Starbucks: Disaster Recovery Portfolio

Starbucks is the largest coffee company in the world that since its foundation in 1971 in Seattle, the United States, has expanded into more than sixty countries. In North America, Starbucks is a phenomenon: it is a recognizable and beloved brand. In some countries outside North America, Starbucks enjoys as much popularity and customer loyalty: for instance, in China, a new Starbucks store opens every 15 hours (Lock, 2018).

At present, Starbucks earns $24.72 billion worldwide per year and is in control of over 39.8% share of the US coffee market (Lock, 2018). Standing at $44.5 billion, the American coffee company comes second only to McDonalds in the fast food sector (Lock, 2018). Starbucks popularized coffee in North America and many other countries and created a culture that emphasized not only consumption but also the social and emotional experience of going to a coffee shop.

Restaurant safety is often overlooked because it is considered a non-hazardous sector both by employees and customers. However, workplace hazards at food places do exist and when unaddressed, might compromise the integrity, safety, and reputation of the company. Starbucks needs elaborate emergency plans because of the public scrutiny that any big corporation has to face. If an incident happens, it is likely to be extensively covered by the press, which will hurt the company’s image.

Customers expect a coffee store to be a place with a quiet, enjoyable ambiance, and recent news about safety breaches might make them cautious of ever going to one. Besides, as one of North America’s largest employers with more than 346,000 employees as of 2019, Starbucks is responsible for providing them with adequate work conditions. This paper is organized in four sections each of which is a specific type of plan: business incident response, occupant emergency, critical incident, and information system contingency plan.

Business Incident Response Plan (BIP)

It should be noted that Starbucks may experience safety threats not only in the physical world but also in cyberspace. Today, cyber attacks are becoming more frequent and sophisticated than ever, and big corporations such as Starbucks might be an attractive target for cyber criminals. At the moment, Starbucks is using technology to make customer experience smoother and more tailored. The company has a mobile application that does not only let customers make orders but also analyzes their behavior and makes recommendations based on their history of past orders (Sokolowsky, 2019).

In some coffee shops, Starbucks has already introduced IoT technologies (Internet of Things) where coffee machines and other appliances are controlled by a computer (Sokolowsli, 2019). A glitch in a single coffee machine can paralyze the work of an entire store, which is why any changes are logged and monitored through a computer network. In summation, Starbucks has customers’ personal data, including financial information, and store performance at stake.

A business incident response plan (BIP) for Starbucks should be set up to tackle a suspected safety breach in a series of steps. The key phases include preparation, identification, containment, eradication, and recovery (Kaplan et al., 2015). At the preparation stage, the company needs to take proactive measures to make sure that employees are well aware of the reality of cybertreaths. Namely, employees need to receive adequate training regarding their incident response roles. Their responsibilities need to be well-documented and accessible by all the authorized parties. Identification is a process in which the company needs to establish whether a safety breach has taken place. After the initial identification, key details as to what happened, when the event happened, who discovered, and others should be clarified.

The moment when a safety breach is identified, Starbucks employees’ first instinct would be to take radical measures and delete everything to get rid of malware. While such a measure can be relatively effective in the short term, it is unlikely to yield long-term benefits. Erasing evidence means that Starbucks will be unable to detect where the breach started and other important details. Instead, the company’s employees should try to contain the breach so that its destructive impact does not spread any further (Wallace & Webber, 2018).

For example, if there was a cyber attack that affected Starbucks’ mobile application, the company might want to prevent users from making transactions that include sharing financial information. If it is the IoT that is suffering from an attack, store employees might be required to disconnect the machines from the Internet.

In any case, it is imperative for Starbucks to notify customers about an accident so that they are not left in confusion and frustration. If it is possible the company’s PR and social media team should monitor users’ comments and respond to complaints. Silence after an accident would mean neglect or agreement with what is happening. Active engagement, on the other hand, will demonstrate that the company is socially responsible and cares about its customers.

Ideally, Starbucks needs to have both long-term and short-term containment strategies prepared. In order to save the compromised data and make sure that it is not lost for good, the company is advised to set up a redundant back-up that would allow it to quickly restore business operations. The containment stage might also be the time for updating and patching systems, checking remote access protocols, and making changes to user and administrative access credentials.

Following the containment stage, Starbucks should proceed with eradication, which can be done whether by the company’s in-house security specialists or third-party professionals. Regardless of the option that Starbucks chooses to go with, the eradication of malware needs to be thorough so that no trace of it remains. Finally, the last stage is recovery, a process in which Starbucks should be returning affected systems back into their usual environment.

Occupant Emergency Plan (OEP)

Occupant emergency plans (OEP) serve the purpose of escorting employees and customers to safety in the event of an incident. For the food sector, probably the most commonly encountered hazard is fire. Statistically, in 2016 alone, the US has seen more than 1.3 million fires with a third of them being structural, which includes cafes, restaurants, and coffee shops (Granville, Mehta, & Pike, 2016). Other emergencies include natural disasters such as floods or tornados, human disasters (example: terrorist attacks), chemical spills, and machinery accidents. No matter how elaborate, a single occupant emergency plan cannot account for all the possibilities. Which is why it needs to be comprehensive but flexible to allow for some adjustments depending on a situation.

An occupant emergency plan for Starbucks needs to prioritize the health and safety of occupants. The plan may be implemented in the four following steps:

  • Organize employees and assess capabilities and resources.

Before developing an occupant emergency plan, it is critical to establish a responsible team that would improve the stature of the planning process as well as provide a diversity of opinions on the subject matter. The size and structure of the planning team depends on each outlet’s needs, requirements, and resources. For a large organization such as Starbucks, a list of positions may include but is not limited to the designated official, the incident command, safety officer, public information officer, medical advisor, and others. At this stage, it is important to brainstorm and outline possible emergency situations. These assumptions can be based on a variety of factors such as the past history of incidents, characteristics of the physical location, the quality of training and maintenance, and others.

  • Address emergency considerations

The team needs to identify emergency scenarios informed by the detected threats to safety (see Step 1). Depending on the actual level of preparedness of a facility, the team should develop emergency response processes and protocols.

  • Develop an occupant emergency plan

The output of the first and second steps should serve as a source for a facility-specific occupant emergency plan that includes all the outline scenarios. Each plan should have three parts: preparation, response, and recovery (see Table 1 for an example). Preparation is a proactive measure that either decreases the chances of either an adverse event happening or diminishes its negative effects. Response is valid if an event has already happened or is happening. Lastly, recovery ends the cycle: it provides recommendations for handling the consequences of an event, learning from it, and making adjustments to prevent it from happening in the future.

Prepare Make sure the building is insulated, assemble an emergency kit, refill heating fuel, have extra clothes and blankets;
Respond Stay indoors, conserve heat, help the vulnerable (infants, elderly people, people with special needs), inform the authorities and follow their orders;
Recover Monitor the situation to be prepared for potential weather changes, make changes to the facility to make it more resilient to natural disasters, and train employees.

Table 1. OEP in the event of a snowstorm

  • Once all steps are completed, the plan needs to be distributed, implemented, maintained, and updated. It is critical to learn from the past and adjust these parts of the plan that have proven to be inefficient in the event of an actual disaster.

Critical Incident Protection (CIP)

A critical incident is an extraordinary event that leads to some form of human suffering or angst. Critical incidents cause a great deal of distress; they derive strong emotional responses from those who are affected. Because such events are so emotionally charged, the reactions of the individuals involved are typically difficult to control. The emotional outbursts do not readily allow for the implementation of normal coping strategies, which is disruptive to the workplace. Starbucks has seen quite a lot of critical incidents of such nature. For instance, in 2019 in Philadelphia, US, a man attempted to light himself on fire in a local Starbucks store (“How police saved a man who set himself on fire inside Pennsylvania Starbucks,” 2019).

He was successfully saved by the police and escorted from the building. This year in Oakland, New Zealand, a laptop theft ended in the death of the victim who was celebrating his birthday (“Victim, 2 suspects identified in deadly Oakland Starbucks laptop theft,” 2020). This incident resulted in a tragedy that at the moment of happening, caused panic among Starbucks’ employees and visitors.

Starbucks needs to set up a critical incident protection plan (CIP) in order to mitigate the effects of critical incidents on the work environment and resolve them as quickly as possible. The plan needs to become an integral part of the company’s emergency management processes. Ideally, it is to include not only post-factum measures but also actions that the company could undertake in a preventive effort.

Firstly, there needs to be a critical incident recovery team established with roles and responsibilities allocated and documented. Secondly, every major office or outlet should consider setting up a recovery room or at least a safe space with first aid. Thirdly, employees should be informed about common workplace hazards as well as the history of incidents specific to Starbucks.

In the first 24 hours after a critical incident has taken place, a Starbucks office or outlet needs to go through the following steps:

  1. During or right after a critical accident, managers or employees need to share information about the nature of the incident, location, time, and other relevant details with respective organizations. Starbucks’ higher-level coordinators and supervisors need to be notified about the critical incident as well;
  2. The team needs to ensure that the rest of the staff and customers are safe from harm and injury. Since individuals might be responding strongly to an incident, they should be guided carefully but firmly away from the epicenter. Some distressed individuals might be inclined to hide or seek exit paths on their own, in which case it is critical to examine the entire space and ensure that everyone is escorted out of it (DeFraia, 2016). At this stage, media should be kept away from the staff and customers; any interactions should be prevented. Employees should be trained not to make hysterical calls as it could intervene with the administration of safety procedures;
  3. A Starbucks office or outlet that has been affected by a critical accident should continue working with authorities and following their guidelines closely;
  4. The staff and customers should not be deprived of the information about what happened. They should be informed in detail; the staff needs to be given time to discuss the incident among themselves. Starbucks managers should keep in mind that the traumatic event might have put a strain on the mental health of some of the people involved. If this is the case, these individuals should be referred to services that can provide them with counselling and necessary psychological support.
  5. In the post-incident phase, businesses need to consider preventive and preparatory measures to improve their resilience. As noted by DeFraia (2016), the seriousness of post-incident response is typically associated with the severity of a critical incident.

Information System Contingency Plan (ISCP)

An information system contingency plan (ISCP) is developed with the purpose of establishing procedures required for the assessment and recovery of a system after a system disruption (Kaplan et al., 2015). The ISCP differs from a disaster recovery plan because it does not take into consideration the site and location of a disruption. Typically, it can be activated at the system’s present location or from an alternative site. A good ISCP needs to be detailed enough to guide people’s actions in the event of a system disruption. However, the level of detail should not be at the expense of the plan’s versatility: it should still be flexible enough to allow for changes and adjustment.

The activation and notification phase includes the initial actions that need to be undertaken following a detection of a system disruption or when a system disruption is imminent. A predefined set of actions elaborates on how to notify recovery personnel, assess the scale of damage, and activate the plan. Upon the completion of this step, the staff is prepared to take measures targeted at recovery and the restoration of system functions. The activation of the plan should only be done if an event meets one or more activation criteria. Activation criteria can be based on metrics such as the extent of damage to the system (physical, operational, or financial) and the importance of the system to the organization’s operations.

As for notification, an outage or disruption may occur with or without notice. The first case (example: authorities notifying about an imminent natural disaster) might be easier to handle in terms of spreading information. However, events such as equipment failure or cyberattacks may happen without any preliminary signs. In this case, it is important to implement both manual and automated notification as soon as possible. On top of that, the first stage also includes an assessment of the event that focuses on areas such as the cause of the disruption, potential for additional damage, type of damage, and estimated time to return back to normal.

The second phase is recovery that involves procedures needed for restoring the system and enabling the restart of business operations. As Wallace and Webber (2018) point out the sequence of activities matters, and it should be based on the priorities outlined in the Business Impact Analysis (2018). Ideally, there needs to be a step-by-step plan for any category of events. The necessary recovery procedures depend on the nature of the event. They include but are not limited to:

  • Accessing damaged facilities or geographic area on the while;
  • Contacting external business partners associated with the system;
  • Identifying and obtaining needed office supplies;
  • Installing hardware components needed for the recovery of a system;
  • Obtaining and loading backup files;
  • Restoring the operating system and software;
  • Testing the functionality of the restored system.

During the reconstitution phase, the system is fully restored, and the business can restart its usual operations. The reconstitution phase seeks to draw meaningful conclusions from what just happened and avert similar events in the future. It includes taking measures that would make the system more resilient against malicious attacks and force-majeure occurrences. It is important to notify Starbucks’ clients about the event, its management, and potential consequences before social media and the press take control of the narrative. On the technical side, it is only reasonable to create system backups and document events, logging what actions were taken and what kind of problems were encountered.


Starbucks is the biggest coffee chain in the world for whom safety and security mean continuity of operations and reputation among its customers. The American company is a large employer both on its domestic market and abroad. Besides, due to its wide use of technology, Starbucks manages user data and applies the Internet of Things in its daily operations. The four plans presented in this paper tackle different aspects: business incidents, occupant emergency, critical incidents, and information system contingency.

The four plans share flexibility and customization as key characteristics. While each of them imply stepwise procedures, they leave space for change and adjustment. Besides, they take into account Starbucks’ specific characteristics, which makes them more tailored and apt for a variety of situations that are likely to occur at the company’s outlets.


DeFraia, G. S. (2016). Workplace disruption following psychological trauma: Influence of incident severity level on organizations’ post-incident response planning and execution. The International Journal of Occupational and Environmental Medicine, 7(2), 75.

Granville, F., Mehta, A., & Pike, S. (2016). Destinations, disasters and public relations: Stakeholder engagement in multi-phase disaster management. Journal of Hospitality and Tourism Management, 28, 73-79.

How police saved a man who set himself on fire inside Pennsylvania Starbucks. (2019). NBC Philadelphia. Web.

Kaplan, J. M., Bailey, T., O’Halloran, D., Marcus, A., & Rezek, C. (2015). Beyond cybersecurity: protecting your digital business. John Wiley & Sons.

Lock, S. (2018). Starbucks – statistics & facts. Web.

Sokolowski, J. (2019). Starbucks turns to technology to brew up a more personal connection with its customers. Web.

Victim, 2 suspects identified in deadly Oakland Starbucks laptop theft. (2020). ABC7 News. Web.

Wallace, M., & Webber, L. (2018). The disaster recovery handbook: A step-by-step plan to ensure business continuity and protect vital operations, facilities, and assets (3rd ed.). New York, NY: AMACOM.

Cite this paper

Select style


BusinessEssay. (2023, August 7). Starbucks: Disaster Recovery Portfolio. Retrieved from


BusinessEssay. (2023, August 7). Starbucks: Disaster Recovery Portfolio.

Work Cited

"Starbucks: Disaster Recovery Portfolio." BusinessEssay, 7 Aug. 2023,


BusinessEssay. (2023) 'Starbucks: Disaster Recovery Portfolio'. 7 August.


BusinessEssay. 2023. "Starbucks: Disaster Recovery Portfolio." August 7, 2023.

1. BusinessEssay. "Starbucks: Disaster Recovery Portfolio." August 7, 2023.


BusinessEssay. "Starbucks: Disaster Recovery Portfolio." August 7, 2023.