Your Solution for SMART Response Plans

Geographical Risks and Business Continuity

Posted on Thu, Dec 06, 2012

Regardless of a company’s location, natural hazards are a risk to business continuity. Natural hazards tend to be location specific. However, images of the devastation left behind by these events are widespread. Unfortunately, many companies and their employees believe such disasters will not happen to them and fail to plan for plausible business disruption.

According to the CMI 2012 Business Continuity Management Survey, 54% of surveyed companies without business continuity plans gave as their reason that they rarely experience disruptions. This statistic is not uncommon. However, every year, rivers overflow their banks, high winds break treetops and tear away roofs, and power outages leave entire areas in the dark.

Despite the likelihood of a business-disrupting natural disaster, many companies do not implement a Business Continuity Plan. Earthquakes and hurricanes are persistent and ingrained in location-specific cultures. Changing weather patterns, unprecedented seismic activity, strong winds and tropical rainfall impact many communities. Yet, 50% of all companies do not practice continuity planning.

Threats from extreme weather, wildfires, and flooding can affect any business in any location.  The below graphic from the Institute for Business and Home Safety demonstrates the potential risks of naturally occurring events across the United States.

These natural events can result in the loss or temporary disruption of key business resources including:

  • Facilities or Workspace
  • Infrastructure or IT Applications/Systems
  • People
  • Supply Chain

While natural weather events are not avoidable, companies may limit damage, loss, or prolonged interruption to key business resources with mitigation measures and business continuity planning. A detailed company identification and evaluation of critical business processes should be performed as an integral part of a business continuity plan.

A “bare bones” evaluation should list the minimum criteria necessary to keep a business in operation. Subsequent continuity plans should include procedures for the prevention of loss or restoration of operations.  Necessary resources for business continuity may include:

  • Alternate workplace location(s)
  • Necessary equipment
  • Critical software
  • Client records
  • Off-site storage
  • Key vendors lists
  • Inventory and supplier requirements
  • Notification procedures for key stakeholders
  • Predefined personnel roles and responsibilities with current and alternate contact information
  • Business Continuity Team notification and activation procedures
  • Staff relocation requirements, including name, department, title, function code, home address, type of PC (PC or Laptop), number of adults and children in immediate family, pets /other, relocation priority, recovery location or facility, relocation seat number/room assignment, alternate employees, and special needs

A business continuity effort for an impending or existing natural event should incorporate the following four phases into the plan:

  1. Initial Response: This phase covers initial response to an active or potential business interruption and immediate efforts to minimize downtime.
  2. Relocation:  Mobilization of resources and relocation of equipment and personnel to alternate facilities or redundant sites may become necessary if forecasted or current conditions dictate. The relocation phase ensures that the recovery phase can be fully implemented to sustain minimum service levels defined for each critical process. This stage may include “Work from Home” and “Alternate Facility” relocation strategies.
  3. Recovery: The period from when personnel and equipment have been relocated to an alternate site until primary facilities have been restored or permanent alternate facilities have been secured. This phase incorporates the processes and procedures necessary to recover lost or interrupted resources.
  4. Restoration:  Personnel are able to return to restored facilities, or permanent alternate facilities, and critical resources are in full operational status.

A business continuity natural disaster event may be initiated from a single contained incident that affects one facility, or a large-scale incident that affects an entire region. Regardless of the incident, business restoration can be accelerated if communication processes and continuity of operations plans have been developed, tested, and properly implemented.

For a sample Emergency Response Checklist, download our helpful and informative guide.

Tags: Climate Change, Fire Preparedness, Extreme Weather, Business Continuity Plan, Hurricane Preparedness, Flood Preparedness, Business Disruption, Tornado Preparedness, BCM

Emergency Response Interoperability and Mutual Aid Agreements

Posted on Thu, Nov 29, 2012

Broadening the scope of response expertise can greatly benefit companies in the event of an emergency incident or disaster. Interoperability and associated agreements with local, state and federal agencies may provide additional resources based on particular experiences, research, or occupational training in a particular area, potentially reducing response time during a dire situation.

According to FEMA, “mutual aid agreements and assistance agreements are agreements between agencies, organizations, and jurisdictions that provide a mechanism to quickly obtain emergency assistance in the form of personnel, equipment, materials, and other associated services.” 

Emergency managers should regularly meet with government agencies, community organizations, and specialized response organizations  to discuss likely emergencies and their ability to contribute resources. Mutual aid agreements should facilitate a rapid, short-term deployment of emergency support prior to, during, and after an incident. However, the National Incident Management System (NIMS) Planning Guide states that a response from state or federal resources can take up to 72 hours or longer to arrive.

FEMA states that mutual aid agreements do not obligate agencies, organizations or jurisdictions to supply provisions or aid, but rather provide a need-based tool should the incident dictate the requirement. These agreements ensure the efficient deployment of standardized, interoperable equipment and other incident services or resources during incident operations. However, emergency managers should consult their company’s legal representative prior to entering into any agreement.

The designated emergency manager will typically establish mutual aid agreements.  However, the incident commander, in coordination with a liaison officer, must have full knowledge of the agreements and respective roles the organization(s) will play during a response.

The NIMS Planning Guide identifies several types of mutual aid agreements that can benefit companies. These agreements include, but are not limited to:

Automatic Mutual Aid Agreement: Permits the automatic dispatch and response of requested resources without incident-specific approvals. These agreements are usually basic contracts.

Local Mutual Aid Agreement: An agreement between neighboring jurisdictions or organizations that involves a formal request for assistance and generally covers a larger geographic area than automatic mutual aid.

Regional Mutual Aid Agreement: An agreement among multiple jurisdictions, often sponsored by a council of governments or a similar regional body.

Statewide/Intrastate Mutual Aid Agreement: A coordinated agreement throughout a State or between states that incorporates both State and local governmental and nongovernmental assets in an attempt to increase preparedness statewide.

Interstate Agreement: Out-of-State assistance through formal State-to-State agreements such as the Emergency Management Assistance Compact, or other formal State-to-State agreements that support the response effort.

International Agreement: Agreements between the United States and other nations for the exchange of Federal assets in an emergency.

Other Agreements: Any agreement, whether formal or informal, used to request or provide assistance and/or resources among jurisdictions at any level of government (including foreign), NGOs, or the private sector.

Memorandums of understanding (MOUs), or letters of intent, may be used with the private sector and nongovernmental organizations (NGOs) to facilitate potential collaborative efforts in the event of an incident. MOUs can be legally binding depending on the intention of the contractual parties, the language used in the document, and the residing jurisdiction. However, other MOUs can be construed as a non-binding “gentlemen’s agreement”.

The U.S. Department of State suggests the following regarding MOUs:

“While the use of a title such as “Memorandum of Understanding” is common for non-binding documents, we caution that simply calling a document a “Memorandum of Understanding” does not automatically denote for the United States that the document is non-binding under international law. The United States has entered into MOU’s that are considered binding international agreements.”

Download this free 9-Step sample Emergency Response Procedures Check List.


Tags: BCM Standards, Emergency Response, Department of Homeland Security, Supply Chain, Disaster Recovery, Business Disruption

Corporate Inter-dependencies Require Emergency Preparedness Efforts

Posted on Thu, Nov 15, 2012

Growing corporate interdependencies present significant challenges when infrastructure disruptions or losses occur. Basic physical structures are necessary for society to be operational. However, critical services and the companies that provide them depend on these structures in order for an economy to function. When these structures are damaged, those economy-stabilizing companies must seek alternate ways to remain operational.

Securing the critical physical infrastructure through mitigation, emergency preparedness, and business continuity planning efforts is at the forefront for the U.S. Department of Homeland Security (DHS). But efforts should not be left to government entities. Companies must prioritize emergency preparedness and business continuity initiatives in order to minimize supply chain interruptions that could affect the ability to provide critical services.

“Mitigating our most significant vulnerabilities and/or mounting a timely and efficient response and recovery effort at a major municipal, regional or national level requires strategic thinking, investment and capacity building well in advance of a paralyzing disaster.” - Revitalizing American Manufacturing to Protect, Respond and Recover

The present global risk environment is highly unpredictable and incidental impacts may be far reaching. After the massive 2011 earthquake and subsequent tsunami in Japan, the world’s manufacturing supply chains, most notably in the auto and electronics sectors, felt the aftershocks of limited supplies. Businesses within Japan and internationally experienced production problems and supply chain interruptions. The loss of critical infrastructure will have an effect on local companies; however, the disruption proved to adversely affect businesses far from the impact zone. Risk managers and business continuity advisers should be alert to lessons learned from the crisis in Japan and re-evaluate their company’s ability to respond as necessary if loss of critical infrastructure affects supply chains.

In addition to naturally occurring events with the potential to damage or disable U.S. infrastructure, the infrastructures are deteriorating due to generations of use. The 2009 American Society of Civil Engineers (ASCE) Report Card gives the U.S. infrastructure an overall grade of "D" or "Poor". The report reveals that an investment of more than $2.2 trillion through 2014 is necessary to address the most critical needs. Unfortunately, a sluggish economy has slowed reinforcement efforts.

The combination of deteriorating infrastructures and naturally occurring threats makes emergency preparedness and business continuity planning crucial for companies, especially those that fall into DHS’s critical infrastructure sector. Companies should prioritize and initiate response coordination with local authorities and establish continuity plans to counteract infrastructure failure.


Threats and risks that have the potential to affect infrastructure and supply lines include, but are not limited to:

  • domestic and international terrorism
  • floods
  • hurricanes
  • earthquakes
  • oil spills and other environmental incidents
  • technological failures
  • pandemic influenza
  • malicious cyber intrusions and disruptions

Given the current state of the U.S. infrastructure and the continual occurrence of high-risk scenarios, supply chains that perpetuate operational productivity may be unreliable and fleeting. According to the Business Continuity Institute’s “Supply Chain Resilience 2011” study, supply chain incidents led to productivity loss for almost half of businesses surveyed. If essential resources, both internal and external, fail, companies need to arrange sustainability through outside resources. Highlighted areas to review include, but are not limited to:

  • External facilities and equipment needed to produce the company’s products and services
  • Necessary products and services provided by suppliers, especially sole source vendors
  • Lifeline services such as electrical power, water, sewer, gas, telecommunications, and transportation
  • Operations and personnel vital to continued operation

Corporate and facility emergency managers should pre-identify critical processes and the equipment necessary to function. Through this process, alternatives can be explored and a business continuity plan can be developed that may reduce the impacts of infrastructure disorder and associated supply chain disruptions. Business continuity preparedness can prevent unnecessary downtime and increased recovery efforts, and protect the financial bottom line.

For tips and best practices on designing a crisis management program, download Tips for Effective Exercises.


Tags: DHS, Business Continuity, Department of Homeland Security, Business Continuity Plan, Disaster Recovery, Business Disruption

The Top Ten Reasons to Advance Company Emergency Preparedness

Posted on Mon, Nov 12, 2012

Revisions made to emergency response plans during or following an incident are often the results of unforeseen circumstances or inadequate planning. However, continual improvement of an emergency management program is necessary to ensure company preparedness.

Innovative techniques and lessons learned should be continually incorporated into an emergency preparedness program.  Companies should prioritize advancements and emergency management budgets accordingly. But “change for change’s sake” does not typically enhance programs. The evolution process of an emergency management program should aim to perpetuate improved response and operational recovery times, and enhance company viability despite crisis scenarios.

Regardless of regulatory compliance initiatives or history of actual emergencies, companies should budget to advance emergency preparedness.  Below are the Top 10 Reasons companies should advance their emergency preparedness program:

#10. Streamline and standardize improved response methods:  A consistent company-wide emergency response management system that delivers common processes with site specific details for assessing, prioritizing, and responding to incidents allows employees and responders to conceptualize their roles and responsibilities throughout the company. Standardization allows a common understanding, enabling a synchronized response.

#9. Optimize drills and training: Employee training, emergency response drills, and applicable exercises identify deficiencies in emergency response planning programs. Testing emergency plans with detailed scenarios and incorporating appropriate response training will improve response capabilities and coordination, and reduce response times.

#8. Improve regulatory compliance: Costly non-compliance fines result from the lack of thorough, implemented compliance programs. By systematically aligning emergency plans and their components with corresponding regulations, companies can identify and amend plan deficiencies that may result in fines and potential government mandated shutdowns.

#7. Simplify and automate emergency management: Emergency management can be an administratively taxing endeavor. Continual administrative duties associated with personnel contact information, assignments, training records, exercises, and continual plan updates may be inadequate to sustain an optimal program. Maximizing efficiency through advancements in technology can minimize time associated with maintaining emergency response plans.

#6. Improve asset utilization: Companies must utilize employees, responders, equipment, and budgets effectively in order to minimize the effects of a crisis or disaster. Realigning current tangible assets (equipment and/or personnel), mitigating current inefficiencies, and/or budgeting for additional response training or improved equipment will improve the overall effectiveness of an emergency management program.

#5. Proactively demonstrate a commitment to safety: By prioritizing an emergency management program, a company demonstrates the foresight to address a crisis situation and associated challenges, and proactively affirms efforts to ensure the safety of employees, the environment, and the surrounding communities.

#4. Improve conditions:  Harmful conditions pose a risk to occupants, facilities, the environment, and/or surrounding communities. By eliminating or mitigating potentially adverse conditions, unsafe activities, or ineffective responses, companies can reduce the potential for and effect of emergency situations. The risk assessment process can be used to reduce or eliminate harmful conditions that lead to incidents.

#3. Reduce Incidents: By identifying potential threats and risks, mitigation and preventative measures can be taken to reduce the potential for an incident to occur. Mitigation measures may include a variety of tactics including, but not limited to, training for employees, updating safety processes and procedures, or securing or purchasing updated equipment.

#2. Help reduce downtime: Operational downtime and production loss reduce revenues. By optimizing and implementing the most effective and functional emergency management program possible, incidents can be promptly managed and rapidly demobilized, thereby reducing response-related costs and downtime. The repercussions from an incident can include damaged relationships with customers, the surrounding community, and stakeholders.

#1. Cost savings: Proactive compliance efforts, safety initiatives, training and exercise measures, and response and resiliency planning are typically less expensive than regulatory fines, sustained response efforts, and overall repercussions resulting from an incident.

Implementing a new enterprise-wide emergency management system offers advantageous opportunities to better the effectiveness of the overall framework of the emergency management program. Gathering lessons learned from various site managers, performing site regulatory gap analyses, and implementing new proven concepts will ensure the best possible functionality and processes within a program.

Emergency preparedness programs shouldn’t be created for “if an emergency happens”, but for “when an emergency happens.” Disaster can and will strike at any time – whether it’s from human error, faulty equipment, or the elements.

For a sample Emergency Response Checklist, download our helpful and informative guide.

Tags: Emergency Management, Resiliency, Business Risk, Emergency Management Program, Safety, Workplace Safety, Business Disruption

The Critical Numbers of Business Continuity and Emergency Mitigation

Posted on Mon, Sep 10, 2012

Successful businesses track their financial statistics. A company’s ability to engage in daily operations is inevitably linked to its financial bottom line. However, if an emergency incident, natural disaster, or business continuity issue arises, a company may be unable to continue operations, which could result in loss of revenue and a significant impact on financial performance, or potential bankruptcy.

According to a Feb. 2012 survey by Sage, only 38% of the 539 small businesses polled have formal emergency or disaster preparedness plans in place. But if critical numbers are the basis of a successful business, a company needs to ensure its longevity by investing in a functional emergency response or business continuity plan. A widely cited 2005 study by the Multihazard Mitigation Council (MMC) entitled Natural Hazard Mitigation Saves: An Independent Study to Assess the Future Savings from Mitigation Activities indicated that money spent on reducing the risk of natural hazards is a sound investment. The study revealed that for every $1 spent on hazard mitigation, an average of $4 is saved in the future.


It is challenging to perform a cost-benefit analysis for hazard mitigation efforts. According to the MMC’s study, the cost analysis portion is typically a straightforward assessment of capital expenditures to upgrade the facility or equipment, operational costs for programs, and added maintenance expenses. However, on the benefits side of the equation, the avoided losses due to identification and mitigation efforts are much more difficult to assess. Typically, benefits resulting from mitigation efforts are dynamic in nature, and are not limited to a single structure, department or operation. Additionally, there is a high degree of beneficial uncertainty in implementing hazard mitigation efforts over a specific time span.

“A benefit-cost analysis requires that hazard mitigation costs and hazard losses be measured in terms of the value of all resources used (or destroyed) and at prices that represent their efficient allocation – not necessarily at market prices, which often do not account for inefficiencies or may not even exist in cases such as environmental resources (Boardman et al., 1996).” - Natural Hazard Mitigation Saves: An Independent Study to Assess the Future Savings from Mitigation Activities

The Business Continuity Institute released the CMI 2012 Business Continuity Management Survey detailing Business Continuity efforts in the United Kingdom. According to the survey, 81% of managers with a business continuity plan (BCP) stated that the planning efforts effectively reduced disruptions and agreed that the benefits justify the initial mitigation costs. The research stated that overall business continuity planning of the companies polled increased by 3% from the previous year. Despite the improvements, the report stated that there are still certain industries, such as manufacturing, that are lagging behind in dedicated efforts. Below are a few key numbers from surveyed managers from the study:

  • 61% state they have a BCP in place in 2012, up from 49% in 2010
  • 42% stated corporate governance initiated BCP efforts
  • 37% were prompted to develop a BCP by potential or existing customers
  • 33% cited legislation as the catalyst for a BCP
  • 54% without a BCP stated their company rarely experiences disruptions
  • 46% without a BCP stated they will deal with disruptions on an as-needed basis
  • 55% experienced business disruption due to public sector strikes
  • 49% experienced business disruption due to severe weather
  • 39% state they would have to look up their business continuity role in case of disruption
  • 47% with a BCP have exercised their plan

Transforming a company into a dynamic and responsive organization requires set, monitored and unified goals. The critical numbers in mitigation efforts may be abstract, but a business continuity plan can provide the bridge to longevity and a clear direction for success. To begin the process of building an effective business continuity plan, a company must:

  • Involve key employees in the process
  • Define business goals for each department or facility
  • Utilize goals to develop objectives
  • Determine how to measure potential costs and benefits
  • Analyze data
  • Mitigate where possible
  • Develop the plan
  • Train employees on the plan
  • Exercise the plan

For a sample Crisis Management Framework, download our helpful and informative guide.

Tags: Business Continuity key points, Business Risk, Business Continuity Plan, Business Disruption

Viral Outbreaks, Pandemic Planning, and Business Continuity

Posted on Thu, Aug 30, 2012

On August 16, 2012, the city of Dallas declared a state of emergency over the West Nile virus, a disease spread by infected mosquitoes. As of August 21, 2012, the outbreak in Texas had caused 19 deaths and 537 illnesses. According to the Center for Disease Control (CDC), over 1100 people had become ill and 41 deaths had resulted from this latest surge of West Nile Virus nationwide. The Dallas outbreak spurred officials to commence aerial pesticide spraying aiming to eradicate the local mosquito population, despite concerns from the public.

 “The risks of being harmed by these pesticides are not at all unreasonable.  Basically, in this case, I think the benefits of these sprays far, far outweigh the risk.” - Mike Raupp, of the University of Maryland College of Agriculture

To limit exposure to West Nile Virus, the CDC urges preventative measures such as bug repellent and eliminating extraneous standing water, a breeding ground for mosquitoes. Preventative measures can limit the implications of an outbreak and minimize potential pandemic situations.

Companies should also institute preventative measures to limit potential outbreaks through pandemic planning. Pandemic Response Plans (PRPs) are specific emergency response planning annexes that aim to establish and preserve business continuity in the event of a pandemic outbreak among the local population and/or the local workforce/contractors. The PRPs should document procedures and methods to sustain critical business functions with minimal staffing throughout different stages of an outbreak.

“Best practices” dictate that PRPs, like emergency plans, should be developed during normal conditions, prior to any threatened outbreak. When developing enterprise-wide PRPs, the procedures corresponding to the various outbreak impact levels should be incremental, each building on the previous outbreak level. Examples of levels and procedures are as follows:

  • Level 1 - The outbreak is being controlled within the affected area with minimal hazard to personnel, property, process or the environment.
    • Establish contact verification and notification measures with key stakeholders (both internal and external)
    • Decide whether it is appropriate to progress to using the PRP or if normal management procedures can manage the incident
    • Conduct pandemic plan briefings and promote awareness
    • Determine and validate current priority projects and processes to determine which to suspend, if necessary
    • Direct staff to maintain and backup all business information and working files (data and documents) so that content is accessible to alternates and other staff members
    • Acquire necessary peripherals (e.g. external disk drives) for home use, if needed
  • Level 2 - The outbreak is contained but disturbs two or more critical areas affecting personnel, processes, or the environment beyond the origin.
    • Notify staff members of PRP activation
    • Contact staff to inform them of the revised operational procedures. Staff may be directed to work from remote locations, if feasible
    • Maintain tracking of all staff, assess well-being of staff, and identify any needs for support.
    • Direct staff to maintain and backup all business information and working files (data and documents) so that content is accessible to alternates and other staff members
  • Level 3 - The outbreak has escalated to a situation that is potentially dangerous to personnel, the surrounding community, and the environment. It would likely involve a business-as-usual scenario with limited on-site staff.
    • Only essential employees who cannot work remotely would report on-site
    • Determine and validate current priority projects and processes to determine which to suspend, if necessary
    • Review and establish guidelines for backfilling of resources and business group leadership
    • Confirm availability of local and/or remote alternates for critical roles
    • Maintain tracking of all staff, assess well-being of staff, and identify any needs for support.
    • Direct staff to maintain and backup all business information and working files (data and documents) so that content is accessible to alternates and other staff members
  • Level 4 - Emergency Service Level with minimum staffing. However, typical business operations can continue to function.
    • Notify internal and external entities with dependencies on critical business operations.
    • Determine and validate current priority projects and processes to determine which to suspend, if necessary
    • Proactively notify corporate executives, team leads, and other contacts of availability and work location, and maintain out of office phone, e-mail notices, and calendars, as appropriate.
    • Distribute peripherals (e.g. external disk drives) for home use, as needed
    • Direct all staff to work at home, if possible. Staff that are not able to work from home may work from the site, as necessary.
  • Level 5 - All non-critical operations are suspended and critical business processes are examined for those that can be suspended.
    • Maintain tracking of all staff, assess well-being of staff, and identify any needs for support. Confirm contact information through calling tree.
    • Implement modified operations schedule with critical staff.  Excuse non-critical staff and place on standby.
    • Maintain critical staffing levels and engage emergency contractors.
    • Secure facilities
  • Level 6 - Return to normal operations after situational assessment.
    • Communicate resuming operations date with staff
    • Review time records and pay overtime as required
    • Update and archive file directories, if necessary
    • Update Pandemic Plans, as necessary

To limit business disruption from severe weather and to prepare for hurricanes, download the Corporate Hurricane Planning Checklist.


Tags: Pandemic Planning, Business Continuity key points, Emergency Management, Incident Management, Workplace Safety, Business Disruption

Protect Critical Systems from Cyber Disaster for Business Continuity

Posted on Thu, Aug 23, 2012

In July, General Keith Alexander, head of the National Security Agency and U.S. Cyber Command chief, warned that the changing nature of dangerous cyber attacks is taking a toll on American business. A Department of Homeland Security report on cyber security revealed 198 cyber attack incidents were reported to DHS in 2011. This is a sharp contrast to the nine incidents reported in 2009. The report noted that companies that control critical infrastructure reported higher numbers of attacks on their systems over the past three years.

With cyber threats to these computer systems on the rise, the U.S. Department of Homeland Security (DHS) is working to better protect control systems of critical infrastructure. DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) provides operational capabilities for defense of control system environments against emerging cyber threats. ICS-CERTs were deployed to investigate and analyze threats in 17 of the 198 cases in 2011. By understanding the threats and effectively managing the risks, actions can be taken to reduce the occurrences and sustain critical systems. Specific company names were not released in order to maintain a level of confidentiality and encourage reporting of other cyber attack incidents. Alexander said that for every intrusion detected by the FBI, there are 100 others that remain undetected.

DHS admits that the number of incidents reported to DHS's ICS-CERT has increased partly due to this increased communication between ICS-CERT and the private sector. However, through proper mitigation and business continuity measures, companies will be prepared to combat their current lapses in technology.

According to the EPA, “Technological emergencies include any interruption or loss of a utility service, power source, life support system, information system or equipment needed to keep the business in operation.” Identifying all critical technology-related operations is the first step in mitigating and combating threats. Possible critical technologies involved in business operations include, but are not limited to:

  • Utilities including electric power, gas, water, hydraulics, compressed air, municipal and internal sewer systems, wastewater treatment services
  • Security and alarm systems, elevators, lighting, life support systems, heating, ventilation and air conditioning systems, electrical distribution system
  • Manufacturing equipment, pollution control equipment
  • Communication systems, both data and voice computer networks
  • Transportation systems including air, highway, railroad and waterway

Once technology systems are identified, the following planning considerations should be taken into account in order to safeguard critical systems and develop an effective business continuity plan:

  • Determine the impact of technology service disruptions.
  • Ensure that key safety and maintenance personnel are thoroughly familiar with all building systems, such as alarms, utility shutoffs, elevators, etc.
  • Establish company-wide computer security practices, such as password-protected information, in order to secure technologies. (See CSET Assessment to determine system vulnerabilities)
  • Establish procedures for restoring systems. Determine the need for backup systems.
  • Establish preventive maintenance schedules for all systems and equipment.

ICS-CERT encourages companies to report suspicious cyber activity, incidents and vulnerabilities affecting critical infrastructure control systems. Online reporting forms are available at https://forms.us-cert.gov/report/.

For a sample Emergency Response Checklist, download our helpful and informative guide.

Tags: Data Recovery, Cloud Computing, Data Loss, Cyber-Security, Business Continuity Plan, Business Disruption, Information Security

Review Business Continuity Plan for Height of Hurricane Season

Posted on Mon, Jun 18, 2012

The Atlantic Hurricane season runs from June 1st to November 30th, with the height of the season being late August through September. In order to be prepared, companies need to systematically review their business continuity plans (BCP) to ensure continued operations should a natural disaster strike. 

Hurricanes can affect the continuity of operations as a result of:

  • mandatory evacuations
  • extended power outages
  • facility damage from high winds or flooding
  • potential supply chain interruptions

Critical processes necessary for operation need to be identified. However, updating a BCP should be a continuously evolving process. In a business continuity review, each department should evaluate current critical processes, mitigate identified deficiencies, and update the plan as necessary. 

The following concepts should be analyzed and identified for each BCP update and prior to the arrival of hurricane season:

Data and computer needs: Identifying the procedural details of computer backups, data restoration methods, and minimum software requirements is crucial to re-establishing critical business processes. Companies may examine data center outsourcing to ensure continuity and accessibility.

Notification lists: Regularly update lists to ensure all contact information is up-to-date. Business continuity planners must be certain that notifications are being delivered to accurate e-mail addresses and/or phone numbers, especially in case of an evacuation. If maintaining accurate contact information is challenging, consider opting for an e-mail notification verification system that enables individuals to verify their own information. Companies can also offer incentives, such as drawings or prizes, to encourage all personnel to register for notifications.

Communication needs: Clear and effective communication channels must remain available in order to disseminate information to employees, assess and relay damage, and coordinate a recovery strategy. A mass notification system, such as the one provided by Everbridge, may assure a reliable method to communicate to key individuals, company employees, or an entire client base.

Supply Chain: As a company’s needs change and new suppliers come online, plans should be updated to include these critical suppliers. Additionally, preselected alternate resources should be included in the BCP to ensure consistent delivery and continued operations in the event primary suppliers are not able to provide required services.

Essential Personnel: Identify necessary minimum staffing levels to remain on-site during a storm. As the storm passes, ensure staff, contractors, and suppliers understand their individual responsibilities and recovery time objectives.

Equipment needs: Identify and procure necessary equipment and establish processes for continued operations and recovery. This will prevent unnecessary downtime and additional recovery efforts after a hurricane. The process of relocating equipment prior to a storm or arranging for these essentials after a storm is time consuming, labor intensive, and potentially costly.

Through hurricane and BCP exercises and training, employees can react as planned and understand expectations. 

Hurricane Response Checklist - TRP

Tags: Extreme Weather, Business Continuity Plan, Hurricane Preparedness, Business Disruption