Although such an apocalyptic event should not be the catalystinspiring risk managers to dust off their disaster recovery plans,South Asia's recent tsunami underscores the need to ponder andenact such plans.

Because both coasts of the United States are susceptible totsunamis, experts are scrambling to establish warning systems now,before government decision-makers lose a sense of urgency. In theaftermath of the South Asian flood that left 300,000 dead, U.S.officials will spend more than $37 million to establish newdeep-sea warning systems that aim for almost complete coverage ofNorth American coastlines. Even if they do not think that a tsunamicould happen here, risk managers must realize that either coastcould be hit. The concentration of insured properties on eithershoreline would propel insured loss to mind-bogglingproportions.

No one suggests that risk managers enter their CEOs' officesand, with straight faces, ask, “Hey boss, what's our company'stsunami recovery plan?” (especially if one's employer happens to bein Dubuque, Iowa). That could get you laughed out of the executivesuite. Risk managers often have a hard enough time earningcorporate credibility for their roles.

Disasters' Many Guises

Not all disasters take the form of 20-foot-high tidal waves,however. The recent tsunami should inspire risk managers to reviewand retool their disaster recovery plans. Doing so helps insurethat their organizations can resume operations and rebound quicklyafter losses.

Risk managers are like corporate funeral directors. Nobody likesto think about his own death. Funeral directors have the tough jobof selling services to folks who do not want to contemplatemortality. Similarly, corporate risk managers must think about theunthinkable, even when life is going well and everyone else thinksthat the risk manager is a loony worrywart.

What will it take for your organization to contemplate disaster?What is your tsunami? Are you located near an earthquake faultline? Are you in a flood zone? Does your plant work with volatilechemicals?

A business continuity plan, disaster recovery plan, or any othersimilarly labeled contingency plan should dictate the roles and theplayers, internal and external. If the risk manager and teamsurvive the disaster, then the risk manager is just another teamplayer. In this case, the risk manager may focus more on claimissues and harnessing resources available from outside entities tomitigate loss and restore normal activities.

Disaster recovery plans should be current and must address theareas that were hit, diverting resources to mitigate losses andresume full operations. A disaster recovery plan does not consistof drafting an impressive document and crossing it off a list withan attitude of, “Whew, that's done.” The danger is that such aplan, however nicely bound, becomes credenza decoration, somethingthat sits on a shelf and is foreign to most people. When disasterstrikes, folks are running to locate a copy of the plan to see whatto do. You do not want to wait to have a house fire before readingup on how to work that fire extinguisher that you have had in thekitchen pantry for years. As the boxer Mike Tyson stated about hisopponents at the height of his career, “They all have a plan, untilthey get hit.”

Having a plan but waiting until you get hit to use it is theantithesis of disaster recovery planning. Unfortunately, in manycompanies, it can become the norm. Some organizations just want tobe able to answer outside constituencies by saying, “Well yes, wedo have a written disaster recovery plan.” Maybe formulating orupdating one is part of the risk manager's to-do list.

Writing a plan is only half the job, though, if that. The morechallenging role for risk managers will be to instill the plan intoeveryone's consciousness and to be an agent of change who heightenseveryone's awareness of the plan.

Not Just an IT Thing

One misconception to crack is the notion that disaster recoveryplanning is a computer function or “something that the ITdepartment does.” It must go beyond just information technology.Certainly, effective disaster recovery includes making sure that anorganization's nerve center, usually the computer system, is up andrunning. It must, however, move beyond an IT-only orientation.

After a disaster, the risk manager may be gone, because he didnot survive the event. Disaster recovery should not be based on therole of the risk manager, but rather on many people. There shouldbe a wheel of interconnectedness and interchangeableness so thatquarter-backing the plan is not wholly dependent on one person,i.e., the risk manager. Redundancy must be built into thesystem.

Planning for disasters that arise outside the firm and threatento impose large-scale dislocation severely stretch the abilities ofmany corporate risk managers. Both the planning for, and responseto, these events transcend the corporation and demand a level ofcollaboration that is both unusual and taxing. Supervisors may notunderstand how much collaboration outside the corporation isneeded, declining to authorize investment of time and effort.

One important step is to master the problem and confront theneed for organizational challenges. Here, risk managers are facinga different decision-making model than works for, say, 95 percentof risk management. The unknowns remain unknown longer. The suddendemand for response is more immediate and imperative.

Collaboration is much more evident in disaster planning than inother day-to-day risk management activities. Where there has beenmuch opportunity for rehearsal, drill, and review — as with Floridahurricane risks — risk management checklists may work, the responsemay be quick, and the collaboration deeply embedded over time withlocal public safety personnel. For a hazard rarely seen and poorlyunderstood, however, risk managers must weave a network ofcollaborations outside their corporations. This may include taskforces among corporate, health care, and public safety peers.

In disaster recovery and the planning for it, the risk manager'srole is to ensure that the organization has planned its work andworked its plan, post event. Often, the risk manager is not thepoint person in disaster recovery because he has organized his teamso that the appropriate people have the appropriate duties.

If risk managers are preoccupied by being “everything” people,they are unlikely to function in other critical roles. They will bespread too thinly to effectively help the organization recoverafter a disaster.

Modern day disasters take many different forms. They may notnecessarily be forces of nature or spectacular fires, although suchevents certainly qualify. If your company's president is accused ofchild molestation or insider stock trading, that is as much acrisis or disaster as an earthquake, tornado, or tidal wave. Maybeyou got a subpoena about those finite risk contracts. Maybe you areon the radar screen of a guy named Eliot Spitzer, who is sayingthat your entire business model is ethically and legally flawed.Disasters assume many shapes.

Also, a disaster recovery plan can become useless unless thevendors, suppliers, or contractors on whom your organizationdepends are informed about your recovery plans. An optimal riskmanagement approach ensures that business partners have a recoveryplan themselves and that your plan meshes with theirs.

For the risk manager, a disaster is the equivalent of a proathlete's game day. This is what you are paid to do. This is yourturn in the spotlight. The stakes are higher for the risk managerthan for the NFL or NBA player, however. The glamour factor isclearly less. Those pro athletes who succeed on game day are theones who not only have the will to win, but the will to prepare inthe months leading up to the contest.

So it is with risk managers. The real determinant of a disasterrecovery plan's success will not just be during the disaster andits aftermath, but in the weeks and months preceding the event. Howwell did the risk manager use this opportunity to get ready? Smartrisk managers will use the time wisely to prepare themselves andtheir organizations for the unthinkable that the risk manager ispaid to think about.

Not all disasters are due to the whims of nature. In recentyears, however, Mother Nature has been shaking our cage andwreaking havoc. In 2004, six hurricanes made landfall in the UnitedStates, the most in almost 20 years. Nine of the worst hurricaneseasons on record were in the last decade. Last year's hurricanescaused $56 billion in damage.

The recent tsunami is a reminder that such disasters respect noborders. The 2003 European heat wave exacted a $20 billion toll oneconomies there. A recent Fortune magazine article reported that2004 “was the most expensive year ever for the insurance industry,”costing approximately $39 billion in claims globally due to naturaldisasters (“Getting Ahead of the Weather,” Fortune, Feb. 7, 2005,p. 90).

Whether the trend is due to global warming, sunspots, or wobblesin Earth's rotation, the fact is that volatile weather patternsseem to be an increasing norm. This trend has implications for riskmanagers, who must embrace more vigilant techniques for monitoring,forecasting, and cushioning their organizations from the ravages ofextreme weather.

Kevin Quinley, CPCU, is senior vice president for MedmarcInsurance Group in Chantilly, Va. He can be reached [email protected].