Your Solution for SMART Response Plans

Checklist for Web-Based Business Continuity Plans

Posted on Thu, Sep 11, 2014

In business, every threat can result in the same consequence: the loss or temporary cessation of key business processes. In order to minimize impacts when a threat materializes, business continuity plans (BCPs) must be intuitive, yet dynamic, to account for each critical business process. Effective business continuity planning institutes a clear path to sustainability and operational recovery.

The following core business continuity elements should be included in a BCP. Each element must be cyclically assessed for accuracy, potential mitigation opportunities, and lesson-learned insights in order for established processes and communication to be effectively maximized.

1. Plan distribution list and contacts: Business continuity planners must verify that the current employees listed in the plan, as well as those on the plan distribution list, are accurate. If maintaining accurate contact information is challenging, consider opting for a notification verification system with email or text message capability that enables the contact to verify personal information and automatically update associated response plans.

2. Communication: By aligning mass notification methods with typical daily communication habits (cell phone, emails, texting), planners can ensure key contacts are made aware of any business interruption and BCP activation. Clear and effective communication channels must remain available in order to disseminate information to employees, assess and relay damage, and coordinate recovery strategies. Provide employees training in primary and established secondary communication methods in case of disruption of primary communications.

3. Key Staff Roles and Responsibilities: From business continuity implementation through recovery, job-specific checklists and assigned procedures should be incorporated in a BCP. Task teams should be formed, at a minimum, to cover each essential business process. Each site may require unique minimum staffing levels to remain operational. In the event that primary team members are not available, cross-team training should be conducted to provide backups. Planners should make appropriate plan changes as operations and staff evolve.

4. Off-site Recovery Location: Include address, contact information, available on-site equipment, and any external equipment necessary for effective continuity of operations. 

5. Recovery Time Objectives: Incremental processes and procedures should be identified to meet specific critical business process goals. Recovery goals may include increments of one hour, 24 hours, 48 hours, one week, one month, and long-term recovery.

6. Key Customers’ Data:  Identify effective customer communication methods and necessary contact information required to inform customers of disruptions of deliverables or services. Effective customer relations and communication may be critical in retaining clients and maintaining positive relationships during a business interruption. 

7. Key Supplier Contact List: Identify critical business unit dependencies and interdependencies and key contacts. Transportation delays could affect delivery times. Plan and mitigate accordingly.

8. Alternate Suppliers List: The consequences of a supply chain failure on associated key business components can be crippling.  Alternate suppliers should be included in the BCP to ensure consistent delivery and continued operations in the event primary suppliers are affected by similar business continuity circumstances. As a company’s needs change and new suppliers come online, plans should be updated to include these critical suppliers.

9. Insurance Details: Identify details of insurance coverage and accurate contact information. The burden of proof when making claims typically lies with the policyholder. Accurate and detailed records are imperative.

10. Data Backup Details: Identify the procedural details of computer backups, data restoration methods, and the minimum program needs to re-establish critical business processes.  

11. Technology Requirements: Identify necessary hardware and software, and the associated minimum recovery time requirements for each business unit. Companies should examine current data center outsourcing to ensure continuity and accessibility or research continually advancing alternatives.

12. Equipment Requirements: Detail applicable equipment requirements for each business unit and recovery time goals. To prevent unnecessary downtime and additional recovery efforts, identify and procure necessary equipment and establish processes for continued operations and recovery.

13. Review Log: Incorporate newly identified hazards and vulnerabilities into the business continuity plan. A log can include necessary equipment used (requiring replacement or replenishment), altered processes, and lessons learned.

A web-based platform can speed up the cycle of business continuity events. By transitioning from paper-based business continuity plans to a web-based approach, companies have the ability to maximize data and streamline information. A web-based plan enables a standardized, enterprise-wide business continuity template, yet allows for site-specific details for each particular site.

 


Tags: BCM Standards, Business Continuity, Data Backup, Business Continuity Plan, Disaster Recovery

Concepts of Secured and Redundant Response Plan Accessibility

Posted on Thu, Apr 24, 2014

In preparedness and emergency management, the concept of risk and hazard identification is fundamental. However, the potential inability to access important documents, particularly during an emergency scenario, is often overlooked. If you experienced a catastrophic loss and could not access response plan documents, would you be able to conduct an effective response?

Companies must mitigate the risk that an incident may incapacitate access to response plans. In order to manage risks and build resilience, traditional risk-management tools must be incorporated with new technology-based concepts. With more people owning multiple computing devices such as laptops, tablets and smart phones, the idea of data being restricted to a single desktop computer or binder without adequate redundancies is antiquated. Cloud and web-based technology offer enterprise-wide, up-to-date redundancies that traditional record keeping methods cannot provide.

Response Team and Stakeholder Accessibility

To counteract potential incidents, fallout vulnerabilities, and regulatory noncompliance, response plans should be securely shared with and accessible to regulators, auditors, inspectors, and responders. Having up-to-date information readily available to trained responders has been proven to limit the duration of the emergency.  The faster responders can locate, assess, access, and mitigate the emergency, the sooner an incident can be contained. However, in order to minimize additional vulnerabilities, applicable data and confidential information must be secured.

A recent survey conducted by IT industry association CompTIA found that more than 90% of companies use or have transitioned to some form of cloud technology in order to increase flexibility and reduce costs. However, the report revealed that only 48% of those surveyed utilize cloud-based methodology for business continuity/disaster recovery processes. When authorized users can access response plan information from any location, response expertise can be maximized and maintenance efforts can be shared.


In the event of an emergency, up-to-date paper plans may not be available from other locations. Although some companies post electronic plans to their intranet that can be accessed remotely, the process of updating these plans is time-consuming and inefficient. In addition, if a catastrophic event occurs, there is the possibility that the main data source or server will be inaccessible.

When an incident is isolated to a particular location, cloud or web-based response plans can enable response measures on a company-wide scale. Cloud or web-based plans can also provide hyperlinks, forms libraries, simplified interfaces, and other tools designed to improve functionality for plan users.

Cyber-Security and Response Plan Redundancy

But with any data system, cyber-security and backup efforts are essential. In the event Internet connectivity is terminated or inaccessible, emergency managers must have alternative means to access plans. Redundant data centers, scheduled downloads, and security measures must be a part of any web or cloud-based emergency management program.

When first responders can exercise approved response processes and procedures, responses can become second nature. Plan accessibility allows appointed responders to clarify critical contact information and responses to altered site circumstances, operations, or materials. Inaccessible response plans can cause confusion and inconsistency, and can potentially accelerate impacts and financial loss.

As technology dependencies become more ingrained in company operations and emergency management programs, it is essential to institute company-wide best practices for computer security, downloads, and backups in order to secure necessary technologies and communications networks.

Cyber exercises allow stakeholders to simulate real-world situations, to improve communications and coordination, and to increase the effectiveness of broad-based critical infrastructure protection capabilities without the consequences of a real cyber event. These specific exercises educate employees on technological policies and provide a means to evaluate cyber incident preparedness, mitigation, response, and recovery capabilities.


Tags: Data Recovery, Response Plans, Redundant Systems, Training and Exercises, Cyber-Security, Data Backup

Cyber-Security for ICS Necessary in Business Continuity Planning

Posted on Thu, Nov 21, 2013

The 2013 Global Risk Report ranks cyber-attacks in the “Top Five” of incidents with a high probability of occurring within the next ten years. According to the report, cyber-attacks and critical system failures are considerable technological risks to companies and organizations across the globe.

As technology dependencies become more ingrained in company operations, it is essential to institute company-wide best practices for risk analysis, computer security, downloads, and backups in order to secure necessary integrated technologies. A recent report by The European Union Agency for Network and Information Security (ENISA) highlighted security concerns over Industrial Control Systems (ICS), including the widely utilized Supervisory Control and Data Acquisition (SCADA) systems, distributed control systems (DCS), and programmable logic controllers (PLC). These concerns are echoed in recent publications by the Department of Homeland Security’s Industrial Control System Cyber Emergency Response Team (ICS-CERT).

ICS are often used to control industrial processes, such as manufacturing, product handling, production, and distribution, and are a necessary element to promote business continuity. The main concern expressed by ENISA and ICS-CERT is that prevalent industrial control systems are riddled with varying outdated and un-patched software, leaving them exposed and vulnerable to hackers and cyber-attacks. Mitigating this high risk is critical for maintaining continuity of operations.

Recent SCADA and ICS security incidents greatly emphasize the importance of vigilant observation, analysis, and control of SCADA infrastructures. The ICS-CERT quarterly newsletter, Monitor, stated that the response team responded to 198 incidents across all critical infrastructures in 2012. That number was surpassed by May 2013, with energy infrastructures comprising 53 percent of the targeted attacks. That percentage was up from 41 percent in 2012.


ICS-CERT urges operators to embrace coordination by sharing attack data, specifically indicators of system compromises, and established a secure portal to allow companies to actively engage in protecting critical infrastructure. Through the portal, ICS-CERT was able to identify 10 IP addresses that participated in a recent attack against a gas compressor station. The alert prompted other station owners to investigate their own networks and they eventually reported another 39 IP addresses associated with attacks.

According to ENISA, critical infrastructure companies should employ continual risk-based assessments of cyber security policies to prioritize and tailor recommended guidelines and solutions to fit specific security, business, and operational requirements. ICS-CERT offers recommended practices, vetted by subject-matter experts, to bolster technology security. In addition to these recommended practices, identifying procedural details of computer backups, data restoration methods, and minimum software requirements is crucial to re-establishing technology and business continuity of critical business processes in the event of an attack.

There must be a mutual understanding between IT personnel and crisis managers regarding their respective roles, available resources, security efforts, and response measures during cyber disruption events. The ability to respond to critical incidents and identify root causes is a key aspect of the ability to mitigate potential threats. With technology-based incidents, analyzing the deficiencies that led to IT downtime enables countermeasures to be implemented. ENISA offers four key areas that promote investigative capabilities and allow mitigation efforts. These key areas include:

  1. Facilitate integration with existing structures
    • Determine source of evidence of security breach
    • Clarify data retention impact on systems
    • Streamline operational and IT interfaces
  2. Safeguard systems and configurations
    • Deploy security controls
    • Ensure logging controls
  3. Review key roles and responsibilities
  4. Embrace partnership coordination and cooperation

 


Tags: ICS, Security plans, Department of Homeland Security, Data Loss, Cyber-Security, Data Backup

Top Five Reasons to Utilize Emergency Management Software

Posted on Thu, Aug 15, 2013

Companies need an enterprise-wide, universally accessible emergency response planning system capable of adapting to every site, regulatory requirement, and plan type. Incorporating a definitive company emergency management system across an enterprise allows for a streamlined and familiar response process. Whether plans are mandated by corporate policy or regulatory agencies, an effectively exercised and accessible emergency response plan can minimize impacts of an emergency on employees, the environment, and infrastructure. The benefits of web-based emergency management systems are:

1. Efficiency:  Effective response plans require cyclical maintenance. As a result of changing personnel, fluctuating external response contacts, and revolving equipment availability and inventory levels, maintaining up-to-date and actionable response plans can be administratively time consuming. Emergency management software should eliminate the need for duplicate updates. The most advanced web-based software programs utilize a database, allowing for specific repetitive information to be duplicated in the various necessary plan types across an entire enterprise. By minimizing administratively tasking duties, plan changes are more likely to be transferred into the system, optimizing the accuracy of the plans.

2. Accessibility of plans: In the event of an emergency, updated paper plans are typically not available from all company locations. Additionally, accessing plans housed on a company intranet may be dubious if an incident renders company servers inaccessible.  Although the intranet approach has improved overall plan accessibility, a number of significant difficulties remain. With an intranet approach, plan maintenance, version control, and consistency across multiple plans remain challenging and time consuming.

Web-based planning system software offers every option of instant accessibility: viewed via the Internet from any location, downloaded, or printed. Increasing accessibility options while improving efficiency, functionality, and effectiveness can bolster an entire emergency management program.

3. Instantaneous updates: With web-based technology and an Internet connection, revised information is immediately available to all approved stakeholders. Both paper-based plans and those housed on a company intranet are often out of date with multiple versions in various locations, potentially misinforming the response team. Microsoft Word or PDF documents, often the format used in response plans, are cumbersome to revise for various plan types and locations. Web-based software eliminates “version confusion” and allows responders to apply the most up-to-date and tested processes to a response.

4. Superior functionality: Web-based plans can provide hyperlinks, forms libraries, simplified interfaces, and other tools designed to improve functionality for plan users. Simplifying documentation during an incident enables prompt response progress, improved regulatory compliance, and a more accurate account of the response. Easy to follow response plans allow responders to carry out specified industry and company procedures in accordance with proven best practices responses.

5. Multi-purpose data: Typically, response plans share common data with a variety of additional plan types including business continuity, pre-fire plans, hurricane plans, and others. Web-based, database driven plans utilize one database to manage this information, effectively leveraging plan content and revision efforts to all plans and locations that utilize that data.

If best practices are implemented, and training and exercises confirm effective response processes and procedures are in place, response plans can be an effective tool for responders. However, utilizing web-based, database software allows registered users to swiftly and accurately identify confirmed response contacts, response procedures, and available resources, expediting the response and minimizing impacts.

Resource management is a key practice in the National Incident Management System (NIMS). Web-based software streamlines the resource data incorporated into a response plan allowing NIMS components to be utilized more effectively. NIMS resource management includes:

  • Resource identification: Integrated data allows for all resources to be quantified.
  • Procurement: Through automated contact verification systems, the process of procuring resources is simplified. Accurate contacts, contact numbers, and resource lead times have already been confirmed.
  • Mobilization: Plan transportation and logistics needs are easily identified based on response priorities.
  • Track and report: Web-based response software’s links and forms database allows for easy resource reporting and documentation. Real-time incident management systems can ensure efficient use, coordination, and movement of equipment.
  • Recover and demobilize: Accurate data allocation ensures timely demobilization of equipment, including decontamination, disposal, repair, and restocking activities, as required.
  • Reimburse: Web-based software contains documentation measures that assist in tracking costs. This allows for accurate allocations of incident expenses, including contractors, equipment, transportation services, and other costs.
  • Inventory and replenishments: Resource data contained within the web-based software can be utilized to inventory response requirements or site equipment. This feature streamlines the ability to assess the availability of on-site equipment and supplies and determine external resource levels.

 

Tags: Data Recovery, Redundant Systems, Cloud Computing, Emergency Response Planning, Data Backup, Safety

Spike in Cyber Attacks Requires Specific Business Continuity Efforts

Posted on Mon, Jun 03, 2013

“According to recent estimates, this global network of networks encompasses more than two billion people with at least 12 billion computers and devices, including global positioning systems, mobile phones, satellites, data routers, ordinary desktop computers, and industrial control computers that run power plants, water systems, and more. While this increased connectivity has led to significant transformations and advances across our country – and around the world – it also has increased complexity of our shared risk.” - Department of Homeland Security

Based on statistics from the Department of Homeland Security (DHS), it is critical for companies to establish business continuity plans associated with technology, and related applications. As technology dependencies become more ingrained in company operations, it is essential to institute company-wide best practices for computer security, downloads, and backups in order to secure necessary technologies and communications networks.

A company’s business continuity plan (BCP) should include processes related to critical technologies that may be lost or suspended due to an incident or cyber attack. A BCP is a vital tool that companies can use to plan for the restoration of normal operations after a business-disrupting incident. Incidents can create a temporary or permanent loss of infrastructure, critical staff, software, and/or vital records. According to the DHS, the increasing number of cyber attacks elevates the potential for critical data lapses or loss. Recent cyber statistics include:

  • 68% increase in cyber incidents between 2009 and 2011 (Subcommittee on Cyber Security, Infrastructure Protection, and Security Technologies)
  • Confirmation of cyber intrusion campaign targeting oil and pipeline companies (Janet Napolitano, DHS Secretary)
  • Confirmation that the majority of companies in the energy sector had experienced cyber attacks, and approximately 55% of those attacks targeted control systems (Charles Edwards, DHS Deputy Inspector General)
  • In 2012, DHS responded to 177 cyber control systems incidents, up from 9 in 2012

To counteract the increasing threat to critical technology infrastructure, DHS has developed the Cyber Security Evaluation Tool (CSET). “CSET is a desktop software tool that guides users through a step-by-step process to assess their control system and information technology network security practices against recognized industry standards.” After a thorough evaluation, CSET produces a prioritized list of recommendations for improving the cyber security and industrial control cyber systems. Each recommendation is linked to a set of actions that can be applied to enhance cyber security controls.

In 2012, over 1,000 companies utilized CSET to evaluate cyber security measures. Sectors with the highest number of self-assessments include: water and water treatment, energy, transportation, commercial and government facilities, and public health or health care. By leveraging the CSET application and Control System Security Program onsite consultation opportunities, companies can mitigate cyber security issues and increase the potential for business continuity. Some key business continuity benefits of the programs include:

  • Highlighting vulnerabilities in a company’s system(s) and providing recommendations of mitigation efforts
  • Identifying areas of strength and recommended practices being followed in the organization
  • Providing a method to systematically compare and monitor cyber systems improvement
  • Informing a risk management and decision-making process
  • Raising awareness and facilitating discussion on cyber-security within the organization.

According to the Business Continuity Institute online survey conducted in December 2011, the top identified threat from conducting a thorough risk assessment was an unplanned IT or telecommunication outage. However, the top three identified threats were all related to the viability of technology, highlighting the need for technology-associated business continuity efforts.

Here are the top three threats from the Business Continuity Insight survey:

1. 74% - Unplanned IT and telecommunications outages
  • Departments or business units should define workaround procedures, or alternate processes, to support critical process recovery until key systems and applications have been restored.
  • Ensure all business documentation, records, and files necessary for resumption and recovery purposes are backed up and stored/located safely away from the primary office facility to minimize data loss.
  • Identify alternate methods of communication: landlines, cell phones, satellite phones.

2. 68% - Data breach (i.e. loss or theft of confidential information):  Organizations need site specific data security solutions that can detect, prevent, and continually audit interactions with sensitive data. Through continual monitoring of file and application access, organizations can minimize theft of confidential information.

3. 65% - Cyber attack (e.g. malware, denial of service): Companies should follow security best practices and implement practical and effective safeguards to mitigate internal and external attacks.

Each department should be responsible for assessing computer and software needs when developing critical process recovery strategies, and obtaining the review and input of the IT Department in support of any identified computer and software recovery time objectives.


Tags: Data Recovery, Computer Security, Data Loss, Cyber-Security, Data Backup, Business Continuity Plan, Terrorism Threat Management

Cyber Security is Essential for Business Continuity

Posted on Thu, Mar 21, 2013

Media organizations, multinational companies, and government agencies have all been victims of recent cyber attacks. February’s highly publicized 60-page Mandiant report, APT1: Exposing One of China's Cyber Espionage Units, revealed evidence of cyber data theft from nearly 141 organizations. It was “beyond a shadow of a doubt” that the Chinese government and military are behind growing cyber attacks against the United States, said House Intelligence Committee Chair Mike Rogers.

The 2013 Global Risk Report ranks cyber attacks in the “Top Five” of incidents with a high probability of occurring within the next ten years. According to the report, cyber attacks and critical system failures are considerable technological risks to companies and organizations across the globe.

As technology dependencies become more ingrained in company operations, it is essential to institute company-wide best practices for computer security, downloads, and backups in order to secure necessary technologies and communications networks.  A company’s business continuity plan (BCP) should include processes related to critical technologies that may be lost or suspended during an incident. A BCP is a vital tool that companies can use to plan for the restoration of normal operations after a business-disrupting incident. Incidents can create a temporary or permanent loss of infrastructure, critical staff, software, and/or vital records.

Identifying the procedural details of computer backups, data restoration methods, and minimum software requirements is crucial to re-establishing technology-related critical business processes. The Department of Homeland Security’s Cyber Exercise Program (CEP) can assist companies in developing protocols to evaluate their cyber incident preparation, mitigation, response, and recovery capabilities.

Companies should address the following DHS cyber security points to ensure business continuity:

  • Is cyber preparedness integrated with your current all hazards preparedness efforts?
  • Who are your cyber preparedness stakeholders (public, private, non-profit, other)?
  • Are cyber security risk-based policies established in your organization?
  • Does your organization ensure that service providers and vendors that have access to your systems are following appropriate personnel security procedures and/or practices?
  • Does your organization integrate cyber security into the life cycle system (i.e., design, procurement, installation, operation and disposal)?
  • Are audits conducted on cyber security systems?
  • Are cyber security plan requirements in place and are they being adhered to?
  • Are all systems compliant with company and/or cyber security plan requirements?
  • Does your organization have an asset inventory of all critical IT systems and a cohesive set of network/system architecture diagrams or other documentation (e.g. nodes, interfaces, and information flows)?
  • Upon being notified of a compromise/breach of security regarding an employee:
    • Who is notified?
    • What steps are followed to ensure this individual’s access to facility and/or equipment has been terminated?
    • What steps are followed?
    • Should legal representation be sought and at what point?
    • Who determines if the employee should be held criminally responsible?
  • Are there policies (formal and informal) pertaining to removable storage devices?
  • What is the priority of cyber preparedness, including cyber security, in your organization?
  • What level of funding and/or resources is devoted to cyber preparedness?
  • What are your estimated losses if a cyber attack were to terminate system functionality?
  • What are your critical business unit software requirements?
  • What are the procedures for backing up and restoring data?
  • How often are security patches updated?

Cyber exercises are an essential tool for organizations to evaluate their cyber incident preparation, mitigation, response, and recovery capabilities. The exercise environment allows stakeholders to simulate real-world situations, to improve communications and coordination, and to increase the effectiveness of broad-based critical infrastructure protection capabilities without the consequences of a real cyber event. These types of exercises can also be used to educate employees on technological policies and procedures used to offset cyber attack strategies. DHS identifies two types of exercises that can aid in the advancement of cyber security.

Discussion based exercises:

  • Familiarize participants with current agreements and procedures or assist in the development of new plans, agreements, and procedures
  • An effective method for bringing together key response team leaders common in mid- to large-scale cyber events
  • Easier to conduct, especially when multiple response team leaders participate using a variety of collaboration and video teleconferencing technologies

Operations based exercises:

  • Validate agreements and procedures, clarify roles and responsibilities, and identify resource gaps in an operational environment
  • May include the use of simulated network environments, “live-fire” events, and active adversary forces to produce realistic scenario inputs and effects
  • Generally involve mobilization and response as opposed to policies and procedures

By exercising key areas of conjunction between IT and other corporate response elements, gaps and shortfalls in company cyber security and incident response operations can be identified. To ensure business continuity, there must be a mutual understanding between IT personnel and crisis managers regarding their respective roles, available resources, and response measures during events caused by cyber disruption.

For tips and best practices on designing a crisis management program, download Tips for Effective Exercises.


Tags: Data Recovery, Computer Security, Business Continuity, Department of Homeland Security, Data Loss, Cyber-Security, Data Backup

Extended Power Outages Require Business Continuity Planning

Posted on Mon, Jan 28, 2013

In October 2012, nearly 8.1 million homes and businesses lost power, many for an extended time period, due to Hurricane Sandy. According to Jersey Central Power & Light (JCP&L) spokesman Ron Morano, the storm created the worst damage in the company’s history. As a result, power restoration was slowed and businesses across the northeast region suffered.

"In New Jersey alone, nearly 19,000 small businesses sustained damage of $250,000 or more with total business losses estimated at $8.3 billion as a result of Hurricane Sandy, about 1.0 percent of New Jersey Gross State Product in 2012." Economic Impact of Hurricane Sandy - Potential Economic Lost and Gained in New Jersey and New York (U.S. Department of Commerce).

When infrastructure disruptions occur, such as an extended power failure, company operations can endure significant challenges and potential financial losses. If operations, equipment, or supplies are affected, companies must seek alternate ways to remain operational, or as in Hurricane Sandy’s case, attempt to recover quickly. A business continuity plan (BCP) is a vital tool that prepares organizations for incidents that could impair their ability to operate as a result of temporary or permanent loss of infrastructure, critical staff, software, and vital records.

Although Sandy’s vast devastation was unprecedented, companies must ensure precautionary actions are in place to sustain the viability of their business. By pre-identifying critical processes and the equipment necessary to function, alternatives can be explored and a BCP can be developed. The process of creating and implementing a BCP may reduce the impacts of infrastructure disorder and associated supply chain disruptions. Business continuity preparedness can prevent unnecessary downtime and increased recovery efforts, and protect the financial bottom line.

Identifying critical utility and technology related operations is the first step in mitigating and combating the potential threat of an extended power outage. Possible critical utility and technology involved in business operations include, but are not limited to:

  • Utilities including electric power, gas, water, hydraulics, compressed air, municipal and internal sewer systems, wastewater treatment services
  • Security and alarm systems, elevators, lighting, life support systems, heating, ventilation and air conditioning systems, and electrical distribution systems
  • Manufacturing and pollution control equipment
  • Voice and data communication systems and computer networks
  • Air, highway, railroad, and waterway transportation systems

Once utility and technology related operations are identified, the following planning considerations should be taken into account in order to safeguard critical systems and develop an effective business continuity plan:

  • Determine the impact of service disruptions and mitigate if possible (generators, fuel, relocating inventory, backup suppliers, etc.)
  • Ensure that key safety and maintenance personnel are thoroughly familiar with all building systems, such as alarms, utility shutoffs, elevators, etc.
  • Establish company-wide computer security, download, and backup practices in order to secure technologies and communications networks.
  • Establish procedures for restoring systems.
  • Establish preventive maintenance schedules for all systems and equipment.

Updating a BCP should be a continuously evolving process capturing changes in personnel, contractors, stakeholders, operations, and equipment. Each department should evaluate current critical processes, mitigate identified deficiencies, and update the plan as necessary. In the event of extended power loss, a BCP should identify recovery time objectives for the following concepts:

Supply Chain: Pre-selected alternate resources to ensure consistent delivery and continued operations in the event primary suppliers are not able to provide required services.

Essential Personnel: Identify necessary minimum staffing levels to remain on-site during a storm (if deemed safe) and for recovery operations. As the storm passes, ensure staff, contractors, and suppliers understand their individual responsibilities and recovery time objectives.

Equipment needs: Identify and procure necessary equipment, and establish processes for continued operations and recovery. This will prevent unnecessary downtime and additional recovery efforts after a hurricane. Relocating equipment or inventory prior to a storm may be an option. After a storm, repairing and replacing these essentials can be slow, labor intensive, and potentially costly.

Data and computer needs: Companies may examine data center outsourcing to ensure continuity and accessibility. Identifying the procedural details of computer backups, data restoration methods, and minimum software requirements is crucial to re-establishing technology-related critical business processes.

Communication needs: Clear and effective communication channels must remain available in order to disseminate information to employees, assess and relay damage, and coordinate a recovery strategy. A mass notification system may assure a reliable method to communicate to key individuals, company employees, or an entire client base.

No storm preparedness, whether for a hurricane or blizzard, is wasted. Every “close call” storm provides a real-time test of the effectiveness of the preparedness processes. No matter how far a storm veers off path, company facilities, employees, and coordinating responders can gain planning insight by the act of initiating business continuity plans.


Tags: Power Failure, Facility Management, Data Backup, Business Continuity Plan, Business Disruption