Failure to manage post-disaster liability risk may cost you

(1)

Failure to manage post-disaster liability risk may cost you

By Mark Stephenson, KnowledgeLeader contributing writer

Failure to manage risk of post-disaster liability may leave costly gaps in business recovery and continuity plans

As the first decade of the 21^st century has demonstrated in stark terms, the need for robust recovery and business continuity plans in the face of increasingly costly disasters, whether natural or manmade, has never been greater. The costly aftermaths of both the 9/11 terrorist attacks and 2005’s Hurricane Katrina are but two examples that illustrate the need for well- considered disaster response strategies.

However, even the most carefully crafted continuity plans may be missing a vital component that, if left unaddressed, could torpedo plan objectives. It is the risk of disaster-related liability to affected parties, from employees to emergency responders, customers, suppliers and even members of the general public that could result in potentially huge liabilities. The costs of such liabilities could continue to affect an organization long after the initial response and recovery phase of an event is over.

“From my experience, most business continuity professionals and risk managers have

emphasized operational recovery planning and have given little thought to liabilities that can be an outgrowth of major disasters,” says Eric Beck, associate director, Protiviti. "Businesses also need to consider the issue of liability management. This means taking a step back to look at an event through the lens of a lawyer in order to analyze the liability ramifications of a company’s disaster response.”

Life safety first … liability last

The reason for this deficiency in many plans is management's focus on first ensuring the safety of employees, then corporate property, productive capacity and ultimately its ability to generate cash flow. That is understandable, but it is an incomplete approach if the various triggers of disaster- related liability have not been figured into their equations.

Post-disaster liability can be triggered from a variety of directions. Employees may seek recovery either for company actions taken or not taken during an emergency or from the response actions they may perceive as negatively affecting the incomes upon which they depend. Customers whose own businesses may depend on a steady supply of product provided by a company affected by a disaster will see supply chains interrupted and their own processes affected, and some of those customers may hold contracts with specific performance guarantees. Local government entities may opt to commandeer or seize property of a private business or institution as a part of their own disaster response, with potentially significant downstream legal

consequences.

(2)

The example of an organization's potential liability management would take in the event of a pandemic, such as the H1N1 virus (“Swine Flu”). What liability will the company face in the event that it undertakes mass inoculations on its own, considering the fact that a certain percentage of the population will have adverse, possibly even fatal, reactions to any vaccine? What exposure might the organization have if it does nothing? Or, what might be the organization’s liability, contractual or implied, to customers and suppliers if it is required to cease operations by local, state or federal authorities? What legal recourse might the organization have if local authorities seize control of private property in the course of the official response to a disaster?

Certainly, a natural disaster such as a hurricane, earthquake or terrorist attack is a situation in which local entities with eminent domain authority can take whatever actions they feel are necessary to deal with the situation.

In one case following September 11, 2001, a Washington, D.C. heliport operator was forced to shut down by the Federal Aviation Administration, with predictable impacts on its employees and suppliers, because the company's normal operations were well within the no-fly zone over the District … end of discussion.

In another September 11, 2009 example, many emergency responders, rescue and engineering personnel have filed suit against New York City for health effects allegedly due to hazardous materials released in the World Trade Center collapse, with total claims exceeding $1 billion.

Where to begin

These and other examples point to the need for greater attention to disaster planning and liability management within the risk management and legal functions. But risk managers, corporate risk officers, in-house legal departments and others may be uncertain about where to begin.

For several years, the cataloging of potential liability issues of major disasters has been a key focus of the international law firm Pillsbury Winthrop Shaw Pittman LLP. The firm’s New York City office is presently engaged with local government analyzing operational plans for a range of natural and manmade disaster scenarios.

“Operational plans that address disasters are rarely vetted against legal considerations that can come into play,” says Kenneth Taber, a partner at Pillsbury and national co-leader of the firm’s litigation practice. This is often because the lawyers are not consulted when those plans are developed, or because in-house legal departments do not have any experience in disaster liability issues.”

Taber also raises the specter of the pandemic scenario. “The strictly operational question would be whether we inoculate the workforce,” he says. “It is a straightforward and logical question, but it opens up a host of potential issues. No vaccine ever made has been entirely free of negative side effects, sometimes even fatal ones, among a small percentage of the population. It is

unlikely that any vaccines distributed to fight a pandemic would be any different. The organization has to be made aware from the start that without the proper waivers and disclosures this situation could easily develop into a serious liability situation."

Andrew Smith, an associate at Pillsbury, noted that a disaster event could readily morph into a property seizure. "What happens if a 747 lands at an airport with a planeload of people who may have been exposed to a disease organism?" Smith says. "All of a sudden, the authorities have taken over your hotel to house these people, moving out all other guests and quarantining the facility. Your income stream is frozen. And what happens to the business when the story of a potentially devastating disease being quarantined in your hotel gets out? What plans exist to deal with the emergency? The answer is likely to be, there are no plans."

(3)

So, how should organizations go about planning for disaster-related liability risks?

“The first step is to figure out which risks are realistic for you and your business,” says Taber. “If you are a business in California, you obviously need to consider earthquake events. If you are a business in New York City, earthquake exposure is just not relevant – but coastal storms are a concern. The first step in developing both an operational and post-event liability management plan is to identify the most relevant and likely risks.”

“The second step is to develop a comprehensive plan of operational response for every

meaningful disaster scenario you might face, and then determine with whom the responsibility for response will reside,” he says. “The third and most important step from the standpoint of disaster- related liability risk management is to have response and recovery plans thoroughly vetted by legal experts with the experience and specialized knowledge to understand the risk potential.”

“Finally, once the plan is analyzed and vetted, you need to circle back to the original operational plan and fine tune it to meet both the requirements of the organization’s disaster response plan and any potential liability issues.”

A role for internal auditors

As a component of the enterprise risk management process, the most logical home for post- disaster liability management would be the risk management function, more frequently overseen by a chief risk officer in larger organizations, along with effective interface with in-house legal resources. However, there is ample room in the process for internal audit to play a supporting role.

“In one form or another, every company has standards that call for plans to address business disruption, disaster response, pandemic response and other business continuity issues,” says Beck. “To the extent that internal audit measures compliance, control and policy standards – there is clearly a role for audit to play. Having general fiduciary responsibilities, internal auditors can be key influencers in highlighting specific risks that executive management should address.”

Internal auditors are often the ones management looks to when identifying and managing risk from a broader, enterprise level. Internal auditors understand the operations of the company and its risk profile. In many cases, they also have a strong technology perspective, which is an important facet of disaster recovery and business continuity. They can add a lot to the process, which can ultimately help to reduce the risks.

Changing risk environment

A recently released report suggested the expectation of a biological, radiological or chemical attack by terrorists within five years. This gives added urgency to the need for organizations to consider not only operational recovery planning but also the potential for disaster-related liability.

“One of the problems with this issue is that disaster-related liability management tends to be viewed as a long-term priority in a world in which companies are facing short-term risks that seem much more immediate,” Taber adds. “In view of the current economic crisis, the survivability of a business due to a recession and economic stress will trump the entire discussion about liability risk management, and yet that risk is not going away.”

(4)

Also, keep in mind that a changing business and regulatory environment will most likely intensify the need to focus on disaster-response liability management. It is important to remember that five or ten years ago companies were coming up with disaster recovery plans for technology that were not being linked effectively with the broader needs of the business. This occurred because many of companies had not wrapped their arms around that linkage. Managing the liability issues associated with crisis and disaster recovery plans is the issue of today.

Given the current economic and regulatory environment, the amount and intensity of regulatory oversight is likely to grow. This is going to require organizations be much more focused on ways that disaster-related liabilities can affect their operations.

Article from Protiviti KnowledgeLeader – www.knowledgeleader.com.

KnowledgeLeader is a subscription-based website that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk, and add value. Free 30-day trials available.

Protiviti (www.protiviti.com) is a global business consulting and internal audit firm composed of experts specializing in risk, advisory and transaction services. The firm helps solve problems in finance and transactions, operations, technology, litigation, governance, risk, and compliance. Protiviti’s highly trained, results-oriented professionals provide a unique perspective on a wide range of critical business issues for clients in the Americas, Asia-Pacific, Europe and the Middle East.

Protiviti has more than 60 locations worldwide and is a wholly owned subsidiary of Robert Half International Inc. (NYSE symbol: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.