for 10,000 widgets.
If you have a piece of equipment that takes nine months to build and you have one component you can’t get, the ripple effect can cause problems for your business for a long time.
How do unforeseen events affect losses for small and larger companies?
Whether you are a small or large company, you still need a well-thought-out contingency plan. It’s essential for any business to survive an unforeseen event.
If your business relies on a small number of key component suppliers, or depends on only a few customers, or if you only use one or two vendors for your product — then you have a very large business-contingent income exposure. That is going to apply whether you are a small, family-run company or a large, international organization. For example, take the iPad 2 launch. Because so many of that product’s key components are made in Japan, shortages have created delays, which have cost that company because it can’t get its product into people’s hands.
Events like the disaster in Japan give us the opportunity to evaluate how our own contingency plans would respond and look at it from a fresh perspective. The key is to develop a plan that can be implemented whether you are a small or large company.
How do you begin to develop a well-thought-out contingency plan?
First, identify those key relationships with suppliers, vendors and manufacturers. Are you dependent upon just one or two of those to make your product?
Second, develop a plan that you would implement in the event that one of those companies shut down. How does that affect your business? What type of monetary loss would you suffer? Can you find a secondary vendor to replace that one? In that scenario, large companies do have an advantage because they are able to spread their risk over a larger spectrum than a smaller company can.
Then, the plan needs to be constantly monitored. As the business environment you are operating in changes, your contingency plan constantly needs to be evaluated and updated. You need to review it annually, at a minimum.
If you are getting raw components from a country and the political climate there changes, you immediately need to evaluate how that will affect your business model. You need to be able to potentially outsource that stream of income to another, stable environment.
What else can businesses do to protect themselves from contingent losses?
You need to evaluate your company to see if you have that exposure. If you have identified that you have a problem, transfer that risk to an insurance carrier by purchasing coverage.
If a company’s spread of risk is small and it is not dependent on one particular supplier, and could easily move its business to another firm, it doesn’t have the same level of exposure as a company that gets a key component from only one company.
How can companies limit that exposure to contingent losses?
First, find another supplier. If you can’t, then you need to transfer that risk through purchasing insurance coverage.
Then, it becomes important to look at the terms and conditions of the policies. You may need to manuscript the coverage to fit your needs.
Finally, identify the limit of coverage you need. Make a business decision based on the cost of that coverage, whether you insure it or self-insure it.
Shane Moran is a vice president at ECBM Insurance Brokers and Consultants. Reach him at (610) 668-7100, ext. 1237, or firstname.lastname@example.org.