
Experton Group is the leading fully integrated research, advisory and consulting company for mid-sized and large organizations, maximizing the business value of their ICT investments through innovative, neutral and independent expert advice.

Experton Group offers consulting services, market surveys, conferences, seminars and publications related to information and communications technology issues.

Our consulting portfolio includes technology, business processes, management and business cooperations, investments and mergers.

5.05.2008

Emergency Preparedness



A new report from a survey conducted by The Conference Board shows companies are not adequately prepared for emergencies. The survey polled executives in small, mid-market, and enterprise firms with responsibility for business continuity, crisis management, emergency response, and security efforts.

Focal Points:

  • A survey by The Conference Board of 302 senior executives showed 75 percent of companies have an emergency preparedness plan in place. Although a voluntary certification process for preparedness was adopted as part of the 2007 homeland security legislation (Public Law 110-53), no standard has gained widespread acceptance. The ISO 27001/17799 information security standard was the most common, with 23 percent of the companies using it. Following closely behind at 20 percent was NFPA 1600, which was endorsed as the National Preparedness Standard in 2004 by the Department of Homeland Security (DHS), the U.S. Congress, the 9/11 Commission, and the American National Standards Institute (ANSI). Three other kinds of standards were in use by 12 percent of the surveyed companies. Among large enterprises, 92 percent of companies have a written plan, compared with 72 percent of mid-markets and 58 percent of small businesses. However, only one-third of large enterprises have plans that were formally approved by their board, compared to 49 percent of mid-markets and 44 percent of small companies.
  • The survey also found that 91 percent of the plans had a crisis communications component. Almost as common was inclusion of evacuation procedures, which existed in 89 percent of plans. Other common items were securing access to facilities in 77 percent of plans, locating employees in 75 percent, first aid in 65 percent, and liaison with first responders in 64 percent. Roughly three-quarters of the large enterprises conducted regular risk audits, mitigation, and activation of their backup facilities, while two-thirds undertook regular tabletop exercises. Annual risk audits were conducted by 69 percent of mid-market companies while 53 percent of them reported that they conducted regular mitigation activities and backup site activation. However, only 31 percent conducted tabletop exercises at least once a year.
  • 92 percent of business continuity programs addressed disaster recovery for IT systems. In general, the most common items covered are basic utilities, facilities, and human resource issues. Moving operations to off-site locations and communicating with employees are both mentioned by 82 percent of the plans, followed by providing telecommunications services at 78 percent, and backup electrical generators by 77 percent. The identification of essential employees was addressed by 75 percent and working from home appeared in 71 percent of the plans. A second cluster of issues, which were less commonly addressed, concerned the actual conduct of business operations. These items include conducting financial transactions (mentioned by 70 percent), contingency plans with suppliers (65 percent), coping with an avian flu pandemic (51 percent), prioritizing customers (49 percent), disruption of business travel (40 percent), and alternative transportation of goods (32 percent).

Experton Group believes that, except for crisis communications and disaster recovery, most companies are not prepared to handle emergency situations, even though more than 50 percent of them will experience at least one of these events within a three-year period. While most disaster recovery plans are comprehensive and tested annually, Experton Group finds companies have targeted crisis communications plans that do not adequately cover the myriad of crises that companies need to address. The lack of thoroughness of plans for other types of catastrophes, compounded by the number of companies that experience these events, confirms executives are assuming more risks than they should. Executives are gambling that the company will not be subject to a major disaster or can handle the crisis without advance planning, or they are too focused on near-term expense control to invest the money and time to prepare. Business and IT executives should analyze emergency preparedness spending using a risk management methodology rather than on an ad hoc or gut basis, and document the decision and the process as part of their fiduciary responsibilities.
