Are Your Plans Smart Enough?

Cyber-Security Framework Aids in Business Continuity Planning

Posted on Thu, Jul 30, 2015

Company operations are increasingly intertwined with critical technology. A company’s business continuity plan (BCP) should include processes related to critical technologies that may be lost during an incident. A BCP is a vital tool that companies can use to plan for the restoration of normal operations after a business-disrupting incident. In order to minimize the risk of technology-related continuity incidents, company-wide computer security best practices are essential.

Computer and cyber security mitigation measures, along with BCP reviews, can safeguard necessary integrated technologies, prevent hacking, and ensure business continuity. A breach in computer security can create a temporary or permanent loss of operations, software, and/or vital records.

In 2014, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) received and responded to 245 incidents reported by asset owners and industry partners. The Energy Sector reported the most incidents, followed by critical manufacturing. It is essential that companies share cyber security breach information, review lessons learned, and protect technologies in order to minimize the threat to critical infrastructure.

[Figure: 245 incidents reported by sector (FY2014). Source: ICS-CERT]

According to ICS-CERT, the graph represents only reported incidents. Many more incidents that occur in critical infrastructure go unreported. The Energy Sector Cybersecurity Framework Implementation Guidance manual states, “ICS-CERT continues to encourage asset owners to report malicious activity impacting their environment even if assistance is not needed or requested.” As incidents are reported, ICS-CERT can provide situational awareness to critical infrastructure industries about similar or related incidents, as well as share data regarding potential hacking and evasive techniques and tactics.

Identifying the procedural details of computer backups, data restoration methods, and minimum software requirements is crucial to re-establishing technology-related critical business processes and to business continuity planning. In early 2015, the Energy Department released guidance to help the energy sector establish or align existing cybersecurity risk management programs to meet the objectives of the Cybersecurity Framework released by the National Institute of Standards and Technology (NIST). In an effort to maintain business continuity, a cyber-security program framework should be implemented.

The cyber-security program framework consists of a continuous seven-step approach that enables organizations to address the steadily evolving risk environment. In order to secure business continuity efforts, companies should evaluate the framework against their current cyber-security efforts.

STEP 1: Prioritize and Scope

  • Address how to frame, assess, respond to, and monitor risk.
  • Evaluate industry specific critical infrastructure protection objectives and priorities

STEP 2: Orient

  • Focus on critical systems and assets
  • As resources permit, expand focus to include less critical systems and assets
  • Determine evaluation approach used to identify current cyber security and risk management environment (ex: self-evaluations, third-party evaluations)

STEP 3: Create a Current Profile

  • Evaluate and determine status of current systems and security protocols
  • Identify existing cyber security risk management practices and measure them against best practices and proven frameworks. “It is important to understand that the purpose of identifying a Current Profile is not simply to create a map between organizational practices and Category and Subcategory outcomes, but also to understand the degree to which those practices achieve the outcomes outlined by the Framework.” (Energy Sector Cybersecurity Framework Implementation Guidance, page 10)

STEP 4: Conduct a Risk Assessment

  • Perform cybersecurity risk assessments to identify and evaluate cyber security risks, and determine which are outside of current tolerances.

STEP 5: Target Outcomes

  • Identify the desired outcomes and associated cyber security and risk management standards, tools, methods, and guidelines that will mitigate cyber security risks, commensurate with the risk to organizational and critical infrastructure security.
  • When creating a Target Profile, the organization should consider:
    • current risk management practices
    • current risk environment
    • legal and regulatory requirements
    • business and mission objectives
    • organizational constraints

STEP 6: Determine, Analyze, and Prioritize Gaps

  • Identify gaps between current profile and targeted outcomes.
  • Mitigation priority levels should be assigned to all identified gaps. Prioritization of gaps should include consideration of current:
    • risk management practices
    • risk environment
    • legal and regulatory requirements
    • business and mission objectives
    • any applicable organizational constraints
  • Develop a plan of prioritized mitigation actions to advance to “Targeted Outcome” based on available resources, business needs, and current risk environment.

STEP 7: Implement Action Plan

  • Execute the implementation plan
  • Track progress and completion
  • Evaluate to ensure gaps are closed and risks are monitored


Tags: Business Continuity key points, Cyber-Security, Business Continuity Plan

An Evaluation of Industrial Response Planning Technology

Posted on Thu, Jul 23, 2015

Industrial facilities are continually challenged to maintain compliant, up-to-date, and effective response plans. Companies willing to embrace proven innovative tools are often the ones that outperform their counterparts. Long before tablet computers and smartphones, industrial companies composed and shared multiple binder-bound response plans. These formidable plan binders, which are still used in large numbers today, were (and are) printed and reprinted for responders, auditors, inspectors, and stakeholders, and were mailed to multiple agencies for regulatory approval. Fortunately, technology provides a solution to the countless challenges associated with maintaining the multiple plan types often required of industrial facilities.

The notion of a securely accessible emergency response planning system capable of adapting to a company’s every location, regulatory requirement, and plan type is within reach for many companies. Web-based, database-driven planning systems have proven to enhance compliance and ease plan maintenance demands. Before companies adopt planning software, maintaining multiple plans can be challenging when:

  • A company has multiple facilities with various planning requirements
  • The template put forth by the company does not allow for the facility-specific information required for regulatory compliance
  • Plan updates result in “version confusion” or lack of data consistency
  • Known quantities of hazardous materials vary and fluctuate, depending on facility and operational status

Companies strive to stretch budgets, boost response planning efficiency, and minimize the negative reputation associated with non-compliance. However, incorporating new software is often seen as a costly and questionable expense. If processes are working, why change them? That same question can be asked of other archaic entities that simplified challenges, encouraged productivity, and minimized efforts. What would your enterprise be like today if technological advancements were not incorporated into corporate structures?


A comprehensive planning system should identify the resources required to effectively manage potential hazards, document necessary response actions, and fulfill multiple compliance mandates. Upgrading to web-based planning software will enable emergency managers across an enterprise to:

  • Reduce the need for multiple plans
  • Minimize administrative costs
  • Simplify plan reviews
  • Minimize discrepancies across various plans
  • Streamline response directives from one source

Company leadership and EHS teams must evaluate the case for integrating response planning software across an enterprise. Below are key questions that may help determine if an enterprise-wide response planning system is right for your company:

REGULATORY COMPLIANCE

  1. Do you have more than one facility that is governed by regulatory requirements?
  2. Are individual facilities required to comply with multiple agencies’ requirements?
  3. How do you integrate frequently evolving regulatory requirements across your various facilities?
  4. How often are you audited and would you be ready if an auditor appeared tomorrow?
  5. Have audits resulted in fines or violations?

PLAN ACCURACY

  1. Do you have multiple versions of plans, leading to “version confusion”?
  2. Does employee turnover rate create inaccuracies in your response plans?
  3. How effectively do you handle contact information updates and verification?
  4. Are your plans updated quarterly or annually?
  5. Do your plans address site operational hazards, risks, and threats?
  6. Is there repetitive information in multiple plans at multiple facilities?
  7. Do plans include site-specific criteria for provisional tiered responses?
  8. Do spill trajectory maps mimic local observations and historical tendencies?
  9. Do your personnel and responders have access to your existing plans?
  10. Have plot plans and area mapping been integrated with the most recent GIS data and knowledge?
  11. Do all sites have plans, or have you recently gone through a merger or acquisition?
  12. Do responses reflect lessons learned and exercise findings?

EFFECTIVENESS

  1. Do local responders have access to your most up-to-date emergency response plan?
  2. Are your plans updated quarterly or annually, and how do you integrate new regulatory requirements?
  3. How much time is dedicated to maintaining, updating, and distributing your plans?
  4. Can you use your existing plan to expedite training?
  5. Do you have a record of changes and revisions?


7 Corporate Social Media Strategies for Incident Management

Posted on Thu, Jul 16, 2015

In today’s expansive world of smartphones and instantaneous social media reporting, incident commanders no longer have the luxury of controlling communication with the public and media. As a result, a company must establish an incident management communication plan that includes a facet for assessing and distributing communication through social media.

Social media communication has advanced from its origins as a picture-sharing medium strictly used by young adults, to a comprehensive, informative, and responsive communication tool. Companies must incorporate these platforms that instantly validate observations, enable shared experiences, and provide valuable information.

Public relations planning that includes a social media element must be developed as part of an overall incident management plan. In order to sustain a positive, productive, and profitable relationship with stakeholders and communities, proactive corporate visibility and timely communications are essential. Established Twitter feeds, Facebook pages, and company websites can be used as sources of incident communications. Employees, the press, and communities want to know the details of “what happened”, “who/what was impacted”, “why did the incident occur”, and “what will happen” in the near future.


The more timely and detailed the information, the less chance the public and media outlets will have room for interpretation. In order to regulate inaccurate perceptions, an incident management communication plan must contain the following elements:

  1. An initial brief, focused, and factual description of the situation: Even if the situation is ongoing, the current facts must be presented barring any information that may cause further harm.
  2. Initial response action details: Identify the “who, what, when, and where”. The “why” is often speculative in the early stages of an incident. Refrain from communicating the “why” until all the facts can be evaluated and confirmed.
  3. Ongoing processes established to minimize and counteract the emergency: Identify what process and procedures will be in place in order to restore the scene to a “business as usual” scenario. This may include, but is not limited to:
    1. ongoing security measures
    2. safety mandates, such as shelter in place or evacuations
    3. supply chain disruptions
    4. employee directives
    5. request for assistance/volunteers
  4. A statement of commitment to return to “business as usual”: Companies must communicate their intent/attempt to return the affected area to its original or improved state. If “business as usual” will be delayed or altered, details of those terms must be communicated when logistics and associated details are confirmed.
  5. An expression of empathy to those affected by the incident: If an incident affects employees, stakeholders, and/or the community, a company should make every effort to “be human” and show compassion. However, “acts of compassion” speak louder than words.
  6. Access to subject matter experts to answer media inquiries: Experts that understand the details of the incident and how it relates to operations can often provide specific, factual information. These individuals can often be representatives that explain “why” an incident occurred. If a company does not provide expert analysis, the public and media may seek out alternative sources that may not have all the necessary, accurate information specific to the incident.
  7. Timing for follow up information: Companies should only promise what can be delivered. A company should refrain from predicting response times. While exercises should give incident commanders a general sense of time frame, each scenario is unique. Companies should provide employees, the press, and the public with incremental times for situational updates. Those times should be hard scheduled but should not interfere with the response. Even if additional factual information is not available, the public information officer (PIO), or the designated representative, should maintain communication.

Social media engagement has become one of the “lessons learned” from the 2013 West, TX fertilizer plant explosion. Frank Patterson, Waco-McLennan County emergency management coordinator, called the incident a “CNN event”. “We didn’t use social media. It ate us up,” said Patterson. Misinformation and rumors surrounding the explosion saturated the Internet.

It is imperative for a PIO or representative to effectively manage and engage in media communication and social media chatter. For larger companies or if operational risks and worst-case scenarios have the potential for a considerable impact, it may be advantageous to establish a communications team that includes a social media monitoring facet. Regardless, companies must be tuned into the vast digital network of social chatter. While the specific incident circumstances will define a response strategy, basic communications processes typically remain consistent. Viral rumors and antagonistic communications can often be inhibited with a timely, factual, and proactive incident management communications campaign.

Tags: Incident Management, Media and Public Relations

Essential Elements for a Successful Company Crisis Management Response

Posted on Thu, Jul 09, 2015

Crisis situations can erupt suddenly and without warning. Most successful responses result from a prepared strategy, with a cooperative understanding of the incident, response roles, and assigned responsibilities. It is critical that a crisis management framework, response measures, and communication strategies be established and exercised before a crisis actually occurs.

“Drive thee business, or it will drive thee” – Benjamin Franklin

Regardless of the circumstances, every crisis has the potential to significantly impact a company’s short and long-term reputation, daily operations, and financial performance if the situation is not handled properly. Resolutions require a prepared crisis management plan (CMP) with flexible, yet pre-identified responses and actions. A CMP should be viewed as a reference tool, not a stagnant directive.

The following concepts should be utilized to generate effective corporate crisis management plans:

Potential threats: Identify all potential threats to “business as usual” operations. This can range from safety incidents and life-threatening emergencies, to social media glitches and human resource controversies.

Evaluate responses: Since each crisis is unique and comes with varying degrees of impact, each potential threat must be evaluated and resolved individually based on:

  • The potential impact on current and potential clients and customers
  • The potential impact to employees and the company
  • Stakeholders interested in the outcome of the incident
  • The level of control the company has over the situation
  • Complexity of the crisis and specialists required

Position: Determine the company’s public position or viewpoint for each potential issue. A public relations strategy and communications plan to relate this information should be established.

Mitigation Measures: Take preventive measures to avert emergency situations and proactively deter negative perceptions, including generating effective response procedures and recovery processes for a variety of potential threats.

Plan: Prepare a CMP for responding to all internal and external aspects of the crisis. This may include identifying all stakeholders that may be affected by each crisis situation, communicating effectively, and collaborating with additional necessary resources.

Persevere: Proactive efforts, honesty, empathy, and preparedness will assist in maintaining company viability and reputation. Utilize your plan, modify per incident specifics, and communicate company positions and ongoing activities to counteract the incident commotion.


The composition of a crisis management team (CMT) will vary depending on the nature and scale of the crisis. Depending on the requirements, the following roles may be designed to provide the company with the essential functions necessary to manage most events (* denotes support positions activated as necessary):

1. Crisis Manager (CMT Team Leader) - Approve the CMP and provide overall leadership.

2. Security Advisor - Provide input regarding security related procedures contained in the CMP during scheduled plan reviews, and provide guidance regarding current or potential security issues during a crisis.

3. Public Affairs Advisor - Provide input and participate on all aspects of Crisis Communications.

4. Medical Advisor - Assess and assist in human health impacts during a crisis.

5. Human Resource Advisor - Provide guidance relating to communications with employees, and work to minimize impacts to employees and their families. Maintain a current, accessible contact list of all employees, contract employees, and responders.

6. Health, Safety, Security, and Environmental Advisor (HSSE) - Provide guidance regarding actual or potential environmental, safety, and health issues related to the crisis. Coordinate direct implementation, and training and updating of Incident Response Plans.

7. Legal Advisor - Ensure a Legal representative is available at all times in case of a crisis to assess potential legal impacts of response actions and communications.

8. CM Advisor - Supervise and coordinate necessary support roles. However, individual Aides may be assigned to work directly under any core CMT position to fill a specific need. Also responsible for the readiness of a Crisis Management Center, if necessary.

9. *Aide(s) - Administrative resource(s).

10. *Business Unit Advisor(s) - Anticipate Business Unit issues, develop strategic plans to proactively address these issues, and adjust staffing of Business Unit Group to suit evolving incident needs.

11. *Subject Matter Expert(s) (SME) - Be available to assist the crisis manager on an “as needed” basis. Examples of potential SMEs may include specialized technical, legal, or environmental experts.

CMPs and activated CMTs are of little value to a situation if they are never tested on realistic crisis scenarios. Exercising a plan with established and communicated objectives and expectations can vastly improve the effectiveness of required responses, the decision making process, and task-related performances.


Tags: Crisis Management

Oil Spills and Water Do Not Mix: Guidance for Company SPCC Plans

Posted on Thu, Jul 02, 2015

Most analogies regarding oil and water convey an image of chaotic polarity. If oil comes in contact with water in an industrial setting, it can be destructive and costly. Oil spills that discharge into waterways have adversely affected environments and wildlife, caused substantial economic losses to communities, and inflicted financial penalties on companies.

If a company is subject to the Environmental Protection Agency’s Spill Prevention, Control, and Countermeasure (SPCC) rule, they must ensure plans are established, accurate, and compliant. The EPA estimates that approximately 640,000 U.S. facilities are potentially subject to regulations under the following rule:

A facility that stores, processes, refines, uses or consumes oil and is non-transportation-related is potentially subject to the SPCC rule. The EPA requires these plans for facilities that could discharge oil into navigable water and store more than 1,320 gallons aboveground or more than 42,000 gallons underground.

Since 1974, owners and operators of certain oil-handling facilities have been subject to the regulation. When referring to a rail facility recently fined for a delinquent plan, the EPA stated that the failure to “maintain and fully implement an adequate SPCC plan leaves a facility unprepared to deal with an oil spill and to prevent a spill from having potentially serious consequences.”

Compliant "spill prevention" plans can prevent spills from occurring, as well as speed up necessary response and recovery actions. For EPA compliance, plans should provide site-specific details that allow responders to best access, assess, and quickly respond to off-site spills, limiting the effects of a spill on sensitive environments. The plans also relay site-specific information related to the storage and management of oil. These plans require that facilities identify sufficient containment and/or other applicable countermeasures to reduce the potential for oil spills to reach navigable waters.


Typical elements of an SPCC Plan include:

  • Professional Engineer Certification
  • Discussion of conformance with federal regulations
  • Facility description, plot plan, and contacts
  • Potential spill volume and flow rates
  • Inspections, tests and record keeping processes
  • Personnel training requirements
  • Loading/Unloading and transfer details
  • Discharge prevention measures
  • Security Measures
  • Recovered material drainage and disposal methods
  • Bulk Storage tanks details
  • Secondary containment locations and volumes
  • Discharge notification information and procedure

If a facility has more than 10,000 gallons of aggregate aboveground oil storage capacity, the plan must be inspected and certified by a professional engineer (PE). The certifying engineer must:

  • Be familiar with plan requirements
  • Visit applicable site and examine the facility
  • Certify that the plan has been prepared in accordance with good engineering practices, including consideration of applicable industry standards
  • Confirm that procedures for required inspections and testing have been established
  • Certify that the plan is adequate for the specific facility

Facilities that require these plans, yet have an aboveground oil storage capacity of less than 10,000 gallons, may self-certify these plans if they meet the following criteria:

The facility must not have had:

  1. A single discharge of oil to navigable waters exceeding 1,000 U.S. gallons
  2. Two discharges of oil to navigable waters each exceeding 42 U.S. gallons within any twelve-month period, in the three years prior to the SPCC Plan certification date, or since becoming subject to Title 40, Part 112 of the Code of Federal Regulations (CFR) if facility has been in operation for less than three years.

If a facility owner meets the above criteria, then the company may:

  • Prepare a self-certified plan
  • Meet tailored facility security and tank integrity inspection requirements without PE certification
  • Prepare a Plan which includes required PE certification for only the portions dealing with environmental equivalence and impracticability determinations. The remaining portions of the plan could be self-certified by the facility owner/operator.


Tags: SPCC

Preparedness & Response Planning for Supply Chain Business Continuity

Posted on Thu, Jun 25, 2015

Weather, natural disasters, and other uncontrollable events can interrupt transportation flow and your supply chain – anytime, anywhere, and with little warning. - FedEx.com service alert

In January and February of 2015, blizzards, ice, and frigid cold temperatures targeted the eastern half of the United States. The deluge of extreme weather brought residents, cities, and supply chains to their knees. Meanwhile on the west coast, labor disputes between the International Longshore and Warehouse Union and the Pacific Maritime Association created the partial closure of 29 ports. The Port of Oakland experienced a 39% drop in cargo imports because of the circumstances (Wall Street Journal). The trucking and railroad industries lost valuable time and money, and customers experienced delayed delivery of tons of expected goods. The ripple effect of delayed shipments forced many customers to stockpile goods when available, and alter contracted shipping means when time sensitive goods were required.

Ensuring ample supplies in the midst of an incident can be challenging, especially when external forces create delays. Supply continuity and preparedness efforts are becoming more important as more companies depend on world-wide suppliers. These recent major supply disruptions, both on the east and west coasts, emphasize the need to develop business continuity plans (BCPs) that identify primary and secondary suppliers and alternate resources. By identifying and contracting with vendors and alternate suppliers prior to an incident, a company improves its ability to quickly and successfully respond to unforeseen disruptions.

Pre-emptive identification and mitigation efforts are crucial to preventing supply chain interruptions and costly consequences. Factors to consider in the identification of critical suppliers are complex and extend well beyond first glance analyses. While suppliers of material goods and business-specific products may be critical to business practices, suppliers may also include those that provide the following services, utilities, or infrastructures:

  • Sole source services
  • Electrical power
  • Water
  • Fuel
  • Telecommunications
  • Transportation
  • Staffing
  • Waste Management
  • Facilities


Companies should utilize BCPs to prepare for incidents that could impair or impede the ability to operate as a result of a temporary or permanent loss of required supplies, equipment, critical staff, data, and necessary infrastructure. A BCP can help minimize or counteract many of the potential impacts of a supply interruption or set procedures in motion that limit the effects on operations.

Identification of risks and business impact analyses (BIA) should be performed for critical supply chains as part of the development of BCPs. For common disruptions, such as inept supplier performance, required resources forecasting errors, and transportation and delivery breakdowns, companies can typically utilize historical data to quantify the level of risk and necessary response effort. However, when extraordinary events impact the supply chain, such as the east and west coast incidents, companies may encounter atypical and domino effect impacts. Continuity plans with supply chain response measures must be in place to mitigate the disruption, sustain operations, and restore “business as usual”. The following supply chain related questions, while not all-inclusive, can be used as response planning discussion points to identify necessary supply-related business continuity and response elements:

  • How would a potential critical material supply disruption affect both internal and external resources?
  • Have critical supplies, interdependencies, and potential bottleneck scenarios been identified?
  • Have critical materials and response equipment needs, minimum levels, and recovery time limits been evaluated and defined?
  • Are processes in place to monitor internal and external supply chains that identify potential delivery disruption?
  • Have backup suppliers been identified and communicated with?
  • Have memoranda of understanding (MOUs) for services, and equipment or supply contracts, been established and/or kept up-to-date?
  • Do business continuity initiation procedures encompass verified primary and secondary supply chain contacts?
  • Is there historical data that indicates potential impacts and durations that can be used for planning?
  • Are “Best Practices” supply chain continuity procedures available from like-companies and industry experts?
  • Do critical suppliers have alternate processes and delivery methods in case an event affects their operations?
  • Have supply disruption scenarios been included in emergency response and business continuity exercises?
  • Are employees trained in the event of supply disruption?
  • Have mitigation measures been examined and implemented based on BIAs?


Tags: BCM Standards, Business Continuity key points, Business Continuity Plan, Business Disruption, Mitigation

6 Goals of Effective Corporate Emergency Management Communication

Posted on Thu, Jun 18, 2015

When the Memorial Day torrential rains hit southeast Texas, smartphones equipped with Wireless Emergency Alerts (WEA) services were buzzing! WEAs of flash flood alert warnings were sent out by the National Weather Service to thousands of individuals in the affected areas through their smartphones. The idea of instantaneous communication for emergency management alerts is now a reality. However, in order to be effective for companies, corporate emergency management communications must lead to heightened awareness and/or action at the employee or responder level.

“Modern technology has brought us the greatest level of warning dissemination in our lifetime, but even with all that said there’s always going to be that situation where people may not be aware of what’s going on around them,” says Walt Zaleski, the warning coordinator at the National Weather Service’s southern region headquarters in Fort Worth, Texas.

While WEA technology adds another layer of resiliency to the suite of communication tools, companies must establish and train employees on their specific workplace emergency communications protocols. When employees are aware of corporate communication procedures and the roles that they play in each scenario, necessary responses can be effectively played out. If a widespread incident were to occur in your area, do you have effective communication procedures in place to communicate with employees and/or initiate a response?


If and when an emergency occurs, clear communication is crucial to establish response expectations, which can protect lives, the environment, and the surrounding community. Effective corporate emergency communications should:

  1. Result from accurate data collection
  2. Be timely and current
  3. Remain concise to accurately define the “next step” or necessary tasks
  4. Clarify initial emergency response initiatives, if applicable
  5. Include time parameters and follow up procedures
  6. Be strategic in how tasks should be accomplished

An effective emergency communications strategy must be developed with a commitment from corporate leadership. In the event of an emergency scenario or incident, consistently accurate messages by company representatives alleviate potential anxiety, safeguard employees, and provide a level of credibility. This commitment must include, but is not limited to:

  • Utilizing advanced contact verification procedures: Contact lists should be verified on a regular basis to ensure all information is accurate. If maintaining accurate contact information is challenging, consider opting for a notification verification system with email or text message capability that enables contacts to verify their own information through hyperlinks.
  • Establishing a communications strategic framework: Verify necessary checklists and response criteria that will guide the communications decision-making process for a variety of emergency scenarios and incidents.
  • Optimizing notification procedures: Establish proven communication methods that will relay information to both internal and external individuals and/or organizations.
  • Testing emergency communications: Ensure communication among site managers and all business units is effective and initiates the required responses.

Successful corporate emergency communications are those that are taken seriously and responded to in a timely and effective manner. Communication procedure training should be included as part of the corporate and site emergency response plans. It may be necessary to cross-train response team members in order to provide extended knowledge in case primary team members are not available. Each team member should have a clear understanding of the procedures for receiving and disseminating information. In case of communication disruption, companies should provide employees training in primary and established secondary communication methods.

Because traditional and social media outlets can disseminate information quickly, public relations personnel should be included in emergency planning and associated exercises. Establishing and committing to communications and public relations efforts defines lines of communication with employees and all partners, enables leaders to communicate response efforts and requirements, and ensures that public affairs staff have the training and the tools to maintain company reputation and client relationships.



Tags: Communication Plan

Oil Prices, Facility Response Plan Compliance, and Corporate Shuffling

Posted on Thu, Jun 11, 2015

Historically, low oil prices have triggered energy sector consolidations, reorganizations, and liquidations. As the industry responds to plunging company profits, a wave of mergers and potential acquisitions may be on the horizon. Once again, the dynamic nature of the oil industry will require corporate emergency managers to re-evaluate their approach to emergency management and regulatory compliance.

When companies merge and facilities are acquired, a company-wide emergency management program must consolidate and verify the regulatory compliance and the accuracy of facility response plans. Companies undergoing corporate structural changes should perform gap analyses or audits to identify procedural, policy, or regulatory compliance deficiencies.

Integrating plans under one centralized format consolidates preparedness and response objectives. In company merger circumstances, this process requires clear, concise, and frequent communication among multiple parties. A cohesive team, in cooperation with facility managers, should manage the consolidation of emergency management practices. It is critical to define preparedness objectives, response roles, and responsibilities in order to eliminate ambiguity and confusion. Responsible parties must verify and apply data, site assessments, and personnel information into cohesive, compliant, and effective plans for the new enterprise.

The following fundamental preparedness and response questions may assist companies in unifying facilities into a compliant emergency management program. Determining site-specific information, possible mitigation efforts, and response capabilities can mobilize stakeholders to develop necessary and required response planning objectives. (Note: The questions below are meant to initiate conversations and should not be considered a thorough checklist for preparedness and response planning.)

Who is assigned to an emergency response?

  • Identify Incident Commander for each location
  • Create or update Emergency Management Team organizational chart
  • Identify and verify Emergency Management Team activation measures
  • Create or update Emergency Management Team roles and responsibilities checklists

Does the facility have a compliant response plan?

  • Update necessary personnel, contact information, and notifications procedure
  • Perform a gap analysis of the current plan(s) against new operations, equipment, company policies, industry best practices, and applicable local and state regulations
  • Review agency approval and electronic submittal processes, and comply as necessary


What threats affect the facility or employees?

  • Perform a detailed hazard and risk analysis
  • Prioritize and carry out necessary mitigation measures
  • Verify or create response procedures for each identified threat
  • Identify the new process for incident documentation
  • Utilize appropriate ICS Forms
  • Identify current and/or necessary equipment for response
  • Establish training and scenario-specific exercises to ensure processes and responses are effective for identified threats/hazards

What regulatory requirements apply to each facility?

  • Evaluate all applicable regulations based on:
    • location
    • industry
    • operations
    • hazards
    • response specifics
  • Identify required training and implement compliant program
  • Review submitted response plan information
  • Confirm training and planning documentation
  • Perform plan(s) compliance audits

What is required for an effective and timely response?

  • Identify response capabilities and determine if additional resources are necessary
  • Initiate a Memorandum of Understanding or contract for specific response needs
  • Confirm contact information, availability, and response times

How will an emergency be reported and response initiated?

  • Create site-specific notification procedures. (Emergency notifications may include 911, National Response Center, internal or external response team, emergency services, and others)
  • Test alarms to confirm they are in proper working condition
  • Ensure employees are trained in alarm procedures and immediate response actions per roles and responsibilities
  • Implement company-approved emergency classification levels to associate response procedures with emergency conditions and prevent the incident from escalating
  • Create multiple evacuation routes
  • Identify the muster point(s) and head count procedures

How are response actions sustained?

  • Establish command post location
  • Identify internal and external response resources and equipment for necessary sustained response actions
  • Share plans with appropriate responders/stakeholders
  • Develop a communications plan and identify sustainable communications equipment
  • Identify hazard control applicability and methods
  • Detail external communications and public relations policies

What is done after the incident is secured?

  • Create checklist to demobilize the response
  • Identify post incident review and debriefing objectives
  • Generate a means to apply “lessons learned”
  • Update plan accordingly and amend necessary training


Tags: Facility Response Plan, Regulatory Compliance, Facility Management

Company FRP and SPCC Compliance within Proposed 2016 EPA Budget

Posted on Thu, Jun 04, 2015

As part of the proposed $8.6 billion Environmental Protection Agency (EPA) 2016 budget, the agency is allocating $18.5 million for the Oil Spill Prevention, Preparedness and Response program. The program aims to protect the U.S. environment by effectively preventing, preparing for, responding to, and monitoring oil spills.

According to the EPA’s Budget in Brief, the agency “will perform inspections of regulated high-risk oil facilities to better implement prevention approaches and to bring 60 percent of Spill Prevention, Control, and Countermeasure (SPCC) and Facility Response Plan (FRP) inspected facilities found to be non-compliant during the FY 2010 through FY 2015 inspection cycle into compliance.”

Oil spills can threaten human health, cause severe environmental damage, and create financial loss to businesses and the public. According to the EPA, there are currently over 600,000 SPCC-regulated facilities under the EPA’s jurisdiction, including a subset of roughly 4,300 facilities subject to FRP requirements. Rather than be susceptible to fines, penalties, and negative publicity, companies that are required to comply with SPCC and FRP regulations should ensure response plans are up-to-date and effective. Evaluating company operations and each facility’s site-specific information will determine necessary elements for regulatory compliance and response plan requirements.

Compliance monitoring comprises all activities that determine whether regulated entities are in compliance with applicable laws, regulations, permit conditions, and settlement agreements. In coordination with these governing requirements, the goal of the EPA’s Compliance Monitoring program is to determine whether conditions exist that may present an imminent and substantial threat to the public health or welfare of the United States.

The 2016 proposed budget enables the EPA to have a greater emphasis on emergency preparedness, particularly through the use of unannounced drills and exercises. It is imperative that facilities and responders can effectively implement established response plans according to regulations. In FY 2014, the EPA was able to bring 79% of FRP and 72% of SPCC facilities into compliance due to the development of improved guidance and procedures. The compliance program will continue to focus resources on bringing non-compliant facilities into compliance.

[Chart: EPA oil facility compliance] Source: EPA (Chart presents data as of end of FY2014. Data represent the percentage of facilities found initially compliant in a particular year and facilities previously found to not be in compliance that were brought into compliance out of the respective sets of facilities inspected. Therefore, the numbers do not total to 100 percent.)

Compliance monitoring activities include data collection, analysis, data quality review, on-site compliance inspections/evaluations, investigations, and reviews of facility records and reports.

The EPA ensures that the management and oversight of the compliance monitoring program is enhanced by the exchange of information from the FRP and SPCC data systems to the EPA’s Integrated Compliance Information System (ICIS). This exchange gives the EPA the opportunity to focus compliance monitoring resources on areas of highest risk and to increase public transparency of this enforcement and compliance data. In addition, submitting information into ICIS electronically improves data coverage and quality.

The ability to streamline the regulatory submission process is advantageous for both industry and regulatory agencies. As opposed to paper plans, web-based planning is extremely beneficial for organizations that are subject to multiple applicable regulatory requirements. A web-based planning system with a regulatory tracking element can eliminate redundancies across converging compliance requirements, which maximizes informational consistency and administrative productivity. Many companies have embraced the benefits of streamlined web-based preparedness programs because of cost efficiency, information accessibility, and the ability to verify compliance. By advancing submission practices and raising industry standards, the EPA embraces a higher level of accuracy, availability, and consistency.

As part of the 2016 budget, the EPA states it will finalize the development and begin implementation of the National Oil Database including identifying requirements for electronic submission of Facility Response Plans (FRP) in order to create reporting efficiencies for the agency, states, local government and industry. The ICIS and database will support a more comprehensive analysis and better management of the FRP and SPCC compliance programs.

Note: FRP facilities are currently required to submit their plans to the EPA Regional Offices, while SPCC facilities maintain their plans onsite.


Tags: Facility Response Plan, SPCC, EPA

Company Fire Pre-Plans and Response Planning for Storage Tank Facilities

Posted on Thu, May 28, 2015

An emergency can quickly escalate if a storage tank containing flammable material catches fire. Developing detailed response procedures and site-specific fire pre-plans as part of an overall emergency management program provides employees, emergency responders, and firefighters with valuable information that can facilitate a safe, timely, and effective response. By exercising and sharing response plans and fire pre-plans prior to an incident, the potential for catastrophic, chain-reaction consequences can be minimized.

When employees and responders are familiar with fire pre-plans, site details, and respective responsibilities, they can quickly evaluate tank fires and initiate proven tactical responses with minimal delays. Pre-incident planning, preparedness, and coordination of response strategies should be considered and made part of response plans, drills, and exercises.

Identification of tank location in relation to facility entrances and fire-fighting equipment is critical in a timely response. This can be securely shared with responders through a web-based system with facility plot plans and detailed photographs. Other key fire pre-plan information should include individual tank specifications such as:
  • Tank roof type
  • Capacity
  • Tank surface area
  • Internal diameter
  • Tank height
  • Tank insulation
  • Total dike surface area
  • Dike capacity
  • Dike drain valve location
  • Exposures

Many established plans, including fire pre-plans, are inadequate for an effective response, out-of-date, or inaccessible to those that need the plans the most. These mistakes may stem from a failure to coordinate during the plan development process, inconsistent plan formats, or a lack of change management procedures. In order to be effective, site-specific tank and facility details must be incorporated into any response plan. The following generic emergency management procedures should be considered when developing site-specific response plans for facilities with storage tanks. (NOTE: Specific characteristics of the tank, product, and available resources should be evaluated prior to implementing any response plan procedures.)

Initial Response Actions/Notifications/Warning:

  • Warn others in the immediate area through verbal communication and/or activate local alarms.
  • Take immediate personal protective measures (PPE, move to safe location, etc.).
  • Activate emergency services and other firefighting resources.
  • Implement local response actions if safe to do so, and consistent with level of training and area specific procedures (process shutdowns, activate fire protection systems, etc.).

Notifications and warnings:

  • Proceed with internal and external notifications.
  • Determine and communicate shelter-in-place and/or evacuation directives.


Site Control:

  • Account for all personnel at the site. Confirm with entry/exit log if applicable.
  • Evacuate, as necessary, and monitor routes for safety.
  • Establish secure perimeters, safety zones, and required security measures.
  • Minimize site entry to essential personnel and responders.
  • If appropriate, ground fires should be extinguished first. Exercise care after the ground fire is extinguished to avoid disrupting the foam blanket over the spilled materials.
  • Cease tank operations, such as filling or withdrawing product, as soon as possible to eliminate tank content turbulence.

Fire Fighting and Containment:

  • Trained company personnel, such as those on the internal fire brigade, may extinguish the fire if it is within their training level parameters. It is imperative that responses are conducted in accordance with personnel training levels.
  • A response effort may be required by an internal fire brigade or external emergency personnel (ex. mutual aid groups, local fire departments, etc.).
  • The following concepts should be considered in the event of a crude tank fire when developing response procedures:
    1. A boil over covers approximately 7 times the tank area and extends into the air approximately 10 times the tank diameter. 
    2. Consumption rate of crude oil due to burning is approximately 12-18 inches per hour.
    3. The heat wave advances from the top of the liquid towards the bottom of the tank at approximately 24-36 inches per hour.
    4. A modified fog cooling stream may be periodically applied to the side of the tank to help determine the location of the heat wave in the tank.
    5. Evacuation of the area should be considered as the heat wave approaches the bottom few feet of the tank.
    6. Foam solution should only be applied through the tank foam chambers, if possible, to avoid the risk of static build-up.
    7. During an atmospheric tank fire, while using cooling streams on the tank exterior, additional attention should be given to applying cooling streams on the foam chambers and foam supply lines as well as the process lines within the dike area.
    8. Cooling streams on adjacent tanks should be applied as needed only. A cooling stream should periodically be applied to the exposed tank. If steam is given off, the cooling stream application should be continued until steam is no longer apparent. This will help reduce the demands on the fire water delivery system, and will minimize the water handling and disposal concerns from the tank dike areas.
    9. Pumping out the product of the tank may worsen the fire if the sides have been distorted and the roof does not lower evenly.
    10. Mid-range gravity crude oils have the potential for a boil over during fires that last for extended periods.
