Your Solution for SMART Response Plans

National Preparedness Month and Corporate Response Planning

Posted on Mon, Sep 23, 2013

In 2004, The U.S. Department of Homeland Security (DHS), The America Prepared Campaign, the American Red Cross, the National Association of Broadcasters, and the U.S. Department of Education joined a coalition of more than 50 national organizations to engage American citizens in emergency preparedness by designating September as National Preparedness Month. This year, more than 3,000 organizations are taking part in supporting emergency preparedness efforts. National Preparedness Month provides a variety of opportunities to learn more about ways they can prepare for an emergency, get an emergency supply kit, establish a family communications plan, and become better aware of threats that may impact communities.

By prioritizing and encouraging preparedness, companies can set the example for employees, customers, and the surrounding communities. Disasters not only devastate individuals and neighborhoods, but entire communities, including businesses of all sizes. Employers should designate National Preparedness Month to encourage preparedness training, develop business continuity plans (BCP), review and evaluate existing plans, or advance preparedness practices through exercises and gap analyses.

Large and small businesses that are able to continue operations throughout a crisis situation or quickly restore services may avoid economic hardship and potential failure. Determining how to maintain critical business functions in less than ideal situations may be the key to company survival.

Understanding and exercising effective response procedures and the intricacies of a business continuity plan can minimize the effects of an incident. Business continuity events typically result in the loss or temporary disruption of one or more of the following necessary key business resources:

  • Facilities
  • Infrastructure
  • IT Applications/Systems
  • People
  • Supply Chain

A detailed identification and evaluation of critical business processes, focusing  on the key business resources above should be performed as an integral part of a business continuity plan. This “bare bones” evaluation should list the minimum criteria necessary to keep your business in operation. Necessary minimum criteria may include:

Infrastructure needs: An incident that results in facility damage or mandatory evacuations may require relocation of critical business processes.  Companies must identify and arrange for potential alternate locations, if applicable (ex. satellite offices, work from home, alternate locations).

Data and computer needs: Identifying computer backup solutions, data restoration methods, and minimum software requirements are crucial to re-establish critical business processes.  Companies may examine data center outsourcing to ensure continuity and accessibility, as well as alternative/backup power sources for laptops.

Notification lists: Regularly update lists to ensure all contact information is up-to-date. Business continuity planners must be certain that notifications are being delivered to accurate e-mail addresses and/or phone numbers, especially in case of an evacuation. If maintaining accurate contact information is challenging, consider opting for an e-mail notification verification system that enables individuals to verify their own information.

Communication needs: Clear and effective communication channels must remain available in order to disseminate information to employees, assess and relay damage, and coordinate a recovery strategy. A mass notification system may assure a reliable method to communicate to key individuals, company employees, or an entire client base. However, in order for communication to be effective, contact information must be accurate.

Supply Chain: Plans should be constantly updated to include new suppliers. Additionally, pre-selected alternate suppliers should be included in the BCP to ensure consistent delivery and continued operations in the event primary suppliers are not able to provide required services.

Essential Personnel: Identify necessary minimum staffing levels to remain on-site during a storm. As the storm passes, ensure staff, contractors, and suppliers are in communication, and understand their individual responsibilities and recovery time objectives.

Equipment needs: Identify and procure necessary equipment and establish processes for continued operations and recovery. This will prevent unnecessary downtime and additional recovery efforts. The process of relocating equipment arranging for these essentials after-the-fact is time consuming, and potentially costly.

For a free download on Tips on Conducting an Effective Excersise, click the image below:

TRP Corp Emergency Response Planning Exercises

Tags: DHS, Business Continuity key points, Business Continuity, Department of Homeland Security, Communication Plan, Business Continuity Plan, Business Disruption

How to Maintain Business Continuity throughout Disaster Recovery

Posted on Thu, Jun 20, 2013

The goal of business continuity planning is to restore operations efficiently through a systematic approach. In the event of a disaster, many companies lack adequate recovery planning and backup capabilities to restore critical information, essential processes, and normal business operations within an acceptable recovery time frame. The lack of recovery preparedness can adversely affect corporate reputation, financial stability, and overall resilience.

The recovery process is a sequence of interdependent and often concurrent activities that allow for measured advances toward a successful recovery. The time frame between temporary relocation and securing permanent facilities (either at the original or alternate facility) describe the recovery phase. Decisions and priorities set early in the recovery process often have a cascading effect on the evolution and speed of the recovery progress and business continuity efforts. Business unit management and staff must be familiar with and trained in the recovery procedures in order to effectively implement directives and maintain minimal business continuity.

Establishing plans that include comprehensive recovery processes and protocols prior to a disaster is essential. A fully coordinated post-disaster recovery plan should be implemented with internal and external stakeholders. Developing relationships and common understandings of roles and responsibilities prior to a disaster increases post-disaster collaboration and unified decision-making, streamlining the recovery process.

After the initial response and relocation of operations and personnel, the recovery phase includes, but is not limited to:

  • Damage assessments of primary facilities
  • Mobilization of tactical recovery teams
  • Recovery debriefings
  • Identification of recovery objectives
  • Initiation of restoration activities

The restoration phase addresses return of personnel to restored facilities, or permanent alternate facilities, and restoration of operations, and  includes:

  • Confirmation of the restoration of primary facilities and infrastructure
  • Confirmation of staff relocation schedules
  • Relocation to permanent facility
  • Consolidation and archiving incident documentation
  • Review and updating Business Continuity Plan based on lessons learned
  • Return to business as usual

Recovery outcomes vary based on incident circumstances, challenges,  and priorities. In the corporate world, a successful disaster recovery is typically characterized as the return of operations to pre-disaster conditions. FEMA’s National Disaster Recovery Framework provides key factors that contribute to a successful recovery.  These factors include:

1. Effective Decision making and Coordination:

    • Confirm roles and responsibilities of recovery team and stakeholders
    • Examine recovery alternatives, address conflicts and make informed and timely decisions that best achieve recovery
    • Establish metrics for tracking progress, ensuring accountability and reinforcing realistic expectations among stakeholders
    • Track progress, ensure accountability, and make procedural adjustments as necessary

2. Integration of Community Recovery Planning Processes:

    • Engage all stakeholders in pre-disaster business continuity and recovery planning, training, and exercises
    • Establish processes and criteria for identifying and prioritizing key recovery actions and projects

3. Well-managed Recovery:

    • Leverage and coordinate recovery teams, local response groups, government liaisons, and non-governmental organizations to accelerate the recovery process and avoid duplication of efforts
    • Surge staffing and management structures as necessary to support the workload during recovery
    • Establish leadership guidance, including the shift of roles and responsibilities, for the transition from response operations to recovery, and eventually a return to a normal (or new normal) operational state
    • Ensure regulatory compliance throughout recovery process

4. Proactive Community Engagement, Public Participation, and Public Awareness:

    • Ensure transparency and accountability
    • Communicate recovery objectives (short, intermediate and long-term) and applicable detailed information to employees, stakeholders, and community members

5. Well-administered Financials:

    • Clearly identify funding sources and financial recovery processes
    • Evaluate and present external programs that can provide financial assistance to aid in the recovery progress
    • Allow for budgetary flexibility, yet maintain adequate financial monitoring and accounting systems
    • Implement processes and systems that detect and deter fraud, waste, and abuse.

6. Organizational Flexibility:

    • Institute scalable and flexible processes that can align with recovery operations objectives
    • Institute business processes that can evolve and adapt to address the changing landscape of post-disaster environments

7. Resilient Rebuilding:

    • Invoke “Lessons Learned” in the restoration phase to minimize risks and threats, and improve response, recovery and restoration efforts.

For tips and best practices on designing a crisis management program, download Tips for  Effective Exercises.

TRP Corp Emergency Response Planning Exercises

Tags: Data Recovery, Resiliency, Business Continuity Plan, Disaster Recovery, Business Disruption

Business Continuity: Testing, Training, and Exercises

Posted on Thu, Jun 13, 2013

The overall purpose of business continuity planning is to ensure the continuity of essential functions during an event that causes damage or loss to critical infrastructure. A continually changing threat environment, including severe weather, accidents, fires, technological emergencies, and terrorist-related incidents, coupled with a tightly intertwined supply chain, have increased the need for business continuity efforts.

To ensure long-term viability, companies should develop, maintain, conduct, and document a business continuity testing, training, and exercise (TT&E) program. The business continuity plan should document these training components, processes, and requirements to support the continued performance of critical business functions. Training documentation should include dates, type of event(s), and name(s) of participants. Documentation also includes test results, feedback forms, participant questionnaires, and other documents resulting from the event.

Elements of a viable business continuity program include, but are not limited to:

  1. Program plans and procedures
  2. Budgeting and acquisition of required equipment and alternate sites
  3. Essential functions of each department
  4. Identification of authority, orders of succession, and roles and responsibilities.
  5. Interoperable communications methods
  6. Vital records management
  7. Testing, training, and exercise
  8. Recovery requirements

trp corp tabletop exercises

The 2010 Department of Homeland Security Continuity of Operations plan template identifies business continuity concepts that should be tested, training priorities, and exercise recommendations. While these concepts are directed at government entities, companies should utilize these directives to evaluate their own business continuity program. Unless noted, the specific testing, training, or exercises should occur (at a minimum) on an annual basis, or as required by regulations or company policy.

TRAINING

  • Train continuity personnel on roles and responsibilities
  • Conduct continuity awareness briefings or orientations for the entire workforce
  • Train organization’s leadership on continuity of essential critical business functions
  • Train personnel on all reconstitution plans and procedures
  • Provide opportunities for continuity personnel to demonstrate familiarity with continuity plans and procedures and demonstrate organization’s capability to continue essential functions
  • Conduct exercises that incorporate the deliberate and pre-planned movement of continuity personnel to alternate facilities
  • Conduct assessments of organization’s continuity TT&E programs, and continuity plans and programs
  • Report documented training to regulatory agencies, if applicable
  • Conduct successor training for all personnel who assume the authority and responsibility of the organization’s leadership, if that leadership becomes otherwise unavailable during a continuity situation
  • Train on the identification, protection, and availability of electronic and hardcopy documents, references, records, information systems, and data management software and equipment needed to support essential functions during a continuity situation for all staff involved in the vital records program
  • Train on the organization’s recovery process, addressing how the organization will identify and conduct its essential functions during an increased threat situation or in the aftermath of a catastrophic emergency

TESTING and EXERCISE

  • Test and validate equipment monthly to ensure internal and external interoperability
  • Test the viability of communications systems monthly and mitigate if necessary
  • Test alerts, notifications, and activation procedures quarterly for all continuity personnel
  • Test primary and backup infrastructure systems and services at primary and secondary recovery sites
  • Test capabilities to perform mission essential functions
  • Test plans for recovering vital records, critical information systems, services, and data
  • Test capabilities for protecting classified and unclassified vital records and for providing access to them from the primary and secondary recovery sites
  • Test physical security capabilities at primary and secondary recovery sites
  • Test internal and external interdependencies of critical functions
  • Conduct exercises on continuity plans that involve using or relocating to primary and secondary recovery sites
  • Demonstrate coordinated communications capability
  • Demonstrate the sufficiency of backup data and records required for supporting essential functions
  • Allow opportunity for continuity personnel to demonstrate their familiarity with the recovery and restoration procedures to transition from a continuity environment to normal activities
TRP Corp Emergency Response Planning Exercises

Tags: Testing, Business Continuity key points, Business Continuity, Training and Exercises, Business Continuity Plan, Business Disruption

Disaster Recovery, Roles, and Responsibilities

Posted on Mon, Jun 10, 2013

The National Disaster Recovery Framework is a guide that enables effective recovery support to disaster-impacted States, Tribes, Territorial and local jurisdictions. It provides a flexible structure that enables disaster recovery managers to operate in a unified and collaborative manner with recovery partners. Although the framework is aimed at the public sector and governmental jurisdictions, companies should evaluate the recovery elements for site-specific applicability, and incorporate pertinent and beneficial aspects.

A business disruption that extends beyond normal operating procedures and exceeds maximum downtime allotment requires a disaster recovery plan. The ability to institute a successful plan requires stakeholders to maintain a clear understanding of post-disaster roles, responsibilities, and objectives.  Clearly defined roles and responsibilities are the foundation to identify opportunities, foster partnerships, and optimize required resources.

Recovery objectives should include the meticulous restoration, strengthening, and revitalization of the site, surrounding infrastructures, and operations. Disaster response operations should prioritize timely and accurate communication to facility managers, critical decision makers, emergency response teams, stakeholders, vendors and contractors, and, if applicable, the public, in order to accelerate recovery without duplicating efforts.

Pre-planning for recovery allows for a collaborative understanding of necessary recovery elements and critical business processes. Business continuity plans should include recovery planning and operational components, including, but not limited to:

RECOVERY PLANNING

  • Coordinate development, training, and exercise of jurisdiction disaster recovery plan.
  • Establish and maintain contacts and networks for disaster recovery resources and support systems.
  • Promulgate principles and practices that further resiliency and sustainability in development and strategic planning initiatives.

RECOVERY OPERATIONS

  • Assess damage
  • Verify facility accessibility and safety
  • Identify internal and external recovery team contacts and contractors
  • Identify the scope of repair work
  • Develop site-specific repair plans and schedules
  • Restore operations
  • Institute mitigation measures
  • Apply “lessons learned” and update plans
The Incident Commander shall initiate the business continuity plan and associated recovery efforts. In the event the incident causes major damage to company facilities, the Incident Commander should serve as primary point of contact for supporting team members during disaster recovery planning and operations. Once the recovery period begins and/or appears that it will extend beyond the recovery capabilities of the facility, the Incident Commander should be responsible for the following:
  • Initialize and coordinate the activities of local recovery organizations and initiatives
  • Work with the Federal, State, and Local agency coordinators to develop a unified and accessible communication strategy
  • Participate in damage and impact assessments with other recovery partners
  • Organize recovery-planning processes to fully engage stakeholders and identify recovery objectives, priorities, resources, capabilities, and recovery capacity
  • Ensure inclusiveness of the community in the recovery process through media and public relations efforts
  • Continually communicate recovery priorities to government liaisons, recovery stakeholders, employees, and the community
  • Incorporate critical mitigation, resilience, sustainability and accessibility building measures into the recovery plans and efforts
  • Lead the development of an actionable and feasible recovery plan based on available funding and capacity
  • Collaborate with government liaisons to identify external financial support for recovery, leverage the resources, and resolve potential duplication of assistance
  • Work closely with the recovery leadership at all levels to ensure a well-coordinated, timely, and well-executed recovery
  • Develop and implement recovery progress measures and communicate adjustments and improvements to applicable stakeholders and authorities

For tips and best practices on designing a crisis management program, download Best Practices for Crisis Management.

TRP Corp - Emergency Response Planning Crisis Management

Tags: Business Continuity, Crisis Management, Redundant Systems, Training and Exercises, Disaster Recovery, Business Disruption

Applying FEMA's Mitigation Core Capabilities to Corporate EHS - Part 3

Posted on Thu, May 16, 2013

While all risks cannot not be avoided, companies can minimize the potential of an incident if risk mitigation measures are identified and implemented. FEMA has identified 31 core capabilities that should be incorporated into emergency management programs. Four of these core capabilities fall under the mission area of mitigation.

In Part 3 of this series on core capabilities, we will explore the concepts relating to FEMA’s mission area of mitigation. Although the FEMA concepts of the core capabilities are aimed at the public sector and governmental jurisdictions, companies should evaluate these mitigation elements for site specific applicability. Implementation of identified mitigation measures can minimize risks and advance corporate strategic and tactical environmental, health, and safety (EHS) goals.

MITIGATION

According to FEMA, the concept of mitigation includes the core capabilities necessary to reduce the potential for loss of life, property damage, and environmental impacts. By reducing the potential, consequences and impacts, the duration, and the financial and human costs related to response and recovery, a company becomes more resilient.

Risk mitigation includes recognizing, understanding, communicating, and planning for possible arrangements, procedures, and/or assets that can directly minimize the impact or likelihood of the threat, or simplify or automate recovery requirements. Each facility has its own unique associated risks, however, through dedicated risk mitigation analysis and proactive measures, hazards and business disruptions can be minimized.

Community Resilience: “Lead the integrated effort to recognize, understand, communicate, plan, and address risks so that the community can develop a set of actions to accomplish Mitigation and improve resilience.”

It is critical to gain corporate support to ensure reliance and the financial backing for necessary mitigation efforts. EHS programs should include training efforts that highlight potential threats/hazards and instruct individuals on procedures and processes that minimize those risks. An enterprise-wide program that prioritizes safety reinforces its commitment to individuals and the surrounding environment.

Long-term Vulnerability Reduction: “Build and sustain resilient systems, communities, and critical infrastructure and key resources lifelines so as to reduce their vulnerability to natural, technological, and human-caused incidents by lessening the likelihood, severity, and duration of the adverse consequences related to these incidents.”

A continual effort to improve safety measures, mitigate risks, and apply lessons learned bolsters the long-term viability of a company. Quantifying measurable safety statistics with baseline information allows companies to determine if mitigation efforts and safety measures are successful. By analyzing preparedness measures, companies can determine which priorities to implement to reduce long-term vulnerabilities. As companies grow and infrastructure expands, proven safety measures can be incorporated into site specific preparedness and operational activities.

Risk and Disaster Resilience Assessment: “Assess risk and disaster resilience so that decision makers, responders, and community members can take informed action to reduce their entity's risk and increase their resilience.”

A business impact analysis should be used to identify critical business processes, potential recovery strategies, and areas that could benefit from risk mitigation. This resilience assessment should be used as a tool for EHS management to identify potential vulnerabilities and initiate proactive changes to minimize impacts if a disaster were to occur. If the level of risk identified is deemed unsafe or unacceptable for operational viability, additional recovery options, safety procedures, or applicable strategies may need to be developed and implemented.

Threats and Hazard Identification: “Identify the threats and hazards that occur in the geographic area; determine the frequency and magnitude; and incorporate this into analysis and planning processes so as to clearly understand the needs of a community or entity.”

Threats and vulnerabilities can stem from both external and internal actions. Therefore, companies must analyze potential threats from a variety of potential sources. A localized vulnerability and impact analysis should include typical weather patterns, geographical influences, security efforts, cyber evaluations, inherent operational hazards, as well as facility design and potential maintenance issues. Companies who understand associated risks can better prepare for and possibly mitigate vulnerabilities.

The next blog, Part 4 of this series, will address the core capabilities related to response. To begin reading Part 1 of this series, click here.

TRP Corp Emergency Response Planning Exercises

Tags: Business Continuity, Facility Management, Terrorism Threat Management, Workplace Safety, Business Disruption

Top Flood Emergency Response Plan Tips

Posted on Mon, Apr 01, 2013

Spring brings warmer weather and longer days, but it also brings a variety of weather conditions that can result in heavy rains and flooding. Floods are one of the most common hazards across the United States. They can develop slowly over a few hours or days, leaving ample time to prepare and implement established flood procedures. However, flash floods can develop within minutes from intense rainfall, tropical storms and their remnants, or dam failures several miles upstream from a facility. Facilities must have an established and exercised flood emergency response plan in order to minimize the potential impact on life, the environment, and business operations.

The National Weather Service offers real time river observations data across the United States. Monitoring water levels allows companies to determine the likelihood of flooding resulting from local conditions, and enables prompt and accurate response decisions. In addition, FloodSmart.gov offers a variety of assessment tools, including a free hypothetical flood risk scenarios guide that can assist companies to better protect against financial losses due to flooding. Developing a flood emergency plan can prepare employees and facilities before, during, and after a flood to minimize health and safety impacts.

The following flood planning tips can be implemented to minimize risks to your business or industrial facility:

Flood Fatalities - TRP Corp

  1. Assess the flood risk potential in your area. Be aware of stream, ditches, drainage areas, and other low-lying areas on the property.
  2. Map facility and identify multiple access and egress routes.
  3. Familiarize staff with the evacuation plan and alternate routes.
  4. Ensure important documents and server(s) are not stored in basement or on ground level and review backup procedures.
  5. Update employee contact lists with alternate contact information in the event evacuation is necessary.
  6. If evacuation is necessary, assign trained personnel to secure the premises and equipment (such as sandbagging and/or extending regulator vents and relief stacks above the level of anticipated flooding, as appropriate.).
  7. Perform continuous monitoring of the flood through various media outlets and weather tracking.
         Flash flood watch:  flooding is possible
         Flash flood warning: flooding is occurring or is imminent
  8. If flooding is probable, request that gas and electric services are turned off.
  9. Communicate imminent flood status updates to supervisory personnel.
  10. Deploy personnel so that they will be in position to take emergency actions, such as shutdown, isolation, or containment in the event of emergency.
  11. Implement developed data backup procedures.
  12. If applicable, identify, contract, and communicate with water damage specialist(s).
  13. Ensure clean-up equipment is available, adequate, and ample. If clean up will be done by employees, Personal Protective Equipment (PPE) may be required. OSHA requires Personal Protective Equipment (PPE) for cleanup operations if water source is contaminated with sewage, chemicals, or other biological pollutants.
  14. Evaluate the accessibility of necessary equipment (such as valves, storage sheds, regulators, relief sets, etc.). Mitigate accessibility, if possible.
  15. Consider obtaining portable pumps and hoses from local suppliers.
  16. Unplug all electrical devices.
  17. If applicable, determine if flooding can expose or undermine pipelines as a result of erosion or scouring.
  18. If applicable, coordinate with emergency and spill responders on pipeline location(s) and condition, and provide maps and other relevant information to them.
  19. If applicable, advise the State Pipeline Safety Office (for intrastate lines), or RSPA's Regional Pipeline Safety Office (interstate lines) prior to returning pipelines to service, on increasing the operating pressure, or otherwise changing the operating status of the line.
  20. Conduct a post-incident review and identify mitigation opportunities to prevent future flooding impacts.

Download this free 9-Step sample Emergency Response Procedures Flow Chart.

TRP Corp -Response Procedure flowchart

Tags: NOAA, Business Continuity, Flood Preparedness, Workplace Safety, Business Disruption

Preparing for Supply Chain Disruptions with Business Continuity Plans

Posted on Mon, Mar 25, 2013

In October 2012, Hurricane Sandy’s unprecedented devastation caused havoc on the mid-Atlantic and east coast of the U.S. Infrastructure and supplies chain disruptions occurred across highly populated areas and multiple jurisdictions, severely affecting thousands of companies.  Ensuring ample supplies in the midst of an incident can be challenging. By identifying and pre-contracting vendors and alternate suppliers prior to an incident, a company improves its ability to quickly and successfully respond to incidents.

Hurricane Sandy’s storm surges and consequential flooding disrupted port operations and cut off dockage of incoming fuel tankers. Flooded automated pipeline fuel delivery equipment became inoperable. Power failures ceased fuel terminals transfers of gasoline into tanker trucks, and gas stations could not be restocked or operate pumps. As a result of the shortage, frustrated residents and businesses were forced to either go without the essential fuel or endure long lines and extreme supply uncertainty. The severe supply interruption created an additional level of business continuity issues.

Companies are often at the mercy of the “red tape” of governmental processes when disruptions envelope a wide area. In a business-driven society, regulations safeguard employees' rights, protect the environment, and/or monitor potential injustices. But in the case of Hurricane Sandy, licensing requirements and potential financial penalties exacerbated an already fragile supply chain.

Two bills, co-sponsored by Sen. Jennifer Beck and Sen. Robert Gordon, have been presented by the Senate Transportation Committee to streamline gasoline supply chain disruptions in the event of an emergency.

1. “Bill S-2581, provides a mechanism for fuel merchants to import motor fuel during the time of a state of emergency. Under current law, fuel merchants cannot purchase motor fuel from another state and import it in New Jersey unless the merchant first obtains a distributor’s license. After Hurricane Sandy, Governor Christie issued an executive order temporarily waiving this licensing provision to allow fuel to travel across state lines to boost supplies in New Jersey. The bill would eliminate the need for the Governor to issue future executive orders.” - Senator Jennifer Beck

2.  “Bill S-2582, provides that during a state of emergency, when a retail motor fuel dealer exhausts the supply of a lowest grade gas that dealer can sell any remaining supply of higher octane motor fuel at the same price as the price of the lowest grade motor fuel.”  - Senator Jennifer Beck

Senator Beck stated that the fuel shortage slowed the recovery process. “These bills remove regulatory hurdles that restrict the fuel supply during emergencies when we can ill afford red tape”, said Beck. While minimizing “red tape” helps streamline and ease the recovery process, companies should also prepare for, and expect delayed or interrupted supply availability after large-scale incident.

A business continuity plan (BCP) can help minimize or counteract many of the potential impacts of an incident.  Companies should utilize this tool to prepare for incidents that could impair or impede the ability to operate as a result of a temporary or permanent loss of infrastructure, equipment, supplies, critical staff, or data. Companies  can endure significant challenges and potential financial losses.

The following minimum business continuity planning elements should be considered when developing a BCP:

  • Identify critical business processes to maintain continued operation and mitigate as practicable.
  • Identify the triggering events that initiate an emergency action, and specify checklist items to be taken.
  • Train assigned personnel to complete required checklist action(s) in case business continuity implementation is necessary.
  • Identify typical transportation methods and necessary staffing levels to reveal potential threats to continued productivity.
  • Identify key vendor and supply chain requirements. Transportation delays could affect delivery times of essential supplies. Plan and mitigate accordingly.
  • Identify technology requirements such as back up timelines, communication methods, and if possible, mitigate any potential networking disruptions.
  • Identify and arrange for potential alternate locations, if applicable (ex. satellite offices, home-based opportunities, alternate locations).
  • Identify recovery time objectives for each critical process.
  • Review and update personnel contact information and notification procedures.
  • Minimize vulnerabilities by proactively implementing measures to ensure the safety and security of the facility and employees, as needed.
  • Review emergency action and response plans with employees.

For tips and best practices on designing a crisis management program, download Best Practices for Crisis Management.

TRP Download

Tags: DOT, Business Continuity, Supply Chain, Business Continuity Plan, Business Disruption

Top 10 Business Continuity Planning Obstacles

Posted on Thu, Mar 14, 2013

A well-developed Business Continuity Plan can minimize business disruptions, while safeguarding key business interests, relationships, and assets. Unfortunately, some companies do not place a high value on Business Continuity Planning and fail to institute sustainability efforts. 

Below are ten common obstacles in Business Continuity Planning (BCP), and possible countermeasures to offset these hurdles.

1 Lack of Management Support:

It is challenging to perform a cost-benefit analysis for business continuity. Managers and corporate executives may not act based on “what if” scenarios, unless regulations require implementation. Managerial decisions are generally based on concrete financials that benefit departments, stockholders, and the bottom line. There is a high degree of beneficial uncertainty associated with implementing BCP measures. Benefits resulting from BCP and mitigation efforts are dynamic in nature, and are not limited to a single structure, department, or operation.

Providing managers and corporate decision-makers a detailed vulnerability and hazard analyses with concrete financial statistics of their effects may garner some support. Additionally, professional reports and documentation that highlight increasing threats and vulnerabilities, such as the 2013 Global Risks Report by The World Economic Forum, makes a compelling case that may provoke and inspire leaders to implement continuity efforts.

2. Budget Restraints:

Because companies are in the business of making a profit, planning and mitigation measures are often compromised for other priorities. It may be helpful to estimate the cost of implementation for each critical process in relation to the cost of a critical process breakdown.  This exercise may highlight the need for a designated budget.

It may also be necessary to prioritize BCP implementation by each critical process with a step-by-step timeline for completion. Companies can identify and rank the most critical business processes, and implement BCP and mitigation measures based on those priorities. While most processes are intertwined, taking small steps to ensure process continuity is a step toward overall business continuity.

3. Maintaining a Culture of Preparedness:

Employees who are trained in business continuity recovery procedures will be prepared in the event of an operational failure. Managers who emphasize and embrace safety and continuity measures will create a work environment that reflects those principals, and maintain an overall culture of preparedness.

4. Lack of Training and Business Continuity Awareness:

Managers and employees frequently recognize the limits of their business continuity expertise after identifying company and process vulnerabilities. Planning and training should address overall business continuity efforts and detailed standard operating procedures for BCP activation. Training should convey procedural flexibility based on continuing assessment of disaster demands and provide options for each scenario. If implementing continuity efforts are beyond the scope of managers, companies should consider hiring consultants who specialize in business continuity planning.

5. Employee Turnover:

A review of specific business continuity plan roles and responsibilities should be part of any new hire training practices. This will ensure continuity of knowledge, standard operating procedures, and emergency and business continuity procedures. Companies can also benefit from employee turnover.  New employee may have unique business continuity experiences or knowledge that can be used to strengthen the plan.

6. Achieving a Constant State of Readiness:

Business continuity processes can be implemented as part of standard operating procedures (SOP).  By instituting best practices, such as backup procedures, mobile or flexible working environments, and alternate supply chains, a constant level of continuity can be sustainable if a facility, personnel, or process is inaccessible.

7. Coordination with External Responder/Suppliers(s):

The adoption of NIMS has allowed for adoption of consistent response language and processes. However, exercised coordination and two-way communication are key factors in successful continuity efforts. One of the greatest challenges in disaster preparedness is the continual effort of contact verification.  Dedicated man-hours or an automated cycle of contact verification should be in place as part of the maintenance phase of planning.  A contact verification tool that integrates with web-based, database-driven planning systems can save time-consuming maintenance efforts and eliminate a potential lapse in continuity efforts.  Every effort should be made to regularly confirm contact information and available supplies with partnering entities. Delays in contacting these partners and confirming their involvement may lead to additional business disruptions.

8. Identifying Critical Processes:

The ability to identify and quantify which critical business processes that, when not functional, may damage a company’s reputation or ability to operate, is a critical stage in the business continuity planning process. Overall resilience capabilities should be prioritized to mitigate any interruption. Understanding response procedures and the intricacies of a “Plan B” can make the difference between corporate survival or failure. Crisis and disaster situations usually result in the loss or temporary disruption of one or more of the following necessary key business resources:

  • Facilities
  • Infrastructure
  • IT Applications/Systems
  • People
  • Supply Chain

9. Unidentified Threats and Vulnerabilities: 

Threats and vulnerabilities must be identified in order for potential impacts to be analyzed and countermeasures implemented. A hazard analysis indicates the likeliness that each specific threat could occur, considering existing capabilities, mitigation measures, and history. Threats and vulnerabilities can stem from both external and internal actions. Companies should analyze potential threats from typical weather patterns, geographical influences, security efforts, inherent operational hazards, as well as facility design and potential maintenance issues.

10. Securing Suppliers for Business Continuity:

Identify potential alternative supply arrangements that can directly minimize the impact of the identified threats. Disruptions in supply may be outside a company’s domain, yet can severely impact the ability to provide “business as usual”. Factors to consider in the identification of critical suppliers are complex and extend well beyond first glance analyses; however, they may include those that provide:

  • Certain business specific products
  • Sole source services or products
  • Electrical power
  • Water
  • Fuel
  • Telecommunications
  • Transportation
  • Staffing
  • Waste Management
  • Facility or facilities

Download this free 9-Step sample Emergency Response Procedures Flow Chart.

TRP Corp -Response Procedure flowchart

Tags: Business Continuity key points, Business Continuity, Business Continuity Plan, Business Disruption

Global Connectivity Creates Need for Business Continuity Planning

Posted on Thu, Jan 31, 2013

The World Economic Forum recently released Global Risks 2013, Eighth Edition detailing the greatest 50 global risks for 2013. The identified risks were analyzed from a survey of over 1000 experts from industry, government, and academia in terms of impact, likelihood and interconnections. The survey revealed that respondents see increased risks with a higher impact level than in previous years. While the growth of a global interconnected marketplace may be financially beneficial, it also appears to increase a company’s vulnerabilities to business continuity issues.

A sudden loss of critical and supporting business functions and resources can be detrimental to a business. Many of the risks in the latest edition are enhanced by this “hyper connected world”, yet all of the risks fall into one of the following five categories:

  1. Economic
  2. Environmental
  3. Geopolitical
  4. Societal
  5. Technological

Companies need to determine how these categorical risks can impinge on their daily site-specific business operations to determine the best antidote for disruption and/or potential failure.  Detailed and exercised business continuity planning minimizes business disruption and the potential for financial loss. However, identifying risks, examining potential threats, and incorporating the effects on these critical functions require budgeting and staffing.  Preparation for a disaster can maximize optimal business functionality, yet companies still do not budget accordingly.

Interim results of a Business Continuity Insights’ survey regarding business continuity trends for 2013 revealed that 84% of respondents’ businesses intended to change the way it manages business continuity. Many of the changes may come in the form of initial plan implementation, updates, or manner of accessibility (mobile internet connectivity).  The downside is that many of these businesses will not increase budgets allocated for emergency preparedness.

According to the January 2013 edition of ISHN Magazine, only 16% of environmental, health, and safety professionals will see a budget increase in 2013, leaving 84% with the stagnant or decreased budgets. The statistics go on to reveal that staffing will only increase 14% while responsibilities will increase 46%.  Unfortunately, changes are expected without an increased budget while studies reveal global risks and impact levels affecting continuity are increasing.

The Global Risk 2013 study revealed the following risks associated with each threat category (pg 46) and the likelihood of the event occurring over the next ten years. While some risks are a result of the global governmental landscape, the interconnectivity of the worldwide marketplace may result in affecting continuity of operations far from the incident site. This occurred when the Japanese earthquake and subsequent tsunami affected automakers and electronic component production across many continents. Companies should utilize these finding to determine if their operations are at risk of the following:

  • Economic
    • Failure to address government debt
    • Severe income disparities and unemployment
    • Price fluctuations in critical commodities
  • Environmental
    • Governments, businesses and consumers fail to reduce greenhouse gas emissions and expand carbon sinks.
    • Increasing damage linked to greater concentration of property in risk zones, urbanization or increased frequency of extreme weather events.
    • Governments, businesses and consumers fail to reduce greenhouse gas emissions and expand carbon sinks.
  • Geopolitical
    • Weak or inadequate global institutions, agreements or networks, combined with competing national and political interests, impede attempts to cooperate on addressing global risks.
    • Terrorism: Individuals or a non-state group successfully inflict large-scale human or material damage.
    • Corruption: The widespread and deep-rooted abuse of entrusted power for private gain.
  • Societal
    • Water supply crisis: Decline in the quality and quantity of fresh water combine with increased competition among resource-intensive systems, such as food and energy production.
    • Failure to address both the rising costs and social challenges associated with population ageing.
    • Religious fanaticism: Uncompromising sectarian views that polarize societies and exacerbate regional tensions.
  • Technological
    • Cyber-attacks: State-sponsored, state-affiliated, criminal or terrorist cyber- attacks.
    • Data fraud/theft on an unprecedented scale
    • Critical system failures: Single-point system vulnerabilities trigger cascading failure of critical information infrastructure and networks.

For tips and best practices on designing a crisis management program, download Best Practices for Crisis Management.

TRP Download

Tags: Business Risk, Redundant Systems, Emergency Management Program, Event Preparedness, Business Continuity Plan, Business Disruption

Extended Power Outages Require Business Continuity Planning

Posted on Mon, Jan 28, 2013

In October 2012, nearly 8.1 million homes and businesses lost power, many for an extended time period, due to Hurricane Sandy. According to Jersey Central Power & Light (JCP&L) spokesman Ron Morano, the storm created the worst damage in the company’s history. As a result, power restoration was slowed and businesses across the northeast region suffered.

"In New Jersey alone, nearly 19,000 small businesses sustained damage of $250,000 or more with total business losses estimated at $8.3 billion as a result of Hurricane Sandy, about 1.0 percent of New Jersey Gross State Product in 2012." Economic Impact of Hurricane Sandy - Potential Economic Lost and Gained in New Jersey and New York (U.S. Department of Commerce).

When infrastructure disruptions occur, such as an extended power failure, companies operations can endure significant challenges and potential financial losses. If operations, equipment, or supplies are affected, companies must seek alternate ways to remain operational, or as in Hurricane Sandy’s case, attempt to recover quickly. A business continuity plan (BCP) is a vital tool that prepares organizations for incidents that could impair their ability to operate as a result of temporary or permanent loss of infrastructure, critical staff, software, and vital records.

Although Sandy’s vast devastation was unprecedented, companies must ensure precautionary actions are in place to sustain the viability of their business. By pre-identifying critical processes and the equipment necessary to function, alternatives can be explored and a BCP can be developed.  The process of creating and implementing a BCP may reduce the impacts of infrastructure disorder and associated supply chain disruptions. Business continuity preparedness can prevent unnecessary downtime, increased recovery efforts, and protect the financial bottom line.

Severe_Weather_Planning_TRP.jpg
Identifying critical utility and technology related operations is the first step in mitigating and combating the potential threat of an extended power outage. Possible critical utility and technology involved in business operations include, but are not limited to:

  • Utilities including electric power, gas, water, hydraulics, compressed air, municipal and internal sewer systems, wastewater treatment services
  • Security and alarm systems, elevators, lighting, life support systems, heating, ventilation and air conditioning systems, electrical distribution system.
  • Manufacturing and pollution control equipment
  • Voice and data communication systemsand computer networks
  • Air, highway, railroad, and waterway transportation systems

Once utility and technology related operations are identified, the following planning considerations should be taken into account in order to safeguard critical systems and develop an effective business continuity plan:

  • Determine the impact of service disruptions and mitigate if possible (generators, fuel, relocating inventory, back up suppliers etc.)
  • Ensure that key safety and maintenance personnel are thoroughly familiar with all building systems, such as alarms, utility shutoffs, elevators, etc.
  • Establish company-wide computer security, download, and backup practices in order to secure technologies and communications networks.
  • Establish procedures for restoring systems.
  • Establish preventive maintenance schedules for all systems and equipment.

Updating a BCP should be a continuously evolving process capturing changes in personnel, contractors, stakeholders, operations, and equipment. Each department should evaluate current critical processes, mitigate identified deficiencies, and update the plan as necessary. In the event of extended power loss, a BCP should  identify recovery time objectives for the following concepts:

Supply Chain: Pre-selected alternate resources to ensure consistent delivery and continued operations in the event primary suppliers are not able to provide required services.

Essential Personnel: Identify necessary minimum staffing levels to remain on-site during a storm (if deemed safe) and for recovery operations. As the storm passes, ensure staff, contractors, and suppliers understand their individual responsibilities and recovery time objectives.

Equipment needs: Identify and procure necessary equipment, and establish processes for continued operations and recovery. This will prevent unnecessary downtime and additional recovery efforts after a hurricane.  Relocating equipment or inventory prior to a storm may be an option. After a storm, repairing and replacing these essentials can be slow, labor intensive, potentially costly.

Data and computer needs:  Companies may examine data center outsourcing to ensure continuity and accessibility. Identifying the procedural details of computer backups, data restoration methods, and minimum software requirements are crucial to re-establish technology related critical business processes.

Communication needs: Clear and effective communication channels must remain available in order to disseminate information to employees, assess and relay damage, and coordinate a recovery strategy. A mass notification system may assure a reliable method to communicate to key individuals, company employees, or an entire client base.

No storm preparedness, whether for a hurricane or blizzard, goes wasted. Every “close call” storm provides a real-time test of the effectiveness of the preparedness processes. No matter how far a storm veers off path, company facilities, employees, and coordinating responders can gain planning insight by the act of initiating business continuity plans.

Receive TRP's Sample Response Procedure Flow Chart:

New Call-to-Action

 

Tags: Power Failure, Facility Management, Data Backup, Business Continuity Plan, Business Disruption