Business Continuity and Personal Preparedness

by David Morris on July 7, 2011

This week, we’re going to talk about preparedness from a slightly different angle that’s widely accepted in business circles—business continuity plans.  Whether you own a business or not, everyone has the “business of running your household.”

This has been front and center for me for the last couple of weeks because of a rash of hacker attacks on business websites and an upcoming presentation I’m doing on this very topic for a Fortune 50 company.

In short, many businesses have assessed the biggest threats that they face and have developed plans so that if those threats happen, they won’t go out of business.  What kinds of threats?

1. Natural disasters like hurricanes, tornadoes, flooding, wildfire, etc.

2. Manmade disasters like terrorist attacks.

3. Disruptions in the banking system, including the ability to get paid by customers and the ability to pay suppliers/vendors.

4. Interruptions of key supplies from suppliers.  Specifically, disasters knocking out key suppliers.

5. Electrical blackouts/brownouts.

6. Bad flu seasons, pandemics, and bio attacks.

7. Fire.

8. Computer breakdowns.

9. Hackers & Viruses.

10. Death or disability of a key employee.

This list isn’t complete, but it should sound similar to the threats that you’re considering for yourself personally.

You may think that business continuity plans don’t affect you, but they do if you’re in one of these three groups:

1. Business owner.

2. Employee of a business.

3. You depend on a business for food, water, fuel, medication, etc.

In other words, business continuity affects everyone…ESPECIALLY retirees or anyone else who depend on an outside source for income, doesn’t have savings, has little money for preparedness, and depends on stores having food and/or necessary medication available to buy on a continual basis.

It becomes more obvious when you look at your household as if it were a business.  You have suppliers and vendors that you use on a regular basis, as well as “customers” who pay you for the work you’re doing now or for work that you’ve done in the past.

At a minimum, businesses are negatively affected when these disasters happen, and in many cases they never recover fully, if at all.  Statistics vary widely, but it’s generally accepted that the majority of businesses that don’t have a continuity plan in place will fail if they’re struck by a disaster.  That’s why it’s important that you know whether or not the companies that you work for and/or deal with have a continuity plan in place and that you plan on them not being around after a disaster if they don’t.

One of the big differentiators of companies that DO survive disasters is whether or not they have a plan in place, but just like with personal disaster plans, the best intentions don’t get them done.  Here are some of the common obstacles:

1. Business owners have to be somewhat optimistic to go into business.  This makes them discount risks and the effect that disasters might have on their business.
2. The chance of any single disaster happening is very slim.  But when you add up all of the slim percentages of various disasters happening, there’s a good chance that most businesses will be impacted by disaster.  Business owners tend to focus on how unlikely individual disasters are rather than how likely it is that they’ll be affected by ANY disaster.
3. Idle money looks bad on balance sheets.  When companies spend money on a backup generator, it means they’ve got money sitting idle…money that they could have paid to the owners or spent on inventory that they could have sold at a profit.  When they spend money on offsite data backup, it doesn’t make them ANY money…it only helps prevent the loss of money in the event of a disaster.
4. Just-In-Time is more profitable than stocking a large inventory.  When companies borrow money for inventory—and all companies borrow money for inventory, whether it is in the form of a loan or in the form of not paying the owners—they’d like to have as little excess inventory as possible.  Ideally, they’d run out of inventory just as the truck was backing up with more inventory.  And, yes, all businesses have inventory as well…even CPAs and other professionals, but in their case, their “inventory” is in the form of their time and the time of their employees.
5. Many businesses are in survival mode during good times.  Even though these struggling businesses are the ones most likely to be put out of business by a disaster, they seldom have the time or resources to take the necessary steps to plan for a disaster.

So, what do you do?  It depends on whether you are addressing the concerns of a business owner, employee, or someone running the business of your household.  Here are some quick tips for all 3:

For business owners:

1. Do offsite backups of your computers.  I like mozy.com, but there are several options now.  If you have a server, consider using a RAID array so that any single hard drive failure won’t knock out all of your local data.  I personally used Mozy in April when my computer died to recover all of my documents, videos, pictures, etc.  I have also had a couple of server hard drives die over the last decade or so and having RAID arrays in place made it so that I only had MINUTES of downtime in the middle of the night while the faulty drive was replaced instead of days, weeks, or months of lost income.
2. Use anti-virus software and scan your computers regularly.  Don’t JUST scan your computer when it starts acting strange.  There’s a new Trojan malware that actually wipes out other malware on your computer so that you won’t have any reason to scan your PC.  As of last week, it was estimated that over 2 million computers have this malware and don’t even know it.  At some point, the Trojans will be activated and used for a nefarious purpose, but for now they just sit idle like terrorist sleeper cells.  I change anti virus software quite often because of how frequently hackers evolve, but I like Microsoft Security Essentials right now.
3. Use different usernames and passwords for EVERY login.  Roboform and LastPass are two good ones that will let you sync your logins between computers, phones, and tablets.  Your logins will be protected by a master password, so even if someone gets your phone, they won’t have your password.  In fact, on my phone, I’ve got a password for the phone, a password to open Roboform, and a 3rd (strong) password that’s required to actually see any data.
4. Don’t let employees (or yourself) use public wifi locations unless they’re using a VPN (virtual private network) to encrypt and protect data.
5. Get procedures manuals in place for all of your key employees.  What to I mean by “key”? Anyone who, if they were to get hit by a bus tomorrow, would have a serious long term impact on your business.  Have them start by writing down everything they do on a daily/weekly/monthly basis.  Then have them start writing down, step by step, how they do it. Then cross-train employees using only the procedures manual.  If there are questions, make sure they’re answered in written form in the procedures manual and NOT verbally.

Many banks go so far as to require mandatory two week vacations for all employees.  Why? There’s two major reasons…first, to make sure that the bank has redundancies in place to survive any single employee leaving.  Second, two weeks is generally considered a long enough period of time to uncover embezzling and other illegal activities that an employee could cover up if they were working all the time.
6. Find backup suppliers and develop relationships with them.
7. Figure out multiple ways to accept payment from customers.  Backup merchant accounts, paper credit-card forms, systems for accepting cash/silver/etc., or even PayPal.
8. Insurance.  If you can afford it and the risk makes sense, get it.
9. Take half a day, and write down the top threats that your business faces and what your response would be if those events happened.  Do it with key people in your company if it makes sense. Then, focus on the common responses and take any actions necessary to make sure that you have everything you need in place to execute those responses.
10. Keep in mind that a company with a “perfect” disaster plan is probably wasting a lot of resources.  Continuity planning is a continual balance between optimal short term profitability and long term stability and you’ll have to make your own decision about which end of the spectrum you want to be on.
11. Most importantly, get yourself prepared personally and suggest that your employees get themselves and their families get prepared for disasters.

This list isn’t complete by ANY means…but it has punch list items that most businesses can implement within the next 24 hours and gain at least SOME resiliency against disasters.

For employees:

1. If your company doesn’t have the above mentioned steps in place, suggest that they do so and/or help them do so.
2. Consider adopting some of the same data protection measures that businesses do.
3. If possible, put cash aside for a time when your company may not be able to pay you because of a breakdown in electronic banking, going out of business, or have other issues.
4. Don’t depend on your employer to always be there…get yourself and your family prepared for disasters.
5. If your company doesn’t take continuity planning seriously, consider what you could do in the event of different disasters to help them keep their doors open and operational.  It may mean the difference between getting paid or not getting paid.
6. If you have a job that you can do from home, figure out what you would need to do if there was a 20-30 day lock down of your town from a pandemic or bio attack to be able to keep working. In other words, if you leave your computer at the office, do you have a way to log in?  Are you able to take an encrypted USB drive home with your current projects on it?

And for everyone:

1. To the extent that you can, store up as much of the “stuff” that you use on a daily basis.
2. Look for alternate/backup suppliers for anything that’s life-sustaining.
It’s especially helpful if you look at the business of running your house through the lens of business continuity planning.

3. Back up and protect your data, including logins.
4. Run disaster drills when possible…pretend you’re a week into a disaster, your fridge is completely empty and warm and you’re living on your emergency food, purifying any water you drink, dealing with any human waste you generate, and regulating the temperature in your house without help from the electrical company or gas company.  Run the drills, evaluate your results, and adjust as necessary.

As a note on this, as odd as it sounds, it’s easier for me to do 72 hours in the woods with my backpack than it is to do 72 hours in my home with no utilities.  It may be because I expect everything to work at home and I expect to rough it in the woods…I’m not quite sure, but I’d love to hear from you if you have similar experiences.

Let me know your thoughts on this…whether you own a business or work for one, does it have a continuity plan in place?  If not, what steps are you going to take to protect yourself from their demise after a disaster?

Until next week, God bless and stay safe.

David Morris

 .

Be Sociable, Share!

{ 11 comments… read them below or add one }

Vote -1 Vote +1sogone0
July 8, 2011 at 9:48 am

Hooah; Continuity planning is essential, think about it. OPSEC, Command&Control, Transport, Communications, barter, etc. is practically useless w/o continuity planning. Plus always have at least one back up plan to boot! Preferably two.

Reply

Vote -1 Vote +1Ron Summers
July 8, 2011 at 10:05 am

David, great article!
I advise multiple clients on their financial performance which cannot be separated from risk management as your article clearly demonstrates.
Thank you for sharing this article

Reply

Vote -1 Vote +1Neal Collier
July 8, 2011 at 12:18 pm

I operated my catalog photography and internet business from my house, but am very strict about business continuity. Main and backup computers and cameras lived at the house, while more cameras, terabytes of backup drives and a fully equipped laptop stayed in the car. I didn’t like the thought of losing a month’s supply of (5000) photos. Internet is via satellite with cell phone backup. Photos have to go to designers and publications, so I had to have internet. Satellite is lousy, but cable and landline don’t hold up in a major storm and cable and DSL are not available in the boonies where I live. When Hurricane Ivan approached, the dish went in the house. When the winds passed, it went back on the roof. After the hurricane, the power lines were down 5 weeks. The lights can’t go out in the house, as a bank of large batteries and an inverter automatically kick in during a power outage. That lasts 4 days, which is usually enough for a hurricane. Then there is a diesel gen set for heavier loads and battery charging. I keep over 500 gallons of diesel, but in 5 weeks needed only 43 gallons. I also keep a supply of cash for when that is all that works.
At a manufacturing and computer support business I had, we once noted the phones were awfully quiet. Someone had cut a main cable, so we had the telco transfer all lines to cell phones and kept in touch with customers. Before hurricanes, backup discs were made to take home, answering machine updated, all computers were shut down and unplugged and UPSs were turned off. After a hurricane, key employees would show up to assess damage, patch the roof or whatever.
If you are the boss, you need to make sure computers are backed up. If you are not the boss and make sure computers are backed up, you will likely be popular in the event of a problem.

Reply

Vote -1 Vote +1Eric
July 8, 2011 at 2:16 pm

My suggestion is to lay out a generic timeline with decision points along the way tailored to the particular business in question against the environment it must operate in. For instance start with the Crisis Incident. The analyst will have to define what constitutes an incidence or set of conditions that initiates the H-hour or D-Day for the sequence of decisions to follow and develop courses of action to undertake that address each situation. For instance: a solar flare disrupts the grid would be H-hour. At H+1 start monitoring the news from the short wave radio that was protected in the Faraday cage in the supply room to start receiving information. (this is just an for instance) The point here is having a way to get information to inform the decisions to make when the need arises. Consequently, the one who has access to reliable information will have a lot of power and may find him or herself in a position of brokerage should tensions increase. So this may have to be accounted for in the plan when your office becomes the emergency communications center when the sheriff finds out you have comms and he doesn’t. A bit digressive but points to the law of unintended consequences for being squared away. Back on track and speaking generally, each decision point should have branches and sequals built into the plan and each course of action and decision point should be aimed at achieving a specific goal. In planning each COA, branches and sequals the planner or analyst should appoint the “doubting Thomas” or “Debbie Downer” to point out why they think this or that won’t work with the plan. There is at least one in every office or shop. This will help see the holes in any ideas and will result in creative solutions. It may even help “square the circle” with any inefficiencies the business may presently have. Anyway at D+30 hopefully the scenario will reach equilibrium or at D+31 a new business model in the black or grey market may have to be implemented as the rules of the market have changed as the case with 1990′s Bosnia or current day Angola.

Once the analyst sees a plan ahead and reaches conclusions to each, start from H-Hour, D-Day in order to develop indicators that will anticipate or mitigate surprises. For instance, is there an early warning for EMP/solar flares? If so, put it in the time line at D – 3 or whatever and put into action whatever the boss sees fit; ie put faraday cage plan A into effect or run into the street in full panic mode plan (humor). If it is the 14 day breakdown cycle of the world economy tanking, put the indicators up on the timeline and develop a plan of action to mitigate the damage. Again, this is just is just food for thought. Worst case is entrepreneurial opportunities abound in the black and grey markets. Best case is an event occurs and equilibrium is re-established and one’s business stays in tact because of adequate preparation. See the opportunities; even the planning process may potentially illuminate some business practices that could be improved that could increase profits.

Reply

Vote -1 Vote +1Gloria Jacobsen
July 8, 2011 at 3:08 pm

This was another good heads up. Just today we discovered the phones were going to voice mail and the box is full. Yesterday we had a power surge and the phones and printer blew out. So I will be putting up the back up printer.
I am the only employee and CEO for my business. (The buck stops here) and it operates out of the one room in the house with two storage sheds in other locations. I plan on (now that I am aware of the need to do so) getting that back up for my patterns and customer list. I do hand made laces and have a stock of threads and when the floods happened in the middle of the country my supply for large balls of thread was down, because they were down.
I do change passwords often, so that was another good tip. Again thank you, David.

Reply

Vote -1 Vote +1Smitty
July 8, 2011 at 4:00 pm

Thought provoking article.
We had a tree go down and knock down power…made me think about preparedness….
It doesn’t seem that today’s homes are built with the idea of comfort without electricity…old homes, pre-AC were. Yes, we kept having to think, ooops, that won’t work, the electricity is out…thanks.

Reply

Vote -1 Vote +1BimBam
July 8, 2011 at 4:23 pm

Many common sense ideas here. We all knew about ‘em but who can sensibly remember all in an orderly manner? Well, you have it here.

Reply

Vote -1 Vote +1Lisa
July 8, 2011 at 9:01 pm

Last week while my husband and I were traveling a 3 hour distance from home, a transformer fire occurred at a passing by power plant. We could see the large black cloud in the distance.It affected homes and businesses for aprox a 15mile radius. We needed gas and to use the bathroom prior to setting out for home. Each offramp with gas stations and businesses were all closed. No power= no way of selling you product…… no one knows the old fashioned way of totaling items and all doors just locked. Letters of apology for no power adorned fronts of every business we visited. Offramp after offramp for 15 miles. The same. I turned to my husband and said this is what we would face if something permanently catastrophic occurred. People don’t have a plan as a whole. That is so concerning to me. It was a small reminder to me to think about that and not be reliant on stores at all in the time of extreme emergency. Thank you for your newsletter and all you do to help people be self reliant.

Reply

Vote -1 Vote +1Charmin
July 9, 2011 at 9:08 am

Hello, this article is excellently laid out and presented Dave. I found your website a couple of weeks ago and made the best decision to sign up for your newsletter! Your articles are full of necessary information for Everyone who has the foresight of planning ahead for any emergency or disaster. I will be continually reading your articles for valuable information as well as linking to your website Dave! People need to be aware and prepared, and your website says it all. Thank you for thinking of others.

Reply

Vote -1 Vote +1john
July 9, 2011 at 3:06 pm

this is the prefect time to tweek and ajust the current prepardness program that im running and im adding more food stuffs and first aid and hygene products to my inventory via coupons that i get in the paper. ( thank goodness for the show extreme couponing) it kick me in the but to get serious about stocking up while supplies are abundant including ammo and clips to the gun control people hint hint. and i will be purchasing a couple of solar generaters in 2012 to conencide with the incresed solar activity and just like in the bible and other groups get prepaired and take inventory of what you have and ajust accordently. i will chat more later on this subject and will talk to you soon from a pepper in el paso texas

Reply

Vote -1 Vote +1Barbara
July 10, 2011 at 4:10 pm

First I’d like to thank you for writing this letter.
I live in Tx. and it has been hot over 100 degrees for a few weeks now. This happened back in 1980 when my kids were 5 and 6 years old. Back then we never had a power outage. At night I would use a damp towel place it in the freezer then lay it over the kids to help stay cool.
This week we had a blackout or brownout at about 11:00 pm till 2:00 am. Thankfully we have had our house upgraded with lots of insulation and the house stayed cool enough for the two hours the A/C was out, before it would get hot fast. If we lose the electric for a day or two we have the back up generator and a roll around A/C unit.
I have four types of way to cook and boil water.
I purchased some backup emergency blackout light the ones from red cross, they came two days after the blackout LOL. They don’t last long 2 hours but at least I would not be stumbling in the dark looking for flash lights and candles. they have a night light on the bottom and the emergency light in top. Their about the size of a cell phone. They can even be used as a flash light. I have shake flash lights and solar flash lights with radio.
If you want to use solar lights you can use the type for outdoors, the best are the ones for post, they sit flat and you don’t have to use the stake placed in something to hold it upright.
You could make up your own using string lights and a solar kit.
Then I have my entertainment for when the power goes out, I’ve had to sit here to many times in the dark with nothing to do to many times so I got a portable DVD player. My husband works second shift so most of the time I’m alone when we lose power.

Reply

Leave a Comment

Previous post:

Next post: