Executives and managers make difficult decisions every day, but one of the most important decisions that may have to be made is to formally declare a disaster for his or her company. This is a critical decision because one once it has been made, it initiates a critical chain of events that will spawn multiple teams and processes to manage human safety, damage assessment, salvage and restoration, and recovery of assets and systems.
These activities may consume significant financial and human resources to secure new facilities or assets, procure equipment and supplies, or to acquire targeted services. Declaring a disaster may be the first step in qualifying for governmental disaster assistance, emergency assistance from local responders, or insurance assistance, so it is very important.
If the event is leading toward a data breach of confidential information, declaring the disaster may be required to activate external forensic cyber analysts, data breach attorneys, or public relations consultants.
But it is also essential to recognize that it may be difficult to stop this process once it has started, and that doing so may be equally impactful. For example, once the Information Technology team has initiated a system or database transition to an alternate site, halting the process mid-stream might be worse than the disaster itself. Likewise, certain processes may have regulatory control check points that impact the logistics of managing through a disaster.
My point in all this is simply to understand that the decision to declare a disaster should not be taken lightly. It is recommended to consider the following questions and criteria prior to the final decision.
Are our facilities safe and structurally sound?
Are all of our employees, contractors, business partners, clients, and other onsite visitors safe?
What is the damage assessment for all assets (workforce, facilities, data & systems, capital, vendors & suppliers, communication channels, distribution channels)?
Are we able to provide service to our clients and customers to meet expectations?
The BCP should have identified a threshold of damage that would trigger a disaster declaration – has this exceeded the threshold?
Are any internal systems offline? This could include security systems, business functional systems (e-mail, inventory control, payroll & accounting, customer service or relationship systems, patient records, claims management, etc.), phone systems, mechanical & HVAC, or power systems.
Have we exceeded or do we know that we will surpass any Recovery Time Objectives (RTO) for IT systems or business processes?
Are any key operational processes in a non-functional state?
Are we in jeopardy of missing any regulatory compliance deadlines or of being out of compliance?
There is no one right answer, but the details of each answer will guide the decision process for if the time is right to make a formal disaster declaration.