Resiliency and continuity drive successful organizational risk planning

Oct. 17, 2022
Global enterprises bridge security and risk management so top executives can better understand threat remedies

The devastation Hurricane Katrina wrought in the city of New Orleans and throughout the state of Louisiana in 2005 was a game-changer for most commercial enterprises and global businesses. It forever changed how business continuity plans were drawn and how the depth of post-disaster preparedness was viewed. The storm surge and Category 5 wind devastation of Katrina caused more than $41 billion in insured losses and another $108 billion in economic losses. Myriad lawsuits remained in litigation more than a decade after the storm.

Whether you are in the climate-change crisis camp or not, the evidence of climatic upheaval is undeniable. The average costs associated with extreme weather events in the United States have increased steadily since 1980. In fact, since NOAA started tracking billion-dollar extreme weather events that year, the U.S. has sustained 338 weather and climate disasters where overall damages/costs reached or exceeded $1 billion (including CPI adjustment to 2022). The total cost of these 338 events exceeds

Hurricane Ian recently impacted Florida’s residential sectors along the southwest coastal areas with wind and flood surge damage; however, the flooding that pushed through the middle of the state also affected larger commercial businesses. RMS, a Moody’s Analytics company and a world-leading risk modeling company, estimates total private market insured losses from Hurricane Ian to be between US$53 billion and US$74 billion, with the best estimate of $67 billion. RMS also estimates the National Flood Insurance Program (NFIP) could see an additional $10 billion in losses from storm surge and inland flooding as a result of the event. The RMS estimate reflects losses from property damage, contents, and business interruption, across residential, commercial, industrial, automobile, infrastructure, watercraft, and other specialty lines.

The Proactive Risk Model

As risk executives and security management in Florida and the Southeast finalize their post-Hurricane Ian assessments, what has been learned in the past decade and a half since Katrina and other catastrophic weather and climate events has helped reshape risk, security and continuity strategies. Risk experts like Fred Burton, the Executive Director at Ontic Center for Protective Intelligence and a former DSS special agent and New York Times bestselling author, feel the aftermath of Ian may create a paradigm shift in the way enterprise organizations construct their business preparedness frameworks and how security figures into that planning.

Burton is regarded as one of the world’s foremost authorities on protective intelligence, security and counterterrorism. He has spent a career spearheading strategic consulting to physical security leaders at major corporations, advising how to optimize their security programs and how to streamline protective intelligence initiatives. His assessment is that the wake of Ian’s wrath figures to be as momentous as Katrina.

“Katrina in 2005 really changed how risk managers, corporate security directors and supply chain logistics personnel started to view these kinds of events. What I've seen, just from a historical perspective post-Katrina, is a proliferation now of 24/7 fusion centers or GSOCs where weather and the prediction of weather is critical to business continuity and business operations. The situational awareness of {weather events} is something that companies really changed because so many were hit hard after Katrina,” explains Burton. “The marvels of today's forecasting capabilities enable companies to bring that right into the operational command posts so they can preposition distribution centers, they can anticipate where the problems might be, and it's much more robust today than at any other time I've been in this business since 1980.”

Burton adds that many large enterprise companies have hired meteorologists to work in some capacity to help them make sense of weather patterns.

“Because although {Ian} was…clearly {the biggest threat} here in the continental United States, if you're a global company and you're managing or looking at the global supply chain, you've got all kinds of problems to think about when it comes to catastrophic weather that might affect other ports in Houston, Long Beach, New Orleans and so forth. You have companies that are on top of weather on a day-to-day basis better than most people would realize,” he says.

Making a Plan, Dodging a Bullet

That was certainly the case as Ian marched its way into the Gulf of Mexico and what was anticipated as a collision course with the Tampa Bay area. This scenario was dangerous not only because the Tampa-St. Petersburg corridor is a heavy population center surrounded by water, but also because Tampa houses one of the top shipping and commercial ports in the country. The prospects of shutting down the Port of Tampa would've been even more catastrophic. Luckily, that didn't happen as the storm tracked further south, slamming into the Fort Myers and Sanibel coast with deadly consequences.

Because of the inability to track the exact path or landing spot for fierce storms like Ian, major organizations are linked to Fusion Centers that provide minute-by-minute situational reports. This unified communication among the business community and governmental agencies is the new paradigm that has been established in the wake of earlier weather disasters.

“You are running joint meetings inside {these} companies, saying, ‘Okay, on the horizon, as we had with Ian, where can we forecast this coming a good two weeks out?’ There's actually a lot of telephone calls, usually in the morning, in the afternoon, in the evening at the close of business communicating detailed situational reports for each time period,” says Burton, explaining that these reports involve the status of the organization’s facilities, updates from corporate security, supply chain information revisions, affected business units and whether or not they're expecting goods and services to be adversely impacted. “There's a lot of pre-planning that goes into late-stage {assessments}; for example, water at key distribution points, which is something that the dynamics of Katrina really changed from a geography perspective. How can we get things close enough so we can preposition {relief and responders}?”

Burton credits Florida’s emergency response, which had prepositioned crews that were able to restart cell phone services, positioned power crews and auxiliary supplies to address power outages in a timely manner and worked with big box retailers in an effort to distribute much-needed supplies.

“Companies take on an almost quasi-governmental role in these capacities when looking out for themselves. However, most realize that they are also providing vital services to the community, whether it is water, gasoline, retail, whatever it might be,” continues Burton, stressing that local businesses, working alongside strategic government agencies, must be part of the recovery efforts that help communities get back up and running. “The logistics behind this is really phenomenal to see. Organizations like FEMA have come a long way. The state of Florida is quite used to standing up these kinds of op centers, or what we would use in my old days as an agent, ‘leaning forward’ -- making sure that we've got everything ready to go once the storm subsides.”

Security versus Risk

The paradox for business executives and staff is how to weigh business interest against your company’s “duty of care” responsibilities. Organizations and companies on the fringe of critical operations may have a tough call, while others deemed as critical infrastructure have little choice but to remain operational.

“In this day and age, {executives} defer to the eyes and ears on the ground as to when they do need to close up operations and just hunker down or move their personnel out, recognizing fully that they're providing a vital service to those communities. Property can always be replaced. The personal safety aspect has an overriding concern {with an organization}. Therefore, you're going to defer to those regional managers to make sure that they have their personnel accounted for,” Burton says. “Managers, especially frontline managers, have to make sure to make a concerted effort to stay in touch with staff that could be affected by {a weather event}. But at the end of the day, there are those windows of time, whether that be a 48-to-72-hour window, where things will have to shut down unless of course you're in that public safety community or you're providing other {critical} services.”

Technology, both from a security and a public safety perspective, is another key element in how business preparedness and response are approached. Burton admits that with advanced digital devices and smart analytics, almost any crisis can be met head-on from the road or the command center. He warns that there is a double-edged sword when it comes to relying on real-time situational data without the capacity to interpret and/or act on that information.

“It becomes a triage situation where you attempt to make sure you're collecting the right needles out of that haystack so you can make sense of whatever that tactical problem is. There's also the concern for public safety, such as looting, for example. One of the contingency plans that I've seen a lot of corporations implement and {taking a cue} from lessons learned from Katrina, is that corporate security teams must make sure they have a good third-party vendor, whether that be one of the larger guard services or some boutique service that can be called upon to go into certain areas to help secure facilities while recognizing that public safety is going to be overwhelmed with search and rescue,” Burton says.

Best Practices

Global companies that find themselves in the eye of the storm have to be “forward-leaning” with solid business continuity strategies and a resiliency perspective that accounts for the present and future. According to Burton, a company’s preparedness posture is predicated on “planning for that, prepping for this and doing all the offsite tabletop {training} ahead of time” so when a crisis unfolds remotely, there is a unified plan of attack and open lines of communication. Security and risk management must function as the consultative link to the C-level executive team when threats arise.

“Organizations must recognize that the threat landscape is very complex and incredibly dynamic, as the pandemic should have taught us all and as Hurricane Ian has reminded us of the volatility of certain events such as weather. Pre-planning can't be emphasized enough. You can't simply react to something like {Ian} at that moment. You have to have had the planning {done} ahead of time. Therefore, I would make tabletop exercises mandatory. I get many people don't like to do, and busy executives don't like to take the time. But it's important to red team these kinds of situations,” concludes Burton, referring to red teaming’s goal of systematically and rigorously testing the readiness of an organization’s risk and security capabilities. “The more planning and the more thinking you can do about these events prior to them occurring will make you much better off once that event starts to unfold.”

About the Author: Steve Lasky, Editorial Director and Editor-in-Chief of Security Technology Executive, is a 34-year veteran of the security industry and an award-winning journalist. He is the editorial director of the Endeavor Business Media Security Group, which includes the magazines Security Technology Executive, Security Business and Locksmith Ledger International and the top-rated web portal SecurityInfoWatch.com. He is also the host of the SecurityDNA podcast series. Steve can be reached at [email protected]