Identify Most Critical Risks As Basis For Your Disaster Plan
Another thing to keep in mind when you're doing your emergency preparedness planning is that there's a domino effect, says Robert Lang, assistant vice president, strategic security and safety, and chief security officer, Kennesaw State University. It's not just one building or group of buildings that is affected in a disaster situation. So it's essential to identify the most critical risks as the basis for your disaster plan.
"We take our emergency management, business continuity, disaster recovery, crisis management — and put all of those plans together as a baseline operating guide," he says, "and then we inject over the top of that an enterprise risk management theory, which then identifies all of your strategic, operational, financial, compliance, regulatory and reputational risks."
When the staff at Kennesaw State first started identifying risks, they came up with more than 900, says Lang, but many of them were too narrow or too self-centered to extend across the campus. "If you don't pay me enough, I'm going to leave," Lang provides as one example of a submitted risk. But after they narrowed the list, they still had more than 30 major risks to keep in mind as they developed, refined and implemented the plan.
Let's start with the obvious: No department is going to claim to be anything less than critical. But some are more critical than others, so defining the order of importance for each business unit goes a long way toward streamlining your response plan.
One way to help with this is to provide scenarios where only a limited number of staff is available, says Lang. Doing so forces prioritization.
"The main criteria is that we never know how far down we're going to get," in terms of available staff, he says, "so you end up ranking your critical operations in the order of what it would take in order to survive."
You also have to have each department answer the question of what it really means for them to be in a crisis situation, Lang says. An honest answer to the question of "how would that affect the whole organization?" is the starting point for determining what comes first.
The other aspect of this is determining the most common threats and considering how they would affect each department, says Chris Wade, principal consultant, Resilient Critical Facility Solutions. While the threat list has grown over the years — as things such as terrorism, workplace/campus shootings and threats, and weather phenomena such as hurricanes in New York have become more commonplace — there are still some things you can leave off.
"Say you have a data center in Arizona," he says. "Well, you wouldn't have to worry about major snowfalls or things like that."
Geography plays another part in risk management, though. In a situation like a hurricane, you're not going to be the only facility or business affected. So, if your plan involves heavy use of backup generators, you need to determine just how much of a fuel supply you have on hand and where you can get more.
"If you have a regional outage, where are you going to get your fuel from?" Wade says. "You can't go somewhere in that region to buy fuel because they don't have power, so they can't pump it. You have to have out-of-region supplies to be able to continue to operate at that facility."