Your Solution for SMART Response Plans

Cyber-Security Framework Aids in Business Continuity Planning

Posted on Thu, Jul 30, 2015

Company operations are increasingly intertwined with critical technology. A company’s business continuity plan (BCP) should include processes related to critical technologies that may be lost during an incident. A BCP is a vital tool that companies can use to plan for the restoration of normal operations after a business disrupting incident. In order to minimize the risk of technology-related continuity incidents, company-wide computer security best practices are essential.

Computer and cyber security mitigation measures, along with BCP reviews, can safeguard necessary integrated technologies, prevent hacking, and ensure business continuity. A breach in computer security can create a temporary or permanent loss of operations, software, and/or vital records.

In 2014, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) received and responded to 245 incidents reported by asset owners and industry partners. The Energy Sector reported the most incidents, followed by critical manufacturing. It is essential that companies share cyber security breach information, review lessons learned, and protect technologies in order to minimize the threat to critical infrastructure.

Reported Cyber-Security Incidents by Industry Sector

Source: ICS-CERT, 245 incidents reported by sector (FY2014)

According to ICS-CERT, the graph represents only reported incidents. Many more incidents that occur in critical infrastructure go unreported. The Energy Sector Cybersecurity Framework Implementation Guidance manual states, “ICS-CERT continues to encourage asset owners to report malicious activity impacting their environment even if assistance is not needed or requested.” As incidents are reported, ICS-CERT can provide situational awareness to critical infrastructure industries about similar or related incidents, as well as share data regarding potential hacking and evasive techniques and tactics.

Identifying the procedural details of computer backups, data restoration methods, and minimum software requirements is crucial to re-establishing technology-related critical business processes and to business continuity planning. In early 2015, the Energy Department released guidance to help the energy sector establish or align existing cybersecurity risk management programs to meet the objectives of the Cybersecurity Framework released by the National Institute of Standards and Technology (NIST). In an effort to maintain business continuity, a cyber-security program framework should be implemented.

Cyber-Security Program Framework

The cyber-security program framework consists of a continuous seven-step approach that enables organizations to address the steadily evolving risk environment. In order to secure business continuity efforts, companies should evaluate the framework against their current cyber-security efforts.

STEP 1: Prioritize and Scope

  • Address how to frame, assess, respond to, and monitor risk.
  • Evaluate industry specific critical infrastructure protection objectives and priorities

STEP 2: Orient

  • Focus on critical systems and assets
  • As resources permit, expand focus to include less critical systems and assets
  • Determine evaluation approach used to identify current cyber security and risk management environment (ex: self-evaluations, third-party evaluations)

STEP 3: Create a Current Profile

  • Evaluate and determine status of current systems and security protocols
  • Identify existing cyber security risk management practices and measure them against best practices and proven frameworks. “It is important to understand that the purpose of identifying a Current Profile is not simply to create a map between organizational practices and Category and Subcategory outcomes, but also to understand the degree to which those practices achieve the outcomes outlined by the Framework.”  (Energy Sector Cybersecurity Framework Implementation Guidance, page 10)

STEP 4: Conduct a Risk Assessment

  • Perform cybersecurity risk assessments to identify and evaluate cyber security risks, and determine which are outside of current tolerances.

STEP 5: Target Outcomes

  • Identify the desired outcomes and associated cyber security and risk management standards, tools, methods, and guidelines that will mitigate cyber security risks, commensurate with the risk to organizational and critical infrastructure security.
  • When creating a Target Profile, the organization should consider:
    • current risk management practices
    • current risk environment
    • legal and regulatory requirements
    • business and mission objectives
    • organizational constraints

STEP 6: Determine, Analyze, and Prioritize Gaps

  • Identify gaps between current profile and targeted outcomes.
  • Mitigation priority levels should be assigned to all identified gaps. Prioritization of gaps should include consideration of current:
    • risk management practices
    • risk environment
    • legal and regulatory requirements
    • business and mission objectives
    • any applicable organizational constraints
  • Develop a plan of prioritized mitigation actions to advance to “Targeted Outcome” based on available resources, business needs, and current risk environment.

STEP 7: Implement Action Plan

  • Execute the implementation plan
  • Track progress and completion
  • Evaluate to ensure gaps are closed and risks are monitored

 


Tags: Business Continuity key points, Cyber-Security, Business Continuity Plan

Supply Chain Business Continuity: Have you Planned for Disruptions?

Posted on Thu, Jun 25, 2015

Weather, natural disasters, and other uncontrollable events can interrupt transportation flow and your supply chain – anytime, anywhere, and with little warning. - FedEx.com service alert

In January and February of 2015, blizzards, ice, and frigid cold temperatures targeted the eastern half of the United States. The deluge of extreme weather brought residents, cities, and supply chains to their knees. Meanwhile on the west coast, labor disputes between the International Longshore and Warehouse Union and the Pacific Maritime Association created the partial closure of 29 ports. The Port of Oakland experienced a 39% drop in cargo imports because of the circumstances (Wall Street Journal). The trucking and railroad industries lost valuable time and money, and customers experienced delayed delivery of tons of expected goods. The ripple effect of delayed shipments forced many customers to stockpile goods when available, and alter contracted shipping means when time sensitive goods were required.

Ensuring ample supplies in the midst of an incident can be challenging, especially when external forces create delays. Supply continuity and preparedness efforts are becoming more important as more companies depend on world-wide suppliers. These recent major supply disruptions, both on the east and west coasts, emphasize the need to develop business continuity plans (BCPs) that identify primary and secondary suppliers and alternate resources. By identifying and contracting with vendors and alternate suppliers prior to an incident, a company improves its ability to quickly and successfully respond to unforeseen disruptions.

Pre-emptive identification and mitigation efforts are crucial to preventing supply chain interruptions and costly consequences. Factors to consider in the identification of critical suppliers are complex and extend well beyond first glance analyses. While suppliers of material goods and business-specific products may be critical to business practices, suppliers may also include those that provide the following services, utilities, or infrastructures:

  • Sole source services
  • Electrical power
  • Water
  • Fuel
  • Telecommunications
  • Transportation
  • Staffing
  • Waste Management
  • Facilities

Companies should utilize BCPs to prepare for incidents that could impair or impede the ability to operate as a result of a temporary or permanent loss of required supplies, equipment, critical staff, data, and necessary infrastructure. A BCP can help minimize or counteract many of the potential impacts of a supply interruption or set procedures in motion that limit the effects on operations.

Identification of risks and business impact analyses (BIA) should be performed for critical supply chains as part of the development of BCPs. For common disruptions, such as inept supplier performance, required resources forecasting errors, and transportation and delivery breakdowns, companies can typically utilize historical data to quantify the level of risk and necessary response effort. However, when extraordinary events impact the supply chain, such as the east and west coast incidents, companies may encounter atypical and domino effect impacts. Continuity plans with supply chain response measures must be in place to mitigate the disruption, sustain operations, and restore “business as usual”. The following supply chain related questions, while not all-inclusive, can be used as response planning discussion points to identify necessary supply-related business continuity and response elements:

  • How would a potential critical material supply disruption affect both internal and external resources?
  • Have critical supplies, interdependencies, and potential bottleneck scenarios been identified?
  • Have critical materials and response equipment needs, minimum levels, and recovery time limits been evaluated and defined?
  • Are processes in place to monitor internal and external supply chains that identify potential delivery disruption?
  • Have back up suppliers been identified and communicated with?
  • Have memoranda of understanding (MOUs) for services, and equipment or supply contracts, been established and/or kept up-to-date?
  • Do business continuity initiation procedures encompass verified primary and secondary supply chain contacts?
  • Is there historical data that indicates potential impacts and durations that can be used for planning?
  • Are “Best Practices” supply chain continuity procedures available from like-companies and industry experts?
  • Do critical suppliers have alternate processes and delivery methods in case an event affects their operations?
  • Have supply disruption scenarios been included in emergency response and business continuity exercises?
  • Are employees trained in the event of supply disruption?
  • Have mitigation measures been examined and implemented based on BIAs?


Tags: BCM Standards, Business Continuity key points, Business Continuity Plan, Business Disruption, Mitigation

The Basics of Business Continuity Planning

Posted on Thu, Mar 12, 2015

The primary purpose of a Business Continuity Plan (BCP) is to minimize the negative impacts of a business interruption by accelerating the return to “business as usual”.  A BCP should be applied to every business, small or large, to provide a framework to ensure operational resilience in the event of business disruption. Industries including manufacturing, healthcare, education, financial, energy, and retail can benefit from business continuity planning, but each organization must create a detailed and specific plan for each of their locations, business units, or functional groups.

Numerous events, such as this winter’s perpetual snow storms, can cause business disruptions. Business interrupting events typically result in the loss or temporary disruption of key business resources including:

  • Facilities or Workspace
  • Infrastructure or IT Applications/Systems
  • People
  • Supply Chain

In order to protect a company’s viability, site-specific recovery strategies should be developed with the assumption that a disruption will occur during a peak business cycle, when the services or output are at the highest level and most critical point. A Business Impact Analysis (BIA) enables a company to identify and quantify which business units, when absent, would impact profitability and threaten its survival. While the size and complexity of essential business elements required for sustainability vary among companies, the ability to quantify and prioritize critical workflow components is a key business continuity element. Some departments to consider when conducting a BIA for peak cycles include, but are not limited to:

  • Finance and Treasury
  • Contracts
  • Supply and Trading
  • Financial Accounting
  • Emergency Response/Crisis Management Team
  • Payroll
  • Benefits
  • Accounts Payable
  • Environmental Health and Safety

Once critical components are identified, managers should review the following business continuity planning elements for each critical business function:

  • Determine what personnel, software, and vendors are required to continue these processes.
  • Identify the duration and point in time when an interruption would impair critical processes and develop recovery time objectives.
  • Estimate the maximum allowable downtime for each specific business function.
  • Identify alternate locations where these processes can be maintained in the event normal facilities are not accessible.
  • Identify how communications will be maintained
  • Provide training for BCP personnel that are assigned to support the continuity of operations.


A BCP should include site-specific details that can direct process continuation or restoration. The following continuity plan components should be included in a site-specific BCP.

1. Plan distribution list: Names, addresses, and contact information of those that retain secured access to the BCP.

2. Key contacts and notification procedures: Identify all primary and secondary contacts that must be made aware of a business interruption. It is important to routinely verify contact information for accuracy, and train personnel in BCP activation and notification procedures.

3. Key staff roles and responsibilities: Develop position-specific checklists and procedures detailing responsibilities from business continuity implementation through recovery. Task teams should be formed, at a minimum, to cover each critical business process. Business Continuity Team structure, organization charts, and interfaces should be clearly communicated. It may be necessary to provide cross team training, in the event that primary team members are not available.

4. Off-site recovery location(s): Include address, contact information, available on-site equipment, and any necessary external equipment for effective operations.

5. Recovery action plan: Identify/develop incremental processes and procedures necessary to recover each critical business process.   Response checklist timelines may include time increments such as 1st hour, 24-hours, 48 hours, one week, one month, and long-term recovery.

6. Customer data:  Identify communication methods and necessary contact information in order to inform customers of disruptions of deliverables. Effective customer relations and communication may be critical in retaining clients and maintaining positive relationships during a business interruption.

7. Primary suppliers contact list: Identify contact information of supply dependencies and interdependencies. Transportation delays or events at suppliers’ locations could affect delivery times; therefore the plan should address this issue.

8. Alternate suppliers list: Primary supply chain failures can be crippling to key business components. Through the planning process, alternative suppliers should be explored, and contact information and materials should be documented in order to reduce the impact of primary suppliers’ disruption.

9. Documentation and Insurance details: Identify details of insurance coverage and accurate contact information. The burden of proof when making claims typically lies with the policyholder. Accurate and detailed records are imperative. Documentation forms should be made available to all critical business unit leaders for timely documentation.

10. Technology requirements: Identify necessary hardware and software, and the minimum recovery time requirements for each business unit.

11. Backup data details: Business continuity plans should identify details of data backups and recovery methods. If current backup procedures are questionable, mitigation measures should be evaluated prior to a business disrupting event.

12. Equipment requirements: Identify equipment requirements for each business unit, primary and alternate suppliers, and recovery time goals.

13. Review and revise:  On an annual basis or following an incident, incorporate newly identified hazards and vulnerabilities into the business continuity plan. Include necessary equipment used (requiring replacement or replenishment), altered processes, and lessons learned.


Tags: Business Continuity key points, Business Continuity, Business Continuity Plan

The Role of Communications Planning in Business Continuity

Posted on Thu, Nov 06, 2014

The primary goal of business continuity planning is to efficiently restore operations through predetermined, systematic processes and procedures. However, in order to minimize the impacts and rapidly respond to operational hindrances, companies must ensure business continuity communication methods and procedures are clearly defined and functional.

Communication planning is an integral part of preparedness and any continuity process. Clear and effective communication channels must remain available in order to disseminate information to employees, assess and relay damage, and coordinate a recovery strategy. Failed communication often results in failed business continuity efforts. Thoroughly planning, testing, and exercising communication procedures within the following four phases is essential to ensure effective business continuity and viability of critical business operations.

1. Notification - The notification process begins upon the anticipation or discovery of a business continuity situation. Appropriate personnel and applicable business unit managers should be initially notified and updated on the current scenario. The initial notification format can be dictated by company policy; however, all known information should be provided at that time, including:

  1. Location of impact or potential impact
  2. Scenario details (fire, explosion, etc.)
  3. Implementation timeline

The person responsible for each critical business process should begin documenting response actions.  Necessary continuity information should be maintained and updated as necessary to ensure all management and affected personnel can quickly initiate proper actions.

In the planning phase, initial communication procedures, available communications equipment, and alternative communication formats should be evaluated.  Initial and back up communication formats should be agreed upon during training and exercises to certify that managers, continuity personnel, external suppliers, and possibly the public receive pertinent messages.

Primary and alternate resources contact information should be included in the business continuity plan (BCP) to ensure consistent delivery and continued operations in the event suppliers are subjected to business continuity circumstances. Up-to-date contact information for internal and external responders should be verified for accuracy.

2. Verification - Verification of contact information for personnel, continuity supervisors, and external responders should be done on a periodic basis. Business continuity planners must be certain that new employees are included in the plan, as necessary, and that notifications are being delivered to accurate e-mail addresses and/or contact numbers.

If maintaining accurate contact information is challenging, consider opting for an e-mail notification verification system that enables the contact to verify their information through hyperlinks. Companies can also offer incentives, such as drawings or prizes, to encourage all personnel to verify contact information as requested.

3. Stabilization - Stabilization is the result of the corrective actions initiated by the business continuity coordinator, business unit managers, and response personnel. Stabilization includes such actions as initiating proper notifications and implementing a procedural course of action. Planners should identify and procure necessary communication equipment and establish processes for continued operations and recovery. This will prevent unnecessary downtime and additional recovery efforts. Effective communication is the bridge to stabilization.

4. Recovery - Recovery begins once the affected area, personnel, equipment, and/or operations are accounted for and stabilized. Recovery communications include actions such as damage assessment reporting, interactions with response personnel, removal and disposal of the disruptive element, and safety verification prior to reentry or a return to operations. The lines of communication need to remain open in order to return to a “business as usual” level.

Developing relationships and common understandings of roles and responsibilities prior to a continuity event increases overall communication, post-disaster collaboration, and unified decision-making, streamlining the recovery process.

Upon termination of the incident and restoration of operations, an oral and written critique of the response should be conducted among personnel and the key business continuity members.  Communicating through evaluations and post-incident summaries can lead to the identification of continuity challenges and procedural obstacles. Items requiring action should be documented, communicated to involved parties, and tracked to ensure that potential corrective actions are identified and mitigation efforts are completed.


 

Tags: Business Continuity key points, Business Continuity, Crisis Management, Communication Plan, Business Continuity Plan

The Business Impact Analysis: A Step Towards Business Continuity

Posted on Thu, Sep 18, 2014

Companies may not consider the interdependencies between critical operations, departments, personnel, and services until an event disrupts normal operations. A Business Impact Analysis (BIA), a key component in business continuity planning, presents the ability to identify and quantify which business units, when absent, would significantly impact a company. While the size and complexity of essential business elements required for sustainability vary among industries, companies, and specific facilities, the ability to quantify and prioritize critical workflow components is a key business continuity element.

Critical business units, associated functions, and a trained workforce provide the greatest financial value to companies. Companies that prioritize process sustainability initiatives that can meet recovery time objectives have a better chance of minimizing impacts of impending disruptions.

Within each key business unit, additional business functions should be considered and evaluated. By identifying cross business unit dependencies, the need for integrated risk mitigation solutions can be highlighted and proactive measures can be taken. A workflow analysis may prioritize those business functions and processes that must be recovered in order for business continuity plans to be effective. Functions within each business unit may include, but are not limited to:

  •  Finance 
  • Contracts 
  • Supply and trading 
  • Personnel and payroll 
  • Benefits 
  • Accounts payable
  • Environmental health and safety 
  • Information technology

Once critical business functions and workflows are assessed and prioritized, a BIA should be performed.  The goal of the analysis should be to identify the potential impacts of identified risks, uncontrolled threats, and potential non-specific events on these business functions and dynamic processes. Any potential resilience capabilities should be prioritized and mitigation opportunities should be examined.  Operational and process managers should explore and quantify the following aspects to initiate the BIA process:

Timing:

  • Identify critical operational time periods when an interruption would have greater impacts (seasonal, end of quarter, specific month, etc.).
  • Priorities should be determined if an interruption during high-output timeframes creates amplified operational and financial impacts.

Likelihood Level:

  • Indicate how likely each specific threat is to occur, considering existing capabilities, mitigation measures, and history.

Duration:

  • Identify the duration and point in time when an interruption would impair operational processes and have financial impact.
  • Estimate the maximum allowable downtime for each specific business function
  • Consider downtime impacts from less than 1 hour to greater than one month


Staffing minimums:

  • Identify staffing level requirements (including contractors or suppliers) to meet typical daily productivity goals, as well as recovery time objectives.

Operational Impacts:

  • Identify the effects associated with a business unit interruption, considering existing mitigation measures. These may include, but are not limited to:
    • Lost sales and income
    • Negative cash flow resulting from delayed sales or income
    • Increased expenses due to overtime, outsourcing or other operations that increase costs
    • Regulatory fines and legal implications
    • Contractual penalties or loss of contractual bonuses
    • Customer dissatisfaction or withdrawal
    • Delay of business plan execution or strategic initiatives

Recovery Time:

  • Identify the time frame necessary to recover specific critical processes under existing capabilities and, if possible, potentially altered conditions.

Financial Impact:

  • Determine and quantify financial impacts,  considering existing mitigation measures.
  • Critical functions that have the highest financial impacts should be prioritized in business continuity plans.

If a business continuity incident affects two or more business processes, the incident has a greater potential for impact. Interoperable communication and coordination among departments must be exercised for a swift recovery. The effects of a multi-tiered business continuity event can extend beyond the facility borders to affect personnel, multiple critical business processes, vendors or suppliers, and customers.

Adverse information technology (IT) conditions may affect numerous company departments, units and functions. IT components may include networks, servers, desktop and laptop computers and wireless devices. The ability to utilize both office productivity and enterprise-wide software may be essential to restore normal operations. Therefore, time critical recovery strategies for information technology, such as exercised data backup and restoration procedures, should be developed in order to limit the effects of interruptions across multiple business units.

Once critical business units are identified and the BIA is completed, companies can develop an applicable business continuity plan, ensuring a faster state of recovery.


Tags: Business Continuity key points, Business Continuity, Resiliency, Business Risk, Redundant Systems, Business Continuity Plan

7 Key Points for Industrial Business Continuity and Disaster Recovery

Posted on Thu, Aug 14, 2014

Process and procedural effectiveness and efficiency are key elements in determining a company’s success. Critically detailed reviews, evaluations, and improvements to your processes and procedures can contribute to overall corporate viability and profitability. Process and procedural effectiveness and efficiency are also critical when it comes to developing and implementing business continuity plans.

The goal of business continuity planning is to efficiently restore operations through a predetermined, systematic approach. Unfortunately, many companies lack adequate recovery planning and recuperative procedures to restore critical information, essential processes, and normal business operations within an acceptable recovery time frame. The lack of business continuity preparedness can adversely affect corporate reputation, financial stability, and overall resilience.

The business continuity recovery process is typically a sequence of concurrent and interdependent activities that facilitate measured advances toward a successful recovery. Decisions and priorities set early in the recovery process often have a cascading effect on the evolution and speed of the recovery progress and business continuity efforts. Because recovery timeliness has a direct impact on operational viability, pre-planning business continuity implementation processes and intended procedures is critical.

Developing relationships and common understandings of roles and responsibilities prior to a disaster increases post-disaster collaboration and unified decision-making, and streamlines the recovery process. A fully coordinated recovery plan may require utilizing internal and external stakeholders. Business unit management and staff, in conjunction with external participants, must be familiar with and trained in the recovery procedures in order to effectively implement directives and maintain minimal business continuity.

Recovery time and outcomes vary based on incident circumstances, challenges, and priorities. A successful disaster recovery can be characterized as the return of operations to pre-disaster conditions. FEMA’s National Disaster Recovery Framework provides key factors that contribute to a successful recovery.  With secured sharing abilities, a web-based, database driven planning system can aid in the management and communication of the key factors of a business continuity recovery process. These factors include:

1. Effective Decision-making and Coordination:

  • Confirm roles and responsibilities of recovery team and stakeholders
  • Examine recovery alternatives, address conflicts and make informed and timely decisions that best achieve recovery
  • Establish metrics for tracking progress, ensuring accountability and reinforcing realistic expectations among stakeholders
  • Track progress, ensure accountability, and make procedural adjustments as necessary

2. Integration of Community Recovery Planning Processes:

  • Engage all stakeholders in pre-disaster business continuity and recovery planning, training, and exercises
  • Establish processes and criteria for identifying and prioritizing key recovery actions and projects

3. Well-managed Recovery:

  • Leverage and coordinate recovery teams, local response groups, government liaisons, and non-governmental organizations to accelerate the recovery process and avoid duplication of efforts
  • Surge staffing and management structures as necessary to support the workload during recovery
  • Establish leadership guidance, including the shift of roles and responsibilities, for the transition from response operations to recovery, and eventually a return to a normal (or new normal) operational state
  • Ensure regulatory compliance throughout recovery process

4. Proactive Community Partnerships, Public Participation, and Public Awareness:

  • Ensure transparency and accountability
  • Communicate recovery objectives (short, intermediate and long-term) and applicable detailed information to employees, stakeholders, and community members

5. Well-administered Financials:

  • Clearly identify funding sources and financial recovery processes
  • Evaluate and present external programs that can provide financial assistance to aid in the recovery progress
  • Allow for budgetary flexibility, yet maintain adequate financial monitoring and accounting systems
  • Implement processes and systems that detect and deter fraud, waste, and abuse.

6. Organizational Flexibility:

  • Institute scalable and flexible processes that can align with recovery operations objectives
  • Institute business processes that can evolve and adapt to address the changing landscape of post-disaster environments

7. Resilient Rebuilding:

  • Invoke “Lessons Learned” in the restoration phase to minimize risks and threats, and improve response, recovery and restoration efforts. 


 

Tags: Business Continuity key points, Business Continuity, Business Continuity Plan, Disaster Recovery, Disaster Response, Business Disruption

8 Expert Tips for Improving Oil and Gas Business Continuity Programs

Posted on Thu, Jul 31, 2014

Improving the effectiveness of business continuity plans (BCPs) should be an ongoing process. From technological advancements to best practices implementation, continually evolving planning programs can improve recovery time and minimize unexpected impacts of recovery efforts.

Below are eight tips to consider in the continual effort to improve business continuity programs:

1. Data Availability and Accuracy: Establishing readily available, accurate, and up-to-date response information has been proven to limit the duration of the emergency.  The faster continuity processes can be accessed and assessed, the sooner business continuity procedures can be implemented, critical business functions can be restored, and “business as usual” operations can be reestablished. Technology advancements and web-based formats enable companies to simplify plan administration efforts and expand availability options.

Site-specific information regarding company operations, critical business units, on-site equipment, and employees is continuously changing. If critical plan information is missing or out-of-date, the recovery will be hindered. Accurate details of personnel or operational modifications, expansions, and adjustments must be incorporated into a business continuity program.

2. Training: Business continuity training programs that include crucial personnel, experienced leadership, best practice guidelines, and proper documentation ensure established processes will be implemented as planned. While peripheral collaboration and partnerships in business continuity efforts can be markedly beneficial, companies should not solely rely on external assistance or government agencies to restore ideal working environments. Company training should be designed to minimize impacts on personnel and the operational infrastructure, while ensuring adequate business continuity responses.

Companies need to perform cyclical internal training program audits to create corporate assurance, add business continuity program value, improve operational productivity, and ideally prevent harmful incidents from dismantling operations. Objective internal auditing that begins with a business impact analysis (BIA) emphasizes corporate responsibility to employees. BIAs, in conjunction with training, can often reveal inadequacies and mitigation opportunities. Training audits can bring a systematic, self-sufficient, and disciplined approach to evaluating and improving the effectiveness of business continuity efforts and corporate governance processes.

3. Exercises: Exercises provide a setting for BCP procedures to be tested. Real world exercise scenarios can often highlight potential deficiencies in the BCP processes and procedures, comprehension of individual roles and responsibilities, and partnership coordination. Identifying BCP deficiencies can lead to previously unrecognized mitigation and training opportunities.

In preparation for these exercises, companies should develop exercise-planning documents, including participant and controller’s packages that contain exercise objectives, scenarios, ground rules, and simulation scripts. These guidelines, at a minimum, should be provided to all participants prior to the exercise to allow for a thorough examination of exercise expectations.

4. Accessibility: Web-based BCPs offer a secured accessibility option for stakeholders, auditors, and employees. With web-based technology and an Internet connection, enterprise-wide BCP programs embedded with database driven software can be immediately and securely available without the “version confusion” typically found in other formats.

Companies should establish BCP backup and download procedures that ensure the latest version of the plan is always accessible in the event Internet communication is lost. However, a web-based format enables secured access from any location, magnifying accessibility opportunities far from the site of impact. Both paper-based plans and those housed on a company intranet are often out of date with multiple versions in various locations or inaccessible in an emergency scenario.

5. Collaboration: Business continuity program effectiveness can be optimized through efficient interoperability and partnerships. When diverse organizations work together for a greater good, response expertise can dramatically broaden and recovery time can be minimized. Limiting the timeline of potentially escalating incidents and maximizing business continuity efforts can accelerate recovery time and operational restoration. Coordinating planning, training, drills, exercises, and resource availability with local agencies, contractors, and site leadership is an important aspect of business continuity programs.

Local agencies may provide additional knowledge based on particular research, experiences, or occupational training in a particular area of study. Company or facility emergency managers and business continuity leaders should continually meet with government agencies, community organizations, and utility companies throughout the entire planning cycle to discuss likely emergencies and the available resources to minimize the effects on operations.

6. Auditing: Business continuity audits, whether conducted by in-house professionals or experienced consultants, can often reveal planning inadequacies and mitigation opportunities. Regrettably, most companies address business continuity gaps only after an incident has occurred. With an objective eye, a BIA and plan audit can bolster a business continuity program and minimize the chance of incidents crippling revenue, operations, and company viability.

7. Mitigation: Adverse conditions, inept processes, or ineffective procedures pose risks to employees, infrastructures, and critical business units. By eliminating or mitigating risks, companies can reduce the potential for business continuity situations. A risk assessment and BIAs can be used to identify situations that may lead to incidents and prolonged response.

While not all risks can be averted, a company can become better prepared for continuity if procedural risk mitigation measures are implemented. Mitigation measures may include a variety of tactics including, but not limited to, training for employees, updating processes and procedures, or purchasing updated equipment.

8. Best Practices Implementation: Applying “best practices” to a business continuity program enables managers to leverage past experiences as a means to improve planning efforts for future impacting scenarios. By analyzing past incidents and responses, executing enhancements, and reinforcing lessons learned, companies will be better prepared than their historical counterparts.


Tags: Business Continuity key points, Business Continuity, Resiliency, Business Continuity Plan

Managing The Key Resources of Industrial Business Continuity Plans

Posted on Mon, Jul 21, 2014

Emergency management is continually evolving. The changing threat environment, including acts of nature, accidents, infrastructure weaknesses, cyber security attacks, and terrorist related incidents, coupled with tightly intertwined supply chains, has increased the urgency to revamp emergency management and business continuity efforts.

Building business continuity and emergency response plans to maintain personnel safety, and protect and restore operations is vital. Companies continue to develop and improve upon existing processes to seamlessly aid in managing risk and the rapid restoration of operational processes. However, with ever-changing threats, multiple sites, and human resource variables across an enterprise, most companies find it challenging to develop and maintain accurate and realistic business continuity plans (BCPs).

While the planning process may be executed with in-house staff, some companies prefer to use seasoned consultants for impartial critical process evaluations and experienced guidance. Consultants should have hands-on experience in business continuity and disaster preparedness. Specialized consultants may offer web-based, database driven platforms that incorporate site-specific business continuity information while streamlining company formats across an enterprise. The web-based option eases maintenance efforts and reduces administrative costs associated with managing BCPs. However, consultants must be able to comprehend core business needs and clearly communicate recommendations in order to successfully develop a customized, site-specific, and functional BCP.

According to FEMA, the ability to perform essential functions lies within four key resources.

  • Leadership
  • Staff
  • Communications and Technology
  • Facilities

Site-specific information must be applied to the key resources. It is necessary for continued operation to evaluate and identify alternate site-specific resources that may be utilized during an incident.  If one or more of the key resources are lost, critical business processes may be affected. Keep in mind that any new business operations that may have developed also need to be included in these evaluations.

Leadership

Business Continuity Coordinators (BCCs) are typically responsible for the development and maintenance of business continuity plans. They must work closely with critical business units to understand their processes, identify risks, and provide solutions to help manage and minimize those risks. However, once an incident occurs, the BCCs must communicate, manage, and control activities associated with damage assessments and the recovery of critical business functions. Depending on the enterprise, a BCC may be assigned to an individual facility or a specific geographic location that encompasses numerous facilities with like-operations.

The BCC, in conjunction with the Incident Commander, may be tasked with activating and coordinating organization elements in accordance with an incident action plan.  By working with the appropriate business unit leaders assigned to business continuity/recovery plans, the BCC can also provide guidance for compliance with Incident Action Plan (IAP) components.

Staff

The BCP should systematically guide specifically assigned personnel to restore operations that are affected by abnormal conditions. It is critical to identify the implications of a sudden loss for each business unit or necessary resource by performing a business impact analysis. While critical process evaluations can determine operational dependencies that are required to maintain normal operations, staff must be trained to carry out the BCP objectives. BCP training and exercises should occur (at a minimum) on an annual basis, or as required by regulations or company policy.

A BCP should identify the minimum staffing levels necessary to remain operational. As recovery advances, staffing levels may require adjustments. Depending on the scenario, the least critical process participants might have to vacate the facility while leaving critical players in motion to maintain or restore necessary functions. Companies should ensure staff, contractors, and suppliers understand their initial and adjusted responsibilities, and recovery time objectives.

Communications and Technology

Clear and effective communication channels and critical technologies must be available in order to disseminate information to employees, assess and relay incident updates, and implement necessary recovery strategies. As part of the business continuity mitigation process, companies should evaluate available communication equipment, mass notification systems, and technology storage and backup processes to ensure accessibility and functionality in multiple business continuity scenarios. All critical communication and technology should be included in a BCP with detailed recovery procedures and recovery time objectives.

Facilities

Facility management should be a crucial aspect of a business continuity plan. If an area or facility cannot sustain minimum service or operational levels, companies should mobilize resources, and/or relocate equipment and personnel to alternate areas, facilities, or redundant sites. If deemed acceptable, this may include  “working from home” strategies. In order to respond quickly and effectively to facility damage, BCPs should include predetermined suppliers/contractors (tree services, plumbers, electricians, restoration companies, and/or necessary skilled trades and suppliers).


Tags: BCM Standards, Business Continuity key points, Business Continuity, Cloud Computing, Business Continuity Plan

Securing Critical Business Functions Through BC Preparedness Planning

Posted on Mon, Feb 24, 2014

Human nature is such that we go about our days under the impression that disasters will never happen to us. As a result, preparedness is often low on the list of priorities. Beneficial uncertainty, financial strain, and daily workloads leave many companies without a sustainable and actionable business continuity plan (BCP).

The 24/7 news bombardments of impending doom and heart-wrenching disasters continually emphasize the need for a BCP, despite the high degree of beneficial uncertainty associated with its implementation. Unless regulations require implementation, business practices are not typically based on “what if” scenarios. To add to the complexity, performing a cost-benefit analysis for business continuity is challenging. Managerial decisions are generally based on concrete financials that benefit departments, stockholders, and profitability. Benefits resulting from BCP and mitigation efforts are dynamic in nature, and are not limited to a single structure, department, or operation.

However, nearly every company relies on the following essential functions and/or resources for productivity and profitability:

  • Leadership
  • Staff
  • Communications/Technology
  • Infrastructure

If one or more of these essential functions and/or resources fails, companies must have alternative processes in order to remain functional.  When the disruptions or failures are extended over hours, days, or weeks, a company's general viability is at risk.

Awareness has made it evident that business continuity plans are crucial to ensure long-term viability. Companies that prepare for disruptions limit their impact on the overall business processes and accelerate the return to normal business operations. For those not prepared, the situation can negatively affect profitability, customer relationships, and overall business performance.

Most C-level executives’ role is to support and protect company assets.  Implementing a BCP with key details and alternate provisional elements can better ensure that a company will survive any type of disruption or disaster. The following elements can be used as a basic outline for a BCP.

1. Plan distribution list: Names, addresses, and contact information of those who retain access to the business continuity plan.

2. Key contacts: Identify all primary and secondary contacts that must be made aware of the business interruption. It is important to routinely verify contact information for accuracy.

3. Key Staff Roles and Responsibilities: Job specific checklists and procedures detailing responsibilities from business continuity implementation through recovery. Task teams should be formed, at a minimum, to cover each essential business process. It may be necessary to provide cross team training and provide extended knowledge in case primary team members are not available.

4. Off-site recovery location: Include address, contact info, available on-site equipment, and any necessary external equipment for effective operations.

5. Recovery Action Plan: Incremental processes and procedures necessary for each critical business process to meet goals. Checklists may be developed in increments such as 1st hour, 24-hour, 48-hour, one week, one month, and long-term recovery.

6. Key customers’ data:  Identify communication methods and necessary contact information in order to inform customers of disruptions of deliverables. Effective customer relations and communication may be critical in retaining clients and maintaining positive relationships during a business interruption.

7. Key supplier contact list: Dependencies and interdependencies should be identified and contact information confirmed and detailed. Transportation delays could affect delivery times. Plan, mitigate, and communicate accordingly.

8. Alternate suppliers list: The consequences of a supply chain failure on associated key business components can be crippling to productivity. Through the planning process, alternate suppliers should be explored to reduce the impact of supply chain disruptions.

9. Insurance details: Identify details of insurance coverage and accurate contact information. The burden of proof when making claims typically lies with the policyholder. Accurate and detailed records of disruption are imperative.

10. Back-up data: Identify details of computer backups and the recovery methods.

11. Technology requirements: Identify necessary hardware and software, and the minimum recovery time requirements for each business unit.

12. Equipment requirements: Detail applicable equipment requirements for each business unit and recovery time goals.

13. Review log: Newly identified hazards and vulnerabilities should be incorporated into the business continuity plan. The log can include necessary equipment used (requiring replacement or replenishment), altered processes, and lessons learned.

 


Tags: Business Continuity key points, Resiliency, Business Continuity Plan, Business Disruption

Hats, Gloves, and Business Continuity Planning

Posted on Thu, Feb 13, 2014

In January 2014, the meteorological term “Polar Vortex” was indoctrinated in the minds of millions across the United States. With arctic temperatures plummeting unusually far south, two-thirds of the nation was paralyzed by record-breaking cold. According to Evan Gold, Senior Vice President at Planalytics, a business weather intelligence company, January’s polar vortex resulted in a $50 billion economic disruption, the most delivered by a weather phenomenon since Superstorm Sandy in 2012.

Severe weather habitually affects routine business operations and profitability. Weather can be the culprit of power outages, dangerous temperatures, supply disruptions, and safety hazards, and can potentially impair access to key infrastructures. The January events, which impacted nearly 200 million people, are one of the many examples of how severe weather affects operational continuity. Fortunately, temperatures will generally rise over the next few weeks and winter gear can be stored until next season. However, with every new season come new risks and the need for an effective business continuity plan.

Despite seasonal specifics, companies should perform a business impact analysis (BIA), a precursor to a business continuity plan. The process of a BIA, in conjunction with a Business Continuity Plan, allows for targeted recovery strategies to be developed in the event of an emergency. A BIA should be utilized to predict the consequences of business function and process disruptions. Through a detailed analysis of potential lapses, predetermining applicable recovery strategies can reduce the length and severity of disruption impacts. These preparedness strategies allow for a smoother transition from critical business process disruptions to “business as usual”.

After each critical process is identified, the potential impacts resulting from loss of facilities, infrastructure, personnel, or supply chain can be examined for each process. Key minimum recovery components along with incremental recovery time objectives should be detailed for each critical process. Timely recovered critical processes reduce the overall potential damage to operations.

To identify the minimum service level requirements for a specific key process, the following components should be evaluated for each critical business process.

  1. Recovery Time: Identify how long it would take to recover a specific critical process under scenario specific circumstances.
  2. IT requirements: If electronic data must be available to recover specific processes to a minimum service level, identify the necessary requirements.
  3. Data Backup History: Indicate how old the data can be to satisfy recovery (i.e. last weekly backup, last monthly backup, last quarterly backup, etc.) and review recovery methods.
  4. Review alternate location options: Identify needs and review options for off-site backup processes.
  5. Staffing minimums: Identify needs throughout recovery time objectives to optimize recovery.
  6. Impact Level: Indicate how severely the process would be impacted considering current/existing mitigation measures (ex. minimal, somewhat severe, severe).
  7. Likelihood Level: Indicate how likely each specific threat is to occur considering current/existing capabilities, mitigation measures, and history.

Once critical business units are identified and the BIA is completed, companies can develop a business continuity plan (BCP). For predictable naturally occurring events such as severe weather, business continuity planning can minimize potentially dire financial impacts. Such planning should include, but is not limited to, the following:

  • Conduct awareness training, including facility evacuation routes and procedures
  • Coordinate activities with local and state response agencies
  • Communicate recommended community evacuation routes
  • Procure emergency supplies
  • Monitor radio and/or television reports
  • Secure facility
  • Secure and backup critical electronic files

Preparedness efforts, specific to winter weather, should include, but are not limited to the following:

  • Monitor news and weather reports on television or the radio (with battery backup)
  • Alert employees or others on-site that severe weather is approaching and communicate expectations
  • Be aware of the dangers posed by extreme temperatures, and ice and snow falling from equipment and buildings; mitigate if possible
  • Identify infrastructure dangers posed by cold weather on exposed piping (hazardous releases, flooding, etc)
  • Prepare and insulate exposed piping
  • Contract snow removal services or obtain the necessary equipment (snow shovels, ice scrapers, rock salt, tire chains, etc.)
  • Ensure that company vehicles have a full tank of gas and are functioning properly (heater, deicing fluid, antifreeze levels, windshield wipers)
  • Ensure flashlights are in proper working order and have additional batteries on site.
  • Monitor ice and snow accumulation on any on site tanks, sheds, or buildings and identify non-hazardous procedures for mitigation.
  • If necessary, obtain generators to re-power facilities or necessary equipment
  • If appropriate, leave water taps slightly open so they drip continuously to prevent pipes from freezing.
  • Understand and implement cold weather response techniques when responding to product spills as released product may flow under ice or snow.
  • Establish and maintain communication with personnel
  • Consider limiting vehicle traffic
  • Maintain building temperature at acceptable levels and understand safety measures if using space heaters.
  • Notify supervisors if facility(s) loses power or is otherwise unable to operate

Tags: Climate Change, Business Continuity key points, Resiliency, Business Continuity Plan, Business Disruption