Companies may not consider the interdependencies between critical operations, departments, personnel, and services until an event disrupts normal operations. A Business Impact Analysis (BIA), a key component in business continuity planning, presents the ability to identify and quantify which business unit that, when absent, would significantly impact a company. While the size and complexity of essential business elements required for sustainability varies among industries, companies, and specific facilities, the ability to quantify and prioritize critical workflow components is a key business continuity element.
Critical business units, associated functions, and a trained workforce provide the greatest financial value to companies. Companies that prioritize process sustainability initiatives that can meet recovery time objectives have a better chance of minimizing impacts of impeding disruptions.
Within each key business unit, additional business functions should be considered and evaluated. By identifying cross business unit dependencies, the need for integrated risk mitigation solutions can be highlighted and proactive measures can be taken. A workflow analysis may prioritize those business functions and processes that must be recovered in order for business continuity plans to be effective. Functions within each business unit may include, but are not limited to:
- Supply and trading
- Personnel and payroll
- Accounts payable
- Environmental health and safety
- Information technology
Once critical business functions and workflows are assessed and prioritized, a BIA should be performed. The goal of the analysis should be to identify the potential impacts of identified risks, uncontrolled threats, and potential non-specific events on these business functions and dynamic processes. Any potential resilience capabilities should be prioritized and mitigation opportunities should be examined. Operational and process managers should explore and quantify the following aspects to initiate the BIA process:
- Identify critical operational time periods when an interruption would have greater impacts (seasonal, end of quarter, specific month, etc.).
- Priorities should be determined if an interruption during high-output timeframes creates amplified operational and financial impacts.
- Indicate how likely each specific threat could occur, considering existing capabilities, mitigation measures, and history.
- Identify the duration and point in time when an interruption would impair operational processes and have financial impact.
- Estimate the maximum allowable downtime for each specific business function
- Consider downtime impacts from less than 1 hour to greater than one month
- Identify staffing level requirements (including contractors or suppliers) to meet typical daily productivity goals, as well as recovery time objectives.
- Identify the effects associated with a business unit interruption, considering existing mitigation measures. These may include, but are not limited to:
- Lost sales and income
- Negative cash flow resulting from delayed sales or income
- Increased expenses due to overtime, outsourcing or other operations that increase costs
- Regulatory fines and legal implications
- Contractual penalties or loss of contractual bonuses
- Customer dissatisfaction or withdrawal
- Delay of business plan execution or strategic initiatives
- Identify the time frame necessary to recover specific critical processes under existing capabilities and, if possible, potentially altered conditions.
- Determine and quantify financial impacts, considering existing mitigation measures.
- Critical functions that have the highest financial impacts should be prioritized in business continuity plans.
If a business continuity incident affects two or more business processes, the incident has a greater potential for impact. Interoperable communication and coordination among departments must be exercised for a swift recovery. The effects of a multi-tiered business continuity event can extend beyond the facility borders to affect personnel, multiple critical business processes, vendors or suppliers, and customers.
Adverse information technology (IT) conditions may affect numerous company departments, units and functions. IT components may include networks, servers, desktop and laptop computers and wireless devices. The ability to utilize both office productivity and enterprise-wide software may be essential to restore normal operations. Therefore, time critical recovery strategies for information technology, such as exercised data backup and restoration procedures, should be developed in order to limit the effects of interruptions across multiple business units.
Once critical business units are identified and the BIA is completed, companies can develop an applicable business continuity plan, ensuring a faster state of recovery.
Click HERE or the image below for a free download on Enterprise-Wide Response Planning.
In business, every threat can result in the same consequence: the loss or temporary cessation of key business processes. The process that institutes a path to sustainability and recovery is known as business continuity. Because sources and the likelihood of threats continually evolve, business continuity plans (BCPs) must be dynamic to incorporate evolutionary business process countermeasures.
These countermeasures include modern communication techniques. By transitioning from paper-based business continuity plans to a web-based approach, companies have the ability to maximize data and ensure a streamlined approach to business continuity. A web-based plan enables a standardized, enterprise-wide business continuity template, yet allows for site-specific details for each particular site.
A web-based platform, coupled with wireless technology, can speed up the cycle of continuity events. The following core business continuity elements should be included in a BCP, however they must be cyclically assessed for accuracy, potential mitigation opportunities, and lesson-learned insights in order for established processes and communication to be effectively maximized.
1. Plan distribution list and contacts: Business continuity planners must be certain that all current employees listed in the plan, as well as those on the plan distribution list is verified for accuracy. If maintaining accurate contact information is challenging, consider opting for notification verification system with email or text message capability that enables the contact to verify personal information and automatically update associated response plans.
2. Communication: By aligning mass notification methods with typical daily communication habits (cell phone, emails, texting), planners can ensure key contacts are made aware of any business interruption and BCP activation. Clear and effective communication channels must remain available in order to disseminate information to employees, assess and relay damage, and coordinate recovery strategies. Provide employees training in primary and established secondary communication methods in case of disruption of primary communications.
3. Key Staff Roles and Responsibilities: From business continuity implementation through recovery, job specific checklists and assigned procedures should be incorporated in a BCP. Task teams should be formed, at a minimum, to cover each essential business process. Each site may require unique minimum staffing levels to remain operational.
In the event that primary team members are not available, cross team training should be conducted to provide backups. Planners should make appropriate plan changes as operations and staff evolve.
4. Off-site Recovery Location: Include address, contact information, available on-site equipment, and any external equipment necessary for effective continuity of operations.
5. Recovery Time Objectives: Incremental processes and procedures should be identified to meet specific critical business process goals. Recovery goals may include increments of one hour, 24-hours, 48 hours, one week, one month, and long-term recovery.
6. Key Customers’ Data: Identify effective customer communication methods and necessary contact information required to inform customers of disruptions of deliverables or services. Effective customer relations and communication may be critical in retaining clients and maintaining positive relationships during a business interruption.
7. Key Supplier Contact List: Identify critical business unit dependencies and interdependencies and key contacts. Transportation delays could affect delivery times. Plan and mitigate accordingly.
8. Alternate Suppliers List: The consequences of a supply chain failure on associated key business components can be crippling. Alternate suppliers should be included in the BCP to ensure consistent delivery and continued operations in the event primary suppliers are affected by similar business continuity circumstances. As a company’s needs change and new suppliers come online, plans should be updated to include these critical suppliers.
9. Insurance Details: Identify details of insurance coverage and accurate contact information. The burden of proof when making claims typically lies with the policyholder. Accurate and detailed records are imperative.
10. Data Backup Details: Identify the procedural details of computer backups, data restoration methods, and the minimum program needs to re-establish critical business processes.
11. Technology Requirements: Identify necessary hardware and software, and the associated minimum recovery time requirements for each business unit. Companies should examine current data center outsourcing to ensure continuity and accessibility or research continually advancing alternatives.
12. Equipment Requirements: Detail applicable equipment requirements for each business unit and recovery time goals. To prevent unnecessary downtime and additional recovery efforts, identify and procure necessary equipment and establish processes for continued operations and recovery.
13. Review Log: Incorporate newly identified hazards and vulnerabilities into the business continuity plan. A log can include necessary equipment used (requiring replacement or replenishment), altered processes, and lessons learned.
Is your enterprise still utilizing paper or document style plans? Download the "Top 3 Benefits of a Web-Based Response Planning System" to see how your company can benefit.
Oil spill response planning and preparedness are necessary to satisfy applicable regulatory requirements, protect the environment, and ensure safety for responders and employees. Yet, all plans related to oil spills have one common thread: minimize the impacts!
Effective oil spill response plans can minimize the impacts associated with an oil spill. The objectives of these plans, regardless of type of facility, are to:
- Allow response personnel to prepare for and safely respond to spills
- Ensure an effective and efficient response that takes geographical challenges into account
- Outline spill response procedures and techniques at specific locations
- Improve regulatory compliance efforts
- Identify potential equipment, manpower, and other resources necessary to implement a spill response
History has proven that a single oil spill can have significant impacts to the environment and the responsible party. Off-site spill responses and containment efforts present unique challenges compared with spills occurring within the confines of the facility or secondary containment. These migrating spills require a higher level of coordination, communication, and surveillance in an effort to minimize downstream impacts.
It is critical to identify and provide detailed information regarding area socio-economic and natural resources and vulnerabilities that may be damaged if a spill were to occur. This information should guide response personnel to make reasonable, well-informed response actions to protect public health and the environment. Detailed information of downstream vulnerabilities and applicable response procedures should be included in an oil spill or tactical response plan.
Spill surveillance should begin as soon as possible following the discovery of a release to determine the appropriate response tactics. One future option for surveillance is the use of commercial unmanned aircraft systems (UAS), or more commonly known as drones. The push for commercial use of drones is gaining momentum as affordable devices are increasing in popularity. Currently, commercial use of drones are limited by the Federal Aviation Administration (FAA) authorization and require the operator to have certified aircraft and pilots, as well as FAA operating approval.
The FAA is responsible for establishing a plan for “safe integration” of UAS by September 30, 2015. However, some reports have indicated that the integration plan deadline will be delayed due to privacy debates and various industry specific regulations. “The FAA is still developing regulations, policies, and standards that will cover a wide variety of UAS users, and expects to publish a proposed rule for small UAS (under 55 pounds) later this year.”
A few companies have been granted the FAA’s Certificate of Waiver or Authorization for UAS allowing for the limited use of commercial drones. In July 2014, San Diego Gas & Electric (SDG&E) joined the likes of ConocoPhillips and BP with limited permission to use drones.
Until regulations, best practice protocols, and authorizations are established for the commercial use of drones, standardize surveillance guidelines and best practices can continue to enable response personnel to assess spill size, movement, and potential impact locations. These guidelines should be outlined in an oil spill response plan.
Below are guidelines that are routinely included in spill surveillance procedures:
- Dispatch observers to crossings downstream or down gradient to determine the spill’s maximum reach potential.
- During surveillance, travel beyond known impacted areas to check for additional oil spill sites.
- Clearly describe the locations where oil is observed and the areas where no oil has been seen.
- Educate personnel that clouds, shadows, sediment, floating organic matter, submerged sandbanks, or wind-induced patterns on the water may resemble an oil slick if viewed from a distance.
- Use surface vessels to confirm the presence of any suspected oil slicks (if safe to do so); consider directing the vessels and photographing the vessels from the air, the latter to show their position and size relative to the slick. It may be difficult to adequately observe oil on the water surface from a boat, dock, or shoreline.
- Spill surveillance is best accomplished through the use of helicopters or small planes; helicopters are preferred due to their superior visibility and maneuverability.
- If fixed-wing planes are to be used, high-wing types provide better visibility than low-wing types.
- All observations should be documented in writing and with photographs and/or videotapes; include the name and phone number of the person making the observations.
- Describe the approximate dimensions of the oil slick based on available reference points (i.e. vessel, shoreline features, facilities); use the aircraft or vessel to traverse the length and width of the slick while timing each pass; calculate the approximate size and area of the slick by multiplying speed and time.
- Record aerial observations on detailed maps, such as topographic maps.
- In the event of reduced visibility, such as dense fog or cloud cover, boats may have to be used to patrol the area and document the location and movements of the spill; however, this method may not be safe if the spill involves a highly flammable product.
- Surveillance is also required during spill response operations to gauge the effectiveness of response operations; to assist in locating skimmers; and assess the spill's size, movement, and impact.
For a free white paper on Conducting Effective Exercises, click here
, or on the image below.
The modernization of communication technologies has trickled down to the frameworks of emergency management. On July 29, 2014, the 'White House Innovation for Disaster Response and Recovery Demo Day” brought together the disaster response community and innovative entrepreneurs from across the country in the hopes of integrating technological advances with preparedness and disaster response efforts.
As the connectivity of the world increases, EHS programs and emergency managers are embracing collaborative and innovative preparedness and response initiatives. However, in order to germinate or sustain an ongoing culture of preparedness, companies must prioritize funding to incorporate new and relevant systems, training, and/or equipment. Unless mandated by regulatory authorities, many companies delay best practice and technological initiatives until an incident propels response planning to the forefront.
According to the Disaster Recovery Planning Benchmark Survey: 2014 Annual Report, “more than 60% of those who took the survey do not have a fully documented disaster recovery (DR) plan and another 40% admitted that the DR plan they currently have did not prove very useful when it was called on to respond to their worst disaster recovery event or scenario.
As the “Y” or the “Millennial” generation” (those born between 1980’s and 2000) continues to enter the workforce, emerging technologies will become more ingrained into society and the workplace. These educated and tech savvy individuals accustomed to fast-paced technological advancements consider technology as an essential aspect in their lives. Based on current trends, upcoming generations will be acclimated to instantaneous communication and data extraction from any location. Text, social media, and web-based technologies will be expected as commonplace emergency management frameworks, rather than the traditional means that most companies still utilize today. In order to integrate societal norms and stay relevant with upcoming generations of employees, emergency management and disaster response framework must be aligned with currently available utilized tools.
“Statistics suggest that every dollar invested in disaster preparedness yields savings of $4–$11 in disaster response, relief, and recovery.” The Harvard Humanitarian Initiative
Just as computers replaced typewriters to expand productivity, web-based response systems are replacing one-dimensional paper-based plans. Web-based response systems offer a greater streamlined functionality, renovated efficiency, and varied accessibility when compared with traditional paper-based plans. Web-based planning system software offers every option of instant accessibility: viewed via the Internet from any location, downloaded, or printed. Increasing accessibility options while improving efficiency, functionality, and effectiveness can bolster an entire emergency management program.
In order for new functionalities to be introduced to the workplace, emergency managers often are required to justify the initial investment. A cost-benefit analysis of a renovated emergency management program can highlight the potential cost savings of an effective program. Any prevention, mitigation, or plan maintenance costs should be compared with the financial impact of situational recovery processes and the overall costs of an incident. These costs may include, but are not limited to:
- Human life
- Short term or long term business interruption
- Infrastructure damage
- Equipment failure
- Inventory/stock losses
- Environmental destruction
The relevance of innovative techniques and lessons learned should be continually evaluated and incorporated into an emergency preparedness program if appropriate. While often suppressed in favor of short-term profits, budgets for pertinent emergency management initiatives should be prioritized for long-term corporate sustainability. But “change for change’s sake” does not typically enhance programs. The evolution process of an emergency management program should aim to perpetuate improved responses and operational recovery times, and enhance company viability despite crisis scenarios.
For a free download on essential preparedness measures, click here or on the image below.
As complex, advanced technologies, systems, and networks become ingrained in industrial operations and processes, the potential impacts from even minor disruptions increases. Industrial companies that prepare for a large variety of disruptions can limit its impact on business processes and accelerate the return to normal operations. For those not prepared, a targeted incident can become an escalated situation, negatively affecting profitability, customer relationships, and overall business performance. Business continuity plans (BCP) are crucial to ensure long-term viability, yet many industrial companies do not prioritize them.
Many business continuity issues can start as minor, isolated instances or aggravating inconveniences. However, if not addressed in a timely manner, incidents can escalate, potentially spreading to other key processes. With an effective BCP, mitigation measures, and proper employee training, potential disruptions and operational impacting events can be prevented.
Regardless of the size of your enterprise or scope of facility operations, industrial locations should have the following continuity elements in place.
- Standard procedures and assigned responsibilities regarding risk management, restoration, and IT recovery for each critical business area.
- A BIA (Business Impact Analysis)
- A risk assessment that identifies and prioritizes operational imposing scenarios
- Recovery Time Objectives (RTOs) based on cost-benefit analyses and BIAs
- Documented BCP with response, recovery, and restoration procedures
- BCP exercises aimed at improving RTOs and strategies by ensuring plans are accurate, actionable, and thorough
- Audits that test corporate-level standardization and policy implementations
- BCP training for managers and employees
The process of developing a BCP can identify continuity weaknesses within an enterprise and at specific facilities, as well as lapses within individual responsibility and operational processes. To strengthen the prospects of corporate viability, planning and training should include detailed standard operating procedures for BCP activation and address RTOs for each key business process. The BCP should offer procedural flexibility based on real-time situational assessment, as well as procedural variations for each scenario. Precise, site-specific, and accurate BCPs in conjunction with effective training and carefully planned exercises can often counteract a lack of general continuity awareness.
Many industrial facilities managers typically have expertise in proper hazard communications and emergency response techniques. However, industrial facility managers and their employees may lack business continuity experience and necessary expertise. If establishing BCPs or initiating continuity efforts are beyond the scope of managers, companies should consider hiring consultants who specialize in business continuity planning.
Employees who are trained in daily continuity procedures, in addition to response and restorative continuity methods will be better prepared in the event of a business-interrupting incident. By incorporating business continuity training, companies can expand their resilience strategies while minimizing risks to their employees, operations, reputation, and the financial bottom line.
BCP training should include a detailed account of specific roles and responsibilities. This will ensure continuity of knowledge among participants, enterprise-wide standard operating procedures, and site-specific business continuity processes. Companies should also be vigilant in training new hires, as well as be receptive to unique business continuity lesson learned that can be used to strengthen the BCP.
Although all companies should prepared for inevitable business disruptions, industrial facilities typically have heightened levels of vulnerabilities. In an industrial setting, hazards are often identified in order for potential impacts to be fully analyzed and countermeasures to be implemented. For business continuity strategies, a business impact analysis (BIA) can identify, quantify, and qualify the impacts in time of a loss, interruption or disruption of business activities on an organization, and provides the data from which appropriate continuity strategies can be determined.
Whether business disruptions stem from technological, man-made, or natural disasters, business continuity plans can be a valuable tool for protecting viability, securing resources, and maintaining customer relationships.
Click on the image below to download TRP Corp's free Industrial Preparedness white paper.
Process and procedural effectiveness and efficiency are key elements in determining a company’s success. Critically detailed reviews, evaluations, and improvements to your processes and procedures can contribute to overall corporate viability and profitability. Process and procedural effectiveness and efficiency are also critical when it comes to developing and implementing business continuity plans.
The goal of business continuity planning is to efficiently restore operations through a predetermined, systematic approach. Unfortunately, many companies lack adequate recovery planning, and recuperative procedures to restore critical information, essential processes, and normal business operations within an acceptable recovery time frame. The lack of business continuity preparedness can adversely affect corporate reputation, financial stability, and overall resilience.
The business continuity recovery process is typically a sequence of concurrent activities and interdependent activities that facilitate measured advances toward a successful recovery. Decisions and priorities set early in the recovery process often have a cascading effect on the evolution and speed of the recovery progress and business continuity efforts. Because recovery timeliness has a direct impact on operational viability, pre-planning business continuity implementation processes and intended procedures is critical.
Developing relationships and common understandings of roles and responsibilities prior to a disaster increases post-disaster collaboration and unified decision-making, and streamlines the recovery process. A fully coordinated recovery plan may require utilizing internal and external stakeholders. Business unit management and staff, in conjunction with external participants, must be familiar with and trained in the recovery procedures in order to effectively implement directives and maintain minimal business continuity.
Recovery time and outcomes vary based on incident circumstances, challenges, and priorities. A successful disaster recovery can be characterized as the return of operations to pre-disaster conditions. FEMA’s National Disaster Recovery Framework provides key factors that contribute to a successful recovery. With secured sharing abilities, a web-based, database driven planning system can aid in the management and communication of the key factors of a business continuity recovery process. These factors include:
1. Effective Decision-making and Coordination:
- Confirm roles and responsibilities of recovery team and stakeholders
- Examine recovery alternatives, address conflicts and make informed and timely decisions that best achieve recovery
- Establish metrics for tracking progress, ensuring accountability and reinforcing realistic expectations among stakeholders
- Track progress, ensure accountability, and make procedural adjustments as necessary
2. Integration of Community Recovery Planning Processes:
- Engage all stakeholders in pre-disaster business continuity and recovery planning, training, and exercises
- Establish processes and criteria for identifying and prioritizing key recovery actions and projects
3. Well-managed Recovery:
- Leverage and coordinate recovery teams, local response groups, government liaisons, and non-governmental organizations to accelerate the recovery process and avoid duplication of efforts
- Surge staffing and management structures as necessary to support the workload during recovery
- Establish leadership guidance, including the shift of roles and responsibilities, for the transition from response operations to recovery, and eventually a return to a normal (or new normal) operational state
- Ensure regulatory compliance throughout recovery process
4. Proactive Community Partnerships, Public Participation, and Public Awareness:
- Ensure transparency and accountability
- Communicate recovery objectives (short, intermediate and long-term) and applicable detailed information to employees, stakeholders, and community members
5. Well-administered Financials:
- Clearly identify funding sources and financial recovery processes
- Evaluate and present external programs that can provide financial assistance to aid in the recovery progress
- Allow for budgetary flexibility, yet maintain adequate financial monitoring and accounting systems
- Implement processes and systems that detect and deter fraud, waste, and abuse.
6. Organizational Flexibility:
- Institute scalable and flexible processes that can align with recovery operations objectives
- Institute business processes that can evolve and adapt to address the changing landscape of post-disaster environments
7. Resilient Rebuilding:
- Invoke “Lessons Learned” in the restoration phase to minimize risks and threats, and improve response, recovery and restoration efforts.
For a free Response Procedures Flow Chart download, click the image below:
As part of the Environmental Protection Agency’s (EPA) Oil Pollution Prevention program, certain facilities that store and use oil are required to develop, maintain, and submit an approved Facility Response Plan (FRP). These plans should address the elements and responses associated with substantial threats and worst case discharges of oil. If the Oil Pollution Act regulations are applicable to a facility, the operating company must prioritize response plan compliance in order to minimize fines, negative public perceptions, and potential government mandated shutdown of operations.
Maintaining a FRP is an ongoing process. As company operations evolve, and equipment and employees change, adjustments need to be incorporated into the FRP to ensure accuracy, compliance, and effective response capabilities. Additionally, the plan submittal processes must be observed and applied in order to eliminate the potential for fines.
This FRP assessment is designed to recognize best practices. Following the set of questions, the scoring section can assist in identifying potential necessary actions that can reduce the risk of non-compliance and/or ineffective responses.
1. Have your personally reviewed your company’s FRP within the past 12 months?
Yes _____ No_____
2. Do your employees have a clear understanding the FRP and their designated responsibilities if a worst-case scenario were to occur?
Yes _____ No_____
3. Have your external responders participated in a comprehensive review of your emergency management system or a response exercise within the last 12 months?
Yes _____ No_____
4. Does your plan identify a Qualified Individual and alternate who has full authority to obligate funds required to carry out necessary response actions and act as liaison with Federal On-Scene Coordinator?
Yes _____ No_____
5. Does your FRP identify a public relations contact or information officer who has knowledge of public affairs policies identified in your company’s FRP?
Yes _____ No_____
6. Were representatives of external resources involved in developing and testing the company’s FRP?
Yes _____ No_____
7. Does your company have adequate documentation procedures and capabilities to document plan l changes, training, and exercises?
Yes _____ No_____
8. Is your FRP consistent with the National Contingency Plan and any Area Contingency Plan?
Yes _____ No_____
9. Have you spent more than two hours during the past six months in face-to-face discussion with your incident management team about how to improve spill response management?
Yes _____ No_____
10. Are your response procedures brief and organized in a manner that enables your employees or response teams to effectively respond to a range of incidents?
Yes _____ No_____
11. Does your FRP clearly identify discharge detection procedures and equipment?
Yes _____ No_____
12. Are your current mutual aid agreements or external responder contracts current?
Yes _____ No_____
13. Is your incident response team equipped and trained to set up incident command center?
Yes _____ No_____
14. Does your FRP include detailed disposal procedures and contractors?
Yes _____ No_____
15. Does your FRP contain alternates for each Incident Management Team position in the event that the primary contacts are unavailable?
Yes _____ No_____
16. Do key individuals have secured, immediate access to the most up-to-day FRP without potential “version confusion”?
To assess your emergency management program, give yourself one point for each "yes" and zero points for each “no”. Total your score and grade your risk.
13–16 points: In general, your FRP is well managed. Look back at your "no" answers and decide what you can do to mitigate this area of exposure. Be sure to monitor regulatory requirements and any operational shifts that could alter the effectiveness of your FRP. For a comprehensive understanding of the status of your plan, perform a full FRP audit by qualified in-house experts or experienced consultants.
9-12 points: You are making good progress, but there are a number of actions required to reduce your risk of non-compliance or response inefficiency. You may wish to focus your attention on areas indicated by the "no" answers. Based on the results of reviews in these areas, you can decide what further steps are necessary. An expert evaluation of your current plan with response plan professionals can minimize potential fines and maximize response efficiencies.
5-8 points: Your company may be at risk, but you have taken the first step of mitigation: awareness. This score suggest your emergency management responsibilities are being partially met, but there is significant room for improvement. A response-planning consultant with FRP experience can assist planners with site evaluations, regulatory compliance criteria, mitigation efforts, and plan substantiation.
Fewer than 5 points: Your facility, employees, operations, and reputation are at risk! Prompt action is necessary to ensure a compliant emergency management program. You need to take immediate action for regulatory compliance and to improve the ability to respond effectively to an incident. A comprehensive review of your FRP and preparedness efforts is warranted to reduce your risk.
- Review FRP’s on a cyclical basis. If turnover is high or operations are rapidly evolving, FRPs should be reviewed quarterly, at a minimum.
- Ensure training, drills, and exercises are optimized. Each training event, drill, or exercise presents the opportunity to improve response process responsibility and site-specific response procedure awareness, rendering the potential for a more effective response.
- Despite the added strain of publicity during a crisis, engaging with the media should be incorporated into the planning process. Ensure the facility or company has a designated point of contact for media and site personnel. Consistent, accurate messages alleviate public anxiety and provide a level of credibility. The more information that is provided, the less the media will have room for interpretation.
- Documentation provides historical records, keeps management informed of site practices, serves as a legal instrument, if necessary, and supports time and maintenance costs.
- Consider utilizing a web-based, database driven planning system. A widely accessible emergency response plan can maximize efficiency and minimize impacts of an emergency on employees, the environment, and infrastructure. Incorporating TRP’s enterprise-wide emergency management system can maximize efforts, minimize maintenance costs, and allow for a streamlined and familiar response process.
For free download on facilitating effective oil spill exercises, click on the image below:
Improving the effectiveness of business continuity plans (BCPs) should be an ongoing event. From technological advancements to best practices implementation, continually evolving planning programs can improve recovery time and minimize unexpected impacts of recovery efforts.
Below are eight tips to consider in the continual effort to improve business continuity programs:
1. Data Availability and Accuracy: Establishing readily available, accurate, and up-to-date response information has been proven to limit the duration of the emergency. The faster continuity processes can be accessed and assessed, the sooner business continuity procedures can be implemented, critical business functions can be restored, and “business as usual” operations can be reestablished. Technology advancements and web-based formats enable companies to simplify plan administration efforts and expand availability options.
Site-specific information regarding company operations, critical business units, on-site equipment, and employees are continuously changing. If critical plan information is missing or out-of-date, the recovery will be hindered. Accurate details of personnel or operational modifications, expansions, and adjustments must be incorporated into a business continuity program.
2. Training: Business continuity training programs that include crucial personnel, experienced leadership, best practice guidelines, and proper documentation ensures established processes will be implemented as planned. While peripheral collaboration and partnerships in business continuity efforts can be markedly beneficial, companies should not solely rely on external assistance or government agencies to restore ideal working environments. Company training should be designed to minimize impacts on personnel and the operational infrastructure, while ensuring adequate business continuity responses.
Companies need to perform cyclical internal training program audits to create corporate assurance, add business continuity program value, improve operational productivity, and ideally prevent harmful incidents from dismantling operations. Objective internal auditing that begins with a business impact analysis (BIA) emphasizes corporate responsibility to employees. BIAs, in conjunction with training, can often reveal inadequacies and mitigation opportunities. Training audits can bring a systematic, self-sufficient, and disciplined approach to evaluating and improving the effectiveness of business continuity efforts and corporate governance processes.
3. Exercises: Exercises provide a setting for BCP procedures to be tested. Real world exercise scenarios can often highlight potential deficiencies in the BCP processes and procedures, comprehension of individual roles and responsibilities, and partnership coordination. Identifying BCP deficiencies can lead to unrecognized mitigation and training opportunities.
In preparation for these exercises, companies should develop exercise-planning documents, including participant and controller’s packages that contain exercise objectives, scenarios, ground rules, and simulation scripts. These guidelines, at a minimum, should be provided to all participants prior to the exercise to allow for a thorough examination of exercise expectations.
4. Accessibility: Web-based BCPs offer a secured accessibility option for stakeholders, auditors, and employees. With web-based technology and an Internet connection, enterprise-wide BCP programs embedded with database driven software can be immediately and securely available without the “version confusion” typically found in other formats.
Companies should establish BCP backup and download procedures that ensure the latest version of the plan is always accessible in the event Internet communication is lost. However, a web-based format enables secured access from any location, magnifying accessibility opportunities far from the site of impact. Both paper-based plans and those housed on a company intranet are often out of date with multiple versions in various locations or inaccessible in an emergency scenario.
5. Collaboration: Business continuity program effectiveness can be optimized through efficient interoperability and partnerships. When diverse organizations work together for a greater good, response expertise can dramatically broaden and recovery time minimized. Limiting the timeline of potentially escalating incidents and maximize business continuity efforts can accelerate recovery time and operational restoration. Coordinating planning, training, drills, exercises, and resource availability with local agencies, contractors, and site leadership is an important aspect of business continuity programs.
Local agencies may provide additional knowledge based on particular research, experiences, or occupational training in a particular area of study. Company or facility emergency managers and business continuity leaders should continually meet with government agencies, community organizations, and utility companies throughout the entire planning cycle to discuss likely emergencies and the available resources to minimize the effects on operations.
6. Auditing: Business continuity audits, whether conducted by in-house professionals or experienced consultants, can often reveal the planning inadequacies and mitigation opportunities. Regrettably, most companies address business continuity gaps only after an incident has occurred. With an objective eye, a BIA and plan audit can bolster a business continuity program and minimize the chance of incidents resulting in crippling revenue, operations, and company viability.
7. Mitigation: Adverse conditions, inept processes, or ineffective procedures pose risks to employees, infrastructures, and critical business units. By eliminating or mitigating risks, companies can reduce the potential for business continuity situations. A risk assessment and BIAs can be used to identify situations that may lead to incidents and prolonged response.
While all risks cannot be averted, a company can become better prepared for continuity if the procedural risk mitigation measures are implemented. Mitigation measures may include a variety of tactics including, but not limited to training for employees, updating processes and procedures, or purchasing updated equipment.
8. Best Practices Implementation: Applying “best practices” to a business continuity program enables managers to leverage past experiences as a means to improve planning efforts for future impacting scenarios. By analyzing past incidents and responses, executing enhancements, and reinforcing lessons learned, companies will be better prepared than their historical counterparts.
For a free download on Designing a Crisis Management Program, click the image below:
A well-developed Business Continuity Plan (BCP) can minimize escalating business disruptions, while safeguarding key business interests, relationships, and assets. Unfortunately, many companies do not acknowledge the value of a BCP and fail to prioritize sustainability. This many be especially true of highly regulated industries, such the oil and gas industry, that prioritize mandated compliance measures.
Below are common obstacles in business continuity planning and possible countermeasures to offset these hurdles.
Lack of management support
It is challenging to perform a cost-benefit analysis that measures the benefits of business continuity. There is a high degree of uncertainty associated with implementing BCP measures. Benefits resulting from BCP and mitigation efforts are dynamic in nature, and are not limited to a single structure, department, or operation.
The financial benefits from a BCP implementation must be viewed from the long-term perspective. A BCP can dramatically lessen the financial impact of future crises and promote operational sustainability and corporate viability. However, managers and corporate executives typically do not act based on “what if” scenarios unless regulations require implementation. Managerial actions are generally based on concrete financials that benefit departments, stockholders, and the bottom line.
Countermeasure: Provide managers and corporate decision-makers a detailed vulnerability and hazard analyses with concrete financial statistics of their effects. This may garner support for the development of BCPs. Additionally, professional reports and documentation that highlight increasing threats and vulnerabilities, such as the 2014 Global Risks Report by The World Economic Forum, makes a compelling case that may provoke and inspires leaders to implement continuity efforts.
Because companies are in the business of making a profit, business continuity planning budgets are often compromised for other priorities.
Countermeasure: It may be helpful to estimate the cost of implementation for each critical process in relation to the cost of a critical process breakdown. This exercise may highlight the need for a designated business continuity budget.
It may also be necessary to prioritize BCP implementation by each critical process with a step-by-step timeline for completion. Companies can identify and rank the most critical business processes, and implement BCP and mitigation measures based on those priorities. While most processes are intertwined, taking small steps to ensure process continuity is a step toward overall business continuity. Managers may be more likely to implement a BCP if it can be initiated over time.
Maintaining a culture of preparedness
Unless a company has experienced an eye-opening business continuity issue, the presence of a realistic, tangible threat may be the only protagonist to champion a culture of preparedness.
Countermeasure: Managers who emphasize, embrace, and enact safety and continuity measures, as part of standard operating procedures will create a work environment that reflects the guiding principles preparedness. As preparedness measures and best practices are ingrained in operational processes, personnel will be more apt to embrace the culture
Lack of business continuity awareness and training
When identifying company, operational, and process vulnerabilities, managers and employees frequently recognize the limits of their business continuity expertise. Oil and gas management and employees may have expertise in hazardous response planning measures and tactics, however their business continuity experience may be limited. The process of identifying business continuity mitigation opportunities, developing recovery processes, and training personnel in continuity roles and responsibilities often requires experience. Companies often disregard business continuity training and awareness as a result of ineptitude.
Countermeasure: If implementing continuity efforts are beyond the scope of managers, companies should consider hiring consultants who specialize in business continuity planning. External resources can address site-specific business continuity needs, detailed standard operating procedures for BCP activation, and personnel training. Training should convey procedural flexibility based on continuing assessment of disaster demands and provide options for each scenario. Companies can also assign a designated manager to become proficiently trained in business continuity in order to pass down preparedness guidelines and best practices.
Identifying critical processes:
Many mid to large sized companies often operate with separate, independent business units (or departments). Each critical business process within each unit must be identified and quantified in order to determine its role in the business continuity planning process. Most business unit processes are often intertwined with other critical functions, contributing to the overall profitability of a company. When critical business processes are not functional, a company’s ability to operate and reputation may be in jeopardy.
Countermeasures: Overall resilience capabilities should be prioritized to mitigate any interruption. Understanding response procedures, the interconnected structure of processes between units, and the intricacies of a “Plan B” can make the difference between corporate survival or failure. Crisis and disaster situations usually result in the loss or temporary disruption of one or more of the following necessary key business resources:
- IT Applications/Systems
- Supply Chain
Unidentified threats and vulnerabilities:
Threats and vulnerabilities must be identified in order for potential impacts to be analyzed and countermeasures to be implemented. Identification can be complicated by the continuing evolving nature of potential threats and vulnerabilities. Threats and vulnerabilities can stem from both external and internal actions. New technologies, best practices, and mitigation efforts can often minimize threats. However, as operations evolve and new concepts are introduced, additional threats and vulnerabilities can emerge.
Countermeasures: An annual risk and hazard analysis can identify potential undiscovered threats and vulnerabilities relating to business continuity. This analysis indicates the likeliness that specific threats that could occur, considering existing site-specific factors, capabilities, mitigation measures, and history. Companies should analyze potential continuity threats from typical weather patterns, geographical influences, security efforts, inherent operational hazards, as well as facility design and potential maintenance issues.
For a free download on Designing a Crisis Management Program, click the image below:
Emergency management is continually evolving. The changing threat environment, including acts of nature, accidents, infrastructure weaknesses, cyber security attacks, and terrorist related incidents, coupled with tightly intertwined supply chains, has increased the urgency to revamp emergency management and business continuity efforts.
Building business continuity and emergency response plans to maintain personnel safety, and protect and restore operations is vital. Companies continue to develop and improve upon existing processes to seamlessly aid in managing risk and the rapid restoration of operational processes. However, with ever-changing threats, multiple sites, and human resource variables across an enterprise, most companies find it challenging to develop and maintain accurate and realistic business continuity plans (BCPs).
While the planning process may be executed with in-house staff, some companies prefer to use seasoned consultants for impartial critical process evaluations and experienced guidance. Consultants should have hands-on experience in business continuity and disaster preparedness. Specialized consultants may offer web-based, database driven platforms that incorporate site-specific business continuity information while streamlining company formats across an enterprise. The web-base option eases maintenance efforts and reduces administrative costs associated with managing BCPs. However, consultants must be able to comprehend core business needs and clearly communicate recommendations in order to successfully develop a customized, site specific, and functional BCP.
According to FEMA, the ability to perform essential functions lies within four key resources.
- Communications and Technology
Site-specific information must be applied to the key resources. It is necessary for continued operation to evaluate and identify alternate site-specific resources that may be utilized during an incident. If one or more of the key resources are lost, critical business processes may be affected. Keep in mind that any new business operations that may have developed also need to be included in these evaluations.
Business Continuity Coordinators (BCCs) are typically responsible for the development and maintenance of business continuity plans. They must work closely with critical business units to understand their processes, identify risks, and provide solutions to help manage and minimize those risks. However, once an incident occurs, the BCCs must communicate, manage, and control activities associated with damage assessments and the recovery of critical business functions. Depending on the enterprise, a BCC may be assigned to an individual facility or a specific geographic location that encompasses numerous facilities with like-operations.
The BCC, in conjunction with the Incident Commander, may be tasked with activating and coordinating organization elements in accordance with an incident action plan. By working with the appropriate business unit leaders assigned to business continuity/recovery plans, the BCC can also provide guidance for compliance with Incident Action Plan (IAP) components.
The BCP should systematically guide specifically assigned personnel to restore operations that are affected by abnormal conditions. It is critical to identify the implications of a sudden loss for each business unit or necessary resource by performing a business impact analysis. While critical process evaluations can determine operational dependencies that are required to maintain normal operations, staff must be trained to carry out the BCP objectives. BCP training and exercises should occur (at a minimum) on an annual basis, or as required by regulations or company policy.
A BCP should identify the minimum staffing levels necessary to remain operational. As recovery advances, staffing levels may require adjustments. Depending on the scenario, the least critical process participants might have to vacate the facility while leaving critical players in motion to maintain or restore necessary functions. Companies should ensure staff, contractors, and suppliers understand their initial and adjusted responsibilities, and recovery time objectives.
Communications and Technology
Clear and effective communication channels and critical technologies must be available in order to disseminate information to employees, assess and relay incident updates, and implement necessary recovery strategies. As part of the business continuity mitigation process, companies should evaluate available communication equipment, mass notification systems, and technology storage and backup processes to ensure accessibility and functionality in multiple business continuity scenarios. All critical communication and technology should be included in a BCP with detailed recovery procedures and recovery time objectives.
Facility management should be a crucial aspect of a business continuity plan. If an area or facility cannot sustain minimum service or operational levels, companies should mobilize resources, and/or relocate equipment and personnel to alternate areas, facilities, or redundant sites. If deemed acceptable, this may include “working from home” strategies. In order to respond quickly and effectively to facility damage, BCPs should include predetermined suppliers/contractors (tree services, plumbers, electricians, restoration companies, and/or necessary skilled trades and suppliers).
For a free download on Designing a Crisis Management Program, click the image below: