The modernization of communication technologies has trickled down to the frameworks of emergency management. On July 29, 2014, the 'White House Innovation for Disaster Response and Recovery Demo Day” brought together the disaster response community and innovative entrepreneurs from across the country in the hopes of integrating technological advances with preparedness and disaster response efforts.
As the connectivity of the world increases, EHS programs and emergency managers are embracing collaborative and innovative preparedness and response initiatives. However, in order to germinate or sustain an ongoing culture of preparedness, companies must prioritize funding to incorporate new and relevant systems, training, and/or equipment. Unless mandated by regulatory authorities, many companies delay best practice and technological initiatives until an incident propels response planning to the forefront.
According to the Disaster Recovery Planning Benchmark Survey: 2014 Annual Report, “more than 60% of those who took the survey do not have a fully documented disaster recovery (DR) plan and another 40% admitted that the DR plan they currently have did not prove very useful when it was called on to respond to their worst disaster recovery event or scenario.
As the “Y” or the “Millennial” generation” (those born between 1980’s and 2000) continues to enter the workforce, emerging technologies will become more ingrained into society and the workplace. These educated and tech savvy individuals accustomed to fast-paced technological advancements consider technology as an essential aspect in their lives. Based on current trends, upcoming generations will be acclimated to instantaneous communication and data extraction from any location. Text, social media, and web-based technologies will be expected as commonplace emergency management frameworks, rather than the traditional means that most companies still utilize today. In order to integrate societal norms and stay relevant with upcoming generations of employees, emergency management and disaster response framework must be aligned with currently available utilized tools.
“Statistics suggest that every dollar invested in disaster preparedness yields savings of $4–$11 in disaster response, relief, and recovery.” The Harvard Humanitarian Initiative
Just as computers replaced typewriters to expand productivity, web-based response systems are replacing one-dimensional paper-based plans. Web-based response systems offer a greater streamlined functionality, renovated efficiency, and varied accessibility when compared with traditional paper-based plans. Web-based planning system software offers every option of instant accessibility: viewed via the Internet from any location, downloaded, or printed. Increasing accessibility options while improving efficiency, functionality, and effectiveness can bolster an entire emergency management program.
In order for new functionalities to be introduced to the workplace, emergency managers often are required to justify the initial investment. A cost-benefit analysis of a renovated emergency management program can highlight the potential cost savings of an effective program. Any prevention, mitigation, or plan maintenance costs should be compared with the financial impact of situational recovery processes and the overall costs of an incident. These costs may include, but are not limited to:
- Human life
- Short term or long term business interruption
- Infrastructure damage
- Equipment failure
- Inventory/stock losses
- Environmental destruction
The relevance of innovative techniques and lessons learned should be continually evaluated and incorporated into an emergency preparedness program if appropriate. While often suppressed in favor of short-term profits, budgets for pertinent emergency management initiatives should be prioritized for long-term corporate sustainability. But “change for change’s sake” does not typically enhance programs. The evolution process of an emergency management program should aim to perpetuate improved responses and operational recovery times, and enhance company viability despite crisis scenarios.
For a free download on essential preparedness measures, click here or on the image below.
As complex, advanced technologies, systems, and networks become ingrained in industrial operations and processes, the potential impacts from even minor disruptions increases. Industrial companies that prepare for a large variety of disruptions can limit its impact on business processes and accelerate the return to normal operations. For those not prepared, a targeted incident can become an escalated situation, negatively affecting profitability, customer relationships, and overall business performance. Business continuity plans (BCP) are crucial to ensure long-term viability, yet many industrial companies do not prioritize them.
Many business continuity issues can start as minor, isolated instances or aggravating inconveniences. However, if not addressed in a timely manner, incidents can escalate, potentially spreading to other key processes. With an effective BCP, mitigation measures, and proper employee training, potential disruptions and operational impacting events can be prevented.
Regardless of the size of your enterprise or scope of facility operations, industrial locations should have the following continuity elements in place.
- Standard procedures and assigned responsibilities regarding risk management, restoration, and IT recovery for each critical business area.
- A BIA (Business Impact Analysis)
- A risk assessment that identifies and prioritizes operational imposing scenarios
- Recovery Time Objectives (RTOs) based on cost-benefit analyses and BIAs
- Documented BCP with response, recovery, and restoration procedures
- BCP exercises aimed at improving RTOs and strategies by ensuring plans are accurate, actionable, and thorough
- Audits that test corporate-level standardization and policy implementations
- BCP training for managers and employees
The process of developing a BCP can identify continuity weaknesses within an enterprise and at specific facilities, as well as lapses within individual responsibility and operational processes. To strengthen the prospects of corporate viability, planning and training should include detailed standard operating procedures for BCP activation and address RTOs for each key business process. The BCP should offer procedural flexibility based on real-time situational assessment, as well as procedural variations for each scenario. Precise, site-specific, and accurate BCPs in conjunction with effective training and carefully planned exercises can often counteract a lack of general continuity awareness.
Many industrial facilities managers typically have expertise in proper hazard communications and emergency response techniques. However, industrial facility managers and their employees may lack business continuity experience and necessary expertise. If establishing BCPs or initiating continuity efforts are beyond the scope of managers, companies should consider hiring consultants who specialize in business continuity planning.
Employees who are trained in daily continuity procedures, in addition to response and restorative continuity methods will be better prepared in the event of a business-interrupting incident. By incorporating business continuity training, companies can expand their resilience strategies while minimizing risks to their employees, operations, reputation, and the financial bottom line.
BCP training should include a detailed account of specific roles and responsibilities. This will ensure continuity of knowledge among participants, enterprise-wide standard operating procedures, and site-specific business continuity processes. Companies should also be vigilant in training new hires, as well as be receptive to unique business continuity lesson learned that can be used to strengthen the BCP.
Although all companies should prepared for inevitable business disruptions, industrial facilities typically have heightened levels of vulnerabilities. In an industrial setting, hazards are often identified in order for potential impacts to be fully analyzed and countermeasures to be implemented. For business continuity strategies, a business impact analysis (BIA) can identify, quantify, and qualify the impacts in time of a loss, interruption or disruption of business activities on an organization, and provides the data from which appropriate continuity strategies can be determined.
Whether business disruptions stem from technological, man-made, or natural disasters, business continuity plans can be a valuable tool for protecting viability, securing resources, and maintaining customer relationships.
Click on the image below to download TRP Corp's free Industrial Preparedness white paper.
Process and procedural effectiveness and efficiency are key elements in determining a company’s success. Critically detailed reviews, evaluations, and improvements to your processes and procedures can contribute to overall corporate viability and profitability. Process and procedural effectiveness and efficiency are also critical when it comes to developing and implementing business continuity plans.
The goal of business continuity planning is to efficiently restore operations through a predetermined, systematic approach. Unfortunately, many companies lack adequate recovery planning, and recuperative procedures to restore critical information, essential processes, and normal business operations within an acceptable recovery time frame. The lack of business continuity preparedness can adversely affect corporate reputation, financial stability, and overall resilience.
The business continuity recovery process is typically a sequence of concurrent activities and interdependent activities that facilitate measured advances toward a successful recovery. Decisions and priorities set early in the recovery process often have a cascading effect on the evolution and speed of the recovery progress and business continuity efforts. Because recovery timeliness has a direct impact on operational viability, pre-planning business continuity implementation processes and intended procedures is critical.
Developing relationships and common understandings of roles and responsibilities prior to a disaster increases post-disaster collaboration and unified decision-making, and streamlines the recovery process. A fully coordinated recovery plan may require utilizing internal and external stakeholders. Business unit management and staff, in conjunction with external participants, must be familiar with and trained in the recovery procedures in order to effectively implement directives and maintain minimal business continuity.
Recovery time and outcomes vary based on incident circumstances, challenges, and priorities. A successful disaster recovery can be characterized as the return of operations to pre-disaster conditions. FEMA’s National Disaster Recovery Framework provides key factors that contribute to a successful recovery. With secured sharing abilities, a web-based, database driven planning system can aid in the management and communication of the key factors of a business continuity recovery process. These factors include:
1. Effective Decision-making and Coordination:
- Confirm roles and responsibilities of recovery team and stakeholders
- Examine recovery alternatives, address conflicts and make informed and timely decisions that best achieve recovery
- Establish metrics for tracking progress, ensuring accountability and reinforcing realistic expectations among stakeholders
- Track progress, ensure accountability, and make procedural adjustments as necessary
2. Integration of Community Recovery Planning Processes:
- Engage all stakeholders in pre-disaster business continuity and recovery planning, training, and exercises
- Establish processes and criteria for identifying and prioritizing key recovery actions and projects
3. Well-managed Recovery:
- Leverage and coordinate recovery teams, local response groups, government liaisons, and non-governmental organizations to accelerate the recovery process and avoid duplication of efforts
- Surge staffing and management structures as necessary to support the workload during recovery
- Establish leadership guidance, including the shift of roles and responsibilities, for the transition from response operations to recovery, and eventually a return to a normal (or new normal) operational state
- Ensure regulatory compliance throughout recovery process
4. Proactive Community Partnerships, Public Participation, and Public Awareness:
- Ensure transparency and accountability
- Communicate recovery objectives (short, intermediate and long-term) and applicable detailed information to employees, stakeholders, and community members
5. Well-administered Financials:
- Clearly identify funding sources and financial recovery processes
- Evaluate and present external programs that can provide financial assistance to aid in the recovery progress
- Allow for budgetary flexibility, yet maintain adequate financial monitoring and accounting systems
- Implement processes and systems that detect and deter fraud, waste, and abuse.
6. Organizational Flexibility:
- Institute scalable and flexible processes that can align with recovery operations objectives
- Institute business processes that can evolve and adapt to address the changing landscape of post-disaster environments
7. Resilient Rebuilding:
- Invoke “Lessons Learned” in the restoration phase to minimize risks and threats, and improve response, recovery and restoration efforts.
For a free Response Procedures Flow Chart download, click the image below:
As part of the Environmental Protection Agency’s (EPA) Oil Pollution Prevention program, certain facilities that store and use oil are required to develop, maintain, and submit an approved Facility Response Plan (FRP). These plans should address the elements and responses associated with substantial threats and worst case discharges of oil. If the Oil Pollution Act regulations are applicable to a facility, the operating company must prioritize response plan compliance in order to minimize fines, negative public perceptions, and potential government mandated shutdown of operations.
Maintaining a FRP is an ongoing process. As company operations evolve, and equipment and employees change, adjustments need to be incorporated into the FRP to ensure accuracy, compliance, and effective response capabilities. Additionally, the plan submittal processes must be observed and applied in order to eliminate the potential for fines.
This FRP assessment is designed to recognize best practices. Following the set of questions, the scoring section can assist in identifying potential necessary actions that can reduce the risk of non-compliance and/or ineffective responses.
1. Have your personally reviewed your company’s FRP within the past 12 months?
Yes _____ No_____
2. Do your employees have a clear understanding the FRP and their designated responsibilities if a worst-case scenario were to occur?
Yes _____ No_____
3. Have your external responders participated in a comprehensive review of your emergency management system or a response exercise within the last 12 months?
Yes _____ No_____
4. Does your plan identify a Qualified Individual and alternate who has full authority to obligate funds required to carry out necessary response actions and act as liaison with Federal On-Scene Coordinator?
Yes _____ No_____
5. Does your FRP identify a public relations contact or information officer who has knowledge of public affairs policies identified in your company’s FRP?
Yes _____ No_____
6. Were representatives of external resources involved in developing and testing the company’s FRP?
Yes _____ No_____
7. Does your company have adequate documentation procedures and capabilities to document plan l changes, training, and exercises?
Yes _____ No_____
8. Is your FRP consistent with the National Contingency Plan and any Area Contingency Plan?
Yes _____ No_____
9. Have you spent more than two hours during the past six months in face-to-face discussion with your incident management team about how to improve spill response management?
Yes _____ No_____
10. Are your response procedures brief and organized in a manner that enables your employees or response teams to effectively respond to a range of incidents?
Yes _____ No_____
11. Does your FRP clearly identify discharge detection procedures and equipment?
Yes _____ No_____
12. Are your current mutual aid agreements or external responder contracts current?
Yes _____ No_____
13. Is your incident response team equipped and trained to set up incident command center?
Yes _____ No_____
14. Does your FRP include detailed disposal procedures and contractors?
Yes _____ No_____
15. Does your FRP contain alternates for each Incident Management Team position in the event that the primary contacts are unavailable?
Yes _____ No_____
16. Do key individuals have secured, immediate access to the most up-to-day FRP without potential “version confusion”?
To assess your emergency management program, give yourself one point for each "yes" and zero points for each “no”. Total your score and grade your risk.
13–16 points: In general, your FRP is well managed. Look back at your "no" answers and decide what you can do to mitigate this area of exposure. Be sure to monitor regulatory requirements and any operational shifts that could alter the effectiveness of your FRP. For a comprehensive understanding of the status of your plan, perform a full FRP audit by qualified in-house experts or experienced consultants.
9-12 points: You are making good progress, but there are a number of actions required to reduce your risk of non-compliance or response inefficiency. You may wish to focus your attention on areas indicated by the "no" answers. Based on the results of reviews in these areas, you can decide what further steps are necessary. An expert evaluation of your current plan with response plan professionals can minimize potential fines and maximize response efficiencies.
5-8 points: Your company may be at risk, but you have taken the first step of mitigation: awareness. This score suggest your emergency management responsibilities are being partially met, but there is significant room for improvement. A response-planning consultant with FRP experience can assist planners with site evaluations, regulatory compliance criteria, mitigation efforts, and plan substantiation.
Fewer than 5 points: Your facility, employees, operations, and reputation are at risk! Prompt action is necessary to ensure a compliant emergency management program. You need to take immediate action for regulatory compliance and to improve the ability to respond effectively to an incident. A comprehensive review of your FRP and preparedness efforts is warranted to reduce your risk.
- Review FRP’s on a cyclical basis. If turnover is high or operations are rapidly evolving, FRPs should be reviewed quarterly, at a minimum.
- Ensure training, drills, and exercises are optimized. Each training event, drill, or exercise presents the opportunity to improve response process responsibility and site-specific response procedure awareness, rendering the potential for a more effective response.
- Despite the added strain of publicity during a crisis, engaging with the media should be incorporated into the planning process. Ensure the facility or company has a designated point of contact for media and site personnel. Consistent, accurate messages alleviate public anxiety and provide a level of credibility. The more information that is provided, the less the media will have room for interpretation.
- Documentation provides historical records, keeps management informed of site practices, serves as a legal instrument, if necessary, and supports time and maintenance costs.
- Consider utilizing a web-based, database driven planning system. A widely accessible emergency response plan can maximize efficiency and minimize impacts of an emergency on employees, the environment, and infrastructure. Incorporating TRP’s enterprise-wide emergency management system can maximize efforts, minimize maintenance costs, and allow for a streamlined and familiar response process.
For free download on facilitating effective oil spill exercises, click on the image below:
Improving the effectiveness of business continuity plans (BCPs) should be an ongoing event. From technological advancements to best practices implementation, continually evolving planning programs can improve recovery time and minimize unexpected impacts of recovery efforts.
Below are eight tips to consider in the continual effort to improve business continuity programs:
1. Data Availability and Accuracy: Establishing readily available, accurate, and up-to-date response information has been proven to limit the duration of the emergency. The faster continuity processes can be accessed and assessed, the sooner business continuity procedures can be implemented, critical business functions can be restored, and “business as usual” operations can be reestablished. Technology advancements and web-based formats enable companies to simplify plan administration efforts and expand availability options.
Site-specific information regarding company operations, critical business units, on-site equipment, and employees are continuously changing. If critical plan information is missing or out-of-date, the recovery will be hindered. Accurate details of personnel or operational modifications, expansions, and adjustments must be incorporated into a business continuity program.
2. Training: Business continuity training programs that include crucial personnel, experienced leadership, best practice guidelines, and proper documentation ensures established processes will be implemented as planned. While peripheral collaboration and partnerships in business continuity efforts can be markedly beneficial, companies should not solely rely on external assistance or government agencies to restore ideal working environments. Company training should be designed to minimize impacts on personnel and the operational infrastructure, while ensuring adequate business continuity responses.
Companies need to perform cyclical internal training program audits to create corporate assurance, add business continuity program value, improve operational productivity, and ideally prevent harmful incidents from dismantling operations. Objective internal auditing that begins with a business impact analysis (BIA) emphasizes corporate responsibility to employees. BIAs, in conjunction with training, can often reveal inadequacies and mitigation opportunities. Training audits can bring a systematic, self-sufficient, and disciplined approach to evaluating and improving the effectiveness of business continuity efforts and corporate governance processes.
3. Exercises: Exercises provide a setting for BCP procedures to be tested. Real world exercise scenarios can often highlight potential deficiencies in the BCP processes and procedures, comprehension of individual roles and responsibilities, and partnership coordination. Identifying BCP deficiencies can lead to unrecognized mitigation and training opportunities.
In preparation for these exercises, companies should develop exercise-planning documents, including participant and controller’s packages that contain exercise objectives, scenarios, ground rules, and simulation scripts. These guidelines, at a minimum, should be provided to all participants prior to the exercise to allow for a thorough examination of exercise expectations.
4. Accessibility: Web-based BCPs offer a secured accessibility option for stakeholders, auditors, and employees. With web-based technology and an Internet connection, enterprise-wide BCP programs embedded with database driven software can be immediately and securely available without the “version confusion” typically found in other formats.
Companies should establish BCP backup and download procedures that ensure the latest version of the plan is always accessible in the event Internet communication is lost. However, a web-based format enables secured access from any location, magnifying accessibility opportunities far from the site of impact. Both paper-based plans and those housed on a company intranet are often out of date with multiple versions in various locations or inaccessible in an emergency scenario.
5. Collaboration: Business continuity program effectiveness can be optimized through efficient interoperability and partnerships. When diverse organizations work together for a greater good, response expertise can dramatically broaden and recovery time minimized. Limiting the timeline of potentially escalating incidents and maximize business continuity efforts can accelerate recovery time and operational restoration. Coordinating planning, training, drills, exercises, and resource availability with local agencies, contractors, and site leadership is an important aspect of business continuity programs.
Local agencies may provide additional knowledge based on particular research, experiences, or occupational training in a particular area of study. Company or facility emergency managers and business continuity leaders should continually meet with government agencies, community organizations, and utility companies throughout the entire planning cycle to discuss likely emergencies and the available resources to minimize the effects on operations.
6. Auditing: Business continuity audits, whether conducted by in-house professionals or experienced consultants, can often reveal the planning inadequacies and mitigation opportunities. Regrettably, most companies address business continuity gaps only after an incident has occurred. With an objective eye, a BIA and plan audit can bolster a business continuity program and minimize the chance of incidents resulting in crippling revenue, operations, and company viability.
7. Mitigation: Adverse conditions, inept processes, or ineffective procedures pose risks to employees, infrastructures, and critical business units. By eliminating or mitigating risks, companies can reduce the potential for business continuity situations. A risk assessment and BIAs can be used to identify situations that may lead to incidents and prolonged response.
While all risks cannot be averted, a company can become better prepared for continuity if the procedural risk mitigation measures are implemented. Mitigation measures may include a variety of tactics including, but not limited to training for employees, updating processes and procedures, or purchasing updated equipment.
8. Best Practices Implementation: Applying “best practices” to a business continuity program enables managers to leverage past experiences as a means to improve planning efforts for future impacting scenarios. By analyzing past incidents and responses, executing enhancements, and reinforcing lessons learned, companies will be better prepared than their historical counterparts.
For a free download on Designing a Crisis Management Program, click the image below:
A well-developed Business Continuity Plan (BCP) can minimize escalating business disruptions, while safeguarding key business interests, relationships, and assets. Unfortunately, many companies do not acknowledge the value of a BCP and fail to prioritize sustainability. This many be especially true of highly regulated industries, such the oil and gas industry, that prioritize mandated compliance measures.
Below are common obstacles in business continuity planning and possible countermeasures to offset these hurdles.
Lack of management support
It is challenging to perform a cost-benefit analysis that measures the benefits of business continuity. There is a high degree of uncertainty associated with implementing BCP measures. Benefits resulting from BCP and mitigation efforts are dynamic in nature, and are not limited to a single structure, department, or operation.
The financial benefits from a BCP implementation must be viewed from the long-term perspective. A BCP can dramatically lessen the financial impact of future crises and promote operational sustainability and corporate viability. However, managers and corporate executives typically do not act based on “what if” scenarios unless regulations require implementation. Managerial actions are generally based on concrete financials that benefit departments, stockholders, and the bottom line.
Countermeasure: Provide managers and corporate decision-makers a detailed vulnerability and hazard analyses with concrete financial statistics of their effects. This may garner support for the development of BCPs. Additionally, professional reports and documentation that highlight increasing threats and vulnerabilities, such as the 2014 Global Risks Report by The World Economic Forum, makes a compelling case that may provoke and inspires leaders to implement continuity efforts.
Because companies are in the business of making a profit, business continuity planning budgets are often compromised for other priorities.
Countermeasure: It may be helpful to estimate the cost of implementation for each critical process in relation to the cost of a critical process breakdown. This exercise may highlight the need for a designated business continuity budget.
It may also be necessary to prioritize BCP implementation by each critical process with a step-by-step timeline for completion. Companies can identify and rank the most critical business processes, and implement BCP and mitigation measures based on those priorities. While most processes are intertwined, taking small steps to ensure process continuity is a step toward overall business continuity. Managers may be more likely to implement a BCP if it can be initiated over time.
Maintaining a culture of preparedness
Unless a company has experienced an eye-opening business continuity issue, the presence of a realistic, tangible threat may be the only protagonist to champion a culture of preparedness.
Countermeasure: Managers who emphasize, embrace, and enact safety and continuity measures, as part of standard operating procedures will create a work environment that reflects the guiding principles preparedness. As preparedness measures and best practices are ingrained in operational processes, personnel will be more apt to embrace the culture
Lack of business continuity awareness and training
When identifying company, operational, and process vulnerabilities, managers and employees frequently recognize the limits of their business continuity expertise. Oil and gas management and employees may have expertise in hazardous response planning measures and tactics, however their business continuity experience may be limited. The process of identifying business continuity mitigation opportunities, developing recovery processes, and training personnel in continuity roles and responsibilities often requires experience. Companies often disregard business continuity training and awareness as a result of ineptitude.
Countermeasure: If implementing continuity efforts are beyond the scope of managers, companies should consider hiring consultants who specialize in business continuity planning. External resources can address site-specific business continuity needs, detailed standard operating procedures for BCP activation, and personnel training. Training should convey procedural flexibility based on continuing assessment of disaster demands and provide options for each scenario. Companies can also assign a designated manager to become proficiently trained in business continuity in order to pass down preparedness guidelines and best practices.
Identifying critical processes:
Many mid to large sized companies often operate with separate, independent business units (or departments). Each critical business process within each unit must be identified and quantified in order to determine its role in the business continuity planning process. Most business unit processes are often intertwined with other critical functions, contributing to the overall profitability of a company. When critical business processes are not functional, a company’s ability to operate and reputation may be in jeopardy.
Countermeasures: Overall resilience capabilities should be prioritized to mitigate any interruption. Understanding response procedures, the interconnected structure of processes between units, and the intricacies of a “Plan B” can make the difference between corporate survival or failure. Crisis and disaster situations usually result in the loss or temporary disruption of one or more of the following necessary key business resources:
- IT Applications/Systems
- Supply Chain
Unidentified threats and vulnerabilities:
Threats and vulnerabilities must be identified in order for potential impacts to be analyzed and countermeasures to be implemented. Identification can be complicated by the continuing evolving nature of potential threats and vulnerabilities. Threats and vulnerabilities can stem from both external and internal actions. New technologies, best practices, and mitigation efforts can often minimize threats. However, as operations evolve and new concepts are introduced, additional threats and vulnerabilities can emerge.
Countermeasures: An annual risk and hazard analysis can identify potential undiscovered threats and vulnerabilities relating to business continuity. This analysis indicates the likeliness that specific threats that could occur, considering existing site-specific factors, capabilities, mitigation measures, and history. Companies should analyze potential continuity threats from typical weather patterns, geographical influences, security efforts, inherent operational hazards, as well as facility design and potential maintenance issues.
For a free download on Designing a Crisis Management Program, click the image below:
Emergency management is continually evolving. The changing threat environment, including acts of nature, accidents, infrastructure weaknesses, cyber security attacks, and terrorist related incidents, coupled with tightly intertwined supply chains, has increased the urgency to revamp emergency management and business continuity efforts.
Building business continuity and emergency response plans to maintain personnel safety, and protect and restore operations is vital. Companies continue to develop and improve upon existing processes to seamlessly aid in managing risk and the rapid restoration of operational processes. However, with ever-changing threats, multiple sites, and human resource variables across an enterprise, most companies find it challenging to develop and maintain accurate and realistic business continuity plans (BCPs).
While the planning process may be executed with in-house staff, some companies prefer to use seasoned consultants for impartial critical process evaluations and experienced guidance. Consultants should have hands-on experience in business continuity and disaster preparedness. Specialized consultants may offer web-based, database driven platforms that incorporate site-specific business continuity information while streamlining company formats across an enterprise. The web-base option eases maintenance efforts and reduces administrative costs associated with managing BCPs. However, consultants must be able to comprehend core business needs and clearly communicate recommendations in order to successfully develop a customized, site specific, and functional BCP.
According to FEMA, the ability to perform essential functions lies within four key resources.
- Communications and Technology
Site-specific information must be applied to the key resources. It is necessary for continued operation to evaluate and identify alternate site-specific resources that may be utilized during an incident. If one or more of the key resources are lost, critical business processes may be affected. Keep in mind that any new business operations that may have developed also need to be included in these evaluations.
Business Continuity Coordinators (BCCs) are typically responsible for the development and maintenance of business continuity plans. They must work closely with critical business units to understand their processes, identify risks, and provide solutions to help manage and minimize those risks. However, once an incident occurs, the BCCs must communicate, manage, and control activities associated with damage assessments and the recovery of critical business functions. Depending on the enterprise, a BCC may be assigned to an individual facility or a specific geographic location that encompasses numerous facilities with like-operations.
The BCC, in conjunction with the Incident Commander, may be tasked with activating and coordinating organization elements in accordance with an incident action plan. By working with the appropriate business unit leaders assigned to business continuity/recovery plans, the BCC can also provide guidance for compliance with Incident Action Plan (IAP) components.
The BCP should systematically guide specifically assigned personnel to restore operations that are affected by abnormal conditions. It is critical to identify the implications of a sudden loss for each business unit or necessary resource by performing a business impact analysis. While critical process evaluations can determine operational dependencies that are required to maintain normal operations, staff must be trained to carry out the BCP objectives. BCP training and exercises should occur (at a minimum) on an annual basis, or as required by regulations or company policy.
A BCP should identify the minimum staffing levels necessary to remain operational. As recovery advances, staffing levels may require adjustments. Depending on the scenario, the least critical process participants might have to vacate the facility while leaving critical players in motion to maintain or restore necessary functions. Companies should ensure staff, contractors, and suppliers understand their initial and adjusted responsibilities, and recovery time objectives.
Communications and Technology
Clear and effective communication channels and critical technologies must be available in order to disseminate information to employees, assess and relay incident updates, and implement necessary recovery strategies. As part of the business continuity mitigation process, companies should evaluate available communication equipment, mass notification systems, and technology storage and backup processes to ensure accessibility and functionality in multiple business continuity scenarios. All critical communication and technology should be included in a BCP with detailed recovery procedures and recovery time objectives.
Facility management should be a crucial aspect of a business continuity plan. If an area or facility cannot sustain minimum service or operational levels, companies should mobilize resources, and/or relocate equipment and personnel to alternate areas, facilities, or redundant sites. If deemed acceptable, this may include “working from home” strategies. In order to respond quickly and effectively to facility damage, BCPs should include predetermined suppliers/contractors (tree services, plumbers, electricians, restoration companies, and/or necessary skilled trades and suppliers).
For a free download on Designing a Crisis Management Program, click the image below:
There are various types of types of emergency response drills and exercises that target specific goals. They can range from small group discussions to complex, multi-faceted exercises. But each drill or exercise presents the opportunity to improve site-specific response plans, rendering the potential for a more effective response.
Response plan testing can begin with simple exercises intended to validate general response plan comprehension or incorporate an all-inclusive, full-scale, realistic, multi-scenario exercise. Managers should determine the goals of the exercise before settling on a particular method. To fully execute a response plan, synergistic drills or exercises should be developed to assess the following critical response skills:
- Resource management
An exercise should prepared employees and responders to minimize the impacts of an incident. Below are three of the most basic exercises.
1. Orientations: The purpose of an orientation is to familiarize participants with roles, responsibilities, plans, procedures, and equipment. Orientations can resolve questions of coordination and assignment of responsibilities. The inclusion of first responders and facility staff promotes the development of an effective plan.
2. Drills: The goal of a drill is to practice aspects of the response plan and prepare teams and participants for more extensive exercises in the future. A drill can test a specific operation or function of the response plan. Facilities should conduct evacuations, shelter in place, and lockdown drills to demonstrate emergency response actions. Drills can be altered to incorporate various scenario situations. The procedures, individual responsibilities, and public safety coordination may be addressed depending on the presented scenario or outcome of the drill.
3. Tabletop Exercises: A tabletop exercise simulates an emergency situation in an informal, stress-free environment. The participants, usually comprised of decision-making level staff and responders, gather to discuss simulated procedures and general problems/solutions in the context of an emergency scenario. The focus is on training and familiarization with roles, procedures, and responsibilities relative to the emergency synopsis and potential injects.
Below is a list of common tabletop exercise planning considerations:
Condensed Exercise Time Frame: In order to exercise the emergency scenario, the exercise must progress in a condensed timeframe (not real-time). Events should move rapidly through the phases of the exercised response. However, it should be clearly understood that under real conditions the same events or actions might require additional time to complete. Conversely, real world scenarios can quickly change and transition from a basic emergency to a full scale crisis within a short time frame that require rapid decision making and expeditious responses.
Scenario Information and Position-Specific Tools: Detailed scenario information, ICS forms, and position specific events should be prepared to guide all participants through the execution of their roles and responsibilities. These tools should be included in a participation package and distributed to all participants prior to the exercise. A web-based drill and exercise management tool can streamline the distribution of these tools.
Weather Conditions: Depending on the scenario and if the weather is a critical factor, either real or simulated weather conditions may be utilized during the exercise.
“This is a Drill” Exercise Communications: All radio, telephone, fax and written communications must begin and end with the statement "This is a Drill". Include this statement in all verbal communications, and in a prominent location on all written correspondence, including report forms, fax communications, and press releases. It may be helpful to add the date to any written documentation for organizational and regulatory compliance purposes.
Communications with external agencies, contractors, medical responders, or other parties not participating directly in an exercise must begin and end with the statement, "This is a Drill". This may involve state or federal regulatory notifications or contact with suppliers or vendors to source simulated logistical needs. In all cases, exercise participants must ensure that the all involved parties clearly understand that no actual emergency exists, and no resources or equipment should be mobilized or dispatched.
Response Equipment Deployment: Emergency equipment and vehicles should be simulated for tabletop exercises. Staging area locations should be identified.
Injects: Injects may be provided to some participants or as a component of the exercise. An inject describes an additional event or circumstance that requires a response or action from the participant.
Exercise Termination and Debriefing: Following termination of the exercise, a debriefing of all exercise participants should be conducted. All participants should have the opportunity to provide feedback on the exercise and complete an exercise evaluation form. Feedback should be evaluated for potential response plan mitigation opportunities.
Follow-up on Action Items: Exercises may provide insight into the deficiencies in an emergency response plan. In order to take response efforts to the next level, action items resulting from the exercises should be completed in a timely manner.
Managing the Facility Security Plan (FSP) related administrative duties and associated training requirements can be time-consuming and complex, particularly for large companies. With multiple, dynamic, and security-related response planning variables, many large companies implement a response planning system with a training and exercises management component. Advanced web-based systems can ease the burdens of training documentation, scheduling, and maintenance while verifying regulatory compliance. Managing an enterprise-wide security training program can be complicated by:
- Multiple fluctuating certification/expiration dates
- Diverse and varying scope of responder/employee responsibilities
- Site-specific operations and response objectives
- Maintaining company standards and best practice priorities
- Regulatory compliance measures
- Multiple facilities across several locations
- Employee turnover
A FSP and those facilities required to comply with U.S. Coast Guard’s (USCG) 40 CFR 105 regulation should include site-specific details on the following components:
Notification: The Facility Security Officer must have a means to effectively notify facility personnel of changes in security conditions at a facility. Transportation security incidents are reported to the National Response Center and to appropriate emergency responders. At each active facility access point, a system must be in place to allow communication with authorities with security responsibilities, including the police, security control, and the emergency operations center.
Fencing and monitoring: The FSP must describe security measures to prevent unauthorized access to cargo storage areas, including continuous monitoring through a combination of lighting, security guards, and other methods.
Evacuation: The owner or operator must identify the location of escape and evacuation routes and assembly stations to ensure that personnel are able to evacuate during security threats.
Assessment: The Facility Security Assessment requires description of the layout of the facility, and response procedures for emergency conditions, threat assessment, and vulnerabilities, with a focus on areas at the facility that may be vulnerable to a security threat, such as utility equipment and services vital to operations.
Training: A security plan should describe the training, drills, and security actions of persons at the facility. These actions should deter, to the maximum extent practicable, a transportation security incident, or a substantial security threat. If a facility is required to comply with §105.210, facility personnel with security duties must be trained in the following: (Note: These guidelines are also beneficial to facilities not required to comply with the USCG’s 40 CFR part 105 requirement)
- Knowledge of current security threats and patterns
- Recognition and detection of dangerous substances and devices
- Recognition of characteristics and behavioral patterns of persons who are likely to threaten security
- Techniques used to circumvent security measures
- Crowd management and control techniques
- Security related communications
- Knowledge of emergency procedures and contingency plans
- Operation of security equipment and systems
- Testing, calibration, and maintenance of security equipment and systems
- Inspection, control, and monitoring techniques
- Relevant provisions of the FSP
Proper documentation is a critical aspect of any emergency management program. If a facility is required to comply with the USCG’s 40 CFR part 105 regulations, certain documentation is required to be available at the facility and made available to the USCG upon request. A web-based planning system can ensure plan documentation is available from various locations and can expedite plan distribution. The USCG’s 40 CFR 105 requires the following documentation:
- The approved FSP, as well as any approved revisions or amendments thereto, and a letter of approval from the COTP dated within the last 5 years.
- The FSP submitted for approval and an acknowledgement letter from the COTP stating that the USCG is currently reviewing the FSP submitted for approval, and that the facility may continue to operate so long as the facility remains in compliance with the submitted FSP.
- For facilities operating under a USCG-approved Alternative Security Program as provided in §105.140, a copy of the Alternative Security Program the facility is using, including a facility specific security assessment report generated under the Alternative Security Program, as specified in §101.120(b)(3), and a letter signed by the facility owner or operator, stating which Alternative Security Program the facility is using and certifying that the facility is in full compliance with that program.
Luck runs out, but safety is good for life. ~Author Unknown
Whether an industrial facility is domestically located or abroad, ensuring compliance, employee safety, and an effective response requires a comprehensive training and exercise program. All training and exercise components within a corporate enterprise should address site-specific operations, appropriate response processes, standardized company-wide best practices, and maintain location-specific regulatory compliance.
The challenge of managing and ensuring compliant training programs for multiple facilities and various regulatory agencies is complex. Certification efforts, enforcement mandates, and costly non-compliance fines may result from the lack of implemented, thorough, or effective programs. By utilizing available technology to manage an enterprise-wide training approach, companies can verify compliance and response readiness through a cohesive, yet site-specific standardization of best practices.
Through proper maintenance of a training portal, individuals will remain at peak optimal response capabilities. Training should include, but not be limited to:
- Response plan familiarization
- Individual roles and responsibilities
- Plan review training whenever a substantial change or revision is made to the plan that affects organization, procedures, roles and responsibilities, or response capability.
- Refresher courses, as necessary
Mid to large size companies should implement a preparedness and response training management system with the ability to identify and sort specialized data. When a company has multiple facilities, a centralized web-based database of scheduled, lapsed, and completed training enable facility managers to focus their efforts on operations and profitability. With a comprehensive, web-based, database-driven training management system, emergency managers and health, safety, and environmental departments can:
- Simplify training reviews
- Easily identify training inception and expiration dates
- Verify responder knowledge and ensure employee accountability
- Identify regulatory compliance training gaps
- Account for preparedness endeavors and associated costs
- Ease maintenance and administrative efforts
For companies looking to systematically manage the training and development of their staff, an enterprise-wide training management system is critical. Managing several disparate systems and multiple paper files is cumbersome and time consuming. Maintaining training information in a single, consolidated system provides significant benefits. A web-based training management system provides authorized users with secured access from a variety of locations. As facilities are added or modified, operations are revised, or employees are re-assigned, training records can be conveniently added, accessed, transferred, or updated for accuracy and compliance. A comprehensive, web-based training management system will:
- Reduce the need for multiple site training management and documentation
- Minimize administrative costs
- Minimize training discrepancies across an enterprise
- Provide a historical record of training certifications
- Streamline training directives from one source
- Serve as a legal instrument, if necessary
- Engage management in prioritizing preparedness efforts
- Enhance reporting functionality
- Identify regulatory compliance training gaps
Training administration can be time-consuming and difficult, particularly in medium to large companies with staff employed in different roles across a variety of physical locations. A customized training management system can streamline this administrative effort, making it easy to ensure staff members receive the appropriate training, and instructors are supported with the necessary resources. A comprehensive system can
- Track and report training completion or status by discipline, skill, position, individual, location, or over a specific time period
- Generate summary reports that provide a snapshot of various mandated training versus completed and scheduled events
- Print automated certifications and wallet cards
Advanced web-based technologies can also facilitate online training and provide classroom resources. While it is not essential to implementing web-based training, it can reduce costs associated with classroom instruction. Some web-based training solutions include tools to share critical training information and lesson plans with students, reducing the time required to duplicate and distribute training materials across an enterprise.
While optimizing training is critical for regulatory compliance and safety, cost is always a deciding factor. Implementing a customized training management system in highly regulated environments is a proactive, cost-savings measure that can reduce the overall costs associated with incidents, training maintenance, and non-compliance.