The global impact of COVID-19 has required accounting practice teams around the world to adapt quickly and recognize the importance of a robust disaster plan. These plans, when properly designed and implemented provide the tools necessary to empower employees and management to navigate a multi-dimensional disaster response. Without a plan, incident firm management responses are inconsistent, confused, and lacks continuity necessary to maintain the highest service standards.
Designing a Complete Disaster Plan
A comprehensive accounting practice disaster plan at a minimum contains three major elements: The Risk Analysis, the Emergency Response Plan, and the Business Continuity Plan. Each plan represents a separate phase in the emergency preparedness cycle.
Risk Analysis - The Risk Analysis essentially asks one question: “What threats do we face?” It should identify potential threats to firm operations in the categories of natural disasters (i.e., hurricanes, COVID-19, etc.), technological disasters (i.e., power outage, HAZMAT spill) and security emergencies (i.e., terrorism, active shooters). While there is a temptation by experienced management teams to simply do this by “gut” instinct or from past experiences, the Risk Analysis should be conducted by a multi-pronged analysis of data from local, state, and federal sources. Sometimes, corporate teams do large-scale risk analyses for their entire portfolio, when each company should have a unique risk analysis conducted for each organization. Given the size and sophistication of many portfolios, this will unquestionably require an on-site visit by an independent professional.
There are many places that have hidden hazards and threats that haven’t been considered previously. For instance, prior to 2020, few people had a real grasp of the potential for a crippling pandemic, even though the federal government placed pandemics in their National Planning Scenarios as early as 2003. Furthermore, other bacteria long known to mankind can easily create a business disruption. For instance, minor outbreaks of yersinia pestis (commonly known as the Bubonic Plague) do crop up from time to time in certain regions of the US, particularly the Southwest in Arizona and New Mexico. While seemingly innocuous, these have occasionally resulted in area-specific quarantines and closures.
Emergency Response Plan - The Emergency Response Plan is a comprehensive document covering every element of the initial response to an incident on a firm. This may be termed the “lights and sirens” phase of an emergency. It should cover evacuation, shelter-in-place, and lockdown of the firm, and how to set up an emergency leadership structure. However, the plan must also address crisis communication, utilities, worker injuries, equipment, supplies and training. Most plans cover about 20 percent of what they really need to be effective and must be improved regularly. For corporate teams, this is a multi-pronged process that is going to require site visits, trainings, and an aggressive drill and exercise schedule to be implemented effectively.
One of the most important elements of the Emergency Response Plan is the Crisis Communication Plan. Crisis communication should be a key priority in these plans to ensure that uniform messaging to employees, clients and the general public is developed in a way that is realistic and provides staff with the flexibility to respond to communication queries from the public. Training, exercise, and improvement schedules should also be rigorously implemented, so that every person from seasonal staff to senior management has a consistent understanding of how the protocols are supposed to be applied in practice. Too often, management teams simply write a plan, then expect it to be followed to the letter, when we know that direct, kinesthetic trainings of staff members is required for accurate implementation. Videos and other interactive media are NOT sufficient. Ongoing, semi-annual training of staff (and more when turnover is higher) are required to verify understanding of the plan, and implementation of procedures.
Business Continuity Plan - The final piece of an accounting practice disaster plan is the Business Continuity Plan (BCP), which is a purely recovery document. Any company will have multiple service processes (HR, information technology, etc.) that will require a comprehensive recovery examination. However, there are pieces of the BCP that should be incorporated into your Emergency Response Plan because there are elements of recovery that also fit into a firm’s initial response phase, such as recovering utilities and ensuring that generators are set to automatically response during a blackout. BCPs are highly technical documents and should not be written by laypeople. They require technical expertise to develop operational recovery times and points that align with a metric of consequence of late recovery for both brick and mortar as well as information technology.
This means that corporate teams should ensure the person writing the plan is a Certified Business Continuity Professional or an equivalent, because a full business continuity program will include a business impact analysis, plan, information technology disaster recovery (IT/DR), critical process recovery, recovery time objectives and point objectives to align with business goals. A corporate BCP is typically ~50 pages for a medium-sized firm. Other BCPs, such as one for a resort-size property will be much longer (100-200 pages), including an IT/DR. When the aforementioned components are not appropriately developed within a plan, incongruent and inefficient recoveries result.
Learning the Lessons from COVID-19
Once a comprehensive disaster plan has been designed, constructed, and implemented, it must be put to the test through regular disaster exercises or through the crucible of an actual disaster. COVID-19 has provided an opportunity for many disaster plans to be activated for the first time and put under the stress of an actual emergency. No disaster plan is perfect, nor can it ever be. However, what separates average disaster plans from exceptional plans are those that adapt and improve through a rigorous lessons-learned process after each event. COVID-19 is no different. To learn the lessons from COVID-19, management teams must do three things:
Conduct Debriefings with Management and Staff – These are a series of meetings that reveal the strengths and weaknesses of the COVID-19 response. It should be thorough and cover each part of the response plan, including communication, operations, human resources, finance, and initial recovery. For complex businesses, this process is not short, and will likely involved multiple meetings over several days. For smaller organizations, this can be as short as 20-30 minutes with two or three groups of staff. Regardless, this process should be conducted by someone totally unaffiliated with the firm. No exceptions. Management should never lead the meetings, as employees will be extremely reluctant to critique what would be perceived as their supervisor’s policies and procedures, and corporate team members can be intimidating to line staff who are simply trying to be “team players.” An outside professional should be hired to conduct these meetings and write the reports.
Complete an After-Action Report – Once the meetings are concluded, a complete report should be written by an Emergency Preparedness Specialist called an “After-Action Report.” This is a technical document, that provides actionable improvement steps on what procedural, functional, and policy modifications need to be made to strengthen the firm’s pandemic response. Steps on plan modifications, additional training, equipment, policy adjustments, and other elements of the response should be evaluated independently by an outside specialist to ensure nothing is omitted. On a corporate level, these recommendations can run the gamut from the simple to the complex, and this requires a synthesis of the existing documents, reports on how the plan was executed, and what additional steps need to be taken to ensure a more effective response in future pandemic.
Redraft the Disaster Plan – Once these weaknesses have been corrected, the disaster plan should be fully redrafted with these changes that have been developed. Otherwise, the lessons-learned are useless! The disaster plan will then be improved and grow in operational sophistication as these lessons are implemented into the organization. The redrafting process can be complex and will, for most corporate teams, require 3-6 months to be done at their most efficient. Approvals, best-practice implications, and other elements can play a significant part in a successful disaster plan. Disaster plans that are not updated will fall quickly into disuse and become obsolete.
Conclusion
The COVID-19 Pandemic presented unprecedented challenges to accounting practices around the world. Management teams from small or large firms should develop and maintain a sophisticated disaster plan. This plan, if implemented properly, will provide management teams and their staff the tools to respond to any emergency they face as move into the COVID “new normal.”
Patrick Hardy is founder and CEO of Hytropy Disaster
Management™, the largest full-service disaster
management company in the US. A Certified
Emergency Manager®, Certified Risk Manager® and a
FEMA Master of Exercise® he has extensive experience
working in the public, private and non-profit sectors
in disaster management. Patrick spoke at the WSCPA
Annual Meeting on June 3..
This article appears in the summer 2021 issue of the Washington CPA magazine. Read more here.