For the first time in US history, we are experiencing significant disasters on a wide-spread basis. The fact that severe events are likely to continue, and possibly intensify, makes it imperative to have a proactive disaster risk management (DRM) strategy to protect company assets and our most precious resource of all, our people.
Hurricane Katrina, which hit in 2005, has been the prior severity benchmark for significant storms and had an estimated cost of $125B. The devastating impact of multiple back-to-back Category 4 storms making landfall in 2017 resulted in a historic year for hurricane activity. In addition to hurricanes, natural and man-made disasters such as devastating wildfires, flooding, tornadoes and drought cost the US an estimated $306B in 2017.  Hurricane Michael, which hit in October 2018, is reported to be the strongest hurricane to hit the Florida Panhandle in 167 years of record-keeping. The storm’s torrential rain, storm surge, and hurricane-force maximum sustained winds, combined with damages from Hurricane Florence that occurred the prior month, caused historical levels of insured losses, for that region, amounting to close to $50 Billion.  These levels of losses are unprecedented, yet, likely to continue.
Disaster events often come unexpectedly and always result in added costs for businesses. These costs can be minimized with proactive disaster risk management planning.
A growing number of organizational leaders are now reevaluating and paying more attention to their DRM planning as they look to successfully adapt to and survive in the changing landscape around them. No longer is disaster risk management a low priority or simply considered to be part of business continuity planning in the minds of leaders. As leaders increasingly experience the impact of these disasters to their organizations, their people and their portfolios, there is a greater recognition of the need to develop strategies that anticipate risky events, develop response plans and employ tactics to minimize disruption and/or increased costs. Disasters are affecting the safety and soundness of business’ operations, not to mention bottom line profitability.
As part of their standard risk management processes, companies should be evaluating and identifying the risks that the company is likely to face, including emerging risks related to natural and man-made disasters, through DRM planning processes. In order to adapt and modernize DRM planning, an organization needs to adopt a framework that is established on sound risk management principles and DRM operational practices. The framework needs to consider the importance of disaster risk preparedness and strategic planning, the evaluation of the risks that are applicable to that organization, an assessment of tactical actions required to protect company assets, including their people, when external risk events occur, and finally, the framework needs to include defined protocols for the return to business-as-usual following risk events.
Business leaders can no longer afford to assume that disaster risks will not affect their business. Through proactive DRM strategies with an established operating framework, leaders can apply the lessons learned over the past severe storm seasons to prepare their organization for the unexpected.
Applying Lessons Learned to Strengthen DRM Practices
Change is hard. This is especially true for businesses that have been working under the same risk management approach for some time, to manage all risks. However, with the rise in external factors affecting organizations’ assets whether that be employees, buildings or portfolios, a more holistic approach to managing disaster risk must be considered. To begin, organizations need to recognize that core risk management principles are key to building a modern DRM operational framework that will allow the company to progress from reactive to proactive.
Applying Core Risk Management Principles to DRM
Businesses can leverage the recent experiences and basic risk management principles to develop proactive DRM strategies. The basic principles of risk management can and should be applied for DRM to:
- Identify and Predict Risk: Businesses with offices or assets in regions that are likely targets for high severity weather events should identify disasters as strategic risks. For example, we know that the official annual hurricane season for the Atlantic Basin (the Atlantic Ocean, the Caribbean Sea, and the Gulf of Mexico) is projected to last from approximately June 1st until November 30th every year.
- Assess Risk: Businesses need to incorporate disaster risk considerations into portfolio analytics, modeling assumptions and forecasting.
- Develop Risk Response and Control Plan: Businesses ought to define thresholds and triggers that exceed risk appetite and/or present unacceptable heightened risks. These metrics will be incorporated into a risk management plan that outlines required response actions, stakeholders involved and desired mitigation outcomes.
- DRM Communication Plan: Organizations should apply an active communication plan for all stages of DRM. Communication approaches and methods should be defined from early stages of event monitoring through to communication during incident response, including considerations for business resiliency tactics in the event that lack of electricity and damaged telephone towers prohibit normal communication.
- Risk Monitoring and Analysis: Companies must implement processes for proactive monitoring of events that present heightened risk, including natural and man-made disasters. Companies also need to implement tracking and reporting to evaluate mid-to-long term impacts that may be detected after risk events subside.
Building and Maintaining a Modern DRM Operational Framework
The following are modern DRM activities that once put into motion will add value by increasing operational and process efficiency as well as providing a proactive approach to improve disaster response and reporting:
- Building Your DRM Framework
- Assign an owner of DRM to establish clear decision-making authority and provide leadership direction in times of crisis as well as normal activities. To have the most effect, this should be an executive level leader that has the ability to engage leaders across the organization to coordinate and respond quickly.
- Create a DRM operating model that establishes not only the formal owner role, but also the disaster leads in key functions across the organization. Because the DRM function tends not to require a large full-time dedicated team, an effective operating model to consider is a matrixed construct whereby the DRM owner has a disaster team made up of individuals from across the company to play specified roles before, during and after a disaster.
- Develop a DRM playbook to include defined DRM processes and cross-business roles and responsibilities. This document will provide guidance for each stakeholder allowing for individuals across the organization to know what responsibilities the individual has in a given situation, as well as what to expect from others. A recommended component to the adoption of the playbook is to perform tabletop exercises. This activity will ensure everyone is exposed to how DRM processes operate in real-life scenario’s. This group enactment will drive team engagement and highlight areas where improvements can be achieved in order to advance coordination and communication.
- Determine a centralized database system and owner. Documents gathered throughout the disaster lifecycle tend to get stored in disparate systems ranging from a person’s pc to separate databases owned by each business area. Without a central repository to house this key data, information on the effects of the disaster, how the organization managed the event and areas for improvement are difficult to glean.
- Adding Value – Metrics and Reporting
- Develop key metrics for all functions across the DRM lifecycle (pre-event, event and post-event). As an organization improves its measurement capabilities, conclusions drawn from DRM reporting will add value to the organization. Conduct impact analysis and incorporate reporting associated with DRM into ongoing risk reporting processes. The metrics should be woven into the overall corporate risk management and portfolio management reporting so that the impact of disasters on the organization can be more easily evaluated.
- Continue to gain efficiencies and evaluate reported results from recently experienced disasters and risk events. Improve DRM governance practices in measurable ways to drive responses, advance reporting and monitor customer service results. Also, continue to maintain a consistent pace of policy review and performing tabletop exercises to refine the DRM guidance and develop cross-organization communication and collaboration.
- Implement and Execute
- Establish corporate policy, standards and line of business procedures that add needed detail to the DRM strategy.
- Execute key DRM roles and responsibilities consistently, especially monitoring and active team communication. In times of normal activities, these daily tasks become secondary or are even discontinued as other corporate priorities consume business leaders’ attention. To help maintain discipline and cohesiveness, consider establishing a DRM project manager who has responsibility for managing monitoring and communication activities as part of their defined corporate responsibilities.
- Create communication and reporting templates as a means of sharing information. As a company experiences and begins to proactively manage events, it will see trends and potential areas of improvement to enhance the corporation’s ability to anticipate and plan for high risk events. This forecasting ability will enable the company to better inform its customers and its employees about what to expect and how to prepare before the events occur.
- Refine the DRM strategy, periodically and continue to update processes for monitoring, analysis and reporting activities. Change is a constant within any risk management strategy, and so must be the guidance and systems by which DRM is managed. Continual improvement will only add value across the organization.
The Importance of Sustained Preparation and Diligence
There is an observed tendency in organizations to coalesce around a sensational event and lose focus after the event has passed or when an event is minor and has less effect on the organization’s overall footprint. Said another way, it’s common practice for organizations to lose sight of sound DRM operational practices and be reactive to a present crisis because it is an immediate priority for all stakeholders given the impending risk to corporate assets.
Proactive activities such as preparation and diligence outside of a crisis can often be perceived as lower value in comparison to competing company priorities especially when DRM responsibilities are in addition to an employee’s primary job. This reactionary mentality is shortsighted. Not only does an organization lose the “all-for-one” momentum inspired by the team’s collaboration around a significant event, but it loses the value gained from consistent monitoring, reporting and process improvements implemented from lessons learned from past disasters.
Another factor to consider when weighing the value gained from proactive preparedness is the growing need for systematic data for disaster mitigation and impact assessments. For many companies, disaster data requests are addressed on an ad hoc basis, which includes collecting the information at the time of the emergency. However, there is a growing importance and understanding that disaster risk data collection, analysis, and management can help inform both short and long-term corporate strategic goals and help proactively identify and address emerging risks. Another reality is that remediation and recovery activities continue beyond when the news headlines pass. The secondary effects of storms, such as storm surges and flooding, can be as damaging as the primary effects of high winds and heavy rain. Through post-event monitoring and tracking organizations can gain important information to measure the total impact of the event and provide data for proactive predictive analysis and forecasting for potential future events.
The Evolution of the Employee Impact to DRM
When disasters strike leaders need to evaluate the impact to their business which not only includes customers, but also third-party service providers and employees. Ensuring the safety of people, our most valuable asset, is the highest priority when businesses are located in areas that have a high likelihood to be impacted by a disaster. Strategies around business continuity planning are wide-spread and offer various solutions for establishing back-up systems, alternate locations, cloud-based critical information storage and operational recovery. However, with the increase in teleworking arrangements, business leaders need to consider another potential cost of DRM. Natural disasters disrupt the nature of work everywhere, promoting a need for urgent review of where work is performed, whether in a corporate office, or by teleworking staff members located in home-based offices.
Telecommuting has increased in popularity due to increased commuting congestion in major metropolitan areas and the desire for workers to balance work-and-family obligations. Promoting the ability for staff to work from home is also one of the greenest ways to work, thus making a positive contribution to the environment, because it reduces the carbon footprint for each non-commuting worker. Companies realize financial benefits to having teleworking staff due to reduced office costs. However, when disasters impact a teleworker’s ability to access information, or worse, damages their home office, leaders need to have solutions to address the needs of all impacted staff members.
Many organizations have implemented business resiliency and recovery plans, which often focus on the supply chain logistics, information technology and facility functions. Comprehensive DRM plans will apply proactive strategies to have clear decision and communication paths that consider the impact to staff as they apply prudent customer outreach strategies, meet employee needs and keep operations functioning.
“Remember: When disaster strikes, the time to prepare has passed.”
– Stephen Cyros
Business leaders have an opportunity to apply lessons learned from recent precedent-setting disaster events to improve risk management practices and establish proactive practices to respond to disaster risks. Those who fail to prioritize the integration of modern DRM principles and practices into the core of their organizational functions will continue to experience a greater negative impact when inevitable disasters affect their organization, customers and portfolio. As the external environment continues to change, organizations must proactively evolve their disaster risk management practices in order to survive.
President & CEO, GME Enterprises
GME Enterprises is a management consulting firm that offers risk management, housing finance and operations management solutions to financial services, government and non-profit clients.