Your Solution for SMART Response Plans

Are your Business Continuity Plans Ready for the Next Irma or Harvey?

Posted on Thu, Sep 21, 2017

Words like catastrophic, unprecedented and record-breaking should be reserved for works of fiction. However, when you see the communities impacted by Hurricanes Harvey and Irma, those words become reality. Intense weather systems appear to be developing with more frequency. In preparation, companies must ensure that their operations can withstand an unprecedented business disruption. They must be ready for the next Harvey or Irma.

 

Many companies have Business Continuity Plans (BCP) in place. However, they are often untested or ill-suited for extensive conditions or durations. How would a catastrophic event impact your operations? How will your employees work? Will your supply chain be disrupted and for how long? Mitigating business continuity response processes, procedures, and personnel responsibilities must be adaptive enough to account for destructive weather conditions.

The BCP and Corporate Leadership

Every organization is unique and requires a tailored BCP to suit their particular needs. A well-developed plan should be able to sustain the viability of the affected businesses unit while ensuring the continuity of, and safeguarding of key business interests, relationships, and assets.


The primary purpose of a BCP is to minimize operational, regulatory, financial, and reputational impacts of a significant business disruption to accelerate the time frame to return to “business as usual”. Simply stated, a business continuity plan is a ‘restoration plan.’  In order to effectively implement a relevant BCP, company leadership must be support the development and implementation of an effective plan. In order to ensure critical operations can withstand unprecedented events, corporate leadership should:


  • Support budget allocations for the BCP program
  • Appoint key personnel to lead the program
  • Ensure the BCP team is staffed and fully trained to implement the plan
  • Provide the resources necessary to maintain an up-to date program that accounts for any site-specific changes to facilities, personnel, or processes
  • Provide ancillary support and resources to implement the BCP process and recovery strategies

Once an initial BCP is developed, company leadership should continually support plan evaluations that account for evolving operations, potential disrupting scenarios, and identified vulnerabilities. If new vulnerabilities or threats are identified, the BCP should be updated to address those newly identified variables.

Background conceptual image with papers flying in air.jpeg

The Business Continuity Plan

When effectively developed, tested and accessible, a business continuity plan can address operational disruptions of key business resources including:

  • Facilities or Workspace
  • Infrastructure or IT Applications/Systems
  • People
  • Supply Chain

Your business continuity plan should include, but are not limited to the following considerations:

  • Notification procedures for key stakeholders
  • Internal and external contact directories
  • Business Continuity Team notification and activation procedures
  • Business Continuity Team structure, organization charts, and interfaces
  • Position-specific checklists
  • Facility information and documentation forms
  • Detailed critical process recovery tasks, workaround procedures and reference documents
  • Identification of staff required to recover those critical processes
  • Detailed information concerning alternate facilities
  • Plan Review and Update procedure

Site specific recovery strategies should be developed with the assumption that the disruption occurred during the peak business cycle, when the services or output are at the highest level and most critical point. This will improve the potential for that plan to be effective.

Managing Vulnerabilities

BCP managers should regularly monitor incidents that may cause a business disruption and/or have a serious impact to operations.  A BCP manager should:

  • Comprehend basic BC principles and methods
  • Ensure consistency in business impact analysis to identify critical business functions
  • Understand the correlation between operations, business continuity, IT disaster recovery, and emergency planning
  • Ensure that the BCP reflects the current hazard risk analysis, mitigation processes, business impact analysis, response management, and recovery strategies
  • Encourage coordination between all company staff while implementing a BCP
  • Identify and initiate appropriate, cost-effective strategies and procedures to recover critical business functions and information assets
  • Formally assign BC responsibilities to appropriate department managers and ensure each receives proper training to implement the BCP
  • Ensure that necessary contractual agreements exist for recovery of critical business functions and information resources
  • Review, update, and communicate BCP content changes
  • Continual improve the BCP as required

Note: The list of vulnerabilities is not all-inclusive. Additional vulnerabilities may be applicable to your company.

TRP Corp Hurricane Checklist

Tags: Business Continuity Plan

Business Continuity Scenarios to Review for Effective Preparedness

Posted on Thu, Aug 04, 2016

Many companies are looking for greater assurance that their business could withstand an unprecedented operational disruption. Yet, as potential influences continue to evolve, companies must ensure effective and applicable Business Continuity Plans (BCPs) are in place and are well-maintained. Mitigating business continuity response processes, procedures, and personnel responsibilities must be adaptive enough to account for current instigating conditions.

In order to effectively implement a relevant and applicable BCP, company leadership should:

  • Support budget allocations for the BCP program
  • Appoint key personnel to lead the program
  • Ensure the BCP team is staffed and fully trained to implement the plan
  • Provide the resources necessary to maintain an up-to date program that accounts for any site-specific changes to facilities, personnel, or processes
  • Provide support and resources to implement the BCP process and recovery strategies

 

Business Continuity Vulnerabilities

At any time, unforeseen circumstances beyond a company’s control can influence the operational status of a business unit. Managers should regularly monitor incidents that may cause a business disruption and/or have a serious impact to operations. Companies should continually evaluate the following scenarios to identify any vulnerabilities that may affect operational continuity. (Note: The list of vulnerabilities is not all-inclusive. Additional vulnerabilities may be applicable to your company.) 

  • Human errors or failures
    • Lack of training or policy guidance
    • Inadequate supervision
    • Intentional or unintentional disruptive practices
  • Human resource limitations
    • Strike
    • Inaccessibility to site
    • Pandemic outbreak
    • Aging population
  • Supply chain dependencies
  • Equipment damage
    • Vehicles
    • Critical industrial mechanisms
  • Technology-related failures
    • Cyber-attacks
    • Data fraud/theft
    • Critical system or network failures
    • Communication network failure
  • Infrastructure failures
    • Power failure
    • Water damage
    • Improper maintenance
    • Water supply crisis
31256.jpg
  • Failure of regulatory compliance
    • Fines
    • Mandated shutdowns
    • Reporting obligations
  • Natural disasters
    • Fires
    • Earthquake
    • Severe flooding
    • Hurricane/typhoon
    • Tornado
    • Volcanic eruption
    • Tsunami
    • Landslides
  • Regional and civil disturbances
    • Urbanization
    • Terrorism
    • Corruption
    • Religious fanaticism
    • Protests
  • Economic
    • Price fluctuations in critical commodities and/or natural resources
    • Dependence on central and/or commercial banks
    • Political influences
While many companies have BCPs in place, oftentimes they are untested or ill-suited for evolving conditions and potential threats. The BC program manager should ensure BCPs are applicable to relevant, realistic risks, and threats to their critical operations. A BC manager should:
  • Comprehend basic BC principles and methods
  • Ensure consistency in business impact analysis to identify critical business functions
  • Understand the correlation between operations, business continuity, IT disaster recovery, and emergency planning
  • Ensure that the BCP reflects the current hazard risk analysis, mitigation processes, business impact analysis, response management, and recovery strategies
  • Encourage coordination between all company staff while implementing a BCP
  • Identify and initiate appropriate, cost-effective strategies and procedures to recover critical business functions and information assets
  • Formally assign BC responsibilities to appropriate department managers and ensure each receives proper training to implement the BCP
  • Ensure that necessary contractual agreements exist for recovery of critical business functions and information resources
  • Review, update, and communicate BCP content changes
  • Continual improve the BCP as required

Preparedness and Emergency Management - TRP Corp

Tags: Business Continuity Plan

Cyber-Security Framework Aids in Business Continuity Planning

Posted on Thu, Jul 30, 2015

Company operations are increasingly intertwined with critical technology. A company’s business continuity plan (BCP) should include processes related to critical technologies that may be lost during an incident. A BCP is a vital tool that companies can use to plan for the restoration of normal operations after a business disrupting incident. In order to minimize the risk of technology-related continuity incidents, company-wide computer security best practices are essential.

Computer and cyber security mitigation measures, along with BCP reviews, can safeguard necessary integrated technologies, prevent hacking, and ensure business continuity. A breach in computer security can create a temporary or permanent loss of operations, software, and/or vital records.

In 2014, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) received and responded to 245 incidents reported by asset owners and industry partners. The Energy Sector reported the most reported incidents, followed by critical manufacturing. It is essential that companies share cyber security breach information, review lessons learned, and protect technologies in order to minimize the threat to critical infrastructure.

Reported Cyber-Security Incidents by Industry Sector

cyber_security__FY_2014_incidents_reported_by_sector

Source: ICS-CERT  245 incidents reported by sector (FY2014)

According to ICS-CERT, the graph represent only reported incidents. Many more incidents occur in critical infrastructure that go unreported. The Energy Sector Cybersecurity Framework Implementation Guidance manual states, “ICS-CERT continues to encourage asset owners to report malicious activity impacting their environment even if assistance is not needed or requested.” As incidents are reported, ICS-CERT can provide situational awareness to critical infrastructure industries about similar or related incidents, as well as share data regarding potential hacking and evasive techniques and tactics.

Identifying the procedural details of computer backups, data restoration methods, and minimum software requirements are crucial to re-establish technology-related critical business processes and business continuity planning. In early 2015, the Energy Department released guidance to help the energy sector establish or align existing cybersecurity risk management programs to meet the objectives of the Cybersecurity Framework released by the National Institutes of Standards and Technology (NIST). In an effort to maintain business continuity, a cyber-security program framework should be implemented.

Cyber-Security Program Framework

The cyber-security program framework consists of a continuous seven-step approach that enables organizations to address the steadily evolving risk environment. In order to secure business continuity efforts, companies should evaluate the framework against their current cyber-security efforts.

Cybresecurity_Framework_Implementation_ApproachSTEP 1: Prioritize and Scope

  • Address how to frame, assess, respond to, and monitor risk.
  • Evaluate industry specific critical infrastructure protection objectives and priorities

STEP 2: Orient

  • Focus on critical systems and assets
  • As resources permit, expand focus to include less critical systems and assets
  • Determine evaluation approach used to identify current cyber security and risk management environment (ex: self-evaluations, third-party evaluations)
STEP 3: Create a Current Profile
  • Evaluate and determine status of current systems and security protocols
  • Identify existing cyber security risk management practices and measure them against best practices and proven frameworks. “It is important to understand that the purpose of identifying a Current Profile is not simply to create a map between organizational practices and Category and Subcategory outcomes, but also to understand the degree to which those practices achieve the outcomes outlined by the Framework.”  (Energy Sector Cybersecurity Framework Implementation Guidance, page 10)

STEP 4: Conduct a Risk Assessment

  • Perform cybersecurity risk assessments to identify and evaluate cyber security risks, and determine which are outside of current tolerances.

STEP 5: Target Outcomes

  • Identify the desired outcomes and associated cyber security and risk management standards, tools, methods, and guidelines that will mitigate cyber security risks, commensurate with the risk to organizational and critical infrastructure security.
  • When creating a Target Profile, the organization should consider:
    • current risk management practices
    • current risk environment
    • legal and regulatory requirements
    • business and mission objectives
    • organizational constraints

STEP 6: Determine, Analyze, and Prioritize Gaps

  • Identify gaps between current profile and targeted outcomes.
    ● Mitigation priority levels should be assigned to all identified gaps. Prioritization of gaps should include consideration of current:
    • risk management practices
    • risk environment
    • legal and regulatory requirements
    • business and mission objectives
    • any applicable organizational constraints
  • Develop a plan of prioritized mitigation actions to advance to “Targeted Outcome” based on available resources, business needs, and current risk environment.

STEP 7: Implement Action Plan

  • Execute the implementation plan
  • Track progress and completion
  • Evaluate to ensure gaps are closed and risks are monitored

 

Receive TRP's Example Response Procedures Flowchart:

New Call-to-Action

Tags: Business Continuity key points, Cyber-Security, Business Continuity Plan

Supply Chain Business Continuity: Have you Planned for Disruptions?

Posted on Thu, Jun 25, 2015

Weather, natural disasters, and other uncontrollable events can interrupt transportation flow and your supply chain – anytime, anywhere, and with little warning. - FedEx.com service alert

In January and February of 2015, blizzards, ice, and frigid cold temperatures targeted the eastern half of the United States. The deluge of extreme weather brought residents, cities, and supply chains to their knees. Meanwhile on the west coast, labor disputes between the International Longshore and Warehouse Union and the Pacific Maritime Association created the partial closure of 29 ports. The Port of Oakland experienced a 39% drop in cargo imports because of the circumstances (Wall Street Journal). The trucking and railroad industries lost valuable time and money, and customers experienced delayed delivery of tons of expected goods. The ripple effect of delayed shipments forced many customers to stockpile goods when available, and alter contracted shipping means when time sensitive goods were required.

Ensuring ample supplies in the midst of an incident can be challenging, especially when external forces create delays. Supply continuity and preparedness efforts are becoming more important as more companies depend on world-wide suppliers. These recent major supply disruptions, both on the east and west coasts, emphasize the need to develop business continuity plans (BCPs) that identify primary and secondary suppliers and alternate resources. By identifying and contracting with vendors and alternate suppliers prior to an incident, a company improves its ability to quickly and successfully respond to unforeseen disruptions.

Pre-emptive identification and mitigation efforts are crucial to preventing supply chain interruptions and costly consequences. Factors to consider in the identification of critical suppliers are complex and extend well beyond first glance analyses. While suppliers of material goods and business-specific products may be critical to business practices, suppliers may also include those that provide the following services, utilities, or infrastructures:

  • Sole source services
  • Electrical power
  • Water
  • Fuel
  • Telecommunications
  • Transportation
  • Staffing
  • Waste Management
  • Facilities

Companies should utilize BCPs to prepare for incidents that could impair or impede the ability to operate as a result of a temporary or permanent loss of required supplies, equipment, critical staff, data, and necessary infrastructure. A BCP can help minimize or counteract many of the potential impacts of a supply interruption or set procedures in motion that limit the effects on operations.

Identification of risks and business impact analyses (BIA) should be performed for critical supply chains as part of the development of BCPs. For common disruptions, inept supplier performance, required resources forecasting errors, and transportation and delivery breakdowns, companies can typically utilize historical data to quantify the level of risk and necessary response effort. However, when extraordinary events impact the supply chain, such as the east and west coast incidents, companies may encounter atypical and domino effect impacts. Continuity plans with supply chain response measure must be in place to mitigate the disruption, sustain operations, and restore “business as usual”.  The following supply chain related questions, while not all-inclusive, can be used as response planning discussion points to identify necessary supply-related business continuity and response elements:

  • How would a potential critical material supply disruption affect both internal and external resources?
  • Have critical supplies, interdependencies, and potential bottleneck scenarios been identified?
  • Have critical materials and response equipment needs, minimum levels, and recovery time limits been evaluated and defined?
  • Are processes in place to monitor internal and external supply chains that identify potential delivery disruption?
  • Have back up suppliers been identified and communicated with?
  • Are memorandum of understandings (MOUs) for services, and equipment or supply contracts been established and/or up-to-date?
  • Do business continuity initiation procedures encompass verified primary and secondary supply chain contacts?
  • Is there historical data that indicates potential impacts and durations that can be used for planning?
  • Are “Best Practices” supply chain continuity procedures available from like-companies and industry experts?
  • Do critical suppliers have alternate processes and delivery methods in case an event affects their operations?
  • Have supply disruption scenarios been included in emergency response and business continuity exercises?
  • Are employees trained in the event of supply disruption?
  • Have mitigation measures been examined and implemented based on BIAs?

TRP Corp - Emergency Response Planning Crisis Management

Tags: BCM Standards, Business Continuity key points, Business Continuity Plan, Business Disruption, Mitigation

The Basics of Business Continuity Planning

Posted on Thu, Mar 12, 2015

The primary purpose of a Business Continuity Plan (BCP) is to minimize the negative impacts of a business interruption by accelerating the return to “business as usual”.  A BCP should be applied to every business, small or large, to provide a framework to ensure operational resilience in the event of business disruption. Industries including manufacturing, healthcare, education, financial, energy, and retail can benefit from business continuity planning, but each organization must create a detailed and specific plan for each of their locations, business units, or functional groups.

Numerous events, such as this winter’s perpetual snow storms, can cause business disruptions. Business interrupting events typically result in the loss or temporary disruption of key business resources including:

  • Facilities or Workspace
  • Infrastructure or IT Applications/Systems
  • People
  • Supply Chain

In order to protect a company’s viability, site-specific recovery strategies should be developed with the assumption that a disruption will occur during a peak business cycle, when the services or output are at the highest level and most critical point. A Business Impact Analysis (BIA) enables a company to identify and quantify which business unit that, when absent, would impact profitability and threaten its survival. While the size and complexity of essential business elements required for sustainability vary among companies, the ability to quantify and prioritize critical workflow components is a key business continuity element. Some departments to consider when conducting a BIA for peak cycles include, but are not limited to:

  • Finance and Treasury
  • Contracts
  • Supply and Trading
  • Financial Accounting
  • Emergency Response/Crisis Management Team
  • Payroll
  • Benefits
  • Accounts Payable
  • Environmental Health and Safety

Once critical components are identified, managers should review the following business continuity planning elements for each critical business function:

  • Determine what personnel, software, and vendors are required to continue these processes.
  • Identify the duration and point in time when an interruption would impair critical processes and develop recovery time objectives.
  • Estimate the maximum allowable downtime for each specific business function.
  • Identify alternate locations where these processes can be maintained in the event normal facilities are not accessible.
  • Identify how communications will be maintained
  • Provide training for BCP personnel that are assigned to support the continuity of operations.

1091

A BCP should include site-specific details that can direct process continuation or restoration. The following continuity plan components should be included in a site-specific BCP.

1. Plan distribution list: Names, addresses, and contact information of those that retain secured access to the BCP.

2. Key contacts and notification procedures: Identify all primary and secondary contacts that must be made aware of a business interruption. It is important to routinely verify contact information for accuracy, and train personnel in BCP activation and notification procedures.

3. Key staff roles and responsibilities: Develop position-specific checklists and procedures detailing responsibilities from business continuity implementation through recovery. Task teams should be formed, at a minimum, to cover each critical business process. Business Continuity Team structure, organization charts, and interfaces should be clearly communicated. It may be necessary to provide cross team training, in the event that primary team members are not available.

4. Off-site recovery location(s): Include address, contact information, available on-site equipment, and any necessary external equipment for effective operations.

5. Recovery action plan: Identify/develop incremental processes and procedures necessary to recover each critical business process.   Response checklist timelines may include time increments such as 1st hour, 24-hours, 48 hours, one week, one month, and long-term recovery.

6. Customer data:  Identify communication methods and necessary contact information in order to inform customers of disruptions of deliverables. Effective customer relations and communication may be critical in retaining clients and maintaining positive relationships during a business interruption.

7. Primary suppliers contact list: Identify contact information of supply dependencies and interdependencies. Transportation delays or events at suppliers’ locations could affect delivery times; therefore the plan should address this issue.

8. Alternate suppliers list: Primary supply chain failures can be crippling to key business components. Through the planning process, alternative suppliers should be explored, and contact information and materials should be documented in order to reduce the impact of primary suppliers’ disruption.

9. Documentation and Insurance details: Identify details of insurance coverage and accurate contact information. The burden of proof when making claims typically lies with the policyholder. Accurate and detailed records are imperative. Documentation forms should be made available to all critical business unit leaders for timely documentation.

10. Technology requirements: Identify necessary hardware and software, and the minimum recovery time requirements for each business unit.

11. Backup data details: Business continuity plans should identify details of data backups and recovery methods. If current backup procedures are questionable, mitigation measures should be evaluated prior to a business disrupting event.

12. Equipment requirements: Identify equipment requirements for each business unit, primary and alternate suppliers, and recovery time goals.

13. Review and revise:  On an annual basis or following an incident, incorporate newly identified hazards and vulnerabilities into the business continuity plan. Include necessary equipment used (requiring replacement or replenishment), altered processes, and lessons learned.

Preparedness and Emergency Management - TRP Corp

Tags: Business Continuity key points, Business Continuity, Business Continuity Plan

The Role of Communications Planning in Business Continuity

Posted on Thu, Nov 06, 2014

The primary goal of business continuity planning is to efficiently restore operations through predetermined, systematic processes and procedures. However, in order to minimize the impacts and rapidly respond to operational hindrances, companies must ensure business continuity communication methods and procedures are clearly defined and functional.

Communication planning is an intricate part of preparedness and any continuity process. Clear and effective communication channels must remain available in order to disseminate information to employees, assess and relay damage, and coordinate a recovery strategy. Failed communication often results in failed business continuity efforts. Thoroughly planning, testing, and exercising communication procedures within the following four phases is essential to ensure effective business continuity and viability of critical business operations.

1. Notification- The notification process begins upon the anticipation or discovery of a business continuity situation. Appropriate personnel and applicable business unit managers should be initially notified and updated on the current scenario. The initial notification format can be dictated by company policy, however all known information should be provided at that time, including:

  1. Location of impact or potential impact
  2. Scenario details (fire, explosion, etc.)
  3. Implementation timeline

The person responsible for each critical business process should begin documenting response actions.  Necessary continuity information should be maintained and updated as necessary to ensure all management and affected personnel can quickly initiate proper actions.

In the planning phase, initial communication procedures, available communications equipment, and alternative communication formats should be evaluated.  Initial and back up communication formats should be agreed upon during training and exercises to certify that managers, continuity personnel, external suppliers, and possibly the public receive pertinent messages.

Primary and alternate resources contact information should be included in the business continuity plan (BCP) to ensure consistent delivery and continued operations in the event suppliers are subjected to business continuity circumstances. Up-to-date contact information for internal and external responders should be verified for accuracy.

2. Verification - Verification of contact information for personnel, continuity supervisors, and external responders should be done on a periodic basis. Business continuity planners must be certain that new employees are included in the plan, as necessary, and that notifications are being delivered to accurate e-mail addresses and/or contact numbers.

If maintaining accurate contact information is challenging, consider opting for an e-mail notification verification system that enables the contact to verify their information through hyperlinks. Companies can also offer incentives, such as drawings or prizes, to encourage all personnel to verify contact information as requested.

3. Stabilization - Stabilization is the result of the corrective actions initiated by the business continuity coordinator, business unit managers, and response personnel. Stabilization includes such actions as initiating proper notifications and implementing a procedural course of action. Planners should identify and procure necessary communication equipment and establish processes for continued operations and recovery. This will prevent unnecessary downtime and additional recovery efforts. Effective communications is the bridge to stabilization.

4. Recovery - Recovery begins once the affected area, personnel, equipment, and/or operations are accounted for and stabilized. Recovery communications includes actions such as damage assessment reporting, interactions with response personnel, removal and disposal of disruptive element, and safety verification prior to reentry or a return to operations. The lines of communications need to remain open in order to return to a “business as usual” level.

Developing relationships and common understandings of roles and responsibilities prior to a continuity event increases overall communication, post-disaster collaboration, and unified decision-making, streamlining the recovery process.

Upon termination of the incident and restoration of operations, an oral and written critique of the response should be conducted among personnel and the key business continuity members.  Communicating through evaluations and post-incident summaries can lead to the identification of continuity challenges and procedural obstacles. Items requiring action should be documented, communicated to involved parties, and tracked to ensure that potential corrective actions are identified and mitigation efforts are completed.

For a free informative download on Crisis Management Planning, click the image below:

TRP Corp - Emergency Response Planning Crisis Management

 

Tags: Business Continuity key points, Business Continuity, Crisis Management, Communication Plan, Business Continuity Plan

The Business Impact Analysis: A Step Towards Business Continuity

Posted on Thu, Sep 18, 2014

Companies may not consider the interdependencies between critical operations, departments, personnel, and services until an event disrupts normal operations. A Business Impact Analysis (BIA), a key component in business continuity planning, presents the ability to identify and quantify which business unit that, when absent, would significantly impact a company. While the size and complexity of essential business elements required for sustainability varies among industries, companies, and specific facilities, the ability to quantify and prioritize critical workflow components is a key business continuity element.

Critical business units, associated functions, and a trained workforce provide the greatest financial value to companies. Companies that prioritize process sustainability initiatives that can meet recovery time objectives have a better chance of minimizing impacts of impeding disruptions.

Within each key business unit, additional business functions should be considered and evaluated. By identifying cross business unit dependencies, the need for integrated risk mitigation solutions can be highlighted and proactive measures can be taken. A workflow analysis may prioritize those business functions and processes that must be recovered in order for business continuity plans to be effective. Functions within each business unit may include, but are not limited to:

  •  Finance 
  • Contracts 
  • Supply and trading 
  • Personnel and payroll 
  • Benefits 
  • Accounts payable
  • Environmental health and safety 
  • Information technology

Once critical business functions and workflows are assessed and prioritized, a BIA should be performed.  The goal of the analysis should be to identify the potential impacts of identified risks, uncontrolled threats, and potential non-specific events on these business functions and dynamic processes. Any potential resilience capabilities should be prioritized and mitigation opportunities should be examined.  Operational and process managers should explore and quantify the following aspects to initiate the BIA process:

Timing:

  • Identify critical operational time periods when an interruption would have greater impacts (seasonal, end of quarter, specific month, etc.).
  • Priorities should be determined if an interruption during high-output timeframes creates amplified operational and financial impacts.

Likelihood Level:

  • Indicate how likely each specific threat could occur, considering existing capabilities, mitigation measures, and history.

Duration:

  • Identify the duration and point in time when an interruption would impair operational processes and have financial impact.
  • Estimate the maximum allowable downtime for each specific business function
  • Consider downtime impacts from less than 1 hour to greater than one month

BCP duration: TRP CORP

Staffing minimums:

  • Identify staffing level requirements (including contractors or suppliers) to meet typical daily productivity goals, as well as recovery time objectives.

Operational Impacts:

  • Identify the effects associated with a business unit interruption, considering existing mitigation measures. These may include, but are not limited to:
    • Lost sales and income
    • Negative cash flow resulting from delayed sales or income
    • Increased expenses due to overtime, outsourcing or other operations that increase costs
    • Regulatory fines and legal implications
    • Contractual penalties or loss of contractual bonuses
    • Customer dissatisfaction or withdrawal
    • Delay of business plan execution or strategic initiatives

Recovery Time:

  • Identify the time frame necessary to recover specific critical processes under existing capabilities and, if possible, potentially altered conditions.

Financial Impact:

  • Determine and quantify financial impacts,  considering existing mitigation measures.
  • Critical functions that have the highest financial impacts should be prioritized in business continuity plans.

If a business continuity incident affects two or more business processes, the incident has a greater potential for impact. Interoperable communication and coordination among departments must be exercised for a swift recovery. The effects of a multi-tiered business continuity event can extend beyond the facility borders to affect personnel, multiple critical business processes, vendors or suppliers, and customers.

Adverse information technology (IT) conditions may affect numerous company departments, units and functions. IT components may include networks, servers, desktop and laptop computers and wireless devices. The ability to utilize both office productivity and enterprise-wide software may be essential to restore normal operations. Therefore, time critical recovery strategies for information technology, such as exercised data backup and restoration procedures, should be developed in order to limit the effects of interruptions across multiple business units.

Once critical business units are identified and the BIA is completed, companies can develop an applicable business continuity plan, ensuring a faster state of recovery.

Click HERE or the image below for a free download on Enterprise-Wide Response Planning.

Multiple Facility Response Planning Company Preparedness Guide DOWNLOAD

Tags: Business Continuity key points, Business Continuity, Resiliency, Business Risk, Redundant Systems, Business Continuity Plan

Checklist for Web-Based Business Continuity Plans

Posted on Thu, Sep 11, 2014

In business, every threat can result in the same consequence: the loss or temporary cessation of key business processes. In order to minimize impacts when a threat materializes, business continuity plans (BCPs) must be intuitive, yet dynamic, to account for each critical business process. Effective business continuity planning institutes a clear path to sustainability and operational recovery.

The following core business continuity elements should be included in a BCP. Each element must be cyclically assessed for accuracy, potential mitigation opportunities, and lesson-learned insights in order for established processes and communication to be effectively maximized.

1. Plan distribution list and contacts: Business continuity planners must be certain that the current employees listed in the plan, as well as those on the plan distribution list is verified for accuracy.  If maintaining accurate contact information is challenging, consider opting for notification verification system with email or text message capability that enables the contact to verify personal information and automatically update associated response plans.

2. Communication: By aligning mass notification methods with typical daily communication habits (cell phone, emails, texting), planners can ensure key contacts are made aware of any business interruption and BCP activation. Clear and effective communication channels must remain available in order to disseminate information to employees, assess and relay damage, and coordinate recovery strategies. Provide employees training in primary and established secondary communication methods in case of disruption of primary communications.

3. Key Staff Roles and Responsibilities: From business continuity implementation through recovery, job specific checklists and assigned procedures should be incorporated in a BCP. Task teams should be formed, at a minimum, to cover each essential business process. Each site may require unique minimum staffing levels to remain operational.
In the event that primary team members are not available, cross team training should be conducted to provide backups. Planners should make appropriate plan changes as operations and staff evolve.

4. Off-site Recovery Location: Include address, contact information, available on-site equipment, and any external equipment necessary for effective continuity of operations. 

5. Recovery Time Objectives: Incremental processes and procedures should be identified to meet specific critical business process goals.  Recovery goals may include increments of one hour, 24-hours, 48 hours, one week, one month, and long-term recovery.

6. Key Customers’ Data:  Identify effective customer communication methods and necessary contact information required to inform customers of disruptions of deliverables or services. Effective customer relations and communication may be critical in retaining clients and maintaining positive relationships during a business interruption. 

7. Key Supplier Contact List: Identify critical business unit dependencies and interdependencies and key contacts. Transportation delays could affect delivery times. Plan and mitigate accordingly.

8. Alternate Suppliers List: The consequences of a supply chain failure on associated key business components can be crippling.  Alternate suppliers should be included in the BCP to ensure consistent delivery and continued operations in the event primary suppliers are affected by similar business continuity circumstances. As a company’s needs change and new suppliers come online, plans should be updated to include these critical suppliers.

9. Insurance Details: Identify details of insurance coverage and accurate contact information. The burden of proof when making claims typically lies with the policyholder. Accurate and detailed records are imperative.

10. Data Backup Details: Identify the procedural details of computer backups, data restoration methods, and the minimum program needs to re-establish critical business processes.  

11. Technology Requirements: Identify necessary hardware and software, and the associated minimum recovery time requirements for each business unit. Companies should examine current data center outsourcing to ensure continuity and accessibility or research continually advancing alternatives.

12. Equipment Requirements: Detail applicable equipment requirements for each business unit and recovery time goals. To prevent unnecessary downtime and additional recovery efforts, identify and procure necessary equipment and establish processes for continued operations and recovery.

13. Review Log: Incorporate newly identified hazards and vulnerabilities into the business continuity plan. A log can include necessary equipment used (requiring replacement or replenishment), altered processes, and lessons learned.

A web-based platform can speed up the cycle of business continuity events. By transitioning from paper-based business continuity plans to a web-based approach, companies have the ability to maximize data and streamline information. A web-based plan enables a standardized, enterprise-wide business continuity template, yet allows for site-specific details for each particular site.

 

Web based response planning - TRP CORP

Tags: BCM Standards, Business Continuity, Data Backup, Business Continuity Plan, Disaster Recovery

Incorporating Business Continuity into Industrial Settings

Posted on Thu, Aug 21, 2014

As complex, advanced technologies, systems, and networks become ingrained in industrial operations and processes, the potential impacts from even minor disruptions increases. Industrial companies that prepare for a large variety of disruptions can limit its impact on business processes and accelerate the return to normal operations. For those not prepared, a targeted incident can become an escalated situation, negatively affecting profitability, customer relationships, and overall business performance. Business continuity plans (BCP) are crucial to ensure long-term viability, yet many industrial companies do not prioritize them.

Many business continuity issues can start as minor, isolated instances or aggravating inconveniences. However, if not addressed in a timely manner, incidents can escalate, potentially spreading to other key processes. With an effective BCP, mitigation measures, and proper employee training, potential disruptions and operational impacting events can be prevented.

Regardless of the size of your enterprise or scope of facility operations, industrial locations should have the following continuity elements in place.

  • Standard procedures and assigned responsibilities regarding risk management, restoration, and IT recovery for each critical business area.
  • A BIA (Business Impact Analysis)
  • A risk assessment that identifies and prioritizes operational imposing scenarios
  • Recovery Time Objectives (RTOs) based on cost-benefit analyses and BIAs
  • Documented BCP with response, recovery, and restoration procedures
  • BCP exercises aimed at improving RTOs and strategies by ensuring plans are accurate, actionable, and thorough
  • Audits that test corporate-level standardization and policy implementations
  • BCP training for managers and employees

The process of developing a BCP can identify continuity weaknesses within an enterprise and at specific facilities, as well as lapses within individual responsibility and operational processes. To strengthen the prospects of corporate viability, planning and training should include detailed standard operating procedures for BCP activation and address RTOs for each key business process. The BCP should offer procedural flexibility based on real-time situational assessment, as well as procedural variations for each scenario. Precise, site-specific, and accurate BCPs in conjunction with effective training and carefully planned exercises can often counteract a lack of general continuity awareness.

Many industrial facilities managers typically have expertise in proper hazard communications and emergency response techniques. However, industrial facility managers and their employees may lack business continuity experience and necessary expertise. If establishing BCPs or initiating continuity efforts are beyond the scope of managers, companies should consider hiring consultants who specialize in business continuity planning.

Employees who are trained in daily continuity procedures, in addition to response and restorative continuity methods will be better prepared in the event of a business-interrupting incident. By incorporating business continuity training, companies can expand their resilience strategies while minimizing risks to their employees, operations, reputation, and the financial bottom line.

BCP training should include a detailed account of specific roles and responsibilities. This will ensure continuity of knowledge among participants, enterprise-wide standard operating procedures, and site-specific business continuity processes. Companies should also be vigilant in training new hires, as well as be receptive to unique business continuity lesson learned that can be used to strengthen the BCP.

Although all companies should prepared for inevitable business disruptions, industrial facilities typically have heightened levels of vulnerabilities. In an industrial setting, hazards are often identified in order for potential impacts to be fully analyzed and countermeasures to be implemented. For business continuity strategies, a business impact analysis (BIA) can identify, quantify, and qualify the impacts in time of a loss, interruption or disruption of business activities on an organization, and provides the data from which appropriate continuity strategies can be determined.  

Whether business disruptions stem from technological, man-made, or natural disasters, business continuity plans can be a valuable tool for protecting viability, securing resources, and maintaining customer relationships.

Click on the image below to download TRP Corp's free Industrial Preparedness white paper.

Preparedness and Emergency Management - TRP Corp

Tags: BCM Standards, Business Continuity, Resiliency, Training and Exercises, Business Continuity Plan, Business Disruption

7 Key Points for Industrial Business Continuity and Disaster Recovery

Posted on Thu, Aug 14, 2014

Process and procedural effectiveness and efficiency are key elements in determining a company’s success. Critically detailed reviews, evaluations, and improvements to your processes and procedures can contribute to overall corporate viability and profitability. Process and procedural effectiveness and efficiency are also critical when it comes to developing and implementing business continuity plans.

The goal of business continuity planning is to efficiently restore operations through a predetermined, systematic approach. Unfortunately, many companies lack adequate recovery planning, and recuperative procedures to restore critical information, essential processes, and normal business operations within an acceptable recovery time frame. The lack of business continuity preparedness can adversely affect corporate reputation, financial stability, and overall resilience.

The business continuity recovery process is typically a sequence of concurrent activities and interdependent activities that facilitate measured advances toward a successful recovery. Decisions and priorities set early in the recovery process often have a cascading effect on the evolution and speed of the recovery progress and business continuity efforts. Because recovery timeliness has a direct impact on operational viability, pre-planning business continuity implementation processes and intended procedures is critical.

Developing relationships and common understandings of roles and responsibilities prior to a disaster increases post-disaster collaboration and unified decision-making, and streamlines the recovery process. A fully coordinated recovery plan may require utilizing internal and external stakeholders. Business unit management and staff, in conjunction with external participants, must be familiar with and trained in the recovery procedures in order to effectively implement directives and maintain minimal business continuity.

Recovery time and outcomes vary based on incident circumstances, challenges, and priorities. A successful disaster recovery can be characterized as the return of operations to pre-disaster conditions. FEMA’s National Disaster Recovery Framework provides key factors that contribute to a successful recovery.  With secured sharing abilities, a web-based, database driven planning system can aid in the management and communication of the key factors of a business continuity recovery process. These factors include:

1. Effective Decision-making and Coordination:

  • Confirm roles and responsibilities of recovery team and stakeholders
  • Examine recovery alternatives, address conflicts and make informed and timely decisions that best achieve recovery
  • Establish metrics for tracking progress, ensuring accountability and reinforcing realistic expectations among stakeholders
  • Track progress, ensure accountability, and make procedural adjustments as necessary

2. Integration of Community Recovery Planning Processes:

  • Engage all stakeholders in pre-disaster business continuity and recovery planning, training, and exercises
  • Establish processes and criteria for identifying and prioritizing key recovery actions and projects

3. Well-managed Recovery:

  • Leverage and coordinate recovery teams, local response groups, government liaisons, and non-governmental organizations to accelerate the recovery process and avoid duplication of efforts
  • Surge staffing and management structures as necessary to support the workload during recovery
  • Establish leadership guidance, including the shift of roles and responsibilities, for the transition from response operations to recovery, and eventually a return to a normal (or new normal) operational state
  • Ensure regulatory compliance throughout recovery process

4. Proactive Community Partnerships, Public Participation, and Public Awareness:

  • Ensure transparency and accountability
  • Communicate recovery objectives (short, intermediate and long-term) and applicable detailed information to employees, stakeholders, and community members

5. Well-administered Financials:

  • Clearly identify funding sources and financial recovery processes
  • Evaluate and present external programs that can provide financial assistance to aid in the recovery progress
  • Allow for budgetary flexibility, yet maintain adequate financial monitoring and accounting systems
  • Implement processes and systems that detect and deter fraud, waste, and abuse.

6. Organizational Flexibility:

  • Institute scalable and flexible processes that can align with recovery operations objectives
  • Institute business processes that can evolve and adapt to address the changing landscape of post-disaster environments

7. Resilient Rebuilding:

  • Invoke “Lessons Learned” in the restoration phase to minimize risks and threats, and improve response, recovery and restoration efforts. 

For a free Response Procedures Flow Chart download, click the image below:

New Call-to-Action

 

Tags: Business Continuity key points, Business Continuity, Business Continuity Plan, Disaster Recovery, Disaster Response, Business Disruption