A lack of disaster regulations for businesses
Keeping pace with new regulations is challenging. Not having them can sometimes be worse. Unless you are familiar with disaster planning, it unlikely that you know what the laws are. Countries outside of the US have business disaster regulations in place. Today, the US does not. Regardless of what you think of rules, it can be helpful to have guidelines in place.
Small business owners often struggle to complete core tasks. Understandably, disaster planning is rarely a priority. If you attempt to create a plan, you may come across FEMA’s small business continuity template or FINRA’s Small Firm Business Continuity Plan template. Online sources don’t do a go job of helping you easily accomplish disaster preparedness. Later in this blog, I will share the global regulations. Next, let’s look at why most US companies don’t have a disaster plan.
Statistics supporting this claim
Here are some interesting facts to consider:
• Small companies make up 99.9% of all US business but 2 in 3 say they don’t have a documented plan (Source, Harris Poll for Nationwide Insurance, 2017)
• 40% of companies never recover from a disaster (Source, FEMA, 2017)
• 90% of businesses without a disaster recovery plan will experience IT failures after a catastrophe (source, Touche Ross 2017)
Check out my blog Top 10 Scary Statistics For Small Business Disaster Planning if you want to learn more.
One problem is lack of consistency and clarity
It’s not your fault. This country has done a lousy job of integrating disaster planning into the business culture. Overall, there is a lack of clear disaster planning information.
Additionally, professionals don’t agree on basic terms. People use jargon with different meanings but call it the same thing. For example, disaster recovery can refer to the process for restoring critical applications from a server or helping a community after a disaster. See my blog, The Two Faces Of Disaster Recovery, for more on this topic. Last, words like disaster, crisis, and incident are different but used to mean the same thing.
What makes a good disaster plan is an ongoing debate. Regardless of the regulations, professionals vary in their approach. One method is to plan for critical operations. Another takes a more holistic view and prepare all business processes. In conclusion, there is little consistency.
Another is a lack of understanding about what to do
Best practice guidelines are issued by:
• ISO’s 22301 Societal security — Business continuity management systems — Requirements,
• DRI International’s Professional Practices, and
• Business Continuity Institute’s Good Practice Guidelines.
Guides like this are for large business continuity programs. Disaster planning concepts are unfamiliar to the majority of business owners. So, it is not surprising that companies lack continuity plans. Business Continuity is still a relatively new field. In the US, it has roots in the Continuity of Operations Planning (COOP). Other milestones are Y2K (2000), responses to major natural disaster events, and the September 11 attacks.
If you have not been paying attention, it is not your fault
Business Continuity does not have an effective marketing campaign. If it did, I wouldn’t be writing this blog. Think for a moment about effective marketing campaigns or slogans. Then, ask yourself if any of them are for disaster planning. If you know of one, let me know because I can’t think of any! So, you can understand why the value of business continuity planning remains unclear.
A value proposition is a clear statement of why to buy a product or service. But, if you don’t even know what the term business continuity is, you won’t engage in it. People like me need to do a better job of getting your attention. We need to clarify how to plan, making it simple, and straightforward.
Vincent Davis, wrote a great article related to this topic on building community resilience, called Defeating The Clown – How Do You Tackle Community Resilience? I recommend you check it out.
We do not make disaster planning easy for businesses
Very few of us want to think about all the bad things happening to our business. If you try to do disaster planning on your own, you will find lots of information out there. However, most it tells companies to plan without clear instructions about how to achieve this goal.
In my last post, I referenced resources to help business owners get started. What would be better is an easy to follow tool kit. And, it would be helpful if there were planning models for brick-n-mortar businesses versus virtual companies.
Beyond the Wild West
I don’t want to think it is the Wild West out there, as most professionals agree on the same necessary disaster planning steps. But, your end product will likely depend on the person or source materials helping you to build your plan. Few planners I see an excellent job in creating tailor-made programs.
Regardless, planning does not need to be a complicated process. And this is my main point. As a country, we need to do a better job of helping our business owners achieve success in this area.
I encourage you to read my post Don’t Let Your Business Be A Disaster Casualty for resources to help build a basic plan. Before you get started, read the next section so that you are aware of current standards. At the end of this blog are links to the comprehensive US and global regulations and guidance.
A few words on regulations and standards
I started this blog, pointing out that there is a lack of universal business continuity regulations. Instead, there is a loose mix of rules, standards, and guidelines that address emergency preparedness. Criteria exist for critical business sectors like government, first responders, financial institutions, hospitals, or utilities.
The Occupational Health and Safety Administration (OSHA) has a regulation to address emergency response, called the Emergency Action Plan (EAP) [29 CFR 1910.38(b)]. It focuses on evacuation from a worksite and outlines what needs to be in a plan document. However, it says that employers with ten or fewer employees do not need a documented plan. Due to this, small operations may skip this and not have the necessary emergency life safety procedures in place.
Key US cross-industry regulations or guidance related to business continuity*
COOP and Continuity of Government (COG). Federal Preparedness Circular 69, 26 July 1999
Occupational Safety Health Administration (OSHA) 1910.38 – Emergency action plans
National Fire Protection Association (NFPA) 1600
*This is not a complete list, see the resources section for links to detailed global information
If this makes your eyes glaze over as it does mine, I get it. Recent administrations generated increased compliance and regulatory standards. Still, the country seems reluctant to establish guidelines on something so directly tied to the protection of life safety and property.
Regardless of the political, social, or economic reasons for this, it has left most industries with no clear idea of how to prepare for crisis events. I don’t like regulations for the sake of rules. However, I am surprised that most of the rest of the world has adopted business continuity standards but that the US has not.
Why BC planning is your ace in the hole
On the plus side, it gives business owners a competitive advantage. A benefit of disaster planning is that it lets your customers and third-party suppliers know you care about emergency preparedness. Increasingly, customers want to know that companies prepare for disasters.
Beyond the value of emergency readiness and building operational resilience, it can help you think strategically about your business model. Last, it allows you to understand your business from a tactical standpoint.
Ben Franklin’s quote, If You Fail to Plan, You Plan to Fail, applies here. In today’s fast-paced world, all businesses are at risk of crisis events. By not planning, you lose the opportunity to identify your company’s vulnerabilities. If you want to achieve success, it is vital to stay ahead of the competition. Engaging in business continuity planning is one way to do that.
Business Continuity makes good business sense
So, now you know that no one is forcing you to have a disaster plan (for most industries). You may have noticed from media reports that recent natural disaster events were the costliest in US history. The National Oceanographic and Atmospheric Administration (NOAA) reported that 16 major weather disasters cost $306 billion in damages in 2017 (up from $100 billion over the previous year). This data doesn’t include in the impacts of cyber-attacks, power outages, facility issues, or crisis events caused by human error or intent.
Most people think that an event won’t happen to them. Well-developed plans are designed to mitigate the effects of a crisis event. They also establish a resilience baseline for your organization. A good rule of thumb is to treat plans as proactive, living documents that mature and adjust with your changing business model.
It is worth investing time in safeguarding what is most important to you. When you add disaster planning to your toolkit, it helps you to continue operations when you experience a crisis. Businesses fail from a lack of planning and knowledge. Don’t be that business.
List of information security and business continuity regulation sources
• Adversia’s List of information security and business continuity legislation worldwide country
• Gartner’s Laws Influence Business Continuity and Disaster Recovery Planning Among Industries
• Marsh’s Regulatory Requirements for Disaster Recovery/Business Continuity Programs
• Geminarie’s An Overview of U.S. Regulations Pertaining to Business Continuity
• Disaster Recovery Journal’s DR Rules & Regulations (global list)
FEMA Continuity of Operations brochure
Open for Business® Toolkit – Institute for Business & Home Safety
OSHA Emergency Action Plan and Procedures eTool