DISASTER RECOVERY 
JOURNAL

P. O. Box 510110
St. Louis, MO 63151
(314) 894-0276 
Fax: (314) 894-7474
Internet www.drj.com 
E-mail drj@drj.com

PUBLISHER &
EDITOR-IN-CHIEF
Richard L. Arnold, CBCP
richard@drj.com

SENIOR EDITOR
Janette Ballman
janette@drj.com

MANAGING EDITOR
Jon Seals
jon@drj.com

COPY EDITORS
Richard Sandhofer
richards@drj.com
Pamela Clifton
pamelaclifton@hotmail.com

ADVERTISING 
Robert Arnold
bob@drj.com

_____________

Corporate

President/CEO
Richard L. Arnold, CBCP
richard@drj.com

Vice President 
Robert Arnold
bob@drj.com

CONFERENCE COORDINATOR
Patti Fitzgerald, CBCP
patti@drj.com

CONFERENCE REGISTRAR
Merce Knese
mercedes@drj.com

CIRCULATION
Laura Baugh
laurab@drj.com

EXECUTIVE COUNCIL
Patrick Corcoran, IBM Bus. Cont. & Rec. Services
Jeff Dato, MBCP, KPMG
Edward S. Devlin, E.S. Devlin & Associates
Judith Eckles, SunGard Availability Services
James Hammill, CBCP, JMH Consulting Inc.
John Jackson, Independant


INTERNATIONAL
CONTACTS
England: Thom Hetherington
Business Continuity 
Phone: 0161-237-1007
thomh@tempus.demon.co.uk

Australia: Anthony J. Harvey
Journal of Business Continuity
Phone: 0011-613-953-0055-8
fax: 0011-613-953-0528
sector@notability.com.au

Japan: Shinji Hosotsubo
Quake Japan Co., Ltd.
Phone: 03-3215-2880
fax: 03-3215-2881

Brazil: Jose Carlos Ferreira
Disaster Recovery Mercosul
Phone: 55 11 3666-9506
conc2000@uol.com.br
www.drms.com.br

Click Here for a Printable Version

LEGAL ISSUES

False Cover:
Could Inadequate Crisis Preparation Open
You to a Charge of Negligent Failure to Plan?

By BRUCE T. BLYTHE
TERRI BUTLER STIVARIUS

We once got a call from the risk manager of a national fast-food chain. He had been assigned to put together a crisis prevention and response plan … by himself. He was given no budget and virtually no management support. Though well-meaning, he kept going off on tangents – surfing the Web, reading articles and futilely trying to figure out what to do. He didn’t know enough about the business’ overall operations, or the predictable human impacts of crisis, or public relations practice. He only knew his own discipline, risk and insurance management. He was overwhelmed and poised to fail.
Five years later, this company still didn’t have a comprehensive crisis plan in place. It had already experienced one serious incident, involving a shooter, a fatally injured employee and many bystanders. If another tragedy occurs on their premises – which is not at all unlikely, in that industry – tough questions will be asked about the firm’s lack of preparedness. Having assigned someone to come up with a plan shows that management acknowledged it faced risks. But they took false cover in setting up a crisis point person who could only fail at his task. This could end up having serious consequences for the company later on, because of an emerging concept of liability: negligent failure to plan.
When your company experiences a catastrophe, the immediate concerns will be urgent tasks like taking care of injured people, securing sites, accurately gathering and disseminating information, and getting things back to normal. It’s only afterward that the uncomfortable questions will begin to come up. Employees, the media and the public will inevitably get around to demanding explanations about how thorough a job you did of preparing for any such incidents.
They will want to know whether you took reasonable precautions to prevent an incident such as this from occurring. And they will scrutinize how well prepared you were to respond – in particular, examining whatever protective or palliative measures you took in aid of those people who were directly affected. How you are able to answer their probing questions might have a lasting effect on the future of your company, and even of your own career.

What Does The Law Require?
Through occupational health and safety laws, employers’ legal duty to provide safe workplaces is legislated, and further regulated, by the federal government and many state governments. For instance, under the federal Occupational Safety and Health Act (OSHA), every covered employer has a general duty to provide a safe workplace. The “standard of care” employers must use, regarding concerns such as hazardous materials and other potentially harmful workplace conditions, is further spelled out in regulations and guidelines issued by the U.S. Department of Labor. In recent years, these guidelines have also come to cover plans to prevent and respond to incidents of workplace violence. So it is established and accepted that employers must take steps to prevent dangerous incidents from occurring on their premises, and must respond reasonably and effectively when they do occur.
Negligent failure to plan is another new legal concept that is likely to further stretch this expectation. It will probably be tested in the near future, even though there is no reported law yet on the subject per se. A negligence claim is relatively simple. It is based on a duty under the law; a breach of that duty (failure to exercise the standard of care of a reasonably prudent person in similar circumstances); and damages that are proximately caused by such breach. Think of negligent failure to plan as the common law of simple negligence, applied in our new – and, alas, probably permanent – context, in which people are hyperaware of risk, and eager to assign blame when things go wrong.
Over recent decades, thanks in part to our culture’s media saturation, acts and occurrences that once would have seemed obscure and unlikely – like a toxic chemical spill or a random shooter in a shopping mall food court – have come to be expected. Partly, because of media coverage, we know more about the sorts of tragedies that have always occurred; and partly, the state of American and world society is now such that what was once unthinkable has become almost commonplace. No one can predict exactly when such awful things will happen, but few people would say that they will not occur again somewhere, some time.
With the attacks of Sept. 11, and the realization that we face the promise of anti-American terrorism for some time to come, the possibilities for critical incidents have expanded further. The public now generally understands that employers can be considered negligent if they do not take reasonable steps to avoid or mitigate risks which are known, or could be reasonably foreseen, and which could cause harm. So no matter what kind of incident triggers it – a terrorist act or any other harmful event that occurs in the context of your operations – you, as an employer, must anticipate both intense scrutiny of your crisis planning and an eagerness to hold you accountable before the law.
Having plans to avoid the occurrence of crises, where possible, and to respond to them effectively when they do happen – which is to say, without causing any further harm – can be taken as a natural extension of an employer’s general duty under OSHA and similar state laws. It can be argued that things like industrial accidents, workplace violence, terrorism and product tampering are all foreseeable risks: They have happened before, and while every company’s situation and risk factors will be different, none operates in a situation that can guarantee safety and predictability all the time. Plaintiffs’ attorneys are surely paying attention to these circumstances. They, and juries, are likely to say that the standard of care, which employers must apply in maintaining safe workplaces, extends to taking these sorts of risks seriously, and committing whatever resources it requires to prepare properly for them.

What Does Good Business Sense Require?
The financial importance of preparedness was underscored by a recent study, “The Impact of Catastrophes on Shareholder Value,” published by Templeton College of Oxford University. “Firms affected by catastrophes fall into two relatively distinct groups – recoverers and non-recoverers,” the study found. “Although all catastrophes have an initial negative impact on value, paradoxically they offer an opportunity to management to demonstrate their talent in dealing with difficult circumstances.” The companies described as recoverers actually tended to increase their shareholder value over time, while the value of non-recoverers’ shares tended to drop. In explaining the essential differences between recoverers and non-recoverers, the study concluded, “the issue of management’s responsibility for accident or safety lapses appears to explain the shareholder value response.”
Corporate officers and directors are charged with obligations as fiduciaries to the corporation they work for and to the shareholders who own it. What could happen in the event that decisions were taken to not implement a crisis prevention and recovery plan – or when a plan is put in place that could later be shown to have been seriously flawed or useless? Would a plaintiffs’ class action law firm have an interest in pursuing the corporation or its directors and officers, alleging negligent failure to plan, on behalf of shareholders angered by crisis-management behavior that ended up having a negative impact on the company’s stock valuation? The fact that this has not happened yet is no excuse for comfort – or for further negligence in crisis planning. When due care is breached and the result is a diminution in share value, shareholders are a likely pool of plaintiffs – over and above any individuals who may claim damages for injury and suffering.
Comprehensive crisis planning need not be seen as purely defensive, however. Just as the Templeton College study showed that a good response spotlights a company’s resilience and can result in increased share value, surveys following incidents like Hurricane Andrew and the 1995 Oklahoma City bombing have shown that organizations which respond effectively experience notable increases in employee morale in the aftermath of catastrophes. Productivity can be resumed quicker, disruptions can be held to a minimum, reputations for decisive management can be enhanced, and value can be rebuilt. In a good way or a bad one, crisis preparedness goes right to your bottom line.

Some Firms Remain Unprepared
When consciousness of risk is as widespread as it is now, and so many companies have taken seriously their responsibility to plan for crisis, why are some firms still unprepared for the kinds of tragic occurrences they might easily enough foresee? We have heard a number of common rationales and excuses that firms have used in court cases – without much success, it is important to note.
Some have claimed they were unaware of the risks, or that they simply did not pay attention to the warning signs of their vulnerability. Others had felt that such things simply couldn’t happen to them. Willingness to make crisis preparedness an organizational priority was absent in some situations. And several firms took false cover from crisis plans they did have in place – even though those plans had not been tested out, and did not in the end stand up to the pressures of a real catastrophic event.
These are the sorts of reasons companies have given, for instance, for failing to adequately screen job applicants or take action with regard to employees with known substance abuse histories; failing to put in place policies against harassment; failing to address safety risks; or not protecting employees from domestic violence situations (in the form of an enraged spouse, for example) that invade the workplace. Excuses like these do not seem to carry much weight with judges and juries. So identifying such attitudes in your organization now, and eliminating them entirely, would be a prudent first step toward crisis preparedness.
Ignoring the signals of something as unpleasant as a costly and traumatic workplace crisis, and opting for a state of denial instead, is an understandable reflex instinct. Considering vulnerabilities to disaster, and guarding against them, is hardly your organization’s primary purpose in the world. It takes clarity and intention to make this a priority, and to carry it all the way through – not only to do the analysis and make the logistical arrangements a comprehensive preparedness plan demands, but also to continually test and refine that plan in an ongoing way.
Companies owe their employees, their communities, and themselves real protection from foreseeable instances of harm that are brought on by their operations, or that occur on their premises. It’s not only the right thing to do; it is increasingly the legally required thing to do – at least, as it is being defined by judges and juries. Potential victims have come to expect protection and responsiveness. The willingness to allege negligence and to assign blame is growing. If you allow something terrible to happen which you might reasonably have foreseen and avoided, people will ask why. Even the unforeseeable incident offers you no useful defense. If a disaster befalls your company – even something people might agree was simply unavoidable – they will still expect you to respond quickly and effectively. If you do not, they may well seek redress in court.

Crisis Planning Must Be Continually Refined
A crisis response plan should minimize unnecessary harm to employees, during an incident and afterwards. Judges and juries who will consider this issue in the future are likely to expect the obvious measures – such as evacuation; provision of emergency medical care; good communications with employees, their loved ones and the public; and quick restoration of productive business operations. They will also likely expect you to offer competent and constructive support to anyone who has been traumatized emotionally in the course of the events. As of now, there is no explicit legal duty to offer such mental-health services, though most companies try to do so – knowing that it will help get things back to normal sooner, be seen as an expression of their good corporate citizenship, and also reduce potential legal liabilities down the road.
Conditions never remain static, as you have no doubt learned in the course of your normal business operations. These days, employers are being scrutinized not just for whether they offer post-crisis counseling and the like, but also for the way in which those services are provided. Legitimate questions are raised: Did what was provided actually help the people who experienced traumatic stress, or did it possibly make their stress and suffering worse? A current debate on the well-established practice of post-trauma debriefing for distressed employees provides vivid illustration of how the landscape of crisis preparedness is always evolving.
For several decades, many employers have urged, or required, people who were affected by a catastrophic incident to participate in a group debriefing process. In such groups, people are meant to discuss the traumatic experience and their feelings about it. Employees generally welcomed the opportunity to process what they had been through, and probably the majority of them have found relief, and encouragement to recover quickly, in the process. Researchers at a number of universities, however, have compiled data, which show that for some individuals, participation in group debriefings soon after traumatic incidents can be more harmful than helpful. For a subset of people, it seems that debriefings make a later eventual diagnosis of Posttraumatic Stress Disorder significantly more, rather than less likely. So this well-intentioned, and previously lauded, practice may actually become the basis of lawsuits against employers and their trauma counselors for negligence.
We offer this as simply one example of why crisis planning must be seen as an ongoing rather than one-shot project. Others can be found in the constantly emerging ways that organizations find themselves vulnerable. Ten years ago, for instance, computer viruses and massive terrorist acts on American soil were both unheard of; but the organization that does not plan for these risks now would appear unconcerned with its own survival. So does the company that develops a crisis response strategy but neglects to test and refine it through simulations and fresh analysis on a regular basis.
People in and out of your organization have come to believe that you have a duty to both avoid and plan for catastrophic occurrences. Increasingly, the courts agree. If you do not make preparedness a priority, and go about it in a proactive and thorough way, you are giving your company false cover and jeopardizing its survival.

Terri Butler Stivarius is a partner with the Atlanta office of New York-based Epstein, Becker and Green. Her employment law practice encompasses national and regional clients and focuses on discrimination and harassment litigation, human resources counseling, workplace violence, background checks and investigations, and crisis management. She also speaks regularly before various bar, civic and industry associations and is an accomplished trainer in all areas related to employment law. She received her B.S. in law and society from Binghamton University and her J.D. from Syracuse University College of Law.s

To comment on this article, go to 1603-04 at www.drj.com/feedback.

©Copyright 2003 Systems Support Inc. All rights reserved. Reproduction in whole or in part in any form or medium without the express written permission of System Support Inc. is prohibited.