Organizations may have plans, yet still be unprepared

By Bob Jensen, Senior Managing Director of Strat3 LLC

Today, nearly all businesses and government organizations alike agree that the old adage of “an ounce of prevention is worth a pound of cure” is true when it comes to the benefits of being prepared for unexpected events, both small and large, that may impact and disrupt daily operations. However, when it comes to having the right kinds of plans in place to ensure their organization can handle an incident, the actual story is that most are woefully unprepared.

What are the key plans an organization needs to have in place?

Most larger organizations have put in place business continuity plans (BCP), but a survey in 2012 by a major U.S. insurance company found that about half of all small businesses were operating without a business continuity plan and many thought that having insurance was good enough.

For those organizations with a BCP, many of the plans were only focused on IT and technology, some didn’t cover multiple business sites and others had never been shared with key staff.

A major public relations firm survey found that nearly 35% of respondents didn’t have a crisis action plan, and even for those who did many weren’t adequate nor were they reviewed or exercised regularly. Only about 20% of responding companies were well prepared for a crisis, even though a majority of companies agreed they were vulnerable to a wide range of events from criminal actions to technical disruptions.

Even fewer companies had crisis communication plans that supported the crisis action plans and had clearly defined processes for identifying and reporting a crisis as well as clearly defined roles.

Finally, cyber threats are evolving into one of the biggest potential risk areas for businesses, ranking much higher than natural disasters and terrorism. Yet surveys conducted recently show that 60% of respondents only had a partial process in place for cyber defense and 11% reported no process at all was in place. Overall only 15% reported they were well prepared for a data breach. As for a cybersecurity crisis response plan, while 56% of larger businesses had one, very few of them were integrated with their crisis communications plans and most were more technically focused. Small businesses, which are being hit at a growing rate by cyber attacks, were even more unprepared, with only 10% having an internal IT manager focused on technological issues and few had a cyber plan of any kind.

The Risk Management Institute of Australasia (RMIA) is sponsoring a speakers tour of six cities by Mr Bob Jensen, a former senior US government official who brings three decades of experience handling national and international communications for major disasters and incidents. He will talk about all four key plans, will provide current perspectives on emerging threats, will share key lessons learned to help participants develop or improve plans, especially the critical communication elements and finally, will provide concrete actions and sources of information participants can use to address the gaps and challenges their own organizations may have with their plans.

Bob Jensen is conducting a national keynote tour for the RMIA in late February and March. Info and bookings here.