Your Solution for SMART Response Plans

Business Continuity Planning Doesn't Have to Be Complicated!

Posted on Thu, Jul 28, 2016

Some incidents, regardless of size, can escalate rapidly, impact employees, disrupt typical operations, and affect your company’s financial stability. To prevent and reverse impacts from spreading to multiple departments and critical business processes, companies should prepare a thorough Business Continuity Plan (BCP). However, the path to sustainability and recovery is often complicated by ambiguous information, overlooked linked business processes, and static  plan formats. Business continuity planning does not have to be a complicated process. When companies utilize systematic methods to identify objectives and implement potential response in conjunction with intuitive formats, the process of recovery, continuity, and sustainability can be streamlined.

Business Continuity Plan Objectives

At a minimum, a BCP should provide the following:

  • Key operations and critical activities
  • Critical processes and strategies for recovery
  • Resources necessary to assess, declare, and recover from disruption
  • Evacuation and relocation information and policies
  • Key response personnel

However, identifying the potential implications of a sudden loss can be a daunting process. Determining business function inter-dependencies required to maintain operations is a significant step in effective response planning. Managers should not exaggerate the importance of departmental business functions, critical priorities, or recovery expectations. This can lead to further failures and prolonged recovery. A workflow analysis may assist managers in prioritizing each function and the necessary process to be recovered. At a minimum, managers should examine the following applicability and their critical function within their business unit:

  • Information Technology
  • Environmental, Health, and Safety
  • Personnel
  • Supply and Trading
  • Contracts
  • Accounts Payable and Benefits
  • Finance and Payroll

BusinessContinuity.jpg

 

Key Business Continuity Information

Once each department’s key functions and critical processes are identified, mitigated and tested, details can be implemented into the plan. Continuity processes should be aligned with company protocols, site-specific personnel details, and specialized training and exercise programs. At a minimum, the BCP should include

  • Notifications and activation details
  • Team roles and responsibilities
  • Facilities
  • Detailed Response Strategies
    •  Communications
    • Accountability
    • Evacuation
    • Relocation
    • Employee policies
    • Damage assessment processes
  • Critical Process Recovery Information
  • Termination and Demobilization
  • Documentation
  • Training and Exercises

 

Web-Based Business Continuity Formats

Effective BCPs should contain detailed and site-specific information for each operational facility. Because of the dynamic nature of operations and incidents, managing and communicating evolving counteractive process can be complicated by a static BCP format. Dynamic BCP formats and modern communication techniques can streamline evolutionary business process countermeasures. By transitioning from paper-based BCPs to a web-based approach, companies have the ability to integrate data into a standardized, enterprise-wide business continuity template with site-specific details for each particular site. Web-based BCP formats simplify business continuity planning by enabling:

  1. Efficiency: Maintaining up-to-date and actionable BCPs can be administratively time consuming. The most advanced web-based software programs utilize a database, allowing for specific repetitive information to be duplicated in the various necessary plan types across an entire enterprise. By minimizing administratively tasking duties, accuracy of the plans are optimized.
  1. Accessibility of plans: In the event of a business disruption, web-based plans are typically available from all company locations. However, web-based BCP software should offer every option of instant accessibility: via the Internet, downloaded, or printed to ensure accessibility in a variety of forms. Increasing accessibility options can bolster the entire business continuity program.
  1. Instantaneous Updates: Multiple versions of paper-based and intranet-based plans can potentially confuse and misinform the response team(s), prolonging a response and the business disruption. Web based software eliminates “version confusion” and allows the business continuity team to apply the most up-to-date and tested processes.
  1. Superior functionality: Simplifying documentation during an incident enables prompt response progress and faster return to “business as usual”. Web-based plans can provide hyperlinks, forms libraries, and simplified interfaces to improve streamlined functionality for plan users.
  1. Multi-purpose data: BCPs often share common data. Web-based, database driven plans utilize one database to manage this information, effectively leveraging plan content and revision efforts to all plans and locations that utilize that data.

TRP Corp - Emergency Response Planning Crisis Management

Tags: Business Continuity

Business Continuity Plan Tips: Are Your Concerns Addressed?

Posted on Thu, Mar 03, 2016

Every corporate threat may result in the same consequence: the loss or temporary cessation of key business processes. In February 2016, the Business Continuity Institute released its fifth annual Horizon Scan report highlighting the level of concern to different risks and threats. The report tabulated survey results from 568 worldwide organizations from 74 countries.

According to the report, the following are the top 10 concerns for businesses:

  1. Cyber attack
  2. Data breach
  3. Unplanned IT and telecom outage
  4. Act of terrorism
  5. Security incident
  6. Interruption to utility supply
  7. Supply chain disruption
  8. Severe weather
  9. Availability of talent/key skills
  10. Health and safety incident

Threats to a company’s ability to conduct “business as usual” is a continual concern for large, multinational companies, as well as smaller, domestic operations. Regardless of size, establishing methods to preserve critical business processes during any of the adverse concerns listed in the Horizon Scan report can improve the probability of operational sustainability and minimize the potential of lost revenues. Failure to develop an effective business continuity plan that address these concerns can lead to costly and devastating impacts, often affecting the long-term growth of a company.

motherboardtrpcorp.jpg

In order to combat concerns, the following must be identified for each operational site or location

  • Potential risks/threats
  • Trigger events
  • Impacted critical business processes/activities
  • Incident response structure
  • Warning and communication process
  • Recovery time objectives

While reviewing a plan that addresses targeted risks and threats, key details and alternate provisional elements should be considered. The following basic Business Continuity Plan components should be reviewed to ensure concerns are addressed and processes are in place to minimize loss or the temporary cessation of key business processes.

  1. Key contacts: Identify and confirm all primary and secondary key contacts that must be made aware of a business interruption. Due to possible employee turnover or contact detail changes, it is important to routinely verify contact information for accuracy.
  1. Plan distribution list: Identify and confirm names, addresses, and contact information of those that retain access to one or more plans.
  1. Recovery plan:
  • Identify/develop parameters of business continuity strategies with regards to each identified risk/threat. This includes incremental processes and necessary procedures required to recover each critical business process.
  • Ensure communication methods and backup equipment will be adequate for each trigger event.
  • Response checklist time lines may include increments such as 1st hour, 24-hours, 48 hours, one week, one month, and long-term recovery.
  1. Key staff roles and responsibilities:
  • Develop job specific checklists and procedures detailing responsibilities, from business continuity implementation through recovery.
  • Identify Critical Staff, at a minimum, for each critical business process.
  • If necessary, provide cross team training, in the event that primary team members are not available.
  1. Off-site recovery location: Identify and include addresses, contact info, available on-site equipment, and any necessary external equipment for effective continuity and recovery operations.
  1. Key customers’ data: Effective customer relations and communication may be critical in retaining clients and maintaining positive relationships during a business interruption. Identify communication methods, platforms, and required contact information in order to inform customers of disruptions of deliverables.
  1. Key supplier contact list: Logistics and transportation delays could affect delivery times; therefore the plan should address this issue. Identify dependencies and interdependencies along with key contact information.
  1. Alternate suppliers list: The consequences of a supply chain failure on associated key business components can be crippling. Through the planning process, alternatives can be explored to reduce the impact of supply chain disruptions.
  1. Back up data details: Identify details of computer back-ups and recovery methods. Ensure that staff training is in place to ensure data accessibility, security, and recovery.
  1. Technology requirements: Identify necessary hardware and software, and the minimum recovery time requirements for each business unit. Ensure best practices are in place regarding backups and IT security.
  1. Equipment requirements: Identify equipment requirements for each business unit and recovery time goals.
  1. Implement improvements
  • Track and update key details and associated processes as deficiencies and inaccuracies are identified
  • Incorporate newly identified hazards and vulnerabilities into the business continuity plan.
  • Include necessary equipment used (requiring replacement or replenishment)
  • Incorporate lessons learned into the plans and necessary training
  • Periodically evaluate critical business processes to ensure that evolving businesses practices are captured.
  • Periodically evaluate risks and threats to ensure that concerns are addressed in the plan.

Preparedness and Emergency Management - TRP Corp

Tags: Business Continuity

Business Continuity Planning Strategies to Follow in 2016!

Posted on Thu, Jan 14, 2016

With the new year, every company should assess their business continuity risks, operational vulnerabilities, and recovery time objectives for each critical business function. Companies who understand these threats to financial resilience can become better prepared for and possibly mitigate these business continuity issues.

Mitigation includes recognition, comprehension, communication, and implementation of modifications, procedures, preparations, and/or assets that can directly minimize the impact or likelihood of the threat, simplify/automate recovery requirements, and/or accelerate recovery time. Every company and each facility has its own unique associated risks, however through dedicated risk mitigation analysis and proactive measures, hazards and business disruptions can be minimized.

Threats and vulnerabilities can stem from both external and internal actions. Therefore, companies must analyze potential threats from a variety of potential sources. A localized vulnerability and impact analysis should include, but is not limited to:

  • Weather patterns
  • Geographical influences
  • Security efforts
  • Cyber evaluations
  • Inherent operational hazards
  • Facility design
  • Maintenance issues

A business impact analysis should be used to identify critical business processes, potential recovery strategies, and areas that could benefit from risk mitigation. This resilience assessment tool should identify potential vulnerabilities and initiate proactive changes to minimize impacts if a disaster were to occur. If the level of risk identified is deemed unsafe or unacceptable for operational viability, additional recovery options, safety procedures, or applicable strategies may need to be developed and implemented.

Risk recognition can occur through many paths including inspections, audits, and job hazard analyses. However, a detailed risk analysis should include, but is not limited to the following:

  • Identify site specific assets that are unique to a specific location, facility, and operation
  • List hazards that corresponds with each asset: Multiple hazards may be applicable to a singular asset.
  • For each hazard, consider both high probability/low impact scenarios and low probability/high impact scenarios.
  • Mitigation opportunities: As you assess potential impacts, identify any asset vulnerabilities or weaknesses that would make it susceptible to loss. These vulnerabilities are opportunities for hazard prevention through procedures/processes upgrades or risk mitigation.
  • Identify threat scenario probability as low, medium or high.
  • Identify impact potential as low, medium or high for each of the following:
    • People
    • Property
    • Operations
    • Environment
    • Financial
    • Regulatory or legal
    • Contractual
    • Brand image or reputation
    • Determine priority level for planning and mitigation

The probability and impact severity should determine the priority level for correcting the vulnerability. The higher the probability and impact severity, the higher the emphasis should be on corrective actions. With priorities in place, mitigation measures may include:

  • Changes in daily processes and procedures
  • Isolation and elimination of the root cause of a potential threat
  • Addressing non-compliance issues
  • Implementing risk reducing engineering controls, when applicable
  • Implementing proactive administrative controls or work place practices
  • Establishing a process to identify inoperable or malfunctioning equipment and machinery through systematic inspections
  • Developing or amending site specific Business Continuity Plans (BCP) to reflect vulnerabilities

An effective BCP is able to capture and maintain essential information for responding to unplanned incidents that cause business interruption. Being able to conduct business, despite uncontrollable circumstances, can ensure a company viability in the shadow of adversity.

The cycle of the business continuity planning should be incorporated into every business process. By instituting the following cycle, business interrupting events can be planned for and procedures can be implemented to maintain critical business processes.

  1. PLAN: Identify potential risks/threats, specialized trigger events, impacted business processes/activities, incident response structure, warning and communication process.
  2. ESTABLISH: Define parameters of business continuity strategy, communication and documentation processes, training requirements, detailed employee/ vendor contact information, and key vendor and/or supplier dependencies.
  3. IMPLEMENT: Initiate response checklists and potential relocation strategies in the event of business disruption.
  4. TRAIN: Train employees on continuity roles, responsibilities, and procedures.
  5. MONITOR: Verify equipment requirements, primary and alternate facility details, and application and software requirements.
  6. REVIEW: Analyze processes of the BCP to ensure critical business processes can be maintained.
  7. EXERCISE: Perform simulations to verify comprehension of the BCP.
  8. MAINTAIN: Update key details and processes if deficiencies and inaccuracies are identified
  9. OPERATE: Engage critical processes and Recovery Time Objectives, as necessary.
  10. IMPROVE: Incorporate the cyclical process in an overall business continuity program to continuously align a response to critical business processes and their associated risks.

 

TRP Corp - Emergency Response Planning Crisis Management

Tags: Business Continuity, Business Risk

Business Continuity Planning Until Infrastructure Resilience Secured

Posted on Wed, May 13, 2015

For the power, oil, and natural gas industries, a growing array of physical and electronic threats, coupled with decaying infrastructures and strained budgets is a recipe for disaster. Over the past few years, countless broadcasts of threats, risks, and actual incidents have been reported. From computer system hackings to gas pipeline failures, the energy industry is under continuous pressure to preserve and upgrade the resiliency of our critical infrastructures. However, until resilience is secured and infrastructures have been upgraded, companies must continue to prioritize safety and preparedness best practices.

Reliable operations are crucial to the economic stability of companies, communities, and commerce. There has been a surge by public and private stakeholders to identify steps to improve the cyber resilience of computer-based systems that manage operational processes in the power, oil, and natural gas industries. These industries are also keenly aware of the inherited deteriorating infrastructures that support their operations.

Until effective, sustainable policies, regulatory compliance initiatives, and corporate budgets embrace widespread modernization and effectively mitigate for infrastructure resilience, companies should ensure emergency management programs and business continuity plans are current and effective. In an effort to maximize preparedness and minimize inherent risks, an emergency management program should provide:

  • A system for assessing and prioritizing incidents
  • Streamlined and standardized response methods
  • Communication and notification procedures
  • Roles and responsibilities for corporate and incident level response teams
  • Optimized training, drills and exercises
  • A demonstrated commitment to safety

According to experts, the maze of infrastructure that support the energy industries and end users requires extensive upgrades to effectively meet the nation’s energy demands. Ensuring the resilience, reliability, safety, and security of energy transmission, storage, and distribution (TS&D) infrastructure is vital.

According to the Quadrennial Energy Review (QER), the TS&D, “includes approximately 2.6 million miles of interstate and intrastate pipelines; 414 natural gas storage facilities; 330 ports handling crude petroleum and refined petroleum products; and more than 140,000 miles of railways that handle crude petroleum, refined petroleum products, LNG and coal.”

The QER was developed to identify the threats, risks, and opportunities for U.S. energy and climate security. The goal of the review is to enable the federal government to translate policy goals into a set of integrated actions. In April 2015, the QER recommended the following actions:

  • Establish a competitive program to accelerate pipeline replacement and enhance maintenance programs for natural gas distribution systems. The Department of Energy should establish a program to provide financial assistance to:
    • Incentivize cost-effective improvements in the safety and environmental performance of natural gas distribution systems
    • Enhance direct inspection and maintenance programs
  • Update and expand state energy assurance plans. The Department of Energy should establish a program to provide financial assistance to:
    • Improve the capacity of states and localities to identify potential energy disruptions, quantify their impacts, share information, and develop and exercise comprehensive plans that respond to those disruptions and reduce the threat of future disruptions.
    • Establish a competitive grant program to promote innovative solutions to enhance energy infrastructure resilience, reliability, and security.

Facility and supply chain management should be a crucial aspect of business continuity planning. At a minimum, the following planning considerations should be taken into account in order to safeguard critical operations:

  • Establish preventive inspection and maintenance schedules for all systems and equipment. 
  • Ensure that key safety and maintenance personnel are thoroughly familiar with all building systems, such as alarms, utility shutoffs, elevators, etc.
  • Establish company-wide computer security, download, and backup practices in order to secure technologies and communications networks.
  • Determine the impact of service disruptions and mitigate if possible (generators, fuel, relocating inventory, back up suppliers etc.) 
  • Establish procedures for restoring systems. 

NOTE: The April 2015 QAR can be read in its entirety here.

Preparedness and Emergency Management - TRP Corp

Tags: Business Continuity, Resiliency, Emergency Management Program

Incident Management and Business Continuity Go Hand-In-Hand

Posted on Thu, Mar 19, 2015

Some of the greatest challenges in incident management stem from the unpredictability of an ongoing situation and concurrent communication shortfalls. The ability to establish a quick and effective response through a real-time, transparent management process improves response time, reduces impacts, and provides the best opportunity for the implementation of a Business Continuity Plan (BCP).

An incident or emergency scenario that activates an Incident Management Plan can also spur the activation of a BCP. Both incident commanders and BCP team leaders need timely, yet accurate information to assess necessary response requirements. When incidental impacts and response scenarios are effectively communicated, the outcome can greatly support both incident management efforts and continuity of operations initiatives.

A BCP that is guided by a functional incident management process can provide the information to enact necessary continuity processes.  In order to be effective to business continuity leaders, Incident Management Systems need to include a means to provide the following:

  • Initial Response Statistics - Employees should be able to obtain essential information in real-time.  This allows responders to provide swift and appropriate resolutions to the current or escalating scenario(s). Having the ability to establish an intuitive, customizable system is a key component of incident management.
  • Reporting - To improve responses to an ongoing process, incident commanders must be able to quantify the response based on accurately reported information. In incident management, this means the process of providing and receiving current, real-time information and customizing an appropriate response. Necessary information that can assist in an effective response includes:
    • Actual response times
    • Initial response actions and resolutions
    • Incident command position roles and responsibilities
    • Incident planning /follow up assignments
    • Action status (Assigned, Delayed, Overdue, Complete)
    • Sustained response actions
    • Demobilization
    • Review proceedings (Examine overall performances and processes.)
  • Feedback - After an incident has been resolved, the company should solicit honest feedback from responders, regulators, and employees. This may highlight areas for improvement in your incident management process.

handshaketrp.jpg

When multiple plans are concurrently enacted, communication failures, rumors, and speculation can escalate, affecting the functionality and effectiveness of the response. Real-time system mechanisms with automated dynamic workflows can greatly improve incident response, continuity opportunities, and corporate viability. Incident management information, considering existing incident response capabilities, response measures, and history can assist business continuity leaders in determining the best path towards continuity or restoration. This specific information includes, but is not limited to the following criteria:

  • Incident Timing - If an interrupting incident occurs during high-output timeframes, continuity priorities and process implementation should be amplified in order to limit operational and financial impacts.
  • Likelihood Level - Based on accurate and timely incident impact information, the business continuity team can decipher how likely the incident will affect each critical business unit, suppliers’ availability, or set deliverables.
  • Duration and recovery time - Determine if the incident duration and demobilization efforts will impact and/or impair critical operational processes. Based on this information, processes and alternate facilities may be necessary to account for maximum allowable downtimes. This will allow for recovery time of specific critical processes under existing capabilities and, if possible, potentially altered conditions.
  • Staffing minimums - Identify available staffing levels and whether the number meet minimum requirements to meet typical daily productivity goals, as well as recovery time objectives.
  • Operational Impacts -Determine how the incident affects and will affect operations Functions that may be affected include, but are not limited to:
    • Lost sales and income
    • Negative cash flow resulting from delayed sales or income
    • Increased expenses due to overtime, outsourcing or other operations that increase costs
    • Regulatory fines and legal implications
    • Contractual penalties or loss of contractual bonuses
    • Customer dissatisfaction or withdrawal
    • Delay of business plan execution or strategic initiative

Interoperable communication and coordination among incident commanders and business continuity leaders should be exercised for a swift recovery. If an incident has the potential to impact two or more business processes, it is critical that an effective BCP be enacted. An incident can become a multi-tiered business continuity event that extends beyond the facility borders, affecting personnel, multiple critical business processes, vendors or suppliers, and customers.

Web based response planning - TRP CORP

Tags: Business Continuity, Incident Management

The Basics of Business Continuity Planning

Posted on Thu, Mar 12, 2015

The primary purpose of a Business Continuity Plan (BCP) is to minimize the negative impacts of a business interruption by accelerating the return to “business as usual”.  A BCP should be applied to every business, small or large, to provide a framework to ensure operational resilience in the event of business disruption. Industries including manufacturing, healthcare, education, financial, energy, and retail can benefit from business continuity planning, but each organization must create a detailed and specific plan for each of their locations, business units, or functional groups.

Numerous events, such as this winter’s perpetual snow storms, can cause business disruptions. Business interrupting events typically result in the loss or temporary disruption of key business resources including:

  • Facilities or Workspace
  • Infrastructure or IT Applications/Systems
  • People
  • Supply Chain

In order to protect a company’s viability, site-specific recovery strategies should be developed with the assumption that a disruption will occur during a peak business cycle, when the services or output are at the highest level and most critical point. A Business Impact Analysis (BIA) enables a company to identify and quantify which business unit that, when absent, would impact profitability and threaten its survival. While the size and complexity of essential business elements required for sustainability vary among companies, the ability to quantify and prioritize critical workflow components is a key business continuity element. Some departments to consider when conducting a BIA for peak cycles include, but are not limited to:

  • Finance and Treasury
  • Contracts
  • Supply and Trading
  • Financial Accounting
  • Emergency Response/Crisis Management Team
  • Payroll
  • Benefits
  • Accounts Payable
  • Environmental Health and Safety

Once critical components are identified, managers should review the following business continuity planning elements for each critical business function:

  • Determine what personnel, software, and vendors are required to continue these processes.
  • Identify the duration and point in time when an interruption would impair critical processes and develop recovery time objectives.
  • Estimate the maximum allowable downtime for each specific business function.
  • Identify alternate locations where these processes can be maintained in the event normal facilities are not accessible.
  • Identify how communications will be maintained
  • Provide training for BCP personnel that are assigned to support the continuity of operations.

1091

A BCP should include site-specific details that can direct process continuation or restoration. The following continuity plan components should be included in a site-specific BCP.

1. Plan distribution list: Names, addresses, and contact information of those that retain secured access to the BCP.

2. Key contacts and notification procedures: Identify all primary and secondary contacts that must be made aware of a business interruption. It is important to routinely verify contact information for accuracy, and train personnel in BCP activation and notification procedures.

3. Key staff roles and responsibilities: Develop position-specific checklists and procedures detailing responsibilities from business continuity implementation through recovery. Task teams should be formed, at a minimum, to cover each critical business process. Business Continuity Team structure, organization charts, and interfaces should be clearly communicated. It may be necessary to provide cross team training, in the event that primary team members are not available.

4. Off-site recovery location(s): Include address, contact information, available on-site equipment, and any necessary external equipment for effective operations.

5. Recovery action plan: Identify/develop incremental processes and procedures necessary to recover each critical business process.   Response checklist timelines may include time increments such as 1st hour, 24-hours, 48 hours, one week, one month, and long-term recovery.

6. Customer data:  Identify communication methods and necessary contact information in order to inform customers of disruptions of deliverables. Effective customer relations and communication may be critical in retaining clients and maintaining positive relationships during a business interruption.

7. Primary suppliers contact list: Identify contact information of supply dependencies and interdependencies. Transportation delays or events at suppliers’ locations could affect delivery times; therefore the plan should address this issue.

8. Alternate suppliers list: Primary supply chain failures can be crippling to key business components. Through the planning process, alternative suppliers should be explored, and contact information and materials should be documented in order to reduce the impact of primary suppliers’ disruption.

9. Documentation and Insurance details: Identify details of insurance coverage and accurate contact information. The burden of proof when making claims typically lies with the policyholder. Accurate and detailed records are imperative. Documentation forms should be made available to all critical business unit leaders for timely documentation.

10. Technology requirements: Identify necessary hardware and software, and the minimum recovery time requirements for each business unit.

11. Backup data details: Business continuity plans should identify details of data backups and recovery methods. If current backup procedures are questionable, mitigation measures should be evaluated prior to a business disrupting event.

12. Equipment requirements: Identify equipment requirements for each business unit, primary and alternate suppliers, and recovery time goals.

13. Review and revise:  On an annual basis or following an incident, incorporate newly identified hazards and vulnerabilities into the business continuity plan. Include necessary equipment used (requiring replacement or replenishment), altered processes, and lessons learned.

Preparedness and Emergency Management - TRP Corp

Tags: Business Continuity key points, Business Continuity, Business Continuity Plan

Be Ready with Hats, Gloves, and Business Continuity Plans

Posted on Mon, Nov 17, 2014

Winter is rushing in with a vengeance this November. But it wasn't too long ago that the meteorological term “Polar Vortex” was indoctrinated in the minds of millions across the United States. In January 2014, arctic temperature plummeted unusually south and two-thirds of the nation was paralyzed by record breaking cold. Will we have another Polar Vortex-filled winter that impacts businesses across the country?

According to Evan Gold, Senior Vice President at Planalytics, a business weather intelligence company, January’s polar vortex resulted in a $50 billion economic disruption, the most delivered by a weather phenomenon since Superstorm Sandy in 2012.

Severe weather habitually effects routine business operations and profitability. Weather can be the culprit of power outages, dangerous temperatures, supply disruptions, safety hazards, and potentially impair access to key infrastructures. The January 2014 events, which impacted nearly 200 million people, is one of the many examples of how severe weather affects operational continuity.

As we begin another winter season, companies should perform a business impact analysis (BIA), a precursor to a business continuity plan. The process of a BIA allows for targeted recovery strategies to be developed in the event of an emergency. A BIA should be utilized to identify likely consequences of critical business process disruptions.

After each critical business process is identified, the potential impacts resulting from loss of facilities and/or necessary infrastructure, personnel, or supply chain can be examined for each process. Key minimum recovery components along with incremental recovery time objectives should be detailed for each critical area identified. The following components should be evaluated for each critical business process.

  1. Recovery Time: Identify how long it would take to recover a specific critical process under scenario specific circumstances.
  2. IT requirements: If electronic data must be available to recover specific processes to a minimum service level, identify the necessary requirements.
  3. Data Backup History: Indicate how old the data can be to satisfy recovery (i.e. last weekly backup, last monthly backup, last quarterly backup, etc.) and review recovery methods.
  4. Review alternate location options: Identify needs and review options for off-site backup processes.
  5. Staffing minimums: Identify needs throughout recovery time objectives to optimize recovery.
  6. Impact Level: Indicate how severely the process would be impacted considering current/existing mitigation measures (ex. minimal, somewhat severe, severe).
  7. Likelihood Level: Indicating how likely each specific threat could occur considering current/ existing capabilities, mitigation measures, and history.

Timely recovery also depends on specific preparedness and planning initiatives. Establishing processes, training employees, and restocking necessary equipment can drastically reduce the overall potential damage to operations and the financial bottom line. In order to minimize the effects of severe winter weather on continuity, preparedness protocols should be established. Depending on location and specific operations, these protocols should include, but are not limited to the following:

  • Monitor news and weather reports on television or the radio (with battery backup)
  • Alert employees or others on-site that severe weather is approaching and communicate expectations
  • Be aware of the dangers posed extreme temperatures, and ice and snow falling from equipment and buildings; mediate if possible
  • Identify infrastructure dangers posed by cold weather on exposed piping (hazardous releases, flooding, etc)
  • Prepare and insulate exposed piping
  • Winterize and shut off landscaping sprinkler systems
  • Contract snow removal services or obtain the necessary equipment (snow shovels, ice scrapers, rock salt, tire chains, etc.)
  • Ensure that company vehicles have a full tank of gas and are functioning properly (heater, deicing fluid, antifreeze levels, windshield wipers)
  • Ensure flashlights are in proper working order and have additional batteries on site.
  • Monitor ice and snow accumulation on any on site tanks, sheds, or buildings and identify non-hazardous procedures for mitigation.
  • If necessary, obtain generators to re-power facilities or necessary equipment
  • If appropriate, leave water taps slightly open so they drip continuously to prevent pipes from freezing.
  • Understand and implement cold weather response techniques when responding to product spills as released product may flow under ice or snow.
  • Establish and maintain communication with personnel
  • Consider limiting vehicle traffic
  • Maintain building temperature at acceptable levels and understand safety measures if using space heaters.
  • Notify supervisors if facility(s) loses power or is otherwise unable to operate

Preparedness and Emergency Management - TRP Corp

Tags: Business Continuity, Event Preparedness, Extreme Weather

The Role of Communications Planning in Business Continuity

Posted on Thu, Nov 06, 2014

The primary goal of business continuity planning is to efficiently restore operations through predetermined, systematic processes and procedures. However, in order to minimize the impacts and rapidly respond to operational hindrances, companies must ensure business continuity communication methods and procedures are clearly defined and functional.

Communication planning is an intricate part of preparedness and any continuity process. Clear and effective communication channels must remain available in order to disseminate information to employees, assess and relay damage, and coordinate a recovery strategy. Failed communication often results in failed business continuity efforts. Thoroughly planning, testing, and exercising communication procedures within the following four phases is essential to ensure effective business continuity and viability of critical business operations.

1. Notification- The notification process begins upon the anticipation or discovery of a business continuity situation. Appropriate personnel and applicable business unit managers should be initially notified and updated on the current scenario. The initial notification format can be dictated by company policy, however all known information should be provided at that time, including:

  1. Location of impact or potential impact
  2. Scenario details (fire, explosion, etc.)
  3. Implementation timeline

The person responsible for each critical business process should begin documenting response actions.  Necessary continuity information should be maintained and updated as necessary to ensure all management and affected personnel can quickly initiate proper actions.

In the planning phase, initial communication procedures, available communications equipment, and alternative communication formats should be evaluated.  Initial and back up communication formats should be agreed upon during training and exercises to certify that managers, continuity personnel, external suppliers, and possibly the public receive pertinent messages.

Primary and alternate resources contact information should be included in the business continuity plan (BCP) to ensure consistent delivery and continued operations in the event suppliers are subjected to business continuity circumstances. Up-to-date contact information for internal and external responders should be verified for accuracy.

2. Verification - Verification of contact information for personnel, continuity supervisors, and external responders should be done on a periodic basis. Business continuity planners must be certain that new employees are included in the plan, as necessary, and that notifications are being delivered to accurate e-mail addresses and/or contact numbers.

If maintaining accurate contact information is challenging, consider opting for an e-mail notification verification system that enables the contact to verify their information through hyperlinks. Companies can also offer incentives, such as drawings or prizes, to encourage all personnel to verify contact information as requested.

3. Stabilization - Stabilization is the result of the corrective actions initiated by the business continuity coordinator, business unit managers, and response personnel. Stabilization includes such actions as initiating proper notifications and implementing a procedural course of action. Planners should identify and procure necessary communication equipment and establish processes for continued operations and recovery. This will prevent unnecessary downtime and additional recovery efforts. Effective communications is the bridge to stabilization.

4. Recovery - Recovery begins once the affected area, personnel, equipment, and/or operations are accounted for and stabilized. Recovery communications includes actions such as damage assessment reporting, interactions with response personnel, removal and disposal of disruptive element, and safety verification prior to reentry or a return to operations. The lines of communications need to remain open in order to return to a “business as usual” level.

Developing relationships and common understandings of roles and responsibilities prior to a continuity event increases overall communication, post-disaster collaboration, and unified decision-making, streamlining the recovery process.

Upon termination of the incident and restoration of operations, an oral and written critique of the response should be conducted among personnel and the key business continuity members.  Communicating through evaluations and post-incident summaries can lead to the identification of continuity challenges and procedural obstacles. Items requiring action should be documented, communicated to involved parties, and tracked to ensure that potential corrective actions are identified and mitigation efforts are completed.

For a free informative download on Crisis Management Planning, click the image below:

TRP Corp - Emergency Response Planning Crisis Management

 

Tags: Business Continuity key points, Business Continuity, Crisis Management, Communication Plan, Business Continuity Plan

Global Response Planning Extends Beyond Operational Hazards

Posted on Thu, Oct 09, 2014

Current world events, such as the Ebola outbreak, ISIS threats, and Super Typhoon Vongfong continue to alter the focus of emergency management. With each pandemic, security crisis, natural disaster, or emergency incident, a renewed emphasis on specific preparedness initiatives and associated countermeasures evolves. Despite site-specific operation hazards, a well-developed response plan should examine all risks and vulnerability factors in order to provide employees with the knowledge, procedures, and resources necessary to respond appropriately to any situation.

When companies expand globally, identifying, evaluating, mitigating, and planning for continually evolving location-specific risks and vulnerabilities is challenging. Those with the responsibility of global preparedness and planning must address site-specific regulatory compliance measures, inherent risks (including operational and location-specific), technological and physical security needs, and each operational response plan component. Cultural disparities, infrastructure challenges, or security provocations may leave sites vulnerable to particular events and heighten the urgency of preparedness initiatives and planning efforts.

Preparedness, operational sustainability, and employee safety requires a streamlined, coordinated, and exercised response plan. Response plans must be developed to account for each potential emergency and non-emergency scenario that could impact or cause damage to a particular facility or its operations.  Aside from innate operational hazards, both physical site security and electronic security must be considered in preparedness measures. (Note: A security breach is just as likely to come in the form of a computer hacker or virus as it is from an actual intrusion, uprising, or physical attack.)

While emergency scenarios may affect the safety and health of employees, operations, and/or the facility infrastructure, non-emergency situations can arise that potentially impact company reputation and operational longevity.  A poorly managed situation can negatively affect a company’s reputation, business interests, and relationship with key regulators and partners.

Below are some crisis management situations that could affect business continuity for companies with multinational facilities. Business continuity and crisis management plans should be developed for each of these scenarios that could likely cause significant damage to the business.

Environmental Stewardship: Disparity in international, country, state, county and corporate environmental standards.  Environmental regulations may vary regarding:

  • Facility or site requirements
  • Transportation
  • Hazardous spills
  • Equipment safety
  • Fire fighting methods
  • Gas releases

Natural Disasters: Each geographic location has specific historical and potential natural threats.

  • Earthquakes
  • Hurricanes/typhoons
  • Sand/wind storms
  • Tornados
  • Flooding
  • Tsunami

Employee issues: While every facility must prepared for potential employee issues, global companies must pay specific attention to:

  • Cultural differences
  • Language barriers
  • Labor relations challenges
  • Workplace discrimination or harassment
  • Disgruntled workers
  • Health and safety disparagements

Marketing: Global markets and unethical business practices can create non-emergency scenarios resulting in the need for crisis management:

  • Price gouging
  • Supply availability
  • Recalls
  • Deceptive business practices

Security Breach: A security breach can affect multiple aspects of a company, from business continuity to the physical safety of employees.

  • Computer hacking
  • Catastrophic IT failure
  • Facility security measures
  • Civil unrest
  • Personnel/employee security

Corporate Governance:  Corporate changes can initiate unrest, disrupt operations, and company reputation:

  • Mergers
  • Organizational restructuring
  • Downsizing
  • Facility closings
  • Management successions/promotions
  • Financial reporting integrity

Industry/Sector Issues: As industry specific equipment, regulatory advancements, and technologies evolve, preparedness should continually adapt to include safety processes, continuity procedures and best practices.

  • Supply disruptions
  • Punitive regulations

Illegal Activity: Faults in humanity may be intensified by location specific conditions, supply and demand, and/or greed. Preparedness measures should include business continuity and crisis management procedure for the following circumstances:

  • Extortion
  • Bribery
  • Fraud
  • Malfeasance
  • Criminal Investigation

Political/Social issues: As companies strive to be profitable, political and social issues can interfere with daily operations. Situations that may affect productivity include, but are not limited to:

  • Human rights
  • Terrorism
  • War
  • Political or social unrest
  • Economic disparity
  • Discrimination
 

Have locations across the globe? Download TRP Corp's free guide,"Response Planning for Large Organizations with Multi-Facility Operations".

Multiple Facility Response Planning Company Preparedness Guide DOWNLOAD

Tags: Social Unrest, Business Continuity, Resiliency, Crisis Management, Incident Management, Terrorism Threat Management, Workplace Safety

The Business Impact Analysis: A Step Towards Business Continuity

Posted on Thu, Sep 18, 2014

Companies may not consider the interdependencies between critical operations, departments, personnel, and services until an event disrupts normal operations. A Business Impact Analysis (BIA), a key component in business continuity planning, presents the ability to identify and quantify which business unit that, when absent, would significantly impact a company. While the size and complexity of essential business elements required for sustainability varies among industries, companies, and specific facilities, the ability to quantify and prioritize critical workflow components is a key business continuity element.

Critical business units, associated functions, and a trained workforce provide the greatest financial value to companies. Companies that prioritize process sustainability initiatives that can meet recovery time objectives have a better chance of minimizing impacts of impeding disruptions.

Within each key business unit, additional business functions should be considered and evaluated. By identifying cross business unit dependencies, the need for integrated risk mitigation solutions can be highlighted and proactive measures can be taken. A workflow analysis may prioritize those business functions and processes that must be recovered in order for business continuity plans to be effective. Functions within each business unit may include, but are not limited to:

  •  Finance 
  • Contracts 
  • Supply and trading 
  • Personnel and payroll 
  • Benefits 
  • Accounts payable
  • Environmental health and safety 
  • Information technology

Once critical business functions and workflows are assessed and prioritized, a BIA should be performed.  The goal of the analysis should be to identify the potential impacts of identified risks, uncontrolled threats, and potential non-specific events on these business functions and dynamic processes. Any potential resilience capabilities should be prioritized and mitigation opportunities should be examined.  Operational and process managers should explore and quantify the following aspects to initiate the BIA process:

Timing:

  • Identify critical operational time periods when an interruption would have greater impacts (seasonal, end of quarter, specific month, etc.).
  • Priorities should be determined if an interruption during high-output timeframes creates amplified operational and financial impacts.

Likelihood Level:

  • Indicate how likely each specific threat could occur, considering existing capabilities, mitigation measures, and history.

Duration:

  • Identify the duration and point in time when an interruption would impair operational processes and have financial impact.
  • Estimate the maximum allowable downtime for each specific business function
  • Consider downtime impacts from less than 1 hour to greater than one month

BCP duration: TRP CORP

Staffing minimums:

  • Identify staffing level requirements (including contractors or suppliers) to meet typical daily productivity goals, as well as recovery time objectives.

Operational Impacts:

  • Identify the effects associated with a business unit interruption, considering existing mitigation measures. These may include, but are not limited to:
    • Lost sales and income
    • Negative cash flow resulting from delayed sales or income
    • Increased expenses due to overtime, outsourcing or other operations that increase costs
    • Regulatory fines and legal implications
    • Contractual penalties or loss of contractual bonuses
    • Customer dissatisfaction or withdrawal
    • Delay of business plan execution or strategic initiatives

Recovery Time:

  • Identify the time frame necessary to recover specific critical processes under existing capabilities and, if possible, potentially altered conditions.

Financial Impact:

  • Determine and quantify financial impacts,  considering existing mitigation measures.
  • Critical functions that have the highest financial impacts should be prioritized in business continuity plans.

If a business continuity incident affects two or more business processes, the incident has a greater potential for impact. Interoperable communication and coordination among departments must be exercised for a swift recovery. The effects of a multi-tiered business continuity event can extend beyond the facility borders to affect personnel, multiple critical business processes, vendors or suppliers, and customers.

Adverse information technology (IT) conditions may affect numerous company departments, units and functions. IT components may include networks, servers, desktop and laptop computers and wireless devices. The ability to utilize both office productivity and enterprise-wide software may be essential to restore normal operations. Therefore, time critical recovery strategies for information technology, such as exercised data backup and restoration procedures, should be developed in order to limit the effects of interruptions across multiple business units.

Once critical business units are identified and the BIA is completed, companies can develop an applicable business continuity plan, ensuring a faster state of recovery.

Click HERE or the image below for a free download on Enterprise-Wide Response Planning.

Multiple Facility Response Planning Company Preparedness Guide DOWNLOAD

Tags: Business Continuity key points, Business Continuity, Resiliency, Business Risk, Redundant Systems, Business Continuity Plan