Catastrophic events can have a direct impact (i.e., a wildfire burns down your headquarters) or an indirect impact (i.e., your key supplier was crippled by a cybercriminal). Any ensuing business interruption can lead to lost revenue and wages, and can even compromise the health and safety of those who depend on certain services (this is particularly true for healthcare providers). Establishing a disaster recovery plan is a critical step toward protecting your organization against business interruption loss.
Disaster Recovery Plan vs. Risk Financing
According to the Federal Emergency Management Agency (FEMA), more than 40% of businesses never reopen after a major disaster, and only 29% of those that do reopen are still in business two years later. While insurance can be an excellent risk transfer vehicle, it’s important to know when it’s not the best solution. There are major coverage gaps when it comes to business interruption. For example, business interruption insurance is traditionally part of a property policy, which would likely exclude all claims related to cyber loss. Specialized coverage is typically needed, which can be pricey and demand large deductibles. Purchasing insurance for business interruption should be one of the last steps in your risk management process. There are many lower-cost strategies to manage this risk, and we encourage you to start with a disaster recovery plan.
Many industries are now required to have a disaster recovery plan, including hospitals and medical providers receiving Medicare or Medicaid funds. Banks and other financial institutions have similar compliance rules at state and federal levels. Furthermore, company directors have a fiduciary duty to ensure successful recuperation after a major disaster, and mismanagement claims can be alleged by shareholders, regulators and any party who claims to have suffered following an inadequate response to a disaster. We expect to see more industries face similar requirements as new threats emerge.
By using an enterprise risk management approach, you can help control your company’s exposure to risk and protect your bottom line by preparing for loss before it occurs.
Making the Plan
You can systematically develop a disaster recovery plan by: 1) identifying the risk; 2) analyzing and quantifying the risk; 3) controlling the risk; 4) financing the risk; and 5) administering the risk. These five steps can help you develop a contingency plan for worst-case scenarios. For illustrative purposes, we will explore these steps in the context of a single exposure – a tornado.
- Identify the Risk
The first step is to identify any potential sources of loss. Most losses can be grouped into one (or more) of these classifications: property, human resources, liability or income / financial. Once potential loss sources are identified, you can focus on a single source and envision what an actual loss might entail. While we will focus on a tornado as a potential risk for the purpose of this article, there are risk management identification tools to help identify all exposures. These tools can be customized specifically to an industry and include checklists, surveys, flowcharts, insurance policy analysis, inspections, financial analysis, compliance review, contract analysis and consultation with outside experts.
- Analyze the Risk
The next step involves a qualitative and quantitative analysis. In other words, you’d want to know what impact a tornado would have on your organization and how much this loss would cost. For qualitative measurements, consider the following questions:
- For what property are you responsible? Will everything be replaced following a total loss?
- What will your nonessential employees do if your business closes for an extended period of time? If you are located in a rural area, will your employees be able to find work or will they have to move?
- What ongoing contractual arrangements or exposures to third parties will continue regardless of whether or not you are open?
- Will governmental emergency funds cover your losses, or do you have other assets you can rely on such as accounts receivable?
- What long-term effects will this have on your customers? Will they come back when your business reopens, or will they move to a competitor?
- How will your public image be affected based on the amount of time you are closed?
- Are companies likely to cease doing business with you based on the level of disaster planning you have done? (This has liability implications if assurances were made and not actually planned for.)
- For quantitative measurements, consider the following questions:
- What has the average cost of construction been for recently completed buildings in your area? How will that be impacted if others in town are also rebuilding?
- How much time will it take to rebuild?
- How long can your nonessential employees go without income if you are unable to pay them?
- If your business is seasonal or has turnover / specialized workforce issues, how will these calculations be affected?
- Do you have forecasting models and / or insurance industry data to supplement your analysis (especially regarding the length of time you are closed)?
Depending on your proximity to a large metropolitan area, getting back to business after a tornado may take longer or cost more than expected. It’s also important to consider that what happens to others and how they respond could impact you. Infrastructure losses could affect you as well, whether it’s a utility interruption or blocked access to your business. Contemplating these scenarios and understanding the potential loss can help you create a recovery plan that actually works.
- Control the Risk
Risk control is usually broken down into two segments – “pre-loss” and “post-loss.” Following are some “pre-loss” questions to consider:
- Could you have prevented loss by constructing a more tornado-resistant structure?
- Will you be forced to rebuild at the same site, or can you rebuild elsewhere? (Check your property insurance policies for what is known as a “same-site restriction,” which is not part of every property policy.)
- Can you set up a temporary location? What would be a suitable space to rent? Could you still conduct all of your business there? (This is very important for companies with specialized operations and equipment, or those with significant regulations governing facility controls.)
- Is it possible to make a deal with another business – even a competitor – to help one another out in a time of loss?
- Can you buy enough insurance to transfer all or part of the financial consequences of loss? (For technology-related losses, you may be unable to insure total losses, which means operations must be set up to avoid certain types of losses. This has driven a lot of operational outsourcing strategies in recent years.)
- You should also consider the following “post-loss” strategies:
- Hire someone to oversee the claims process and ensure things are proceeding in the most efficient and effective way possible. Your insurance / risk advisor should have resources that can help manage this process.
- To calculate business interruption, especially loss of income when insured, significant forensic accounting will be needed. Knowing what is needed ahead of time will make the check you ultimately receive less disappointing based on net income calculations.
- If you find yourself facing third-party lawsuits, dedicate a staff member to manage your litigation issues in conjunction with legal counsel or carrier representatives.
- In the event that a disaster is more devastating than your pre-planning anticipated, create a contingency plan to handle any new challenges. Remember to include relevant staff members as you develop new strategies.
- Finance the Risk
Since a tornado is a low-frequency, high-severity exposure, it is an ideal exposure to insure. But before buying a policy, consider these questions:
- How much of the primary exposure to loss do you want to retain (i.e., what is your deductible?)?
- Can you transfer or share (via contract) certain liability exposures with other parties?
- For any potential business interruption, what is the best way to design this coverage to meet your needs? (Completing a business interruption worksheet can help answer this question.)
- Is it practical or necessary to insure 100% of your losses?
- What “continuing expenses” must be accounted for?
- Can you afford the amount of insurance needed? If not, what will your plan be after insurance proceeds are exhausted?
- Administer the Risk
Finally, you need to implement your disaster recovery plan. It is critical that the plan is constantly measured to ensure outcomes are meeting expectations. Here are some final questions you should review to help conclude this process:
- What key personnel will be involved in a reconstruction process?
- Who will ensure that everything is done correctly (i.e., a project manager or owner representative)?
- How will you measure the success and speed of your disaster
- What if personnel who are key to the disaster recovery plan
are injured and can’t help? Who can step in?
- Are you receiving the coverage you were guaranteed or is
- What events will prompt a disaster recovery plan review
(i.e., getting a new vendor)?
Getting Back to Business
Remember that risk management, while complicated, does not have to be chaotic. It can be managed through systematic steps like the ones listed in this article. Creating and implementing a comprehensive disaster recovery plan is a vital part of your organization’s overall risk management program. How you handle business interruption in the wake of a disaster could be the difference between reopening your doors or closing them indefinitely. The time to plan is now. Don’t wait until it’s too late!
This article originally appeared in the 2018 | ISSUE ONE of the SilverLink magazine, under the title “Business Continuity vs. Business Interruption: What’s Your Disaster Recovery Plan?” To receive a complimentary subscription to the SilverLink magazine, sign up here.