Not all disasters take the form of 20-foot-high tidal waves, however. The recent tsunami should inspire risk managers to review and retool their disaster recovery plans. Doing so helps insure that their organizations can resume operations and rebound quickly after losses.

Risk managers are like corporate funeral directors. Nobody likes to think about his own death. Funeral directors have the tough job of selling services to folks who do not want to contemplate mortality. Similarly, corporate risk managers must think about the unthinkable, even when life is going well and everyone else thinks that the risk manager is a loony worrywart.

What will it take for your organization to contemplate disaster? What is your tsunami? Are you located near an earthquake fault line? Are you in a flood zone? Does your plant work with volatile chemicals?

A business continuity plan, disaster recovery plan, or any other similarly labeled contingency plan should dictate the roles and the players, internal and external. If the risk manager and team survive the disaster, then the risk manager is just another team player. In this case, the risk manager may focus more on claim issues and harnessing resources available from outside entities to mitigate loss and restore normal activities.

Disaster recovery plans should be current and must address the areas that were hit, diverting resources to mitigate losses and resume full operations. A disaster recovery plan does not consist of drafting an impressive document and crossing it off a list with an attitude of, “Whew, that's done.” The danger is that such a plan, however nicely bound, becomes credenza decoration, something that sits on a shelf and is foreign to most people. When disaster strikes, folks are running to locate a copy of the plan to see what to do. You do not want to wait to have a house fire before reading up on how to work that fire extinguisher that you have had in the kitchen pantry for years. As the boxer Mike Tyson stated about his opponents at the height of his career, “They all have a plan, until they get hit.”

Having a plan but waiting until you get hit to use it is the antithesis of disaster recovery planning. Unfortunately, in many companies, it can become the norm. Some organizations just want to be able to answer outside constituencies by saying, “Well yes, we do have a written disaster recovery plan.” Maybe formulating or updating one is part of the risk manager's to-do list.

Writing a plan is only half the job, though, if that. The more challenging role for risk managers will be to instill the plan into everyone's consciousness and to be an agent of change who heightens everyone's awareness of the plan.

Not Just an IT Thing

One misconception to crack is the notion that disaster recovery planning is a computer function or “something that the IT department does.” It must go beyond just information technology. Certainly, effective disaster recovery includes making sure that an organization's nerve center, usually the computer system, is up and running. It must, however, move beyond an IT-only orientation.

After a disaster, the risk manager may be gone, because he did not survive the event. Disaster recovery should not be based on the role of the risk manager, but rather on many people. There should be a wheel of interconnectedness and interchangeableness so that quarter-backing the plan is not wholly dependent on one person, i.e., the risk manager. Redundancy must be built into the system.

Planning for disasters that arise outside the firm and threaten to impose large-scale dislocation severely stretch the abilities of many corporate risk managers. Both the planning for, and response to, these events transcend the corporation and demand a level of collaboration that is both unusual and taxing. Supervisors may not understand how much collaboration outside the corporation is needed, declining to authorize investment of time and effort.

One important step is to master the problem and confront the need for organizational challenges. Here, risk managers are facing a different decision-making model than works for, say, 95 percent of risk management. The unknowns remain unknown longer. The sudden demand for response is more immediate and imperative.

Collaboration is much more evident in disaster planning than in other day-to-day risk management activities. Where there has been much opportunity for rehearsal, drill, and review — as with Florida hurricane risks — risk management checklists may work, the response may be quick, and the collaboration deeply embedded over time with local public safety personnel. For a hazard rarely seen and poorly understood, however, risk managers must weave a network of collaborations outside their corporations. This may include task forces among corporate, health care, and public safety peers.

In disaster recovery and the planning for it, the risk manager's role is to ensure that the organization has planned its work and worked its plan, post event. Often, the risk manager is not the point person in disaster recovery because he has organized his team so that the appropriate people have the appropriate duties.

If risk managers are preoccupied by being “everything” people, they are unlikely to function in other critical roles. They will be spread too thinly to effectively help the organization recover after a disaster.

Modern day disasters take many different forms. They may not necessarily be forces of nature or spectacular fires, although such events certainly qualify. If your company's president is accused of child molestation or insider stock trading, that is as much a crisis or disaster as an earthquake, tornado, or tidal wave. Maybe you got a subpoena about those finite risk contracts. Maybe you are on the radar screen of a guy named Eliot Spitzer, who is saying that your entire business model is ethically and legally flawed. Disasters assume many shapes.

Also, a disaster recovery plan can become useless unless the vendors, suppliers, or contractors on whom your organization depends are informed about your recovery plans. An optimal risk management approach ensures that business partners have a recovery plan themselves and that your plan meshes with theirs.

For the risk manager, a disaster is the equivalent of a pro athlete's game day. This is what you are paid to do. This is your turn in the spotlight. The stakes are higher for the risk manager than for the NFL or NBA player, however. The glamour factor is clearly less. Those pro athletes who succeed on game day are the ones who not only have the will to win, but the will to prepare in the months leading up to the contest.

So it is with risk managers. The real determinant of a disaster recovery plan's success will not just be during the disaster and its aftermath, but in the weeks and months preceding the event. How well did the risk manager use this opportunity to get ready? Smart risk managers will use the time wisely to prepare themselves and their organizations for the unthinkable that the risk manager is paid to think about.

Not all disasters are due to the whims of nature. In recent years, however, Mother Nature has been shaking our cage and wreaking havoc. In 2004, six hurricanes made landfall in the United States, the most in almost 20 years. Nine of the worst hurricane seasons on record were in the last decade. Last year's hurricanes caused $56 billion in damage.

The recent tsunami is a reminder that such disasters respect no borders. The 2003 European heat wave exacted a $20 billion toll on economies there. A recent Fortune magazine article reported that 2004 “was the most expensive year ever for the insurance industry,” costing approximately $39 billion in claims globally due to natural disasters (“Getting Ahead of the Weather,” Fortune, Feb. 7, 2005, p. 90).

Whether the trend is due to global warming, sunspots, or wobbles in Earth's rotation, the fact is that volatile weather patterns seem to be an increasing norm. This trend has implications for risk managers, who must embrace more vigilant techniques for monitoring, forecasting, and cushioning their organizations from the ravages of extreme weather.

Kevin Quinley, CPCU, is senior vice president for Medmarc Insurance Group in Chantilly, Va. He can be reached at [email protected].