Chapter 5 The Private Sector in Emergency Preparedness and Response
Homeland Security and Emergency Management: A Legal Guide for State and Local Governments (ABA) (2018 Ed.)
Private sector businesses and organizations need to have, and flexibly follow, continuity plans to reduce the time and cost of disruptions from disaster events. These plans need to be practical and based on common sense, and should be coordinated with public authorities through Public Private Partnerships.
INTRODUCTION
"Tis not in numbers but in unity that our great strength lies."1 At the time that Thomas Paine wrote those words, our fledgling country was debating whether we should declare independence from Great Britain and he was referring to the number of soldiers and sailors in the continental army and navy. I would propose that the same is true in preparing for, responding to, and recovering from any emergency or disaster that befalls a town, city, county, state, tribe, or large regional area of the United States. Indeed, in emergency management—operating in a disaster environment where response resources are drawn from federal, state, tribal, and local governments and different agencies of government, and also from the private sector (for-profit as well as nonprofit) and volunteers—the great strength must come not from the "number" engaged in response but in how well coordinated and unified these numbers are. And the role of the private sector in response and recovery efforts is critical.
A key emphasis of the Federal Emergency Management Agency (FEMA) since Craig Fugate became administrator in 2009 was his focus on the concept of "whole-community response." Emergency management is not the responsibility of government alone; every part of a community, public and private, is part of the community's ability to prepare, respond, and recover from a disaster. One of FEMA's strategies is to engage the private sector throughout the entire life cycle of an emergency. In public addresses, Administrator Fugate stressed that getting the private sector involved in a response—even if it is only the part of the response required to allow them to reopen—is paramount: If the gas stations are not open, then how can emergency management move supplies in a mutual aid response across a state? Or, why should the federal government set up a water distribution point if a Walmart or Target store down the street is open?2
A critical objective, under this philosophy, is to get the community back to its familiar "normal" as quickly as possible. A normal environment is one where private sector commercial and industrial businesses are open and operating, providing goods and services, and providing jobs in the community. This has a long-term impact on the success of recovery in a community. The citizens of a community will be less likely to leave if they believe that their community is coming back. Indeed, if a family leaves the area of a disaster, their decision to return is complicated and varied depending upon their perception of infrastructure recovery, housing recovery, social influences, economic recovery, and housing, and it is also dependent upon socio-economic status, age, race, ties to the community, and family connections to name a few.3 Further, after a disaster,
Forty percent of businesses do not reopen after a disaster and another 25 percent fail within one year according to FEMA. Similar statistics from the U.S. Small Business Administration indicate that over 90 percent of the businesses fail within two years after being struck by a disaster.4
When people abandon a town after a disaster, the businesses that depended upon the people to purchase their goods and services close. Eventually the sales tax and property tax dollars begin to dwindle, forcing the town to start reducing services and possibly raising revenue on the remaining citizens through increasing taxes and fees.
Therefore, it takes the united front of every aspect of a town to recover. It is not just the big box stores; it is not just the public sector with limited resources; but it takes every business and every part of the "whole community" to recover. And so for a community to recover from a disaster, one critical priority is to ensure that the businesses and organizations in that community are prepared—through the development and implementation of a business continuity program (BC).
BUSINESS CONTINUITY
Overview
From my experience—and I have been responsible for business continuity planning and training in three Fortune 500 companies and now a major law firm—most businesspeople do not understand the language and process of, or even perceive the value of, business continuity programs. That being said, if a company's CEO or board of directors dictates and mandates a BC program, and makes it part of the company's management goals, objectives, and reward structure, then it has a chance of being a great program.
But without senior-level support, constant communications, status reporting, and holding people accountable and responsible, the overall result is mediocre at best. Although some company managers "get" the importance of BC, most will look at a BC program as additional work heaped upon them, further stretching their resources, unless it is part of their pay or bonus structure. A BC program needs to become a part of a company's culture in as much as safety is part of the culture at a manufacturing facility. Senior executives need to communicate the "value" of the program, but if they themselves do not understand the program or the risks of failure, and only give it lip service, then the program will exist only on the surface—like a cheap paint job on an automobile. And when disaster strikes and a robust program is truly needed, it will be too late.
Business continuity also has a number of associated terms, such as business resiliency, business interruption, and continuity of operations (more of a public sector term), and it is often confused with information technology disaster recovery (IT-DR). IT-DR has been around for a long time and is of course extremely vital to a company conducting business regardless of the size of the company. Whether it is in the form of keeping sales information, bookkeeping, payroll, ordering processes, inventory management, tax records, or an Internet web presence, IT-DR is a fundamental backbone of virtually any business. However, from my experience, IT-DR is somewhat of a "hands-off" program to business continuity planners. Additionally, the cost of infrastructure to ensure that a company has redundant systems/facilities, sufficient data back-up capability, and back-up power resources that can rapidly recover during an IT-DR incident may be considered prohibitive. Sufficient headcount will also be needed to efficiently monitor a 24/7/365 network, and those staff will need very specific certifications and training. Business continuity planners can evaluate information technology (IT) facilities using various methods of threat analysis. They can make recommendations such as not having an IT facility in the basement of a building or overly exposed to natural disasters such as tornadoes, but in the end the senior executives need to weigh the cost versus value versus perception of risk to implement a hardening of the IT infrastructure. Because of the risk of cyber terrorism or hacking, and the undue damage to reputation and brand name, this seems to be the major focus of IT senior management.
Keeping It Simple and Comprehensible
So where can business continuity planners focus? They can focus on people, places, and things. The business continuity planner must understand the business: who does what, where is it done, what "things" they need, and the financial impact of losing people, places, and things. Again, the value needs to focus on financials. What would happen if I only had 50 percent of my workforce? What impact would there be if a particular facility was uninhabitable (or inaccessible) for one day, a week, two weeks, or more than 30 days? Putting into perspective the "loss" due to a disaster event (it does not really matter what caused the loss) can motivate business leaders to consider reasonable mitigation efforts.
One must also keep in mind that in most non-regulated companies, there is no requirement to have a business continuity plan. No one is mandating that XYZ company have a documented, tested business continuity plan. Companies wanting to cover themselves may ask a vendor/supplier if it has a business continuity plan, but rarely does the vendor/supplier actually provide it (proprietary information is what I've mostly heard) or require documentation proving that they have tested or exercised their plan. Most of the time when I have been involved with reviewing a vendor's business continuity plan, it really is a business interruption plan with fallback capabilities to continue providing goods and services.
The business continuity planner must also understand what the company's capabilities are. For example, in the case of a blizzard that keeps the employees away from their workplace for a number of days, having a mitigation strategy that includes people working from home could be problematic if the infrastructure Virtual Private Network (VPN) cannot handle the increased load, if the employees work from laptops and there is no policy that requires them to take their laptops home every night, or if, let's say, customer service agents can only work from PCs at their desks. Also, the assumption that everyone could work from home probably would require them to have some sort of Internet access for the VPN or cloud service servers. Would a company then need to have a policy requiring an employee to have a certain type of Internet access and then become responsible for the cost? I know of one financial institution during Superstorm Sandy that had planned to mitigate the impact of the storm by having its employees work from home, only to discover that an IT security interface device that was at their work desk locations had not been...