Your Solution for SMART Response Plans

The Business Continuity Planning Timeline

Posted on Mon, Nov 11, 2013

Not all business continuity events are instantaneous. Although network disruptions and many emergencies are unforeseeable, instances such as significant weather and other events are often predictable, allowing companies to sequentially initiate business continuity plans, if necessary.

Business continuity planning is an ongoing process that should serve as a systematic guide for employees to restore operations that are affected by abnormal conditions. Unfortunately, once a business continuity plan (BCP) has been developed, some companies check it off the list as a “completed” project. However, if a BCP is to be successfully deployed, it must be periodically reviewed, assessed, and updated according to the ebb and flow of its designated operations. Plan development and maintenance efforts are typically aligned with the size, complexity, and volatility of a company or facility.

Below is a general timeline for business continuity implementation. This timeline is inclusive of predicted events; however, it can be accelerated to account for emergency situations and/or timing disparities.

Weeks leading up to identified events:

  • Execute a business impact analysis (BIA) and review
  • Submit BCP updates for each department, as necessary per the BIA
  • Ensure required information/contact list is accurate
  • Train employees on BCP implementation and restorative operations
  • Make specific recommendations for the yearly training program
  • Identify and coordinate all logistical and administrative resources
  • Identify any additional BCP preparation actions

4 Days from identified event

  • Ensure that all actions required for BCP accuracy are complete
  • Advise the BCP management team regarding the developing situation
  • Establish BCP meeting schedule
  • Set incremental time frame for situational updates
  • Evaluate the need and timetable for BCP implementation
  • Advise department heads/coordinators of BCP intentions regarding the situation
  • If relocating operations, coordinate specifics of the move after initial BCP activation
  • Obtain hotel reservations in alternate location, if applicable
  • Execute the final review of the BCP


2 Days (48 hours) from identified event
  • Ensure that all BCP actions required up to this point have been completed
  • If BCP is being implemented, move forward and coordinate implementation procedures
  • If applicable, move operations to alternate site
  • If relocating, review the lodging requirements/assignments with BC staff
  • Review the Communication Plan with staff
  • If evacuation is necessary, communicate expectations to staff

During the event

  • If the event occurs without time for added preparation, immediately implement current BCP procedures
  • Confirm all preparedness activities and required actions for implementation are complete
  • Coordinate operations from alternate site
  • Communicate with Department Heads/Coordinators regarding BCP level/status
  • Produce status reports and distribute to BC management team
  • Produce status reports/press releases for stakeholders, clients, and media
  • Generate information bulletins for employees and contractors

Recovery/Post event

  • Ensure all departments are able to implement a full recovery
  • Receive completed status reports and updates from department coordinators
  • If necessary, mitigate any requirements from critical business units to ensure full recovery
  • If applicable and safe, relocate to original operational site
  • If necessary, continue to coordinate recovery operations from alternate site
  • Organize documentation of all executed actions for review and historical record
  • Communicate current BCP level, or deactivation readiness
  • Review expenditures and submit expense reports
  • Prepare the final report, and send to corporate BCP coordinator
  • Review reports and conduct debrief meetings to identify lessons learned
  • Update BCP with lessons learned
  • Schedule BCP training to review updated BCP procedures

 


Tags: Business Continuity key points, Business Continuity, Extreme Weather, Business Continuity Plan, BCM Metrics

Business Continuity Plan Reviews Identify Preparedness Gaps

Posted on Mon, Sep 30, 2013

Business is not a stagnant entity.  There are multiple moving parts that embody change, allow for progress, and promote growth. Corporate emergency management programs and business continuity plans (BCP) must be adjusted to reflect these changes. Whether change results from facility modifications, corporate mergers, or employee turnover, BCPs need to be reviewed, at a minimum, on an annual basis.

A business continuity review should evaluate identified critical processes necessary for operation. Through this evaluation, shortcomings in mitigation efforts, response coordination, resource capabilities, and response processes can be revealed. The plan may have to be adjusted to incorporate operational changes, employee turnover, and/or new company policies. In a business continuity review, each department should evaluate current critical processes, mitigate identified deficiencies, and update the plan as necessary.  

The following critical business continuity areas should be assessed for accuracy, potential mitigation opportunities, new equipment or resources, and potential policy changes:

  1. Data and computer needs: Identify the procedural details of computer backups, data restoration methods, and the minimum program needs to re-establish critical business processes.  Companies should examine current data center outsourcing to ensure continuity and accessibility or research alternatives.
  2. Notification lists: Update contact lists to ensure all information is accurate. Business continuity planners must be certain that new employees are included in the plan, as necessary, and that notifications are being delivered to accurate e-mail addresses and/or phone numbers. If maintaining accurate contact information is challenging, consider opting for an e-mail notification verification system that enables the contact to verify their own information through hyperlinks.
  3. Communication needs: Clear and effective communication channels must remain available in order to disseminate information to employees, assess and relay damage, and coordinate recovery strategies. Evaluate current communication equipment and/or mass notification systems to communicate to key individuals, company employees, or an entire client base.
  4. Supply Chain: As a company’s needs change and new suppliers come online, plans should be updated to include these critical suppliers. Alternate suppliers should be included in the BCP to ensure consistent delivery and continued operations in the event primary suppliers are subjected to business continuity circumstances, as well.
  5. Essential Personnel: Ensure necessary minimum staffing levels are acceptable to remain operational. Make changes, as necessary. Ensure staff, contractors, and suppliers understand their adjusted individual responsibilities and recovery time objectives.
  6. Equipment needs: Identify and procure necessary equipment and establish processes for continued operations and recovery. This will prevent unnecessary downtime and additional recovery efforts. If applicable, relocate equipment and arrange for essentials prior to an incident. This eliminates time-consuming and potentially costly efforts.

One of the most important aspects of updating a BCP is ensuring that employees are trained in plan components, and plan revisions are exercised. Each of the following phases of a BCP should be reviewed with employees:

Initial Response: The organization’s initial response to a business interruption. The processes and procedures that make up the Initial Response Phase may include, but are not limited to, the following:

  • Initial Notifications
  • Business Continuity Team (BCT) activation
  • Business Unit personnel activation
  • Initial BCT briefing
  • Perform Impact Assessments and determine scope of recovery
  • Review specific recovery strategies/tasks for BCP implementation
  • Implementation of Business Continuity Action Plan

Mobilization and Relocation: The mobilization of resources (equipment and personnel) for relocation to alternate sites. Through mobilization and relocation, the BCP can be fully implemented to sustain minimum service levels defined for each critical process. This stage includes “Work from Home” and “Alternate Facility” relocation strategies. The Relocation Phase includes, but is not limited to:

  • Confirmation of staff relocation schedules and assignments
  • Mobilization of transportation resources
  • Activation of alternate facility equipment and infrastructure resources
  • Occupation of alternate facilities by necessary department members.

Recovery:  The period after personnel and equipment are relocated, to restoration of primary or permanent alternate facilities. Procedures to include in the recovery phase of the Business Continuity Plan are:

  • Implementation of recovery strategies
  • Damage assessment of primary facilities
  • Evaluation of restoration goals/timeline
  • Mobilization of tactical teams for Recovery
  • Monitoring recovery status and plan updates, as necessary
  • Initialization of restoration

Restoration: The period in which personnel return to restored or permanent alternate facilities, to when normal business operations are resumed. Procedures to include in the restoration phase are:

  • Confirm completion of restoration goals for primary facilities and infrastructure
  • Confirm staff relocation schedules and begin relocation to permanent facility
  • Consolidate and archive incident documentation
  • Review and update BCP based on lessons learned
  • Return to normal operations

Tags: Business Continuity key points, Resiliency, Business Continuity Plan, Disaster Recovery, Business Disruption

National Preparedness Month and Corporate Response Planning

Posted on Mon, Sep 23, 2013

In 2004, the U.S. Department of Homeland Security (DHS), The America Prepared Campaign, the American Red Cross, the National Association of Broadcasters, and the U.S. Department of Education joined a coalition of more than 50 national organizations to engage American citizens in emergency preparedness by designating September as National Preparedness Month. This year, more than 3,000 organizations are taking part in supporting emergency preparedness efforts. National Preparedness Month provides a variety of opportunities for citizens to learn more about ways they can prepare for an emergency, get an emergency supply kit, establish a family communications plan, and become better aware of threats that may impact communities.

By prioritizing and encouraging preparedness, companies can set the example for employees, customers, and the surrounding communities. Disasters not only devastate individuals and neighborhoods, but entire communities, including businesses of all sizes. Employers should designate National Preparedness Month to encourage preparedness training, develop business continuity plans (BCP), review and evaluate existing plans, or advance preparedness practices through exercises and gap analyses.

Large and small businesses that are able to continue operations throughout a crisis situation or quickly restore services may avoid economic hardship and potential failure. Determining how to maintain critical business functions in less than ideal situations may be the key to company survival.

Understanding and exercising effective response procedures and the intricacies of a business continuity plan can minimize the effects of an incident. Business continuity events typically result in the loss or temporary disruption of one or more of the following necessary key business resources:

  • Facilities
  • Infrastructure
  • IT Applications/Systems
  • People
  • Supply Chain

A detailed identification and evaluation of critical business processes, focusing on the key business resources above, should be performed as an integral part of a business continuity plan. This “bare bones” evaluation should list the minimum criteria necessary to keep your business in operation. Necessary minimum criteria may include:

Infrastructure needs: An incident that results in facility damage or mandatory evacuations may require relocation of critical business processes.  Companies must identify and arrange for potential alternate locations, if applicable (ex. satellite offices, work from home, alternate locations).

Data and computer needs: Identifying computer backup solutions, data restoration methods, and minimum software requirements are crucial to re-establish critical business processes.  Companies may examine data center outsourcing to ensure continuity and accessibility, as well as alternative/backup power sources for laptops.

Notification lists: Regularly update lists to ensure all contact information is up-to-date. Business continuity planners must be certain that notifications are being delivered to accurate e-mail addresses and/or phone numbers, especially in case of an evacuation. If maintaining accurate contact information is challenging, consider opting for an e-mail notification verification system that enables individuals to verify their own information.

Communication needs: Clear and effective communication channels must remain available in order to disseminate information to employees, assess and relay damage, and coordinate a recovery strategy. A mass notification system may assure a reliable method to communicate to key individuals, company employees, or an entire client base. However, in order for communication to be effective, contact information must be accurate.

Supply Chain: Plans should be constantly updated to include new suppliers. Additionally, pre-selected alternate suppliers should be included in the BCP to ensure consistent delivery and continued operations in the event primary suppliers are not able to provide required services.

Essential Personnel: Identify necessary minimum staffing levels to remain on-site during a storm. As the storm passes, ensure staff, contractors, and suppliers are in communication, and understand their individual responsibilities and recovery time objectives.

Equipment needs: Identify and procure necessary equipment and establish processes for continued operations and recovery. This will prevent unnecessary downtime and additional recovery efforts. The process of relocating equipment and arranging for these essentials after the fact is time-consuming and potentially costly.


Tags: DHS, Business Continuity key points, Business Continuity, Department of Homeland Security, Communication Plan, Business Continuity Plan, Business Disruption

EHS Planning Alignment with the 2013 National Preparedness Report

Posted on Mon, Jul 08, 2013

The terrorist attacks on September 11, 2001 desensitized America’s sense of security and initiated a heightened urgency for companies to prepare for an alternate “business as usual” world. Over the past decade, key formative events have continued to emphasize corporate preparedness. Highly publicized risks of potential terrorist attacks, site-specific threats, severe weather events, and mass shootings, coupled with countless examples of long-term recovery efforts, continue to demonstrate the need for corporate preparedness and crisis/disaster response initiatives.

The publication of the 2013 Department of Homeland Security’s National Preparedness Report  (NPR) represents an opportunity for both the private and public sectors to reflect on progress made in strengthening preparedness and identify lingering gaps.  The NPR provides a national perspective on critical preparedness trends to use to identify priorities, allocate resources, and communicate with stakeholders about issues of shared concern.

The report presents eight key preparedness trends that reach across multiple fronts, including all levels of government, private and nonprofit sectors, faith-based organizations, communities, and individuals. While the overall preparedness level continues to improve, some areas within the core capabilities still present challenges. Companies should utilize the list of eight key preparedness trends to analyze and improve their internal preparedness levels.

  1. Identify preparedness challenges: “The Nation has made important progress in the national areas for improvement identified in the 2012 NPR, but challenges remain.” (2013 NPR). NPR identifies the following areas that continue to challenge preparedness measures:
    1. Cyber security
    2. Recovery-focused core capabilities
    3. Preparedness integration for the disabled
  2. Strengthen infrastructure: Identifying and reinforcing failing critical infrastructure is a newly identified national area for improvement.
  3. Identify partnerships: Enhancing the maturing role of public-private partnerships is a newly identified national area for improvement.
  4. Exercise coordinated response: “Sandy response and recovery efforts highlighted strengths in the Nation’s ability to expedite resources, develop innovative solutions to meet survivors’ needs, and work with nongovernmental partners. However, challenges remain with the Federal Government’s ability to coordinate efforts when surging resources are necessary to respond to disasters.” (2013 NPR)
  5. High priority threats require high response capability: “States and territories continue to report the highest capability levels in those areas frequently cited as high priority. Interstate mutual aid plays a limited role in augmenting the capabilities of states and territories.” (2013 NPR)
  6. Identify external resources and confirm capabilities: “In areas where current capability continues to lag, many states and territories do not expect to build additional capacity and intend to rely on Federal assets to close existing gaps.” (2013 NPR)
  7. Allocate budgets for preparedness planning and mitigation: “Whole community partners continue to use preparedness assistance programs to maintain capability strengths and address identified gaps, while key Federal sponsors are identifying strategies to improve program effectiveness and efficiency.” (2013 NPR)
  8. Institute business continuity measures: “Resilience initiatives are improving the Nation’s ability to measure how well communities can prepare for and adapt to changing conditions, and withstand and recover rapidly from disruptions.” (2013 NPR)

The report also highlights continued progress in enhancing the five mission areas of Prevention, Protection, Mitigation, Response, and Recovery. For companies, the evolution of accessible technology has created the ability to find, create, share, and provide information across a wide base. Companies should utilize available technology to create an integrated, all-hazards planning system that addresses routine, medium, and worst-case emergency scenarios.

Implementing the National Incident Management System (NIMS) allows multiple stakeholders to utilize shared language and principles. In 2012, FEMA identified over 900,000 completions of introductory NIMS and Incident Command System courses. Operational coordination through the implementation of the NIMS can sync and streamline preparedness, response, and recovery efforts.


Tags: EHS, Business Continuity key points, Emergency Preparedness, Emergency Management Program, Workplace Safety

Business Continuity: Testing, Training, and Exercises

Posted on Thu, Jun 13, 2013

The overall purpose of business continuity planning is to ensure the continuity of essential functions during an event that causes damage or loss to critical infrastructure. A continually changing threat environment, including severe weather, accidents, fires, technological emergencies, and terrorist-related incidents, coupled with a tightly intertwined supply chain, has increased the need for business continuity efforts.

To ensure long-term viability, companies should develop, maintain, conduct, and document a business continuity testing, training, and exercise (TT&E) program. The business continuity plan should document these training components, processes, and requirements to support the continued performance of critical business functions. Training documentation should include dates, type of event(s), and name(s) of participants. Documentation also includes test results, feedback forms, participant questionnaires, and other documents resulting from the event.

Elements of a viable business continuity program include, but are not limited to:

  1. Program plans and procedures
  2. Budgeting and acquisition of required equipment and alternate sites
  3. Essential functions of each department
  4. Identification of authority, orders of succession, and roles and responsibilities.
  5. Interoperable communications methods
  6. Vital records management
  7. Testing, training, and exercise
  8. Recovery requirements


The 2010 Department of Homeland Security Continuity of Operations plan template identifies business continuity concepts that should be tested, training priorities, and exercise recommendations. While these concepts are directed at government entities, companies should utilize these directives to evaluate their own business continuity program. Unless noted, the specific testing, training, or exercises should occur (at a minimum) on an annual basis, or as required by regulations or company policy.

TRAINING

  • Train continuity personnel on roles and responsibilities
  • Conduct continuity awareness briefings or orientations for the entire workforce
  • Train organization’s leadership on continuity of essential critical business functions
  • Train personnel on all reconstitution plans and procedures
  • Provide opportunities for continuity personnel to demonstrate familiarity with continuity plans and procedures and demonstrate organization’s capability to continue essential functions
  • Conduct exercises that incorporate the deliberate and pre-planned movement of continuity personnel to alternate facilities
  • Conduct assessments of organization’s continuity TT&E programs, and continuity plans and programs
  • Report documented training to regulatory agencies, if applicable
  • Conduct successor training for all personnel who assume the authority and responsibility of the organization’s leadership, if that leadership becomes otherwise unavailable during a continuity situation
  • Train on the identification, protection, and availability of electronic and hardcopy documents, references, records, information systems, and data management software and equipment needed to support essential functions during a continuity situation for all staff involved in the vital records program
  • Train on the organization’s recovery process, addressing how the organization will identify and conduct its essential functions during an increased threat situation or in the aftermath of a catastrophic emergency

TESTING and EXERCISE

  • Test and validate equipment monthly to ensure internal and external interoperability
  • Test the viability of communications systems monthly and mitigate if necessary
  • Test alerts, notifications, and activation procedures quarterly for all continuity personnel
  • Test primary and backup infrastructure systems and services at primary and secondary recovery sites
  • Test capabilities to perform mission essential functions
  • Test plans for recovering vital records, critical information systems, services, and data
  • Test capabilities for protecting classified and unclassified vital records and for providing access to them from the primary and secondary recovery sites
  • Test physical security capabilities at primary and secondary recovery sites
  • Test internal and external interdependencies of critical functions
  • Conduct exercises on continuity plans that involve using or relocating to primary and secondary recovery sites
  • Demonstrate coordinated communications capability
  • Demonstrate the sufficiency of backup data and records required for supporting essential functions
  • Allow opportunity for continuity personnel to demonstrate their familiarity with the recovery and restoration procedures to transition from a continuity environment to normal activities

Tags: Testing, Business Continuity key points, Business Continuity, Training and Exercises, Business Continuity Plan, Business Disruption

Top 10 Business Continuity Planning Obstacles

Posted on Thu, Mar 14, 2013

A well-developed Business Continuity Plan can minimize business disruptions, while safeguarding key business interests, relationships, and assets. Unfortunately, some companies do not place a high value on Business Continuity Planning and fail to institute sustainability efforts. 

Below are ten common obstacles in Business Continuity Planning (BCP), and possible countermeasures to offset these hurdles.

1. Lack of Management Support:

It is challenging to perform a cost-benefit analysis for business continuity. Managers and corporate executives may not act based on “what if” scenarios, unless regulations require implementation. Managerial decisions are generally based on concrete financials that benefit departments, stockholders, and the bottom line. There is a high degree of beneficial uncertainty associated with implementing BCP measures. Benefits resulting from BCP and mitigation efforts are dynamic in nature, and are not limited to a single structure, department, or operation.

Providing managers and corporate decision-makers with detailed vulnerability and hazard analyses, including concrete financial statistics of their effects, may garner some support. Additionally, professional reports and documentation that highlight increasing threats and vulnerabilities, such as the 2013 Global Risks Report by The World Economic Forum, make a compelling case that may provoke and inspire leaders to implement continuity efforts.

2. Budget Restraints:

Because companies are in the business of making a profit, planning and mitigation measures are often compromised for other priorities. It may be helpful to estimate the cost of implementation for each critical process in relation to the cost of a critical process breakdown.  This exercise may highlight the need for a designated budget.

It may also be necessary to prioritize BCP implementation by each critical process with a step-by-step timeline for completion. Companies can identify and rank the most critical business processes, and implement BCP and mitigation measures based on those priorities. While most processes are intertwined, taking small steps to ensure process continuity is a step toward overall business continuity.

3. Maintaining a Culture of Preparedness:

Employees who are trained in business continuity recovery procedures will be prepared in the event of an operational failure. Managers who emphasize and embrace safety and continuity measures will create a work environment that reflects those principles, and maintain an overall culture of preparedness.

4. Lack of Training and Business Continuity Awareness:

Managers and employees frequently recognize the limits of their business continuity expertise after identifying company and process vulnerabilities. Planning and training should address overall business continuity efforts and detailed standard operating procedures for BCP activation. Training should convey procedural flexibility based on continuing assessment of disaster demands and provide options for each scenario. If implementing continuity efforts is beyond the scope of managers, companies should consider hiring consultants who specialize in business continuity planning.

5. Employee Turnover:

A review of specific business continuity plan roles and responsibilities should be part of any new hire training practices. This will ensure continuity of knowledge, standard operating procedures, and emergency and business continuity procedures. Companies can also benefit from employee turnover. New employees may have unique business continuity experiences or knowledge that can be used to strengthen the plan.

6. Achieving a Constant State of Readiness:

Business continuity processes can be implemented as part of standard operating procedures (SOP).  By instituting best practices, such as backup procedures, mobile or flexible working environments, and alternate supply chains, a constant level of continuity can be sustainable if a facility, personnel, or process is inaccessible.

7. Coordination with External Responder(s)/Supplier(s):

The adoption of NIMS has allowed for adoption of consistent response language and processes. However, exercised coordination and two-way communication are key factors in successful continuity efforts. One of the greatest challenges in disaster preparedness is the continual effort of contact verification.  Dedicated man-hours or an automated cycle of contact verification should be in place as part of the maintenance phase of planning.  A contact verification tool that integrates with web-based, database-driven planning systems can save time-consuming maintenance efforts and eliminate a potential lapse in continuity efforts.  Every effort should be made to regularly confirm contact information and available supplies with partnering entities. Delays in contacting these partners and confirming their involvement may lead to additional business disruptions.

8. Identifying Critical Processes:

The ability to identify and quantify the critical business processes that, when not functional, may damage a company’s reputation or ability to operate is a critical stage in the business continuity planning process. Overall resilience capabilities should be prioritized to mitigate any interruption. Understanding response procedures and the intricacies of a “Plan B” can make the difference between corporate survival and failure. Crisis and disaster situations usually result in the loss or temporary disruption of one or more of the following necessary key business resources:

  • Facilities
  • Infrastructure
  • IT Applications/Systems
  • People
  • Supply Chain

9. Unidentified Threats and Vulnerabilities: 

Threats and vulnerabilities must be identified in order for potential impacts to be analyzed and countermeasures implemented. A hazard analysis indicates the likeliness that each specific threat could occur, considering existing capabilities, mitigation measures, and history. Threats and vulnerabilities can stem from both external and internal actions. Companies should analyze potential threats from typical weather patterns, geographical influences, security efforts, inherent operational hazards, as well as facility design and potential maintenance issues.

10. Securing Suppliers for Business Continuity:

Identify potential alternative supply arrangements that can directly minimize the impact of the identified threats. Disruptions in supply may be outside a company’s domain, yet can severely impact the ability to provide “business as usual”. Factors to consider in the identification of critical suppliers are complex and extend well beyond first glance analyses; however, they may include those that provide:

  • Certain business specific products
  • Sole source services or products
  • Electrical power
  • Water
  • Fuel
  • Telecommunications
  • Transportation
  • Staffing
  • Waste Management
  • Facility or facilities

Download this free 9-Step sample Emergency Response Procedures Flow Chart.

Tags: Business Continuity key points, Business Continuity, Business Continuity Plan, Business Disruption

The Need for Common, Enterprise-Wide Response Plan Terminology

Posted on Mon, Feb 25, 2013

Within a company, the difficulty of managing regulatory compliance and response planning grows exponentially with the number of locations or facilities. A systemic understanding and management of business operations within the context of the organization’s culture, beliefs, mission, objectives, and organizational structure should be extended to emergency response planning. For program effectiveness and efficiency, enterprise-wide integration and coordination are necessary to manage multiple response planning functions. While the National Incident Management System (NIMS) Integration Center does not require plain language for internal operations, it strongly encourages the practice of everyday terminology and procedures that will need to be used in emergency situations.

Establishing consistent language across a company’s emergency management structure is critical to provide a common point of understanding. A company must limit the terminology disparities within the company’s emergency management framework in order to align common goals. The following FEMA definitions can serve as a guideline for establishing common company emergency management program language.

Enterprise Management – Enterprise-wide programs and structures, including Business Crisis and Continuity Management, should be aligned and integrated within the overall Enterprise Management structure.

Crisis Communication – All means of communication, both internal and external, used to organize, design, and deliver to support Crisis Management situations.

Risk Management – The synthesis of the risk assessment, business area analysis, business impact analysis, risk communication, and risk-based decision making functions to make strategic and tactical decisions on whether business risks should be ignored, reduced, transferred, or avoided.

Planning – The development of plans, policies and procedures to address the physical and/or business consequences of residual risks which are above the level of acceptance to a business, its assets and its stakeholders.  Planning should be based upon the results of risk management and within the overall context of enterprise management. For companies with multiple locations, each site’s plans should integrate within the overall enterprise management structure.

Program Implementation – The implementation and management of specific programs that support the Crisis, Emergency, and Continuity Management programs within the context of Enterprise Management. Such programs may include, but are not limited to:

  • Physical security
  • Cyber security
  • Business continuity
  • Environmental, health, and safety

Systems Monitoring – Measuring and evaluating program performance in the context of the enterprise as an overall system of interrelated parts.

Awareness/Training/Exercising – A tiered program used to develop and maintain individual, team and organizational awareness and preparedness.  This program can range from individual and group familiarization and skill based training, through full organizational exercises.

Incident Management – The management of operations, logistics, planning, finance, administration, safety, and information flow associated with the operational response to the consequences/impacts of an incident. Through technology, systems are now available that offer real-time incident management.

Incident Response – The tactical reaction to the physical consequences/impacts of an incident. Tactical reactions that support the economic viability of a business may include, but are not limited to:

  • Protecting personnel and property
  • Situational assessments
  • Situational stabilization
  • Response operations

Business Continuity – The business specific plans and actions that enable an organization to respond to an incident in a manner such that business units, processes, and sub-functions are recovered and resumed according to a predetermined plan. The recovery efforts should be prioritized by critical function to the economic viability of the business.

Restoration and Transition – Plans and actions to restore and transition a business to “new normal” or “business as usual” operations following an incident.

For tips and best practices on designing a crisis management program, download Best Practices for Crisis Management.

Tags: Business Continuity key points, Business Continuity, Emergency Preparedness, Redundant Systems, Event Preparedness

Identifying Key Business Processes for Business Continuity Planning

Posted on Mon, Oct 15, 2012

Business impact analyses (BIA) should be conducted in order to establish appropriate response priorities in business continuity plans. Identifying the implications of a sudden loss for each business unit can determine process dependencies required to maintain operations of critical business processes. The BIAs should be used to evaluate critical recovery time objectives (RTO) for each unit and establish a comprehensive understanding of core business needs.

Identifying and quantifying the critical business processes that, when not functional, may damage a company’s reputation or ability to operate is a critical stage in the business continuity planning process. Overall resilience capabilities should be prioritized to mitigate any interruption. Operational and process managers should explore and quantify the following aspects to initiate the BIA process:

Timing: Identify critical operational time periods when an interruption would have greater impact (seasonal, end of quarter, specific month, etc.). Priorities should be determined if an interruption during high-output timeframes creates amplified operational and financial impacts.

Likelihood Level: Indicate how likely each specific threat is to occur, considering existing capabilities, mitigation measures, and history.

Duration: Identify the duration and point in time when an interruption would impair operational processes and have financial impact. Estimate the maximum allowable downtime for each specific business function. Typical durations may include:

  • less or greater than 1 hour
  • less or greater than 8 hours or a typical single shift
  • greater than 24 hrs
  • greater than 36 hours
  • greater than 72 hours
  • greater than one week
  • greater than one month

Staffing minimums: Identify staffing level needs (including contractors or suppliers) to meet typical daily objectives as well as recovery time objectives.

Operational Impacts: Identify the effects associated with a business unit interruption, considering existing mitigation measures. These may include, but are not limited to:

  • Lost sales and income
  • Negative cash flow resulting from delayed sales or income
  • Increased expenses due to overtime, outsourcing or other operations that increase costs
  • Regulatory fines and legal implications
  • Contractual penalties or loss of contractual bonuses
  • Customer dissatisfaction or withdrawal
  • Delay of business plan execution or strategic initiatives

Recovery Time: Identify the time frame necessary to recover specific critical processes under existing capabilities and, if possible, potentially altered conditions.

Financial Impact: Determine and quantify impacts in financial terms considering existing mitigation measures. Critical functions that have the highest financial impacts should be prioritized in business continuity plans.

Within each business unit, additional business functions should be considered and evaluated. By identifying cross business unit dependencies, the need for integrated risk mitigation solutions can be highlighted and proactive measures taken. Access to these additional functional requirements may be necessary if operations are moved to offsite locations. A workflow analysis may prioritize those business functions and processes that must be recovered. Functions within each business unit may include, but are not limited to:

  • Finance
  • Contracts
  • Supply and Trading
  • Personnel and Payroll
  • Benefits
  • Accounts Payable
  • Environmental Health and Safety
  • Information technology

Adverse information technology (IT) conditions may affect numerous company departments, units and functions. IT components may include networks, servers, desktop and laptop computers and wireless devices. The ability to utilize both office productivity and enterprise-wide software may be essential to restore normal operations. Therefore, time critical recovery strategies for information technology, such as exercised data backup and restoration procedures, should be developed in order to limit the effects of interruptions across multiple business units.

If a business continuity incident affects two or more business processes, the incident has a greater potential for impact. Interoperable communication and coordination among departments must be exercised for a swift recovery. The effects of a multi-tiered business continuity event can extend beyond the facility borders to affect personnel, multiple critical business processes, vendors or suppliers, and customers. Utilizing business impact analyses can create effective business continuity plans, ensuring a faster state of recovery.

For a sample Emergency Response Checklist, download our helpful and informative guide.

Tags: Business Continuity key points, Business Continuity, Business Continuity Plan

The Critical Numbers of Business Continuity and Emergency Mitigation

Posted on Mon, Sep 10, 2012

Successful businesses track their financial statistics. A company’s ability to engage in daily operations is inevitably linked to its financial bottom line. However, if an emergency incident, natural disaster, or business continuity issue arises, a company may be unable to continue operations, which could result in loss of revenue and significant impact in financial performance or potential bankruptcy.

According to a Feb. 2012 survey by Sage, only 38% of the 539 small businesses polled have formal emergency or disaster preparedness plans in place. But if critical numbers are the basis of a successful business, companies need to ensure their longevity by investing in a functional emergency response or business continuity plan. A widely cited 2005 study by the Multihazard Mitigation Council (MMC) entitled Natural Hazard Mitigation Saves: An Independent Study to Assess the Future Savings from Mitigation Activities indicated that money spent on reducing the risk of natural hazards is a sound investment. The study revealed that for every $1 spent on hazard mitigation, an average of $4 is saved in the future.

It is challenging to perform a cost-benefit analysis for hazard mitigation efforts. According to the MMC’s study, the cost analysis portion is typically a straightforward assessment of capital expenditures to upgrade the facility or equipment, operational costs for programs, and added maintenance expenses. However, on the benefits side of the equation, the avoided losses due to identification and mitigation efforts are much more difficult to assess. Typically, benefits resulting from mitigation efforts are dynamic in nature, and are not limited to a single structure, department or operation. Additionally, there is a high degree of uncertainty about the benefits of implementing hazard mitigation efforts over a specific time span.

A benefit-cost analysis requires that hazard mitigation costs and hazard losses be measured in terms of the value of all resources used (or destroyed) and at prices that represent their efficient allocation ─ not necessarily at market prices, which often do not account for inefficiencies or may not even exist in cases such as environmental resources (Boardman et al., 1996). - Natural Hazard Mitigation Saves: An Independent Study to Assess the Future Savings from Mitigation Activities

The Business Continuity Institute released The CMI 2012 Business Continuity Management Survey, detailing business continuity efforts in the United Kingdom. According to the survey, 81% of managers with a business continuity plan (BCP) stated that the planning efforts effectively reduced disruptions and agreed that the benefits justify the initial mitigation costs. The research stated that overall business continuity planning among the companies polled increased by 3% from the previous year. Despite the improvements, the report stated that there are still certain industries, such as manufacturing, that are lagging behind in dedicated efforts. Below are a few key numbers from the managers surveyed in the study:

  • 61% state they have a BCP in place in 2012, up from 49% in 2010
  • 42% stated corporate governance initiated BCP efforts
  • 37% were prompted for a BCP by potential of existing customers
  • 33% cited legislation as the catalyst for a BCP
  • 54% without a BCP stated their company rarely experiences disruptions
  • 46% without a BCP stated they will deal with disruptions on an as-needed basis
  • 55% experienced business disruption due to public sector strikes
  • 49% experienced business disruption due to severe weather
  • 39% state they would have to look up their business continuity role in case of disruption
  • 47% with a BCP have exercised their plan

Transforming a company into a dynamic and responsive organization requires set, monitored and unified goals. The critical numbers in mitigation efforts may be abstract, but a business continuity plan can provide the bridge to longevity and a clear direction for success. To begin the process of building an effective business continuity plan, a company must:

  • Involve key employees in the process
  • Define business goals for each department or facility
  • Utilize goals to develop objectives
  • Determine how to measure potential costs and benefits
  • Analyze data
  • Mitigate where possible
  • Develop the plan
  • Train employees on the plan
  • Exercise the plan

For a sample Crisis Management Framework, download our helpful and informative guide.

Tags: Business Continuity key points, Business Risk, Business Continuity Plan, Business Disruption

Viral Outbreaks, Pandemic Planning, and Business Continuity

Posted on Thu, Aug 30, 2012

On August 16, 2012, the city of Dallas declared a state of emergency over the West Nile virus, a disease spread by infected mosquitoes. As of August 21, 2012, the outbreak in Texas had caused 19 deaths and 537 illnesses. According to the Center for Disease Control (CDC), this latest surge of West Nile virus had affected over 1100 people and resulted in 41 deaths nationwide. The Dallas outbreak spurred officials to commence aerial pesticide spraying aiming to eradicate the local mosquito population, despite concerns from the public.

“The risks of being harmed by these pesticides are not at all unreasonable. Basically, in this case, I think the benefits of these sprays far, far outweigh the risk.” - Mike Raupp, of the University of Maryland College of Agriculture

To limit exposure to West Nile virus, the CDC urges preventative measures such as bug repellent and eliminating extraneous standing water, a breeding ground for mosquitoes. Preventative measures can limit the implications of an outbreak and minimize potential pandemic situations.

Companies should also institute preventative measures to limit potential outbreaks through pandemic planning. Pandemic Response Plans (PRPs) are specific emergency response planning annexes that aim to establish and preserve business continuity in the event of a pandemic outbreak among the local population and/or the local workforce/contractors. The PRPs should document procedures and methods to sustain critical business functions with minimal staffing throughout different stages of an outbreak.

“Best practices” dictate that PRPs, like emergency plans, should be developed during normal conditions, prior to any threatened outbreak. When developing enterprise-wide PRPs, the procedures corresponding to the various outbreak impact levels should be incremental, each building on the previous outbreak level. Examples of levels and procedures are as follows:

  • Level 1 - The outbreak is being controlled within the affected area with minimal hazard to personnel, property, process or the environment.
    • Establish contact verification and notification measures with key stakeholders (both internal and external)
    • Decide whether it is appropriate to progress to using the PRP or if normal management procedures can manage the incident
    • Conduct pandemic plan briefings and promote awareness
    • Determine and validate current priority projects and processes to determine which to suspend, if necessary
    • Direct staff to maintain and backup all business information and working files (data and documents) so that content is accessible to alternates and other staff members
    • Acquire necessary peripherals (e.g. external disk drives) for home use, if needed
  • Level 2 - The outbreak is contained but disturbs two or more critical areas affecting personnel, processes, or the environment beyond the origin.
    • Notify staff members of PRP activation
    • Contact staff to inform them of the revised operational procedures. Staff may be directed to work from remote locations, if feasible
    • Maintain tracking of all staff, assess well-being of staff, and identify any needs for support
    • Direct staff to maintain and backup all business information and working files (data and documents) so that content is accessible to alternates and other staff members
  • Level 3 - The outbreak has escalated to a situation that is potentially dangerous to personnel, the surrounding community, and the environment. It would likely involve a business-as-usual scenario with limited on-site staff.
    • Only essential employees who cannot work remotely would report on-site
    • Determine and validate current priority projects and processes to determine which to suspend, if necessary
    • Review and establish guidelines for backfilling of resources and business group leadership
    • Confirm availability of local and/or remote alternates for critical roles
    • Maintain tracking of all staff, assess well-being of staff, and identify any needs for support
    • Direct staff to maintain and backup all business information and working files (data and documents) so that content is accessible to alternates and other staff members
  • Level 4 - Emergency Service Level with minimum staffing. However, typical business operations can continue to function.
    • Notify internal and external entities with dependencies on critical business operations
    • Determine and validate current priority projects and processes to determine which to suspend, if necessary
    • Proactively notify corporate executives, team leads, and other contacts of availability and work location, and maintain out of office phone, e-mail notices, and calendars, as appropriate
    • Distribute peripherals (e.g. external disk drives) for home use, as needed
    • Direct all staff to work at home, if possible. Staff that are not able to work from home may work from the site, as necessary
  • Level 5 - All non-critical operations are suspended and critical business processes are examined for those that can be suspended.
    • Maintain tracking of all staff, assess well-being of staff, and identify any needs for support. Confirm contact information through the calling tree
    • Implement modified operations schedule with critical staff. Excuse non-critical staff and place on standby
    • Maintain critical staffing levels and engage emergency contractors
    • Secure facilities
  • Level 6 - Return to normal operations after situational assessment.
    • Communicate resuming operations date with staff
    • Review time records and pay overtime as required
    • Update and archive file directories, if necessary
    • Update Pandemic Plans, as necessary

To limit business disruption from severe weather and to aid hurricane preparation, download the Corporate Hurricane Planning Checklist.

Tags: Pandemic Planning, Business Continuity key points, Emergency Management, Incident Management, Workplace Safety, Business Disruption