Continuity Planning: Are We Prepared for Future Disasters

Problem statement: Natural and man-made disasters could cause a lot of monetary, mortality and morbidity losses for our business’ operations such as: Activities, products and services. In order to minimize losses from such disasters, it is essential to prepare and implement effective business continuity plans that could deal with abnormal conditions. Approach: In this study, a discussion of the major risk factors that could cause business disruption and the main strategies to prevent business’ losses were discussed so as to advice effective business continuity plans for organizations. Results: Risks are due to human and technology factors, natural and man-made disasters are the main contributors to business’ losses. Conclusion/Recommendations: This study introduced the main components to evaluate and modernize business continuity plans with the intention to develop effective business continuity plans.


INTRODUCTION
The humanity is witnessing an ever increasing number of natural and technological disasters to a degree that every day we need to handle the day before disaster or to prepare for the day after one. In some cases, we need to respond or to prepare for different types of disasters at the same time. Statistics such as the one mentioned in Fig. 1, support our assumptions. We could have a tornado disaster today and we end up the day by having hazardous material spill disaster that might cause mortality and/or morbidity and/or monetary losses more than the ones which could result from the tornado effects. For example, the number of earthquakes with a magnitude larger than 7.0 has remained relatively constant with an average of 20 earthquakes per year in the magnitude range of 7.0-7.9 occurred worldwide since 1900. These numbers reflect that we should be prepared for such events whenever our cities are located in seismically active areas (Al-Momani and Harrald, 2003). Moreover, such disasters must be considered by governments not only as part of emergency planning but also as part of long term strategic planning.
In this study several issues in business continuity will be discussed without focusing on crisis management issues (such as evacuation, search and rescue operations, dealing with victims, establishing and maintaining shelters and other roles for emergency responders), which could be more associated with governmental bodies (such as civil defense, police department, military units, non-governmental organizations and civil societies). It is important to mention that these crisis management issues are very important in business continuity as we see from Kope Earthquake experiences and private sectors begin to share responsibilities with emergency responders by providing their employees with specialized training in crisis management such as: evacuation, fire control and first medical aids. Hurican Katrina which slammed into the Gulf Coast in USA on August 28, 2005 caused a lot of disruption to business operations (products, services) due to physical losses in assets, human resources, or disruption to lifeline systems. In a study to identify whether small business were able to recover from this disaster Runyan and Huddleston (2009) conducted an interviews for local officials and small business owners in the Gulf Coast after three months from Katrina impact. They concluded that small business owners did not plan for nay disaster including Katrina and they were having great difficulties recovering from the hurican.
Moreover, during Hurican Charely, which slammed into Florida, USA in 2004, human needs play a role in business continuity planning. For instance, "Charles G. Brown III, president and CEO of Charlotte State Bank, Port Charlotte, Fla. found that one of the unexpected tasks for his employees during Hurican Charley was getting together enough water, ice and lunches to keep the staff going. (ABA Community Bankers Conference, April 2005/ABA Banking Journal," Business continuity planning, born in DP, needs human element). It is essential to prepare businesses and institutions so as to be able to respond and recover from several threats that could produce losses to business and prevent business resumption. It is no longer enough to think in business in normal day-to-day activities claiming that nothing could happen which might prevent us from doing that and we are strong enough to a degree that we will not be affected like to others. Moreover, with globalization and privatization, managers become more accountable for losses if they did not take appropriate actions to prevent stakeholders' losses. Therefore, the question is: Are we prepared to safeguard our business from future losses. If yes, do we have effective business continuity plans in place and applicable if needed. If no, we need to know how we could develop effective business continuity plans. In this study we will provide a framework to help businesses to answer such questions. But first, we need to attract attention to previous businesses' experiences with Kope Earthquake disaster (Exhibit 1) to stimulate thinking toward adopting effective business continuity planning as a strategic approach to minimize future losses from disasters. There were several disasters that have occurred during the last decade, as we see above.
We have chosen Kope Earthquake as an illustrative example from these disasters since it is a recent one which had impacted a city used to be a hub for movement of goods to the Far East and caused large human and monetary losses.
The aim of this study is to attract the attention to the need of business continuity planning to save lives and property and to provide guidelines for effective business continuity plans. It starts with introduction to illustrate the essential of business continuity planning.
Then, it discusses the main risk sources that could impact business planning. These sources are due to human and technology factors, in addition to natural and man-made disasters. Moreover, this study provides guidelines to mitigate these risks by eliminating risk sources or by reducing their impacts. Business risk analysis is considered to be the core of effective business continuity planning and the final section of the study provides 10 other points to help businesses establish effective business continuity plans in addition to business risk analysis.
Exhibit 1: Kobe earthquake: In January 17, 1995 an earthquake struck the port city of Kobe in Japan that killed 6,300 people, injured 30,000 and made 307,000 people homeless with an estimated of property losses of $ 200 billion (Kawamura, 1996). The flow of world trade was disrupted by the earthquake near the port of Kobe, the largest container port in Japan. Prior to the earthquake, Kobe was a hub for the movement of goods to other parts of the Far East (Agis, 1995). Some businesses survived the earthquake with minimum losses due to luck; others experienced huge losses because of the lack of recovery and business continuity planning measures. Moreover, businesses reliance on government to shield their assets did not reduce their losses as expected since such government will be more interested to save lives and property losses than helping businesses to resume to normal activities especially during the early stages of disasters impact.
After the Kobe Earthquake some companies' activities were disrupted even if their infrastructure were intact, since they lost some of their employees. Also, looking for lost relatives or securing shelters after they lost their homes might occupy the workers and affect their performance. Mitsubishi temporarily shut down operations of it is plants because it was missing about 50 employees (Cataldo, 1995).
As expected, most business acting on their own interest, would strive to salvage what they know about in terms of equipment and facilities than would anyone else. "On the day of the earthquake, the Co-op grocery chain was able to open 97 of its 363 outlets while also delivering relief goods to the city's nine ward offices under a prior agreement. With their computer systems down, managers resorted to the paper and pencil bookkeeping of 20 years earlier. The Daiei department stores, guided by their Tokyo office, immediately dispatched helicopters, trucks and ferryboats in a massive re-supply operation. The IBM headquarters staff in Kawasaki established a "war" room from which they briefed their Hanshin dealers in emergency procedures and serviced a hot line for all their area customers (Horwich, 2000)".

MATERIALS AND METHODS
In this study we will analyze business risks due to technology, human, as well as natural and man-made disasters. After analyzing these risks contributors we will advice proper methods that could be used to prevent or reduce future losses.

Business risk analysis:
As previously mentioned businesses bear losses from Kobe Earthquake that required their actions beyond government responsibilities of saving lives and property losses. It is not only earthquakes that we should be prepared for, but also we have many risk sources that could damage businesses' operations and cause a lot of financial losses. These are: • Technology: Using technologies such as internet, telecommunications to perform business process could fail due to several reasons whether accidentally or purposely which cause delay and disruption to business processes, activities and products • Human: Human errors or attitude could ruin a company reputation and its relationship with customers, clients and suppliers • Natural and man-made disasters: Natural disasters (such as earthquakes, wildfires, hurricanes, floods, thunderstorm, tornados, snowstorms) and manmade disasters (such as industrial accidents due to human or technology errors or terrorism acts) could cause several monetary and/or morbidity and/or mortality losses The above risk factors are the most contributors to business disruption and require effective business continuity planning in order to minimize businesses' losses. In this study, an illustration of some consequences for the previously listed risk factors (technology, human, natural and man-made) will be presented then some countermeasures to maintain business continuity will be advised in order to be able to meet products, services and activities demands.

Business risk analysis:
Technology: Most businesses relay on technology (hardware, software, internet and communications) to perform several processes such as storing business records for customers, suppliers and distributors. Also, technology is used in marketing departments to advertise for products or services by using the internet or the call centers. Several business processes are automated or partly automated which necessitate having the supporting technology up and running to be able to meet their needs such as transaction, payroll and bills. Others are fully automated and depend on computers and artificial intelligent units such as using robots to perform tasks that could not be both effectively and efficiently performed by humans such as car manufacturing industries. They could produce cars without relying on machine but the productivity of the cars will be very slow and will not fulfills the market demands and eventually such businesses will be overtaken by other competitors.
There are hundreds of technology related sources of risks that could damage businesses and require business continuity strategies. Therefore, each business should review the use of technology within its internal and external business environment in an attempt to reduce losses. Some of the strategies that could be implemented to reduce technology risks are: Protect media that stores important business records and back it up daily, keeping a copy in secure location away from the business location; identify the equipments that the business will use if its own equipments are destroyed or become inaccessible; ensure that employees know how to deal with frequent failures and maintenance issues to minimize down time; perform regular and scheduled maintenance for equipments to minimize business processes interruption. A wide-ranging global survey of 240 senior executives about their organizations' business continuity planning was carried out by the Economic Intelligence Unit for AT and T and Cisco (AT and T/Economist Intelligence Unit and Cisco Systems, 2005). The survey observed that 21% companies had to suspend key business operations as a result of disasters that cause system failure.

Business risk analysis:
Human: Businesses require human interactions in addition to the use of technology to perform their operations. Some industries could minimally use manpower to reduce human errors such as pharmaceutical industries and others depend mainly on man-power such as mail delivery businesses. Whether businesses depend heavily or lightly on human interactions, business interruptions and monetary losses could occur. These losses could be due to negligent, intentional and criminal behavior of employees. For instance, human behavior may damage or destroy the business' property or resources such as customers and suppliers who could move to other competitors. The previously mentioned AT and T and Cisco survey (AT and T/Economist Intelligence Unit and Cisco Systems, 2005) found that 12% of companies had to suspend key business operations as a result of human related errors in disasters. As technology, human risk sources are high and we need to understand the potential risks for business continuity in order to advise strategies to tackle these risks. Some of the strategies to address human related risks are: protect against bodily injury and property damage through identifying important business safety issues and train employees how to address them; protect against personal injury claims; establish internal controls to discourage and detect employee misuse and fraud; protect financial resources and the ability to continue operating through training employees to identify activities that may damage business property through fire, explosion, or other hazard and to prevent them; protect customer properties in business' possession; know and abide by any legal restrictions on generating light, noise and fumes; promptly address and resolve customer complaints; maintain workforce productivity and reduce turnover; reduce negative publicity by addressing and resolving customer and media complains; train employees to use resources efficiently and according to budget constrains; diversify supply sources and keep a backup inventory to avoid disruption of supply chain; keep good connections with neighboring community to prevent or reduce future liabilities due to accidental or intentional activities.
Other strategy is to improve employee loyalty to business by allowing them to participate in decision making through having their own stocks within the business' investment. This will encourage them behave suitably to secure their investment and they will become watchdog for outsider perpetrators.

Business risk analysis:
Natural and man-made disasters: Natural and manmade disasters are more threatening to business continuity than human and technology since human and technology interruptions to business could be due to primary or secondary effects of natural or man-made disasters. For example, an earthquake might cause power outage that could destroy a company transaction or telecommunication lines and causes business losses due to technology failure. The same earthquake might cause morbidity or mortality losses for workers, suppliers, distributor and monetary losses. Moreover, the business' assets (such as buildings, equipments, motor vehicles, computers, records) may be physically damaged or become unusable. The followings are the main natural and man-made disasters: earthquakes, windstorms, landslides, mudslides, volcanoes, drought, heat and cold waves and terrorist attack. Earthquakes such as the previously mentioned Kobe Earthquake cause an extensive monetary, mortality and morbidity losses.
The AT and T and Cisco survey (AT and T/Economist Intelligence Unit and Cisco Systems, 2005), found that 22% of the surveyed companies had to suspend key businesses operations as a result of natural and man-made disasters. In any giving time and location every business will face some sort of natural and man-made disasters depending on businesses setting. If businesses are located next to a river you could expect a flood that could impact such businesses but if they are located away from sea or ocean it is not expected to be subjected for tsunami effects such as the one which hit the cost of Northern Sumatra, Indonesia and resulted in more than 230 thousands casualties and billions of dollars in losses. Therefore, in order to be able to prepare for business continuity we need to analyze our business susceptibility to these risks factors and estimate the likelihood of consequences. Several models could be used for risk analysis for different types of hazards such as the Earthquake Consequence Model (ECM) which investigate the earthquake risk for a given area and the potential consequences for the identified risk. If the risk and potential consequences are higher than acceptable, a decision should be taken to minimize earthquake potential consequences (Al-Momani, 2009).
The numbers of risks due to natural and man-made disasters are high with causes stem from different resources such as physical, geological and environmental ones. Therefore, for each kind of disaster we need to estimate the potential business disruption for activities, processes and products that could prevent businesses, suppliers and distributors form maintaining normal operations. Subsequently, we could advice mitigation and preparedness measures to prevent, reduce, or compensate financial losses.
After conducting business risk analysis from natural and man-made sources as part of effective business continuity plans, it is essential to eliminate, to reduce, or to compensate for losses. For illustration, the following are examples for some possible mitigation measures which could stimulate thinking for other ones: • If risk assessment reveal that potential losses from business disruption, try to transfer losses to one of the insurance companies by having general or specific risk insurance coverage • Make the business premises more disaster-resistant by making changes to the structures and the use of theses premises such as: • Elevating vulnerable items in a building subject to flooding • Securing items in earthquake porne areas to prevent or minimize their movement which could destroy them or cause death or injury for workers and occupants • Design and construct buildings according to applicable and seismic codes • Install protection measures such as smoke detectors and fire extinguisher to prevent or reduce fire hazards • Securing items that could be carried away by strong winds if subjected to tornado effects • Change business processes to reduce disaster consequences such as reducing or eliminating the use and the storage of hazardous materials that pose an environmental threat if released • Prepare disaster response plan for each type of disasters the business may expect, have the plan easily accessible • Practice the plan regularly through actual or tabletop exercises to test its applicability and make changes according to business and environmental conditions changes • In the disaster response plan assign disaster responsibilities to answer typical questions in disaster response activities such as who is doing what? When? And how. Some of the activities could be: closing businesses, shutting down production process, turning off utilities, securing windows and doors, moving inventory to the second floor, taking valuables off site • Train employees in safety procedures that will help them avoid injury in case of a disaster

RESULTS
The above discussion show how natural and manmade disasters could cause business losses and we need to prepare to prevent, avoid, minimize and mitigate losses. These goals are captured through the need for business continuity planning. With increasing reliance on computers and data processing activities during the late 1960s, planners stress the needs of having back up for these activities when technology fails. They consider having backup for data on papers or disks could save their businesses from losing main data for instance for their customers, suppliers, agents that will prevent them to perform their activities, processes and services and ultimately cause business losses. By the late 1970s and 1980s, some business emerged as providers for technology (data and computer processing) if needed due to emergencies. Among these are SunGard and Comdisco in USA. In the 1990s, the focus of business continuity has extended to cover wide range of businesses' activities and not only data and computer processing activities.
With advances in information technology business continuity planners look for information systems solutions to develop and execute BCPs. Graphical user interface along with data-base-management systems are used to store and analyze data from different resources to develop BCPs. Erlanger (2006) pointed out that "Strohl systems' LDPRS is one of businesses continuity packages that guide planners step by step through a logical sequences of business continuity planning tasks. Sun Gard's program is another useful package that could be used in business continuity management. This package uses a central database and guides planners through the business continuity planning process with libraries of questions for business unit survey and numerous plan templates".
Another option for business continuity planning could be outsourcing of key processes or services to maximize profits and reduce costs. Walker (2006) and Runyan and Huddleston (2009) provides guidelines to successfully work with outsource providers.
Business risks are rapidly increasing due to natural and man-made causes with totaling more human and monetary losses. However, business continuity planning did not follow this trend. A research study for Gartner analyst that was conducted in 2000 "found that only 35% of small and midsize businesses have a comprehensive disaster recovery plan in place and fewer than 10% have implemented crisis management, contingency, business recovery and business resumption plans (Swartz, 2003)". Mitroff et al. (1992 suggest that crisis management should take a strategic role within organizations, given that resources and priorities should be considered to save lives and property by top management. Moreover, Herban et al. (2004) examined the potential of considering the business continuity planning on a strategic level. Moreover, they show general parallels between strategic management and continuity management in terms of: Planning processes, capability development and socio technical approaches, speed, configuration, resilience, obligation and embedded ness. In this research, two UK-based financial firms show that BCM provision is more aligned towards a mission critical strategic role. Clas (2008) outlined the ten essential elements of Business Continuity Management which are generally accepted principles of business continuity management from the Institute of Continuity Management (US) and the Business Continuity Institute (UK). They are: • Program initiation and management • Risk evaluation and control • Business impact analysis • Business continuity strategies • Emergency response and operations • Business continuity plan • Awareness and training • Business continuity plan exercise, audit and maintenance • Crises communications • Coordinate with external agencies Since there are no international accepted standards for business continuity, if we exclude IT sector, such as ISO 9000 and other standards we proposed in the following section strategies that could be integrated with existing standards (ISO 9000, ISO 14000, OHSAS 18001) which might be existing within the organization that could be tailored to include business continuity issues. Therefore, we leave it to readers and practitioners to adopt which model suit best for their organizations until we get worldwide accepted international standards for business continuity which are successfully used to overcome real disasters admitting that each new disasters might bring new issues of concern for business continuity planning.
In the next section we will discuss the most important elements that could lead to effective Business Continuity Plans (BCPs). These elements are: legal Requirements, BCP policy, business risk analysis, objectives and targets, structure and responsibility, BCP resources, training and awareness, BCP documentation, BCP testing, management review.

DISCUSSION
It is appeared from the discussion before that we need to prepare for the unusual events whether they are expected or not in order to prevent business losses and to assure business continuity. For this the essential components that should be considered in preparing effective business continuity plans will be discussed. Some of the presented components are already exist within other health, safety and environmental management systems that could be implemented within a company such as: ISO 14000, ISO 9000 and OHSAS 18001. It is worth to mention that these standards are voluntary ones and put forward to increase competitiveness and to gain customer satisfaction. Nevertheless, business continuity planning could be indispensable to governments' financial and political stability. Therefore, governments reinforce business continuity planning policies especially for financial institutions such as banks and insurances companies.
It is important to stress the need of establishing crisis management departments which are staffed with specialized and trained members in crisis management issues to insure that the below guidelines are taken seriously and be implemented. Saying that we need to have business continuity plans does not mean we have to follow strict requirements such as the above standards, since decision making in crisis situation require a room of flexibility in decision making to be able to prevent and mitigate losses due to uncertainty, ambiguity and stress. Moreover, decisions during crisis situation could be improved by previous planning and preparation so as to be based on realistic expectations. Different businesses could have different plans to meet their requirements since business continuity plans should be a dynamic one and could be modified according to business and environmental changes. In order to establish effective Business Continuity Plans (BCP), these plans should consider, at least, the following 11 points. These points are based on the author own judgment and there is no priority in considering these points: 1. Legal requirements: It is important to consider legal requirements to which the organization subscribe to such as safety code of practices. By considering such requirements the organization will both follow existing requirements and improve its business continuity capability 2. BCP policy: It is important to have a BCP policy that has the commitment of top-management to invest time and resources to develop business continuity plans. This policy should consider the applicable laws and trades agreement if existed and could be translated into actions for implementations 3. Business risk analysis: This step is considered to be the cornerstone for effective business continuity planning. In this step, we conduct risk analysis for business activities, process and services in order to identify the unacceptable risks that need mitigation measures to prevent, avoid, or reduce their impacts. In this step we consider wide range of natural and man-made risk sources such as earthquakes, tornados and others as we have discussed above. There are several methods to produce risk analysis such as quantitative risk analysis methods (e.g., two-dimensional impact/probability, pareto diagrams, failure modes and effects analysis) and qualitative risk analysis methods (e.g., multivariate statistical models, event trees, system dynamics models, sensitivity analysis, stochastic simulation models, additive models). For each of the risk analysis methods there are different requirements for successful application such as time, cost and experience, which could influence the method use for business risk analysis 4. Objectives and targets: We need to identify our objectives from having BCP in place which could be to maintain business activities during disastrous conditions and then we need to identify what are our targets. Do we intend to keep full operations capability during disasters or half operations capability? It is essential to have objectives and targets that could be achieved given the resources and preparation. For instance, if a company provides internet services by depending on cables without having microwave data transferring system it can not claim zero down time for their internet services due to cable failure 5. Business Continuity Plan (BCP): In order to achieve our objectives and targets we need to establish and maintain BCP that designate responsibility and the means for achieving objectives and targets. For instance, we need to know who is responsible for maintaining data base to be able to provide several copies that could be used from remote sites if needed during emergencies 6. Structure and responsibility: In BCP, roles, responsibilities and authorities shall be defined, documented and communicated in order to facilitate effective business continuity planning 7. BCP resources: We need to provide essential resources to the implementation and control of the BCP such as human resources and specialized skills, technology and financial resources 8. Training and awareness: In order to be able to implement the BCP effectively, each employee who has a responsibility in implementing the BCP should receive appropriate training and be aware of the following: • The importance of conformance with the BCP policy • The potential consequences of business disruption impacts, actual or potential, of their work activities and the benefits of improved personal performance • Their roles and responsibilities in achieving conformance with the BCP policy 9. BCP documentation: It is important to establish and maintain procedures for controlling all documents related to BCP and to insure that these documents could be located and periodically reviewed and revised as necessary. The current versions of relevant documents of BCP are located where the obsolete documents are promptly removed 10. BCP testing: In ordered to make sure that the existing BCP is properly implemented and maintained by workers, suppliers; contractors or other business related partners there should be scheduled exercises to practice the BCP. There are different levels of exercises such as: Full scale, functional, table top and disk check 11. Management review: The organization's top management (if the top management is not aware of crisis management issues he should consult advisors who have the knowledge and experience in crisis management issues) shall, at intervals that it determines and preferably to be coordinated with BCP exercises, review the BCP to insure its continuing suitability, adequacy and effectiveness. The management review shall address the possible need for changes to policy, objectives and targets, structure and responsibilities and other related documents in the light of BCP testing results and changing internal and external circumstances

CONCLUSION
Business continuity is a continual improvement process that starts with establishing business continuity policy and ends with recommendations from the management review to keep business continuity plans up to date. Business continuity planning requires human and monetary resources which could be diverted from other services, products, or activities and could cause financial losses. On the other hand, business continuity planning could save a lot of losses if implanted properly. Therefore, the top management awareness of potential business losses is the drive for business continuity planning commitments.
It is important to understand the causes of business losses such as human, technology failures or natural and man-made disasters. When we understand the sources of these risks and their potential impacts we could advise strategies to prevent or reduce them to an acceptable level which could be used to prepare effective business continuity plans. Experiences from Kobe Earthquake shows that not all businesses will be affected equally, some will be able to resume business operations and others will not. For effective business continuity plans we need to consider a wide range of components starting with top management commitment and be based on realistic expectations from business risk analysis components.