Disaster management/business continuity – Keep calm and carry on07 August 2012
More enlightened organisations are encouraging their safety professionals to get involved in business-continuity decisions and disaster planning. Given their close relationship with health and safety, these are responsibilities that practitioners should give serious consideration to taking on, says Richard Byrne.
You often hear health and safety professionals joking that they are disaster-recovery experts because that’s all they seem to do: sort out other people’s mess! But it’s not a joking matter for many business leaders, whose priority is to keep their operations going, whatever the situation.
Traditionally, safety professionals haven’t got heavily involved in disaster recovery and business continuity. Given everyone’s reliance on computers, the Internet, and the fear that things will grind to a halt without such connectivity, these matters usually fall within the IT department’s remit. While not dismissing the huge importance of computers and associated systems, disaster-recovery and business-continuity issues go far deeper – a large element of which is related to safety.
Every safety professional should be capable of developing an emergency evacuation plan to get people out of a building, or site and to a safe place in the event of an alarm sounding. Disaster recovery uses the same thought processes involved in fire evacuation and takes things a few steps further.
Before we go any further, let’s first be clear about the key terms we are talking about and the interaction between them.
A disaster is an incident that causes severe distress or disruption, and is generally split into two categories: natural disasters, such as an earthquake or floods, and man-made disasters, such as fire or power loss. Disaster recovery is all about putting measures in place to deal with the immediate aftermath of the incident, so that the impact on the organisation and its people is minimised.
Business continuity is about taking steps to ensure that an organisation’s key functions can continue to operate on a day-to-day basis should disaster strike. It’s possible, however, to have a disaster without it being a business-continuity issue. For example, consider a food retailer that has a number of stores serviced by four regional distribution centres. A fire at a store might reduce its ability to trade, but it’s not going to cripple the business, whereas a fire at one of the distribution centres might.
Identifying your critical points
A good place to start with any disaster-recovery plan is to think about what could go wrong at each site – effectively, to carry out the hazard-identification part of a risk assessment. Staying with the above example of the multi-site food retail organisation, the following hazards might be identified:
- power loss;
- telephone loss;
- gas leak;
- fridge/freezer failure;
- computer loss;
- Internet loss;
- accident (by type); and
- terrorist threat.
Having determined what could happen, you next need to consider what the plan is should it happen.
Take the simple example of a fire and subsequent evacuation. Getting people out safely is only a small part of the disaster-recovery plan; once everyone’s out, and the Fire Service is en route, what then? From an operations perspective someone needs to tell the area manager. Someone needs to advise the organisation’s communications people in case of press interest. The organisation’s insurers also have to be informed. And, what if you need to stop deliveries for a short while – you’ll need to get in touch with the on-call distribution manager.
The worst time to start thinking about these questions and answers is when you are standing there watching the building burn down. This is where our training as safety professionals really comes in handy. Our profession is trained to think expansively about issues and to delve into the detail of things to cover all angles – these are exactly the same generic skills that are needed for business-continuity planning.
Many organisations map out the procedure in the form of a flow chart with a tick box alongside each action. When an event happens, the trained duty manager should take a mobile phone, the flow chart and the disaster-recovery plan, and follow the relevant process. The tick boxes enable the person in charge of the disaster-recovery operation to keep a check on exactly where they are in the plan. This approach has four distinct advantages, all of which should be familiar to the safety professional:
1 People panic in the event of an emergency. The flow chart enables them to focus on something and ensure they aren’t going to be standing around thinking: what do I do?
2 The training for duty managers is simple – there is no need to make people sit through hours of training for something that might not happen for years, as they probably won’t remember it when they need it;
3 When people are in a situation they have never found themselves in before they tend to go into ‘problem-solving’ mode. This approach is often considered trial and error, but when the site is burning down and the press are all over the story, the last thing you want is people thinking things up on the spot;
4 Organisations also need assurance that if something happens, it will be dealt with in a consistent fashion across their network.
Keeping the show on the road
This takes the disaster-recovery plan even further still and asks: ‘if we can’t operate or trade from a certain location, what do we do?’
You may remember the ‘I love you’ computer virus that spread like wildfire several years ago and the massive disruption that it caused to the way organisations operated. Take an example like a ‘breakdown’ response centre, which operates round the clock, 365 days a year. If its computers and communications go down, how can it access customer records, locate the nearest response vehicle, and, ultimately, service its customers’ needs in line with the terms of their contract?
In such events, organisations can pay for additional office space off site, or use a fast-track relocatable building, from which a small number of key operations can continue. Another option is to revert to paper-based records. It is up to the organisation to choose the most suitable option for them but consideration beforehand can save money.
Experience shows that when no business-continuity plan exists to respond to a major disruption, people will pay virtually anything to get their service back up and running and, often, pressure at the time means they miss the obvious solution staring them in the face. This is a bit like people always going straight for PPE as a risk-control measure, rather than thinking a little higher up the hierarchy of risk control.
There is also a whole host of factors that needs to be considered and, again, the ability to think expansively is critical. For example, if your head office is out of action, how do you contact all the people that work there and inform them to stay at home, work from home, or perhaps even go to another premises.
Who should be involved?
Like many things, working in isolation on disaster recovery and business-continuity planning is not advisable. The most sensible planning approach is to set up a working group which, as well as including a health and safety professional and someone from IT, should also comprise the following individuals:
- a director to make sure the organisation listens and takes the plan seriously;
- someone from HR, as they can help figure out how to manage employees if the site or office can’t trade for a certain period;
- communication professionals, both internal and external. The messages you communicate during a disaster and the business-continuity phase should not be underestimated. Not only do they let people know what’s happening but they also give an indication to the outside world as to how the organisation is managing the situation; and
- representatives from each department, as the functions they represent will have their own requirements as to what happens at each stage of the plan.
There is also a technique used by organisational development experts called scenario planning, which enables people to think flexibly about the future. The technique helps people tell the story about what could happen for each event they identify. Here are three examples of scenarios based on the same event:
A fire occurs at a shop during working hours. The alarm activates correctly and a member of staff puts the fire out using a first-aid fire-fighting device. The store is successfully evacuated within two minutes of the alarm sounding, and trading is resumed within 30 minutes. Little more than cosmetic damage occurs to the building fabric.
A fire occurs at a shop during working hours, but the alarm does not activate as planned. It is only raised when a customer sees smoke coming from the warehouse. Although the fire is contained by the Fire Service, a member of staff in the warehouse suffers smoke inhalation and dies. Trading resumes within 48 hours after initial investigations are complete and smoke-damaged areas have been partially removed to allow the warehouse to be used.
A fire occurs at a shop outside of working hours. The alarm activates correctly and is spotted some time after by a passer-by. Once the Fire Service has put the fire out, it is apparent that the store is gutted.
Clearly, there is a number of other scenarios that could occur, and this technique helps create the space needed to think about the ‘what ifs’. You can then come up with a series of sound plans to deal with all the scenarios identified. This sort of approach is used by the emergency services when devising plans to deal with such things as a terrorist attack, or a major accident on the motorway network.
Testing and recording
Having developed a disaster recovery and business-continuity plan, it is important to test it works. Testing does not need to be complex – the working group picks a scenario, a day and time when it will happen, and then the test is carried out. It could be something as simple as someone walking on to a site and saying to the manager: “‘X’ has happened – what do you do?” and then observing as they follow – or fail to follow – the required protocols.
Testing gives the working group and the organisation the assurance that the plan works, and highlights any potential areas for improvement. For extra confidence you could test each scenario at different sites. However, it’s a good idea to alert those at the top of the organisation to what you’re doing, or else they might think there is a bomb threat at one of their sites!
It is recommended that someone records the decisions that boards take in the event of a business-continuity situation. This enables organisations to evaluate what they did, what went well, what didn’t go well, what they could improve, and what they missed. It also means that should their actions ever be questioned by their stakeholders, a record exists.
Despite the significant risk associated with disasters and disruption, many organisations just don’t plan or manage disaster recovery and business continuity very well. This is all the more surprising given that you’d expect shareholders and other stakeholders to demand it, not least to give them assurances on their investment.
Disaster-recovery and business-continuity planning are just other fields of risk management, which use very similar techniques to hazard identification, risk assessment and management systems, such as HSG65 and OHSAS 18001. Ultimately, both these areas present a massive opportunity for health and safety professionals to add more value to their organisations and show their true worth, even if it is not in an obvious area of their day job.
It shows you can think strategically, practically, and from many different perspectives – and, most importantly, it shows that safety can help organisations develop.
Richard Byrne is route safety improvement manager for Network Rail.
Join SHP Online
- ✔ Download free reports and research
- ✔ Access free Digital magazine
- ✔ Email newsletter briefings