The speaker, Roberto Zegarra, was all facts. His approach was very sound, very bottom-line and very insightful. He had consulted to a business that survived the 9/11 World Trade Center attacks; only 50% of the companies did so. He consulted with companies that survived the last three major hurricanes. In 60 minutes he covered an incredible amount of ground.
First—ask yourself—is your business prepared to survive for the avian influenza pandemic if it should hit your marketplace? Is your business prepared for a terrorist attack? Is your business prepared for a natural disaster—hurricane, snow induced roof collapse—earthquake? Are you prepared for internal mischief that could have a major disruptive effect on your business? You get the picture. There is much we can not control. Preparation for events that occur without warning, but are identifiable risks, can make the difference between survival and closing shop.
Zegarra, managing director for Telefonica, listed lessons to be learned from forty companies that survived the World Trade Center attacks. This list was presented based on the results of a meeting where these companies got together and mulled through what it took to recover:
A strong organizational commitment to "business continuity management"
A well-defined risk management organization
Clearly defined incident/emergency management response
Business continuity management not just disaster recovery
Alternate locations located at a safe distance
Well established procedures for electronic storage of vital records
A robust technical and operational recovery strategy
Frequent and extensive testing of their business continuity management plans
A strong maintenance process that kept their plans current
Consideration of vendor impact and human impact
Zegarra, a certified instructor with the Disaster Recovery Institute International, also enumerated characteristics of organizations that were able to regain their footing after a natural disaster. He noted the recent hurricane encounters underscored the indispensability of good leadership, advanced preparation, communication, qualified people that have been prepared to do what is needed and a plan to preserve information that is irreplaceable.
Using the phrase "Business Continuity Planning," Zegarra explained that this defining process takes into account disaster recovery, which is the IT portion of the plan, as well as the overall identification and protection of core business processes required to maintain an acceptable level of operation. Key components included an examination of the supply chain, the company's financials, IT, human issues-roles-requirements, and operations. The essence of Zegarra's argument challenged organizations to plan for the recovery of the key business critical processes and functions that would ensure basic business survival if a major event were to occur.
Leadership was discussed noting that public judgement regarding how a company reacts to a crisis can have a profound effect on its survival. Displaying calm, control, forethought will elicit both internal and public trust during an "event." It was noted that impactful human elements required thoughtful consideration within a plan such as succession planning, knowledge transfer, as well as communication strategies when phone lines, cell phones or Internet services were inaccessible.
Stating "you must plan for frequent and high impact threats and these plans must be specific to the threat, site, building, operations and people," Zegarra suggested that a good starting point for an organization to initiate the development of a business continuity plan was a discussion that identified and assessed possible risks. Ask: what could put you out of business?
He noted the importance of setting the criteria for what constitutes a disaster. Within his comments Zegarra spoke to determining the scope vis-ÃƒÂ -vis threat be it strategic, operational, technological, man made, natural, or financial. He suggested putting together a vulnerability matrix that score cards the various identified risks against probability of occurrence. This assessment also took into account impact i.e. severity of consequences on the organization's people, assets, operations, and environment and then lead to the development of a hazard index. He noted that using this technique an organization could expect to achieve greater clarity in order to prioritize its risk management plan development and its critical business processes risk.
"You must plan for frequent and high impact threats."
Using charts and tables, seminar participants were presented with examples of how to map out recovery management teams. Zegarra stated the importance of each team's role in developing its own plan. Noted in this discussion was the requirement to integrate the business continuity plan within the organization's culture. Zegarra emphasized that everyone should know his or her role, what was expected. Planning, preparation, procedures, and practice were all specified as important elements to smooth execution when needed. Zegarra underscored the importance of maintaining, testing and updating the plan.
Zegarra did not limit his comments to internal players. He noted the importance of assessing customers, supply chain requirements and the ability of vendors to respond to critical events. Knowledge of what and who had the potential to have the greatest impact on one's business recovery was noted as vital to one's strategy.
Zegarra's comments stimulated a great deal of thought on a topic that everyone "knows" should be addressed, but for the most part remains on the backburner. Taking all of the above into consideration it was emphasized that piecemeal attempts at planning and static plans were not what it took to survive. Uncontrollable events happen. Zegarra presented an eye-opening commentary to jumpstart your organization's planning in insuring its own survival.