BUSINESS-OPERATIONAL CONTINUITY PLANNING

Transcription

1 BUSINESS-OPERATIONAL CONTINUITY PLANNING Glenn F. Epier Science Applications International Corporation 1213 Jefferson Davis Highway, Suite 1500 Arlington, Virginia ABSTRACT: U.S. federal and state regulations require industry to develop and maintain detailed crisis and emergency response plans. These plans are, for the most part, well thought out and detailed. As a result, along with extensive training and exercise programs, industry preparedness is better than it has ever been to respond to and manage an emergency. But how well prepared is industry to handle the business or operational continuity aspects of a crisis or emergency? What plans are in place to deal with the requirement for continuing essential business functions in the face of a disaster? If a major incident occurs to a refinery, terminal, or offshore production platform that requires it to be taken off-line, or damages it beyond repair, are there plans in place to minimize the impacts on the rest of the organization and on the downstream customers? How will this be done simultaneously while managing the response? This paper addresses those needs and discusses the requirements that companies in the oil and chemical industry should consider in developing business and operational continuity plans. It explains a multi-step planning process that is being used by many companies around the world to maintain their business edge when a crisis or disaster strikes. This planning process includes such functions as conducting a risk analysis and business impact analysis, developing mitigation and recovery strategies, drafting a continuity plan, developing an awareness program, and building a training and exercising program. The paper also looks at the similarities between business and operational continuity plans and a company 's emergency or crisis management plan and address ways in which the plans may be integrated. Introduction Managers and executives at all levels of a company are paid very well to manage crises and disasters and often do so on more occasions than they care to remember. While not all of these incidents are newsworthy, industry is no stranger to incidents with the potential to disrupt an organization's income sources, operating expenses, stock price, competitive position, and ongoing business, not to mention potential governmental intervention and regulatory changes. The refinery, pipeline, offshore platform, or oil terminal is a profit center in today's business world, yet many corporations do not focus business continuity planning efforts in these locations. Many corporations today that rely on their particular facilities to generate and maintain a certain level of business are overlooking the importance of business continuity planning for facilities and other infrastructure. This problem primarily is due to most plants and facilities not having experienced the level of crisis or disaster where long-term business viability and success are called into question. So how well prepared are most organizations to handle the business and operational aspects of a crisis? How much training and exercising in the area of business continuity and business resumption is being conducted by these organizations? In every major environmental incident, there is always the constant tug between the regulators and the stockholders each pulling the organization in a different direction to satisfy their own particular needs. When responding to a major refinery explosion and fire, or a major oil spill into one of the region's most environmentally sensitive areas, when will business issues be addressed? How should customers learn of a crisis? How will those contracts affected by the loss of that product or service be handled? Who is responsible for these issues? If customer and stakeholder needs are not met in a timely manner, will they turn on the company or abandon it? The business continuity message presented here is that it is nothing short of due diligence on the part of management to develop a mechanism that responds to major environmental disasters without losing the ability to continue the core business. Business continuity process Business continuity can be defined simply as a good business practice an effort to assure that the capability exists to continue essential company functions across a wide range of potential emergencies. Developing a business-operational continuity plan may seem like a huge task, but in actuality, it is a common-sense document that offers valuable insight into business operations. It involves identifying those functions and processes that are critical to business, then designing contingency plans to deal with the potential disruption of one or more of those functions and processes. Business continuity planning is not new. Most companies and organizations developed and exercised Year 2000 plans. Now those companies and organizations need to apply those principles and practices to potential oil and petro-chemical industry business disruptions, such as a major vessel grounding and spilling oil or refinery explosion and fire. The continual reliance on computers, databases, and other electronic information transferences will cause the concept of business-operational continuity planning to become the basis for crisis management in the twenty-first century. Government regulations motivate most companies to conduct field- or facility-level planning. For the most part, the regulations are adequate for dealing with emergencies, but adding information on continuing business operations certainly could enhance the planning effort. Most companies do not want to go beyond the planning required by those government regulations for various reasons, one of which is the higher costs associated with the additional planning effort. Not only does a company have to deal with environmental cleanup costs and liabilities associated with a 903

2 INTERNATIONAL OIL SPILL CONFERENCE major oil spill and the cost of repairs to rebuild the facility and infrastructure, but it also has to deal with potential impacts to its customer base (revenue streams) because of non-performance of existing contracts and the ability of competitors to quickly pick up this business. A well thought out plan to continue business becomes a necessity. So what is a business continuity plan (BCP)? It is a management strategy and set of procedures that defines how a business or corporation will continue its critical functions in the event of an unplanned disruption to its business activities. As with developing any type of crisis management and emergency response plan, business-operational continuity plans start with the process of defining the organization's vulnerabilities to business disruptions and eventually developing contingencies to handle those vulnerabilities (if they cannot be removed or mitigated in some fashion). The risk of potentially disastrous losses from business interruptions compels planners to use a common methodology to business resumption planning. This common approach includes ten basic steps under a program developed by the Disaster Recovery Institute International (DRII). This program has been in existence for a number of years and has proven effective in many major business disruption responses. The process outlined below by DRII is similar to the process used by the oil industry in developing crisis and emergency management plans, as explained later in this paper. These ten steps include: 1. Project initiation establishes the need for a BCP, which includes obtaining management support and organizing and managing the project to completion within established time and budget limits. 2. Risk evaluation and control determine the events and environmental surroundings that can affect an organization and its facilities adversely, the damage such events may cause, and the controls needed to prevent or minimize the effects of potential loss. 3. Business impact analysis identifies the potential impacts resulting from disruptions or facility losses that can affect a company, and the techniques that can be used to quantify and qualify such impacts. Critical functions are identified, their recovery priorities established, and interdependencies determined so that recovery time objectives can be set. 4. Developing business continuity strategies will determine and guide the selection of alternate business recovery operating strategies for a business while maintaining the company's critical functions. This shows how a company will continue to operate after an explosion and destruction of a large refinery or while responding to a major oil spill. 5. Emergency response and operations involves the development and implementation of procedures for responding to and stabilizing the incident. Human safety and health are always the first concern in any crisis or emergency situation. When an incident or disaster occurs, these crisis or emergency plans should be implemented immediately, with the business concerns and issues being a secondary priority. In the oil and chemical industry, these plans normally already exist, but the BCP plan should be compatible with the procedures in the response plans. 6. Developing and implementing BCPs involve the development and implementation of a BCP that provides for recovery within the recovery time objectives developed during the business impact analysis. 7. Awareness and training programs create corporate awareness of a BCP and its associated procedures, and enhance skills required to develop and implement a BCP. 8. Maintaining and exercising BCPs help to plan and coordinate exercises, and evaluate and document exercise results. This also allows for the development of a process to maintain the response capabilities and the plan document in accordance with the company's strategic direction. Major exercises often involve both BCP and emergency response plans. 9. Public relations and crisis coordination provide guidance to work with the media during a crisis or emergency situation. This also outlines information on how to provide crisis communications, such as dealing with key customers, critical suppliers, stockholders, employees and their families, and corporate management during a crisis. It also deals with crisis counseling for those employees or non-employees as required. 10. Coordination with public authorities establishes applicable procedures and policies for coordinating continuity and restoration activities with local authorities while ensuring compliance with applicable statutes or regulations. The above described business continuity process is similar to the process commonly used to develop crisis and emergency management plans. The two can be combined to develop and maintain a truly integrated and comprehensive contingency plan that includes information mandated not only by regulatory authorities, but by fiduciary responsibilities as well. General planning guidelines A crisis is an event or series of events that threaten to fundamentally alter the way an organization conducts business. It can be a significant business disruption that stimulates extensive news media coverage with the resulting public scrutiny having a large effect on the organization's normal operations. The crisis could also have a political, legal, financial, and governmental impact on a business. There are four basic causes of a business crisis: Acts of God, such as earthquakes, storms, volcanoes, etc. Mechanical problems, such as ruptured oil/gas pipelines, tank and valve failures, vessel groundings, etc. Human judgment or errors, such as opening the wrong valve, miscommunication or navigating a vessel aground, etc. Management decisions/indecisions, such as a problem that is perceived as not being very serious and that nobody will discover All could have huge impacts on the way an organization responds to and continues to conduct business. And without an adequate crisis and emergency management plan, as well as business continuity planning guidelines in place, the organization will surely struggle to exist. In many cases where the crisis already has occurred, or it is inevitable that the crisis will impact key stakeholders, a BCP will minimize the disruption and financial damage. A crisis or emergency management plan that does not address continuity planning is unlikely to achieve these results. Maintaining essential operations while responding to a disaster is a strategic, moral, and legal obligation to one's company and its stakeholders. Just as industry spending billions of dollars each year on technology to maintain a competitive edge is viewed as being prudent, not having a BCP to continue operations is an indication of corporate negligence. Standards of care and due diligence are required of all companies; not having a plan violates fiduciary standard of care. What basic elements are needed in a plan? Every good response-planning document should contain three sections/areas of information on how to deal with a catastrophic incident. These areas include: Crisis and emergency management procedures Crisis communications procedures Business continuity procedures

3 POLICY PLANNING CAPACITY 905 As an integrated plan is being developed, the difference between crisis management, crisis communications, and business continuity needs to be clarified. And where should the line between management, communications, and business concerns be drawn in a crisis? That line should not be drawn. In fact, one should do everything possible to coordinate management, operational, and communications response to any major environmental incident. In reality, response efforts should all work in parallel. The crisis and emergency response teams are working toward resolving the life, health, and safety issues; the communications team is providing the media and key stakeholder groups pertinent information; and the business continuity team is dealing with maintaining the company business and profitability. In addition, while building an integrated plan, other questions will surely be asked. At what level does the oil spill become a crisis? When should the crisis communications plan be implemented? When should one become concerned with business issues? What are the trigger points for making this decision? On this subject, trigger points should be clearly defined and well understood by all response team members. Criteria that describe the severity of the problem should be used to determine the type of response that will be provided. These criteria should also be an integral part of business continuity planning and be built into both crisis management and crisis communications sections of a plan. The importance of these criteria is that they will trigger separate responses by: Response team members who have to get the oil spill under control as quickly as possible so normal business can be resumed Top management who have to allocate resources, handle stockholders, deal with legal issues, maintain company image, and make other critical decisions needed to maintain the company business Communications personnel who have to proactively get the company's message out while making sure all stakeholder and media interests are met As indicated above, the process for developing crisis and emergency management plans is similar to developing BCPs. The planning process used in developing any type of crisis and emergency management plans may be consolidated into the following phases: Project initiation phase: The problem initially is identified and detailed. The objectives and the scope of the plan are laid out, budget and resources identified, and final approval given by management. Functional requirements phase: Details of a risk assessment are obtained and alternatives identified during this fact-gathering phase. A business impact analysis and risk assessment is conducted, along with a process for identifying mitigation strategies and acceptable risks. Plan development phase: The plan becomes a reality, a written document. Not only is a company looking at crisis and emergency response procedures, but it also should be considering plan components such as alternate Emergency Operation Center site locations, handling of vital records, escalation and de-escalation procedures, and business continuity, resumption, and restoration procedures. The integrated contingency planning guidelines developed by the National Response Team provide a good framework and meet their conceptual objectives, but they do not go far enough in the planning model to provide for businessoperational continuity information. Training and exercising phase: Once the plan is developed, personnel need to be trained on its contents. As a final link to the planning process, the plan needs to be exercised on a regular basis to determine its validity and effectiveness. Once deficiencies are determined, the plan then needs to be refined. Plan maintenance phase: While this appears self-explanatory, this phase often is neglected. All plans should be reviewed at least annually or whenever new policies and procedures are developed. A plan review schedule should be developed and a budget assigned, with reviews being conducted periodically, such as after conducting an exercise or responding to an actual incident. Organizational responsibilities Crisis situations typically require managers to make critical business decisions under extreme pressure and in most cases using incomplete and insufficient information. By defining in advance what core crisis management and business continuity steps need to be taken and how they should be conducted, corporations can reduce some stress on their staff during a crisis. This advance work may increase the efficiency of their response and may reduce the financial impacts on the company. Previously, a definition for a crisis was presented; however, this will vary from company to company, as the types of events or incidents that can alter the way a company chooses to do business vary. A specific event that may have a substantial impact on a small company may have little impact on a large company working in the same business line. How a company responds to a crisis event may make all the difference when the stock prices come out the next day. Prevention and preparation are two key areas where a company can make huge impacts when responding to a disaster or crisis event. They also will have large impacts on the cleanup and eventual litigation costs when responding to an incident. Anything that can first be prevented from occurring through such programs as enhancing safety standards, inventory control, or engineering design is always the first step in risk reduction. If the potential incident cannot be prevented from occurring, then the company must be prepared to respond to it. The question is not if, but when, the crisis will occur. A standard rule of thumb of crisis management is to influence the course of the crisis, not just respond to it. By being proactive, a company's crisis management team often can prevent a situation from escalating into a crisis, or can mitigate its financial impacts. Being prepared to handle the potential business impacts of such an event is as important as dealing with the emergency aspects of the response. And in most cases, the company should be able to respond to and deal with both (emergency and business continuity) responses simultaneously. Having an experienced and trained response organization in place is necessary to maintain that business edge once a crisis or disaster strikes. All too often, companies emphasize developing crisis and emergency management plans as the cure-all for responding to an incident. Granted, a good plan is very important, but in the long run. companies should be engaging in a process for developing an overall capability to manage the crisis or disaster, then documenting that capability in a suitable plan. Plans should reflect current capabilities, not desired capabilities. The plan and ultimate response are only as good as the organization managing the incident. That response organization should be designed so that it will be able to satisfy the overall response objectives of the company. There are many different types and levels of crisis and emergency management organizations throughout the oil industry, each with its own set of company objectives and goals. No matter how large or small the company, however, certain response objectives must always be met. In any incident, response issues

4 INTERNATIONAL OIL SPILL CONFERENCE such as human health and safety, logistics, personnel and equipment support, financial, legal, human resources, and communications will always need to be addressed. However, at what level, and by whom should these be handled? In most cases, a tiered approach to respond to a potential crisis or disaster is recommended. At the field location, the emergency response organization responds to the crisis event and is usually organized in an incident command structure of some type. Here is where the tactical planning for the response is being conducted. The facility response team will be focused on dealing with the emergency, and once that phase is over, its focus will then be on rebuilding the facility or repairing the damage caused by the incident; commonly referred to as business resumption. Additional company support in such areas as finance, personnel and equipment, legal, human resources, media, and business continuity should come from either the company headquarters or the business unit headquarters, depending on the size and makeup of the corporation. For many larger companies, a three-tiered approach is common with an incident support team (mid-level team) managing the crisis or disaster at the business unit level and a crisis management or executive management team (senior-level team) at the headquarters level. The incident support team would be responsible for providing assistance to the field-level team in such areas as legal, financial, human resources, crisis communications, and marketing, as well as focusing on the continuing business concerns for the business unit. The crisis management or executive management team would consist of very senior-level managers at the corporation headquarters tasked with handling the impacts of the crisis on the overall corporation and its stockholders, as well as continuing those strategic business functions not impacted by the incident. For smaller companies, these two senior-level teams (incident support team and crisis management team) easily can be combined into one crisis management team that would then be tasked with not only providing assistance to the field-level response, but also dealing with the business continuity issues and strategic response plans for the corporation and its stockholders. It is important that each individual responder understands how he/she fits into the response organization, what his/her responsibilities are, and what the roles and responsibilities are of each group in the corporation. Otherwise, overlaps or shortfalls will occur, and the response will not be managed as effectively or efficiently as the stockholders and general public would expect. It is also important that the members of the response teams understand the distinction between crisis and emergency management and how the business continuity issues need to be addressed during the early stages of the response operation. Plan comparison The following planning matrix (Table 1 ) outlines and compares the plan requirements of four commonly accepted standards Area Contingency Plans (ACPs), local emergency planning committee plans (LEPCs), facility response plans (FRPs), integrated contingency plans (ICPs) for oil spill response plans to those generally found in BCPs. What a comprehensive contingency plan needs The integrated contingency plan (as outlined by the National Response Team guidance) is an excellent model for creating an emergency response plan and covers all aspects of responding to a major oil spill. A local facility manager, however, needs to be aware of business continuity issues and priorities, and what his/her roles and responsibilities are to maintain the business when a crisis or disaster strikes. Some of these concerns and decisions will center on such areas as upstream suppliers and downstream customers, decision to rebuild or replace, work status of employees, production level changes, procedures modifications, etc. The focus of this plan comparison is on developing comprehensive response plans, from both a field-level and an incident support team perspective. There are many different concepts on how to develop a contingency plan and many more formats for writing the actual plan. It does not matter whether the plan is required by law, regulation, or company policy; most response plans should contain overall planning elements such as prevention, response, business continuity, and restoration. The plan should be able to address all aspects of dealing with a crisis or emergency ranging from prevention practices to getting the company back into normal operation. In addition, plans should be user friendly and, in many cases, should include information on responses to any type of hazard (e.g., fire, explosion, oil spill, natural disaster, terrorism, etc.). A comprehensive response plan should include information in the following areas: Scope and background information Risk Analysis Business impact analysis Prevention programs Health and safety plan Initial assessment and mobilization Notification procedures Forecasts of oil movement Resources at risk Response strategies and techniques Recovery teams and procedures Investigation procedures Contractor/support listings Alternate site location and setup Demobilization Response management organization Roles and responsibilities Crisis communications/public affairs Facility specific information Product information Training and exercising requirements Business continuity procedures Documentation requirements Concept of operations Humanitarian assistance Post incident review Waste management Evacuation/shelter in place requirements Communications Plan maintenance and review

5 POLICY PLANNING CAPACITY 907 Table 1. Planning matrix. LEPC Plan components ACP (SARA) FRP ICP BCP Applicability, purpose and scope Background, geographic boundaries and other policy information Listing of facilities subject to rules Facility identification information Transportation routes for hazmat Identification of at risk facilities and locations Identify critical functions; develop recovery strategies Risk/hazard analysis and mitigating factors Business impact analysis Planning organization Emergency response levels Product information (MSDS) Potential scenarios and action plans Trajectory modeling Listing of response equipment, support facilities and personnel (private and government) Health and safety Assessment/discovery Notification procedures (internal and external) Response operations (during emergency phase) Response management system/organization Identify recovery teams Alternate site location and setup, off-site storage retrieval Response techniques Recovery and demobilization (after emergency phase) Waste management Communications procedures (internal and external) Public Affairs information Humanitarian assistance concerns (injuries, deaths, etc.) Training and exercising plans, schedules and programs Plan maintenance and review procedures Accident review and investigation Incident Documentation (administrative and financial) Prevention Note: ACP, Area Contingency Plan, LECP, local emergency planning committee plan; FRP, facility response plan; ICP, integrated contingency plans; BCP, business continuity plan. Granted, the particular facility being impacted by the incident may not be the main provider of all information or services mentioned above, but specific information needs to be available on how to obtain additional assistance and advice from corporate management teams. Most oil spill response plans, however, do not contain these elements since they usually are developed in accordance with regulatory requirements that rarely require a corporation to plan for its continuing business success. Contingency planning, including business continuity, is a necessity that has turned out to be beneficial in more ways than expected. Beyond ensuring a business function's viability during and after a crisis or disaster, contingency planning efforts have led to significant improvements in the daily operations of many business units. In addition, no other process does a better job of making a corporation assess its operations and processes than the structured process of planning what to do when your refinery or vessel, the full staff, information systems, and communications are no longer available. Contingency planning for the long-term business success of a company is traditionally a primary responsibility of senior management at a headquarters location. But over the past decade, the trend has been to move this decision making to strategic business units. And in many companies, those strategic business decisions are being delegated to plant, terminal, and facility managers. These are the people that are not only responsible for safeguarding their existing operation, but they also need to have

6 INTERNATIONAL OIL SPILL CONFERENCE plans in place to protect business processes and procedures when a crisis occurs. After all, this is where the company makes its money and is of primary interest to all stockholders, so naturally this should be the level where business continuity begins. The goal is to develop one plan that covers all incidents, from a small spill that could have partial impacts on business profitability to a major incident where the entire business operation comes to a halt. How well this is planned for will dictate the success of the company. Biography Glenn F. Epier has over 24 years of experience in planning, training, exercising, and response, 18 of which were with the U.S. Coast Guard. He worked extensively in the emergency management field, in both preparing for and responding to maritime incidents. Mr. Epler reviewed and developed numerous crisis management and emergency response plans dealing with natural and man-made disasters.