This article was first published in the June 2011 China edition of Accounting and Business magazine
In just the first three months of 2011 the world has faced a series of natural disasters – from quakes in northern Argentina and China’s southern Xinjiang, heavy floods in Brazil and Australia to the 9.0 magnitude earthquake and tsunami that struck Japan on 11 March. These disasters have left tens of thousands dead and thousands more homeless.
Then there’s the economic cost of these disasters. The Wall Street Journal recently reported that the Japan earthquake and tsunami will cost insurers between US$21bn and US$34bn, making it the most expensive disaster since Hurricane Katrina in 2005. In its recent East Asia and Pacific Economic Update, the World Bank said rebuilding in the wake of the destruction could take five years, while gross domestic product growth could fall by as much as half a per cent this year.
The World Bank report added that the earthquake has already disrupted global supply chains, particularly in the automotive and electronic sectors where Japan is a major producer of parts and components, and is a supplier of capital goods. It was also reported that Thai carmakers are running out of components imported from Japan, and Korean electronics firms are seeing higher prices for memory chips.
The floods in Malaysia earlier this year delayed palm oil deliveries as the rains submerged some estates in Sabah and Johor (the country’s top oil palm growing regions that create more than half the output). The floodwaters also cut off access roads to the estates. Malaysian refiners then had to buy crude palm oil from Indonesia to meet orders from China and India.
Muazzam Mohamed, executive director of KPMG Business Advisory, says that the recent natural disasters have highlighted the importance of disaster risk management.
‘Over the past 10 years, crisis management and business continuity management (BCM) have evolved into key corporate governance activities for public and private organisations. The case for implementing a crisis management and disaster risk management strategy has been compelling,’ he says.
He adds that for the public sector, the consequences of not being able to recover from a natural disaster in a timely manner can include loss of reputation in the eyes of public and other government departments, inability to provide timely reporting and the loss of public confidence.
Unfortunately, he says, in Malaysia crisis management and BCM may not be perceived as a priority area. He points out that resources tend to be channelled towards business strategies, process improvements and efficiencies and implementing systems that support core operations, as these activities yield more visible results.
Ong Ai Lin, senior executive director of PwC Malaysia’s Risk Assurance Services agrees, adding that organisations often perceive such plans as a matter of compliance rather than operational strategies. ‘Many people think disaster is a “it will never happen to me” situation, and this in itself is a challenge [to overcome],’ she says.
Software and IT solutions provider Symantec Corporation has found that 59% of Malaysian small and medium-sized businesses (SMBs) do not have a disaster plan, and almost half of these say that being prepared for disaster is not a priority.
Elaborating on the key findings of its 2011 SMB Disaster Preparedness Survey, Nigel Tan, principal consultant of Symantec’s Asia South region, says SMBs are at risk given that they do not have plans to help them deal with disasters and keep their computer systems up and running. He adds that SMBs also often do not act until it’s too late, with 45% of companies implementing a plan following an outage or data loss.
‘Not being prepared can have a negative impact. It could put an SMB out of business,’ he says, adding that in Asia Pacific, downtime costs SMBs an average of US$14,500 a day.
Manage, respond, recover
Given the potential losses and threats to business survival and continuity, Ong says organisations need to change their mindset. ‘BCM should be viewed as a corporate asset rather than an expense or a waste of money. When done properly, taking into account the worst-case scenarios, a BCM plan will allow an organisation to respond more efficiently and effectively to disruptions in their normal operations,’ she adds.
Under the Malaysian government’s National Cyber Security Policy, 10 Critical National Information Infrastructure (CNII) sectors have been identified. These are: national defence and security, banking and finance, information and communications, energy, transportation, water, health services, government, emergency services and food and agriculture.
‘These sectors would be the ones most at risk in case of disaster and the inability of these sectors to function will affect the country as a whole,’ Ong says, adding that the financial sector regulators require all financial and insurance institutions to have a BCM plan in place.
For power company Tenaga Nasional Berhad (TNB), the prevention of personal injury and loss of property is the primary purpose for establishing its Corporate Emergency Response Plan. The plan was implemented in 2007 and since then it has been revised and updated to include responses to different emergencies such as electrical blackouts, floods and pandemics.
So what does a disaster risk management or BCM plan entail? PwC’s Ong says that while most organisations would have an IT disaster recovery plan in place to safeguard IT systems and procedures for fire evacuation, these alone are not sufficient.
‘There are three key components to a BCM plan – crisis management, immediate response and the recovery phase (which comprises the business recovery of the operations as well as the IT systems and other relevant infrastructure). Consideration should also be given to supply chain management and interdependencies both within the organisation and with external third parties.
‘All the employees in the organisation must know what their role is in a disaster and what the organisation’s recovery priorities are,’ she says.
Ong adds that companies without a plan in place also risk losing market share permanently if they can’t get back on their feet in the shortest time possible. ‘Their clients may go to their competitors as an alternative source for materials, and might not go back to them after the original supplier’s business operations have resumed to normal,’ she says. Tan agrees, adding that 73% of SMB customer respondents in Symantec’s survey said that they switched vendors due to unreliable computing systems.
KPMG’s Muazzam believes that a robust crisis management and BCM plan should cover risk assessment. This includes asset and threat identification, quantifying the potential losses, assessment of vulnerabilities, and evaluation of counter measures. ‘It should also include definition of incidents and crisis assessment criteria, escalation procedure; and crisis management team roles and responsibilities,’ he adds.
Put to the test
Apart from having a disaster risk management plan in place, testing and reviewing the plan is also important. ‘You want to make sure that the plan is always up to date, testing is also a way of educating the employees… much like a fire drill,’ says Tan. He adds that the rule of thumb is to put the plan to the test at least once a year. ‘Larger companies conduct reviews once a quarter,’ he adds.
Organisations that have a disaster risk management plan report that it has helped them manage disaster situations better, especially in terms of immediate response, says Ong, pointing to the example of a financial institution that had to shut its branch due to the recent floods in Peninsular Malaysia.
‘It was able to respond effectively because it had a plan of action to follow – it mobilised the staff to another branch, posted up signage to redirect customers to other branches and also provided emergency hotline numbers. It had a team ready to clean up the branch as soon as the floodwaters subsided and was the first to open for business again in that area. By doing so, it showed customers that it was sensitive to their needs and was committed towards delivering continuous service,’ she adds.
For TNB, its CFO Mohamed Rafique Merican says that during the floods in the east coast and northern states of Peninsular Malaysia, local emergency response teams were activated to ensure the safety of the public and availability of electrical supply.
While having disaster risk management plans in place do help organisations minimise disaster-related vulnerabilities, consultants caution against the thinking that such plans will wholly insulate a company from the effects of natural disasters. ‘Having a BCM plan only works as a safety net to mitigate the impact of a disaster; you can never disaster-proof a company,’ says Ong.
Muazzam agrees, adding that having a good plan in place means that the organisation is ready to respond when an incident or disaster occurs and helps the organisation to minimise the amount of time to get its operations, at least the core or critical operations, running again. In some cases, that may well be the difference between whether an organisation survives and prospers post-disaster.
Sreerema Banoo, journalist
THE WALMART EXAMPLE
Walmart, the world’s largest retailer, has become adept at responding to natural disasters, sometimes more quickly than governments, most notably during Hurricane Katrina, reported The Wall Street Journal.
The retailer, in a statement on its website, said that within the first three days following the earthquake and tsunami on March 11, its associates, working across Japan, quickly took action to help by setting up distribution points for relief items in its store parking lots when the stores themselves were too damaged to open.
In the immediate aftermath, its stores and distribution centres provided donations to the victims including water, food and sanitary items. The statement added that Walmart associates worked around the clock to keep supplies going to the Seiyu stores – as the chain is called in Japan – which had become a lifeline for local communities.