The effects of a disaster are felt throughout the supply chain long after an event takes place. No one is immune; these catastrophes can be just as crippling if they happen to a key partner rather than your own organization, and they can disrupt the involved business, its suppliers, customers and employees. As our economy becomes increasingly global, even an incident halfway around the world can have an enormous impact on our ability to conduct business as usual.
A disaster is any event that causes a major disruption to normal operations and delivery of services for a significant period. Factories, warehouses, shipping terminals and stores are vulnerable, and the loss of critical resources — such as information technology (IT), people, power and transportation — is a distinct possibility for any business in todays’ complex network. However, by addressing a company’s exposure to risk, the probability of an extended disruption can be reduced and the ability to recover in a timely fashion increased.
A year of devastation
According to the U.S. National Oceanic and Atmospheric Administration, 2017’s weather and climate-related disasters cost a record $306 billion in the United States alone. Global insured losses made 2017 the third-most expensive year for the insurance industry. Millions were affected by floods, wildfires and earthquakes, including the following:
- Hurricane Harvey. Some analysts believe that Hurricane Harvey could be one of the most expensive natural disasters in U.S. history. Besides the destruction it caused for residents of Texas, it posed a serious threat to American commerce. The Port of Houston and its connected network of roads and rails are vital to many businesses’ supply chains. Even a few days’ disruption at such a crucial hub is felt around the world for months.
- Mexican Earthquake. Moody’s Investors Service says the September 19, 7.1 magnitude earthquake, which killed at least 369 people in the capital and nearby states, “has the potential to be one of Mexico’s costliest natural catastrophes.” Mexico City Mayor Miguel Angel Mancera adds that 360 buildings either have to be demolished or receive major structural reinforcement. An additional 1,136 structures are reparable. AIR Worldwide, a Boston-based catastrophe-modeling consultancy, notes that insured losses are only a small part of the total economic damages. It estimates the insured losses at 13 billion-36.7 billion pesos ($695 million-$2 billion).
- Monsoon rains in South Asia. Flooding and landslides resulting from monsoon rains have affected at least 41 million people in Bangladesh, India and Nepal, according to the United Nations. The New York Times reports than 1,000 people died and thousands of homes were destroyed “as sheets of incessant rain pummeled the region.”
- Hurricane Maria. Multiple news services have calculated that the Hurricane Maria death toll exceeds 1,000 people. Six months’ worth of rain fell in less than four days, major dams experienced cracked spillways and overflowing canals, and the wind tore hundreds of electrical transmission towers from the ground. Electrical grids and mobile phone networks went down, and backup generators stopped working as fuel became unavailable. So far, FEMA has identified approximately 18,029 affected businesses in Puerto Rico and The Virgin Islands, seriously upsetting businesses, jobs and sales. The destruction of medical device manufacturing capacity also created a shortage of medical IVs, requiring some health care providers to find new suppliers or rely on alternative products.
- California Wildfires. The Los Angeles Times reports that the wildfires that ravaged Northern California in October led to 44 deaths; burned through 50,000 acres; forced 27,000 people to evacuate; and destroyed more than 8,400 structures, including homes and businesses, making them the most destructive wildfires in state history. In addition, major rail and trucking routes were severely impaired.
Of course, Mother Nature doesn’t account for all disasters. They also can be manmade, such as incidents of civil and labor unrest, cyberattacks, piracy, utility failures, product defects and terrorism. Recent examples include the Samsung Galaxy Note 7 cellphone battery recall and the high-profile Equifax data breach, which caused major problems in the supply chains involved.
Taking disruption in hand
The ever-growing reach of global supply chains exposes these networks to serious vulnerabilities. Potential impacts include financial harm, such as unrecoverable loss of revenue or accounts receivable, as well as contractual fines and penalties; operational impairment from diminished productivity or the inability to provide effective customer service and regulatory reporting; and damage to relationships, corporate image, reputation and confidence.
The good news is that there are proven steps to identify potential risks to the supply chain and plan for business interruptions. The first is to develop an impact analysis. This investigation provides a comprehensive understanding of the business and its supply chain, enabling organizations to identify exposures and potential mitigation measures. It helps users pinpoint the most feasible and cost-effective strategies and solutions for business continuity and disaster recovery. In addition, reviewing insurance policies as they relate to business interruption enables companies to detect any areas requiring additional coverage.
Disaster recovery preparation is the next step. Based on the results of the impact analysis, this exercise finds critical business functions, resources and methods; reveals business unit, supplier and customer interdependencies; further identifies potential threats and exposures; and helps users ascertain potential losses and impacts, should a disaster occur. The process involves documenting recovery time objectives, IT interdependencies and manual procedures; evaluating existing recovery capabilities; and creating effective mitigation measures, including the recovery plan.
The recovery plan should clearly document who to call, where to go and who will do what in the event of a disaster. It also determines which tasks must be considered mission-critical. The plan sets a schedule for periodic backups of all electronic and hard-copy documentation, which should be stored in an alternate location.
Focus on creating a stable, yet flexible, supply chain. Diversifying suppliers and methods of transport wherever possible is an effective strategy. Also consider alternate supplier teams, and define roles both internally and externally to enable this emergency supply chain. Think of substitute work spaces, such as remote access to data and applications, as well as the ability to work from home or another facility. In a local or regional disaster scenario, it is common to have to compete with other businesses for the same limited resources, such as fuel for backup generators, replacement computer equipment, emergency repair services, alternate transportation, and specialized personnel. It is advisable to identify and secure an agreement for such priority services.
The body of the recovery plan should include
- incident-management team members, as well as critical personnel, resources and recovery assignments
- a recovery strategy and solution overview
- emergency-response procedures
- incident-reporting procedures
- recovery team notification, mobilization and assembly procedures
- detailed recovery procedures
- situation-assessment guidelines
- emergency contact information of key employees, vendors and customers
- a summary of mission-critical business functions to be recovered
- detailed procedures for transitioning back to business as usual.
Also keep in mind that, in the event of a disaster, it may be necessary for critical tasks to be performed by someone other than the usual resource. Write down all procedures in such a way that an individual with the appropriate skill set, but not necessarily the daily experience, will be able to understand and execute the critical tasks.
Finally, a plan is only as good as its execution. Once it is developed, make sure all internal and external team members are familiar with their roles and responsibilities. Recovery teams should be comfortable with plan details and procedures. A periodic review and mock test exercise should be conducted, which can be in the form of a table-top exercise or a full physical and technical exercise using a scripted scenario. This will help team members practice their roles, develop confidence and expertise, emphasize good judgement, and reveal any necessary updates.
Test as many components as possible and practical: Are alternate power fuel tanks full? Can backup data be easily accessed? Are partners prepared for their roles? Require development of test objectives and use this exercise to validate technical recovery procedures. Business continuity and disaster recovery planning rely on both common sense and due diligence.
Lowell Grabel began his career in professional services designing communication networks. Later, he provided consulting services in business continuity and disaster recovery planning. He has worked in a variety of industries, including manufacturing, finance, health care, government, pharmaceutical, energy, education and retail. Grabel may be contacted at firstname.lastname@example.org.