Disaster Planning & Recovery: SHRM Resources Shelly Trent, SPHR; SHRM Field Services Director
2012 Disaster News Millions without power in India Wildfires in Colorado Springs Mass shootings in movie theater Drought in the midwest Ebola and whooping cough outbreaks Hailstorms in Kentucky Lightning strikes Record heat and humidity Tornadoes in Henryville IN and West Liberty KY (among others) Cruise ship accidents Dust storms in AZ Derecho wind storms causing damage and power outage
Percentage of organizations with a formal disaster preparedness plan (i.e., a plan for what to do in case of an emergency or disaster) Large organizations with over 2,500 employees are much more likely to have a plan in place 2011 (n = 306) 2005 76% 85% (n = 268) Data is from an 8/31/11 SHRM research poll. 2002 (n = 6,855) 2001 (n = 5,460) 53% 54% Note: Respondents who answered not sure were excluded from the 2011 analysis. 3
Overall, how prepared is your organization for any potential threats or disasters (e.g., terrorist attack, natural disasters, epidemics, workplace violence)? To a great extent 10% 8% 10% 33% To a moderate extent 31% 31% 40% 55% 2011 (n = 306) 2005 (n = 268) Large organizations with over 2,500 employees are much more likely to be prepared To a small extent To no extent 1% 5% 22% 27% 25% 36% 34% 33% 2002 (n = 6,855) 2001 (n = 5,460) Note: 2005 and 2001 data do not equal 100% because of rounding. 4
What security provisions has your organization implemented or revised specifically as a result of the Sept. 11 attacks? Offering and requiring more training about crisis/disaster management 48% Developing a business continuity plan 47% Developing communication plans for emergency situations 42% Installing and/or upgrading video cameras or closed-circuit television surveillance equipment Monitoring e-mails and Internet use 33% Developing backup data storage and/or backup facilities in order to restore the original data in an event of loss Installing high-tech identification equipment such as badge scanners 30% Requiring all visitors to wear identification badges 26% Adding cyber locks (electronic padlocks) that allow security personnel to track who enters and leaves each building Requiring all employees to wear an identification badge 18% 37% 30% 25% Note: n = 227. Total does not equal 100% because of multiple responses. 5
Planning for Disasters What are the threats to consider? > Fires/arson/escape from high-rise > Floods (water, waste, mold abatement) > Earthquakes > Volcanoes/ash clouds > Tornadoes > Hurricanes > Lightning strikes > Tsunamis > Terrorism/bomb threats > Shootings/violence > Explosions/gas leaks/oil spills Have you considered ALL of these in your plan? > Computer hacking/cyber crime/loss of data or equipment > Biological/chemical agents (anthrax, airborne pathogens, radiation) > Long-term power or phone outage/loss of water or gas/gas or oil shortages
Planning for Disasters What are the threats to consider? > Loss of trade abilities or import/export after disaster in another country/business interruptions > Snowstorms and extreme temperatures (hot or cold) > Drought > Landslides/avalanches > Epidemics/mass illness/contagious disease > Theft of equipment or money/embezzlement/fraud > Strikes/labor disputes > Employee deaths/on-the-job fatalities/mass layoffs > Emotional after-effects on employees after a disaster > Plane crash or car accident with several employees involved > Drugs/alcohol at work > Train derailments > Plane crashes Have you considered ALL of these in your plan?
Do a thorough risk assessment Have a consultant visit your organization to do a complete risk evaluation > Have you thought of every possible risk? > Is your data safe? > Is your facility meeting safety requirements? > Consider every risk, and be sure to have a plan for each one how will the organization survive and sustain itself in any situation? > Be sure you have insurance for each possibility, even if that doesn t happen around here > Remember that the creation of a plan will take time, but make it thorough and easy to follow
Creating the Plan No need to start from scratch numerous online resources/templates Make the plan specific to YOUR organization and location Establish a planning committee: Be sure to include staff members from every department in your planning (communications/pr, IT, finance, safety, operations, HR, etc.) Plan for every possibility, no matter how rare Also think about prevention what can you do before a disaster to ensure that data, people, and systems will continue or to minimize disruption? Be sure that senior leaders support the plan Provide every employee with a copy and train them on it Develop a formal process for employees when to do what, where to go, whom to contact, etc. Clearly outline the back-up/contingency plan so everyone knows what will happen after the disaster
Creating the Plan Have a main point of contact for the plan Make sure there are redundancies in the crisis management team so if someone is injured or away when disaster strikes, there's a backup. The main contact ensures that emergency drills are practiced, employees are trained to respond to disasters, and phone lists are up-to-date and printed out. Have counselors under contract on an as-needed basis. Consider having another facility where you could set up offices. Be sure those offices are stocked with business supplies/equipment and land-line, non-electric phones. Have a plan to account for every employee using various methods (call trees, company website, social media). Consider automatic voice messages that can go to all employees cell or home phones.
Creating the Plan Plan for the worst case scenario: destruction of your facility Be sure to outline what happens before, during, and after the disaster Have information in numerous places that employees can access (not only the Intranet, but posted on walls, in the handbook, etc.) Write the plan in simple language Geoffrey Wold, an author of disaster recovery books, states: > A disaster plan is similar to liability insurance: it provides a certain level of comfort in knowing that if a major catastrophe occurs, it will not result in financial disaster. Insurance alone is not adequate because it may not compensate for the incalculable loss of business during the interruption or the business that never returns.
Creating the Plan Geoffrey Wold also provides a checklist of reasons to develop a comprehensive disaster recovery plan: > Minimizing potential economic loss > Decreasing potential exposures > Reducing the probability of occurrence > Reducing disruptions to operations > Ensuring organizational stability > Providing an orderly recovery > Minimizing insurance premiums > Reducing reliance on certain key individuals > Protecting the assets of the organization > Ensuring the safety of personnel and customers > Minimizing decision-making during a disastrous event > Minimizing legal liability
Creating the Plan Keep lists of employees, customers, vendors, products, supplies, insurance policies, compensation data/payroll, benefits, inventory registers, tax records/receipts, etc., backed up in a location other than the office Federal and State requirements for records retention must be analyzed; have your legal counsel approve your retention schedule.
Creating the Plan Government Resources > Disaster Assistance.gov Details the kinds of assistance available and reduces the number of forms to file to receive assistance. > State Offices and Agencies of Emergency Management Direct contact information for emergency management offices in your state. > Tax Relief in Disaster Situations--IRS.gov The latest information on which localities can apply for tax relief following a disaster in their area. > Redcross.org Has a safe and well list where employees can let family, supervisors and co-workers know where they are. Also provides info on Personal Workplace Disaster Supplies Kit.
Creating the Plan Government Resources > Ready.gov Resources to help businesses create continuity plans, prepare for the unknown, communicate with employees and more, including: Why Business Should Have a Plan How to Talk to Your Insurance Agent Sample Business Continuity and Disaster Preparedness Plan
Post-disaster recovery In your planning, consider what type of back-up, recovery, and preventive strategies would be appropriate for each disaster in these areas: > IT systems/data > Facilities and equipment > Customer service > Administration and operations > Information and documentation > Confidential data/information > Insurance coverage > Personnel > Payroll
Contingency Planning and Audits Once you have created your plan, be sure to do an audit every year or two > Have new possible disasters come to light? > Any lessons learned? > Have you compared your plan to the DHS standards (add link)? > Have you performed practice drills with employees for each type of emergency? > Have you included employees with disabilities in your plan? Quote from SHRM article on performing disaster exercises and ongoing audits of the plan: Crisis plan exercises can help identify gaps, overlaps and interdependencies and help players and teams get more familiar with their responsibilities. They also can help validate and improve plans and increase management commitment, as well as help you meet organizational or regulatory requirements.
Testing Your Plan Charlie McDonald, president of Crisis Management International, Inc., in Atlanta says: > A good exercise should test five response components: activation and notification; information management and communication; resource deployment (including people, facilities and equipment); command and control of supporting teams; and incident documentation for legal and insurance claims. Test your plan at least annually with all factors Make changes to the plan based on the outcomes of the test: > Did things go smoothly? > Did anyone think of another contingency? > Did any part of the plan fail? > Did everyone perform the role they were supposed to? > Was the data backed up?
Employee Resources Media training First aid and CPR training Employee education about disasters List of resources (Red Cross, shelters, transportation, food banks, etc.) Critical phone numbers List of essential employees Resources for HR....
HR Disciplines > Safety/Security > Business Continuity
HR Disciplines > Safety/Security > Communicable Diseases
HR Disciplines > Safety/Security > Communication
HR Disciplines > Safety/Security > Data Security
HR Disciplines > Safety/Security > Disaster Prep
HR Disciplines > Safety/Security > Emergency Response
HR Disciplines > Safety/Security > Environmental
HR Disciplines > Safety/Security > Risk Mgmt
HR Disciplines > Safety/Security > Disaster News Archive
HR Disciplines > Safety/Security > Terrorism
HR Disciplines > Safety/Security > Violence
Templates & Tools > Samples > Policies > Safety/Security
Templates & Tools > Express Requests
SHRM e-learning
DISCUSSION & QUESTIONS Does your company have a disaster plan? How has your company prepared? Who manages the plan and process? Based on this program, what issues do you need to consider?