
FST. You have worked in business recovery for a long time – can you give us a brief breakdown of how BCM has developed over recent years?
KT. Given the drivers – 9/11, Katrina, the tsunamis, as well as localized disasters like power outages, inclement weather in the Pacific Northwest, Enron – companies are looking at backup and recovery strategies, backup technology. If the US Securities and Exchange Commission (SEC) comes in during or after a disaster and asks to see your records, you can pull back and provide that information. On the first of January 2007 in the US a new regulation went into effect for litigation, so when a company is involved with litigation and documents need to be part of the discoverable process there is a formal regulation that all parties need to follow. The threat of pandemic flu has resulted in companies adjusting plans or writing ones. Another result of impending pandemic flu is increasing attention paid to remote management services and access: companies implementing systems to manage from home or on the road.
We’re also seeing business leaders with more operational responsibility, more job titles of ‘Business Continuity Manager’. I’ve been pushing for that myself, as it’s important that there is somebody directly accountable and responsible for BCM within an organization.
In financial services especially, since 9/11 BCM has been of great importance. There have been many developments in backup and storage systems: storage area networks, virtual storage, storing data in different areas, and automatic notification systems (ANS). There is implementation of redundant data and telecom lines, with whole networks being made redundant and resilient so in the case of power outage, communication is still possible. There has also been major movement towards third-party providers – SunGard, IBM, HP, local vendors – to share the risk. I recently attended a presentation on Katrina given by Rentsys. They brought in a mobile bank for a company in Louisiana – cash in the door, plugged in the generator – so the bank could work on rebuilding the physical structure and getting the plan in place.
Basel II is well documented in the financial services industry in Europe; as more US institutions have global footprints they are going to fall under that regulation, so some are already starting to work towards aligning their business with Basel II.
FST. Are there US specific regulations that the industry needs to take notice of?
KT. Well, SOX implies business continuity, but doesn’t explicitly state that you need it. Whereas you look at healthcare, the Health Insurance Portability and Accountability Act of 1996 and Joint Commission on Accreditation of Healthcare Organizations require business continuity plans. We in the recovery industry think that some type of regulation is needed.
FST. Have you seen any shifts within the perception of BCM itself, and how it is managed within organizations?
KT. There is more focus on people rather than the technology and the business. Business continuity is a triangle: people form the foundation, IT is one leg and disaster recovery the third leg. Now there is more focus on the foundation, which is a change driven in part by the threat of pandemic flu. Companies are starting to focus on people and crisis management, getting people out to safety for example. That shows your employees that you care about them, so when you eventually need them for business or IT recovery, they will be there and willing to work for you.
FST. Why do you think the primary focus was previously on business or IT recovery?
KT. Business continuity traditionally emerged from IT and disaster recovery. Because of 9/11, Katrina and so on, financial services are now looking more at the people function in their recovery: workplace recovery is a term increasingly used. Business cannot run without people, so enterprises need to look after staff, make sure they are taken care of and their families are well and happy. Then staff will be productive in recovery processes. In Katrina a lot of people went AWOL, and companies in Louisiana are still struggling to find employees.
FST. Why did so many people go AWOL in Katrina?
KT. After Katrina, smaller banks in the affected area found employees and their customers had left. Many collapsed due to this loss, and the reason their staff left was because they were not taken care of. The enterprises that succeeded were the ones that looked after their employees. When Rentsys did mobile recovery for the bank I mentioned earlier, they also brought in one of the mobile recovery units as a daycare center, so kids and families would be safe. They even provided a food service. When companies do that, it sends a powerful message to employees: they are important, they are cared for. Financial services – as mature as their processes are – need to pay more attention to taking care of families and employees.
FST. Should this focus differ between natural disasters and man-made disasters?
KT. It is well noted that around 65 percent of disasters are ‘manmade’: burst pipes, viruses, hackers, human error. Natural disasters make up only 5 percent of the things we need to safeguard against, but they gain the most attention because they are over a large geographic area and cause much more impact in one shot. With natural disasters, you certainly need to focus on your people first, communicating to them over large distances and getting them to safety. There are companies that still do not know where some of their people are, or where they were migrated to after Katrina. We saw a lot of disorganization and chaos. It is imperative to put your people first. The same holds true for ‘manmade’ disasters, be they employee sabotage, network outages, or data corruption.
FST. Have you seen examples of companies implementing business continuity measures that have led to better practice in everyday operations?
KT. I have seen companies implementing ANS so they can communicate with employees during disasters, but then also evolving to use ANS for general communication. ANS is typically cost-restrictive, so initially you were unlikely to see it in smaller companies. The price point of ANS can be as high as $25,000 so for small companies it did not make sense. Now large and small companies are thinking they can implement ANS but not just use them for automated notification in case of disaster, but also use them for sending out messages about upcoming events, company news, updates: essentially anything that needs to be quickly and broadly communicated to a corporation, particularly over a large geographic area.
FST. Do you think there has been an over-reaction to pandemic flu in the media?
KT. Recently, pandemic flu has been minimized by the media but it is likely that that might be caused by fear, resulting in an unwillingness to address the issue. The problem with pandemic flu is that it is not a question of ‘if’, it is a question of ‘when’, and ‘what is the magnitude’. If you do not have a business continuity plan, or a communicable disease plan as part of your BCM, at the very minimum you should have policies, rules or regulations about what you will do in case 30 to 40 percent of your workforce is out sick over an extended period of time. How is executive management going to deal with time off? Will they wipe out vacations? Will they change sick leave, so employees then go on unpaid leave?
If companies show compassion and caring in situations like this, then employees will be more responsive getting back to work sooner, or in assisting in recovery after a disaster. If a company shows a laissez-faire attitude, employees will think, ‘you don’t care about me, all you care about is the business’.
You see a certain amount of that across all industries, not just in financial services. If a company shows little empathy or concern for their employees, they’ll find themselves without staff. Employees have to take care of their families, and themselves: if their employer shows little or no compassion in extreme circumstances, employees will just leave and seek alternative employment.
For pandemic flu in particular, enterprises should focus on setting up remote management so employees can work from home while they look after loved ones. Preparing for any disaster, in fact, companies should be working on remote management services.
FST. Do you think there is a problem with what BCM is perceived to be by employees?
KT. The perspective of many employees is that BCM is purely functional – just writing someone a report on a system or network, for example – but what does business continuity actually mean to them? You need to educate personnel before you start asking them to write plans or reports, because they need to understand what it means to them. That’s a big emotional hook that will be key.
BIOGRAPHY
Kevin Thomas is a risk manager specializing in business continuity and project management. Kevin has spent four years actively involved in business continuity management both as a practitioner and a consultant; over seven years in project management, and five years in the financial services industry. He has managed worldwide business continuity engagements for clients ranging from energy services to food manufacturers. Kevin also works in security and asset management to provide a ‘holistic’ approach to enterprise risk management. Kevin has spent ten years in information technology and ten years in healthcare. Kevin is a certified Project Management Professional (PMP) and Certified Business Continuity Planner (CBCP).