Business Impact Analysis: Vulnerabilities, Loss Potential and Mitigation

Donald L. Schmidt spoke at RIMS2019, the Risk & Insurance Management Society's annual conference, on the value of the business impact analysis (BIA) to risk management. He explained how the BIA identifies vulnerabilities and opportunities for risk mitigation. He also addressed how the BIA provides a methodology for quantifying business interruption and prioritizing the recovery of business operations.  View the presentation.

Read Preparedness, LLC's bulletin on Business Impact Analysis for an in-depth look at this important process and how it can prepare your organization.   

NFPA 1600 2019 Edition Webinar

NFPA has published the 2019 edition of NFPA 1600, “Standard on Continuity, Emergency, and Crisis Management.” In this webinar Don Schmidt, past chair of the committee, reviewed the new and revised content in the 8th edition of this important international standard. Access this webinar to learn how you can use this tool to improve your organization’s resilience. http://bit.ly/2Xenljr

Download Preparedness, LLC’s Self-Assessment Checklist (insert picture) based on NFPA 1600 “Standard on Continuity, Emergency, and Crisis Management” 2019 Edition.  Containing over 200 questions, this is an important tool to help your organization evaluate its preparedness program.  http://bit.ly/2ufM3B4

CFOs May Be Held Accountable for Climate Change Catastrophes that Affect a Company's Bottom Line

FM Global’s, Report Master the Disaster Report: Why CFOs Must Initiate Natural Catastrophe Preparedness in 2019 and Beyond^[1] makes the compelling case for CFOs to explore the broader financial consequences of natural disasters, and to allocate capital towards loss prevention and business interruption.

Insurance policies are implemented as they are thought to absorb most property damage and business disruption losses, however, they do not cover all economic risk.  Market share, reputation, cash-flow and even potential growth opportunities may be adversely affected by a prolonged disruption, resulting in economic hardship for an organization. 

While companies may take the gamble that unpredictable events are not likely to occur in this earning year, this is taking short-term view of profits over long-term viability.  Devastating results can be the consequence, even with a moderate natural disaster.  FM Global’s CFO Kevin Ingram says that “The buck stops with the CFO.”  If a company is unprepared for a natural disaster, wide-ranging stakeholders including institutional investors, shareholders, Wall Street analysts, consumers and regulatory agencies will be privy to this information.

FM Global reviewed 10-K filings of nearly 100 public companies that experienced damage and disruption in 2017 from Hurricanes Harvey, Irma or Maria.  Findings saw losses ranging from a few million to hundreds of millions of dollars.^[2]  The U.S. Securities and Exchange Commission has clarified their position on climate change risks, instructing companies to treat these material risks from climate change like any other business risk.  This position will likely place CFOs facing hard questions if losses are incurred and no plans have been put in place to deal with these natural disasters.

Risk managers, who typically have an inward-looking role in their organizations, are charged with planning for risks that already exist.  While this can improve vulnerability for a company, a more global view is typically needed.  The CFO, with their C-Suite vantage point and outward-looking focus, has the ability to completely eliminate some of these risks.  For example, the risk manager may allocate money to fortify a critical plant against flood exposure, whereas the CFO has the influence to change the landscape entirely by moving the plant from a flood plain to higher ground, eliminating the flooding risk completely.

The bottom line is CFO’s will be on the hot-seat if a natural disaster has negative impacts on the company’s profitability and survivability.  Natural disasters have the potential to impact global supply chain, impact cash flow, and severely impact customer relationships.

For the complete picture, read FM Global’s Master the Disaster:  Why CFOs must initiate natural catastrophe preparedness in 2019 and beyond.  Click Here

---

[1] FM Global. Master the Disaster: Why CFOs must initiate natural catastrophe preparedness in 2019 and beyond.  W00644_18 © 2019 FM Global (01/2019)

[2] Ibid

NFPA 1600 2019 Edition Published

The 2019 edition of NFPA 1600 “Standard on Continuity, Emergency, and Crisis Management” has been published by the National Fire Protection Association. This international standard is the most mature standard of its kind in the world. Originally published in 1995, the 2019 edition is the 7^th edition. It addresses the inter-connected elements of a preparedness program including program management, risk assessment, business impact analysis, prevention/mitigation, emergency management, business continuity, crisis management, and crisis communications.

First off, the title has changed to emphasize “crisis” management content that has been introduced over the past three editions. A crisis is defined as “an issue, event, or series of events with potential for strategic implications” including impacts on brand, image, reputation, and more. A new section “crisis management” has been added to chapter 6, Implementation. This section defines a “crisis management capability,” with senior leadership involvement, signals detection, identification of issues, strategy development, and more.

Another notable change is the addition of a new chapter 7 titled “Execution.” It defines what should be obvious but is often overlooked, that is, how a program should be executed. Incident recognition, reporting and notification, activation and planning, incident management, documentation, and resource management are included in the new chapter. The chapter extracts the important elements of alerting, notification, and warning with activation of an incident management system.

The annexes, which are a treasure trove of valuable information, continue to expand. Annex J, “Social Media in Emergency Management” has been added. When an incident occurs, social media is alive before emergency, continuity, and crisis management responders are fully engaged. Therefore, integrating social media into all program activities—preparedness for a forecast event to communicating with stakeholders regarding continuity and recovery information after—is a must.

Other new annexes include Annex K Emergency Communications: Public Alerts and Warnings in Disaster Response and Annex L Emergency Management, Continuity, and Crisis Management Data Interoperability.

NFPA 1600 can be downloaded for free from the NFPA website http://bit.ly/2AOTiFF

Check out a historical review of NFPA 1600 on the Preparedness, LLC website. http://bit.ly/2UcLzt9. Be sure to download the 2019 edition of Preparedness, LLC’s program self-assessment checklist, which is based on NFPA 1600. http://bit.ly/2uUz7ma

Happy New Year

The New Year, A Time of Reflection and Anticipation

The early Roman calendar was created in the 8th century B.C. by Romulus, founder of Rome, consisting of 10 months and 304 days. Each New Year began at the vernal equinox as was tradition.  Later, King Numa Pomlpilius added the months of Januarius and Februarious. Over the years the calendar fell out of synch with the sun. In 46 BC, emperor Julius Caesar consulted with prominent astronomers and mathematicians to solve this problem. The Julian calendar, which closely resembles the more modern Gregorian calendar used today, was introduced. Caesar instituted January 1st as the start of the New Year, honoring the month's namesake: Janus, the Roman God of beginnings and endings. The fitting significance of Janus' two faces allowed him to look back into the past and forward into the future.

_________________________________________

Looking back, here are events that occurred in 2018 causing widespread and significant impact: Hurricanes Florence and Michael Over-pressurized gas lines in Massachusetts that caused explosions, more than 60 fires, and months-long service interruption to 8,000 customers including many businesses Data breaches of Facebook, Marriott/Starwood, and many others Historic wildland fires in California Reputations tarnished by product liability suits (Bayer/Monsanto) and privacy concerns (Facebook and others) Geopolitical events including trade wars affecting the global supply chain and disinformation campaigns inciting the public discourse

Events thought to be "unexpected" are now clearly foreseeable. Preparing for events that threaten life, property (real, digital, and intellectual), business operations, reputations, and relationships with stakeholders is a New Year's resolution for every organization. We continue to monitor events as they unfold and work towards building better international standards and practices for preparedness and resilience.  Our goal has always been to help others understand the hazard, operational, and reputational risks that surround them and to implement plans and strategies. We wish you all the best in 2019.

Tips to Enhance Survival During an Active Shooter Incident

"Active Shooter" actor from a full-scale exercise
(photo by Preparedness, LLC)

Lieutenant Colonel (ret.) Mike Wood’s article “What cops need to tell their families about active shooters,” (PoliceOne.com) should be read by everyone venturing out into public.

• Maintain situational awareness
• Know where the exits are
• Get off the floor.
• Don’t volunteer to be deaf and blind
• Limit alcohol consumption in public
• Have a plan
• Be careful with your communication devices
• Know how to act when the police arrive
• Learn first aid basics.
• Be prepared

Personal preparedness is essential. When a hostile event unfolds, no one is going to direct you to exits, concealment, or cover. It’s up to you.

Organizations have a lot of work to do, too. Human resource practices, effective physical and operational security, threat detection, warning and communication systems, and many more elements of a preparedness program should be implemented. Read the Preparedness Bulletin “Acts of Violence” for detailed guidance.

Resilience

November is National Critical Infrastructure Security and Resilience Month. Critical infrastructure is the physical and cyber systems and assets that are so vital that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety.

There are 16 critical infrastructure sectors including commercial facilities, manufacturing, financial services, food and agriculture, healthcare, information technology, transportation, communications, energy, emergency services, and more. Every organization depends on critical infrastructure and many are a part of, or support, the critical infrastructure sectors.

What is resilience?

You hear the word resilience more and more—often after a major disaster or utility outage. Merriam-Webster defines resilience as the “ability to recover from or adjust easily to misfortune or change.” Resilience is not a finish line, rather it is a continuous process that engages safety, security, human resources, operations, engineering, supply chain, IT, risk management, and others. It begins with identifying assets that are critical to the success of the organization—people, operations, facilities, supporting infrastructure and technologies, machinery and equipment, supply chain, and more. Resilience should also encompass reputation and relationships with stakeholders.

Resilience is a continuous process to gain and maintain a current understanding of:

• threats, hazards, and perils that could impact life and physical, digital, intellectual, operational, and reputational assets
• operational criticalities (production or service delivery priorities),
• vulnerabilities of assets and resources (weaknesses) that would make them more susceptible to damage or loss, and
• potential impacts to life, property, operations, the environment, and the organization’s reputation and relationships with stakeholders.

Resilience also includes the development of strategies to manage risk and capabilities to promptly respond to and recover from whatever has happened.

What does it take to achieve resilience?

Since the risk environment is not static, continuous gathering of information and the development of actionable intelligence about credible threats, foreseeable hazards, and potential impacts to critical assets is essential. THIRA (threat and hazard identification and risk assessment) and BIA (business impact analysis) are the processes that engage internal and external experts to identify hazards, their probabilities of occurrence, and assets at risk; to evaluate the adequacy of prevention and mitigation capabilities; and to develop strategies for risk management.

Strategies for loss prevention, deterrence, and hazard mitigation should begin even before a building is built. By selecting a geographic site that has limited exposure to natural hazards and crime and one with reliable infrastructure and public safety services, the need and costs for building design, construction, redundant utilities, and on-site response capabilities may be reduced. Design and construction that is compliant with building codes and standards and industry best practices also can enhance resiliency. Periodic inspection, testing, and maintenance of protection systems and equipment are essential to ensure reliability.

Ongoing programs to manage risk are essential. Internal professionals including human resources manage employee risks through pre-employment screening, onboarding processes, threat assessment, critical employee backups, training, employee communications, and wellness programs.

Environmental, health and safety (EH&S) professionals partnering with human resources, operations, engineering, and others play an instrumental role with job hazard analysis, process safety, fire prevention, accident prevention, and environmental protection.

Security professionals and facilities management staff implement CPTED (crime prevention through environmental design) practices, surveillance and detection technologies, and operational security practices to deter, detect, and respond to potential threats. Communication and coordination with law enforcement is needed to promptly learn about developing threats and to increase security commensurate with the threat level.

EH&S professionals along with security, facilities, human resources and other staff must work together to develop and implement emergency response capabilities to safeguard employees, protect facilities, and prevent environmental contamination from the threats and hazard identified during the risk assessment.

Information Technology must manage the technology environment balancing access, efficiency, reliability, information security, and costs. Connectivity between internet service providers, worksites, networks, servers, and users must be reliable and have sufficient bandwidth to meet business needs. Digital information must be protected and promptly recoverable along with user applications to minimize production and service delays and unacceptable customer impacts. Information security laws require compliance. Conformity to standards and best practices for the protection of data centers and supporting infrastructure reduces exposure to loss and interruption. IT disaster recovery plans must be developed and tested to validate the ability to meet recovery time objectives.

Production managers and engineers must identify vulnerabilities in production methods, machinery and equipment, supporting infrastructure and technologies and develop strategies to overcome loss scenarios. Supply chain managers must continually assess the ability of suppliers to meet demand and logistics capabilities to deliver supplies where and when needed. Strategies for loss or damage to equipment, unavailability of essential personnel, and supply chain interruption must be developed.

Operations personnel working together with managers, supervisors, and others within the organization that possess the institutional knowledge of operations and resources must work together to complete the business impact analysis and develop business continuity strategies and documented plans for use when critical processes are interrupted or required resources are unavailable.

Role of Leadership

Resilience is elusive because of the broad spectrum of hazard, operational, financial, and strategic risks. It can be fleeting because of the short duration of institutional memory and human nature that “it can’t happen to us” or “it will never happen again.” A concerted, ongoing effort is required to understand and manage risk. Ultimately, senior management must embrace resilience as a core value of the organization and strive to embed risk management within its culture.

Reaching a threshold of “resilience” means that the organization has a clear understanding of risk and has implemented controls to manage operational, financial, and reputational risk to an acceptable level. Compliance with laws and regulations is the minimum. Meeting customer requirements is essential. Protecting the business, its employees and facilities by implementing and maintaining a mature preparedness program is no longer a luxury. There is no finish line.