Power and utility companies as part of their risk management program should have a rigorous business continuity and disaster recovery plan in place, including dealing with local emergencies such as power outages caused by storms. Other challenges such as devastating natural disasters (Super Storm Sandy, for example) and cyber attacks highlight the importance of companies beefing up their existing business continuity plans along with reviewing their energy insurance products to ensure adequate coverage. Those that do not have a plan in place need to turn their attention to doing so immediately.
In fact, in a survey conducted by PricewaterhouseCoopers (PwC) a few years ago, only 52% of utility respondents said they had a business continuity and disaster recovery program in place. Surprisingly, this was in the wake of Sandy’s crippling damage across the Northeast, which resulted in 8.51 million homes losing power. According to the PwC survey, “utilities should move aggressively from a defensive responsive capability to a more offensive, prepared stance regarding events that can have prolonged impact on their ability to generate, transmit, distribute and provide critical customer and internal business services.”
Where to begin?
A thorough business continuity plan includes preparing for events and scenarios that could affect a utility company’s ability to provide reliable electric power, as well as events that could severely limit the number of employees able to report to work. An effective program begins with conducting a thorough analysis to identify the risks and understand the impact of interruption on critical business functions and to prioritize the utility company’s supporting capabilities needed to sustain services during unexpected disruptions and mitigate those risks. By understanding the risks and then aligning them with an organization’s business processes, a company can better assess its needs for investment in recovery capabilities, as well as prioritize functions not commonly identified as critical to utilities, such as back- and front-office processes that support non-operational functions.
Once requirements are established, a company can develop strategies, which must have the approval of executive leaders, to mitigate potential business interruptions. Before deploying these strategies, each should be tested and validated to confirm requirements and recovery expectations. These strategies should also be regularly updated for effectiveness.
Utility providers should also prepare for incidents that may prevent employees from working at the corporate facility. If the headquarters is under water, there must be a plan for employees to work at a remote location or leverage a service provider. It’s important to test the use of these locations for their ability to establish remote connectivity.
Also important in a business continuity/disaster plan is contemplating the use of new technology to streamline recovery efforts. This can include mobile devices, apps and GPS services to dispatch and track power-restoration workers more efficiently and streamline damage assessment. Moreover, the right technologies can enable employees to work remotely if corporate facilities are unavailable.
Electricity providers should also prepare for risks that go beyond hurricanes, floods, earthquake, etc. Given today’s climate, a business continuity plan must include cyber security strategies that address the potential of an attack on a power company. According to Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), in 2014 the largest portion (32%) of the 245 cyber security incidents to which the organization responded involved the energy sector.
When reviewing a power company’s business continuity plan, the energy insurance products in place must also be aligned to ensure it provides the right combination of coverages in the event of an interruption to the facility.