Those of us who "test" our risk management plans usually check to see the reaction at the crisis point: when the event occurs and immediately thereafter.
Realistically, that's about all we can economically exercise, and even that often is pushed down to a simulation.
What we rarely consider is incremental recovery.
For example:
- You operate an IT-dependent call center.
- The facility is destroyed; any reason will do, but for convenience, let's blame it on a fire.
- Staff is relocated to temporary housing at a nearby hotel's Grand Ballroom; it is, after all, easily cabled and quickly readied for operations and your organization had an agreement in place for just such an occurrence.
- The InfoTech operation is worked from a hot site.
- Business returns to less or more normal operation within 72 hours.
End of exercise.
Now consider:
- The nearby hotel wants its Grand Ballroom back after 90 days - or less.
- The cost of maintaining InfoTech at the hot site is becoming prohibitive.
- The original facility is still far from ready for occupancy.
- The operation must be moved to another temporary home.
Is looking for a long-term temporary facility in the plan?
Is even consideration of a "restore or relocate" option in the plan, and if so, what are the decision parameters?
What does it take to relocate?
A project risk management plan.
Granted, the details of the project risk management plan may be "out of scope" for the overall organizational risk management plan; after all, decisions made following the initial event will drive later efforts in one direction or another.
Still, the organizational risk management plan needs to consider:
- Temporary facility options.
- Long-term facility options.
- Consolidation of business units and support units, e.g., HR, InfoTech, including acquisition, installation, and testing of equipment and systems.
- Impact on personnel, especially if the alternate sites are distant from the original location.
Basically, the relocation project plan will be similar to any facility relocation plan.
The planning team should include the project manager and the risk management practitioner, along with representatives from both internal functional units and external participants - vendors, local fire, police, building, utilities, and zoning offices, perhaps others. The "involve everyone" philosophy is based on the knowledge that one person cannot think of everything; a risk management plan should never be created in a vacuum.
What could possibly go wrong? A partial, alphabetized list must include:
- Building lacks occupancy permit.
- Equipment deliveries delayed.
- Installation personnel unavailable when scheduled.
- Telephone and Internet connectivity delayed.
- Vacations and holidays ignored in the timeline.
- Vendors fail to get required permits when anticipated.
- Wiring to the building is delayed.
Bottom line: Failing to consider post-crisis events beyond the typical 72-hour "return to minimal operations" requirement can prove to be a greater disaster than the original event. The initial crisis caused a "hiccup" in operations for which the organization was prepared; the post-event activities easily can put a recovering organization out of business unless this period, too, was considered in the overall risk management program.
John Glenn
Enterprise Risk Management practitioner
Hollywood - Fort Lauderdale Florida
JohnGlennMBCI@gmail.com