Disaster planning means different things to different people. To those impacted by recent crises, it means much more than a business continuity plan (BCP), a disaster recovery plan (DRP) for your information technology (IT) team, or an enterprise risk management document that was mandated by executive management. It is more than a document that was prescribed by auditors to meet a Sarbanes-Oxley Section 404 finding that a material weakness in internal control was evident because the disaster plan did not adequately address steps to take after a catastrophic loss.
To those unfortunate enough to have experienced a real catastrophic loss, operational resilience planning is an important process that helped dictate steps that were taken when catastrophe struck home. For too many of these, however, the resilience plan came up woefully short. This article addresses practical considerations for operational resilience and recovery planning and how to test to see if your insurance program is well coordinated with this process.
Operational resilience planning is an umbrella term used for disaster planning and is often composed of several types of plans.
Comprehensive emergency management plans are about the protection of life, property, assets, and infrastructure. They address prevention, mitigation, preparedness, response, and recovery related to all types of natural and man-made hazards facing the organization.
BCPs deal with sustaining operation of essential functions and processes during disruptions and recovering them after the disruption.
IT DRPs provide an orderly restoration of applications, hardware, and network/communications resources in response to the business recovery requirements articulated in the BCP.
Risk management identifies risks throughout the enterprise, supports these types of mitigation plans, arranges risk transfer mechanisms and insurance programs, and deals with the post-loss claims process. Organizations should document each of these types of plans and ensure that they are integrated with their insurance programs and exercised often enough to become a part of the organization's risk sensitivity culture.
Key Considerations in Resiliency and Recovery Planning
A comprehensive resilience and recovery process is designed, among many other things, to do the following.
Address your specific exposures
Review the potential for various loss conditions at each of your locations
Consider interdependencies of functions within your organization
Quantify the potential dollar exposure of each potential loss condition
Consider best ways to mitigate each loss condition
Establish written procedures and responsibilities to respond to a loss
The best process considers many types of exposures, such as (1) the threat of cyberattack, (2) an unplanned shutdown of critical business systems, (3) lost production due to labor strikes, (4) environment or contamination problems, (5) product recalls, and (6) damage to critical infrastructure from fire, windstorm, typhoon, flood, or other catastrophic event.
Each of these exposures should also be addressed for key suppliers and customers within your supply chain as part of your supply chain risk management process. Many companies require that their key suppliers maintain comprehensive plans for emergency management, business continuity, and IT disaster recovery. Robust tools are coming to market that help quantify contingent business interruption exposure throughout the supply chain.
Matching Insurance Coverage to Resilience Planning
Risk managers often play a significant role in the development of the components of these plans. This is critical for various reasons. First, insurance companies have taken a more active role to understand how prepared an insured is for a significant loss and how much the insured has focused on loss mitigation and recovery process documentation. A robust recovery plan can help insurers to better understand the insured's risk and how prepared it is to prevent a loss and mitigate the impact after a loss occurs.
A comprehensive enterprise recovery plan can help to identify and measure the exposure at each insured location and can provide a meaningful plan to respond should a loss occur. For example, if the insured has a plant on the Gulf Coast, the risk for a hurricane may be significant. The recovery plan can also help identify and measure the exposures for losses to customers and suppliers; this can be invaluable to understand the specific need for contingent business interruption exposure. The plan may also be helpful to understand your exposure for specific insurance products, such as product recall insurance, cyberliability coverage, and political risk insurance.
Consider a "Walk-Through" before Actual Loss Occurs
When a loss occurs, insureds sometimes find that the claim is not paid as expected. Issues often arise that they never expected. It is therefore very beneficial and eye-opening for an insured to have a walk-through done to provide some insights as to how insurance may respond. One recent client had very significant insurance, with a huge overall policy limit and numerous additional coverages (e.g., extended period of indemnity, ingress/egress coverage, service interruption coverage, contingent business interruption coverage for any "tier" of customer or supplier, and an endorsement for ordinary payroll). The client has extensive operations in California and wanted to understand how its policy may respond if an earthquake strikes at the San Andreas Fault. The client was surprised to find that the insurers may argue that much of the loss isn't covered.
Review Insured Values
As part of an enterprise recovery plan, it is often beneficial to review the reasonableness of your insured values. This is a tricky area that requires more than the rote preparation of the "business interruption work sheet." A more detailed analysis of your "maximum probable loss" can also be enlightening as it takes into account the likely time to complete repairs, additional costs that may be incurred after a loss, the ability to mitigate the loss, and the complex interdependencies of business interruptions within the enterprise and contingently across its supply chain. A loss can often be mitigated in many ways, including using inventory, using other insured locations, using external sources, or working to make up lost sales after repairs are complete.
This assessment helps an insured to think through its true maximum exposure and is often shared with the insurers to provide a robust assessment of their exposure.
Recent catastrophic losses have shown that a comprehensive enterprise recovery plan can be very beneficial as a hands-on detailed working document to follow when a loss occurs. It can also help to identify your potential exposure, understand how your insurance may respond when a loss occurs, and determine whether your business interruption values are reasonable. Finally, this planning process can expose areas that are ripe for loss mitigation through emergency/crisis planning, business continuity planning, and IT disaster recovery planning.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.