Top 10 op risks: business continuity and disaster recovery

Unusually low rates of disaster losses in the first half of the year were followed by the severe damage done by Hurricane Sandy to the Caribbean nations and the eastern US. The US suffered estimated direct damage of $20 billion, rising to $50 billion once interruptions to business are taken into account.

Last year’s Top 10 highlighted the risk of hurricanes along the east and Gulf coast of the US as a particular business continuity risk, and there are several reasons why hurricane damage will rise as a result of climate change. In particular, as the atmosphere becomes more moist, precipitation will increase – more rainfall and thus more river flooding during hurricanes, and more extreme rainfall events at other times, according to predictions from the US government’s National Climatic Data Centre in North Carolina. Sea level rise will also increase the risk and extent of sea flooding during a storm surge.

Despite the relatively uneventful first half of the year, the long-term trend is bad for extreme weather events in the US in particular, as Munich Re’s head of geo risks research, Peter Hoppe, noted in a July 2012 research report: “Overall in the USA over the past four decades, we can see a rise in losses from convective events, severe weather events with windstorm, tornadoes, hail, lightning and torrential rain – even when the figures are adjusted to take into account factors like increasing concentrations of values and inflation. One possible explanation could be changes in meteorological conditions, and particularly increased atmospheric moisture content, also due in part to climate change.”

Resilience against natural disasters is, of course, a political issue – much was made of the possible impact of Hurricane Sandy on the US presidential elections a week later – and while it might be assumed that events like this would encourage preparation for more severe floods, that will not necessarily be the case. Republican state legislators in another eastern seaboard state (ironically, North Carolina) passed a law in August 2012 that will block the state from making any plans for flood defence based on the predicted effects of climate change such as higher sea level and greater storm intensity until 2016 (an earlier version of the law would have forbidden all planning on the assumption of faster sea level rise).

While so far no other states have followed suit, the existence of climate change has become a subject of political debate in the US and, increasingly, in other countries such as Canada and Australia. A strong belief in the value of severe austerity policies may also make it politically unacceptable in the near future to build defences such as the planned Verrazzano Narrows barrier system designed to protect Manhattan and Brooklyn from future floods at a cost of $5.9 billion.

The impact of Hurricane Sandy, in New York in particular, highlights an important lesson for disaster recovery planners. The first is that individual, company-level business continuity plans are of only limited value. Southern Manhattan was one of the worst-affected parts of the whole New York area. Banks such as Goldman Sachs implemented anti-flood plans for their offices which were largely effective, and others, such as Citi, were able to move operations to backup offices outside the flooded area, but even if they managed to keep the lights on and the water out, their operations were still hampered by problems elsewhere. 

Employees were unable to travel to work by subway, floods closed the New York Stock Exchange as well as road and rail tunnels, backup offices were often not ready for occupation and use immediately, and employees who tried to work remotely would have been vulnerable to direct damage or infrastructure cuts at home, or more serious damage.

The moral seems to be that business continuity and disaster recovery needs to be more than just a company-level task. Financial institutions need to regard it more like other forms of due diligence – for example examining contractors and suppliers for ethical behaviour, anti-money laundering or anti-bribery policies – and examine their vulnerabilities to a business continuity and disaster recovery failure at another organisation. To the extent where disaster recovery and resilience is the responsibility of local and national government, this will require interaction – and lobbying – with them as well.

Reliance on local authorities, though, would be a mistake: in a major disaster, business continuity will be (rightly) lower down the priority list than preservation of life. This reliance could extend beyond physical assistance: some New York hospitals, for example, were blacked out because their emergency generators or fuel reserves were inadequate. As was the case after the March 2011 earthquake in Japan, companies should be prepared to continue to function in disaster mode for several days or even weeks after the initial event, as normal power (or water, or communications) may not be restored for some time.

Top 10 operational risks 2013: Back to introduction

IT sabotage
 

Reputational damage

Incentives and compensation

Fraud and customer data abuse

Epidemic disease

Political intervention

Sanctions and AML compliance

Emerging market operating risks

Business continuity and disaster recovery

NEXT: Failure to enforce internal controls