Texas Emergency Management Conference 2015
Business Impact Analysis (BIA) and Risk Mitigation
Alan Sowell, COOP Unit Supervisor
Paul Morado, COOP Unit Planner

BIA Implementation Process

BIA Private Sector Definition: A method of identifying the effects of failing to perform a function or requirement. The cost of a business outage or degradation.

BIA FEMA Definition: A method of identifying the effects various threats and hazards may have on the ability of an organization to perform its MEFs and the resulting impact of those effects.

BIA Implementation Process

BIA Worksheet (CGC 2, Fig D2, P D-3)

BIA Step 1: Identify Potential Threats and Hazards
What threats and hazards could interrupt MEF performance?

Identify potential threats and hazards that could impact performance of each MEF. Interruptions could be natural, manmade, or process oriented. There are many common threats and hazards; this list is not all-encompassing. There will be unique threats and hazards to specific MEFs that should be considered as well. If the organization is dependent on information or supplies from a partner, it may be necessary to evaluate the effect a threat may have on the partner.

Potential Threats and Hazards (CGC 2, Fig D3, P D-4)

- Explosions: Man made or Accidental
- Chemical/Biological: Food contamination, Animal disease, Pandemic
- Infrastructure Damage: Power Outage, Network, HVAC, Water Supply, Fire
- Natural Disaster: Storm, Flood, Hurricane, Earthquake

BIA Step 2: Identify Threats and Hazards Characteristics
What threats and hazards could interrupt MEF performance?

Associated characteristics, assumptions, and effects are specific to each threat or hazard. Information can be based on historical patterns, general predictions of effect on the community, and effects on the organization. For low frequency events for which historical data is not available, general assumptions are made about the likely characteristics and effects of the event.

BIA Step 3: Estimate Likelihood of Threat or Hazard Occurrence
What is the likelihood that each threat or hazard could occur and affect MEF performance?

Based on an assessment of high frequency/low frequency events and their associated risk, assign an approximate relative numeric value to the likelihood of each threat or hazard occurring and affecting your MEF.

Hurricane or Flooding in West Texas: If critical supplies or activities come from the coastal areas of Texas, the effect of the flooding or hurricane in Houston cannot be discounted.

Likelihood of Threat or Hazard Occurrence (CGC 2, Table D1, P D-5)

MEF Vulnerability Values (CGC 2, Table D2, P D-6)

BIA Step 4: Estimate Overall Impact if MEF Failure Occurs
How susceptible is the MEF to failure due to each threat or hazard?

This step uses a likelihood table to evaluate how vulnerable each MEF is to disruption if the particular threat or hazard does occur. Organizations should look separately at how vulnerable their people, facilities, communications, resources, interdependencies, and processes are to the effects of each threat and hazard. Leadership should then estimate a combined value.

Organization depends on PAYROLL conducted offsite; Backup Data stored at vendor

BIA Step 5: Estimate Overall Impact if MEF Failure Occurs
How significant is the impact if the MEF cannot be performed?

Estimate the impact of MEF failure for each threat or hazard. Based on the MEF failure impact value, assign a numeric value of 0 to 10, with 10 being the highest. It is important to consider acceptable versus unacceptable downtime. For example, a 12 hour delay in beginning to process claims may be acceptable, whereas a 12 hour delay in initiating search and rescue services would not. Consideration must be given to whether other organizations would be able to perform the MEF if your organization cannot.

MEF Failure Impact Value Table (CGC 2, Table D3, P D-7)

BIA Step 6: Determine Risk Value for Each Threat or Hazard
Based on likelihood, vulnerability, and impact of the threat or hazard, what is the risk value for the MEF?

The risk value for each threat or hazard must be determined for each individual MEF. This is accomplished by adding together the numerical values from the previous steps. The result is a risk value from 0 to 30.

MEF Risk Value Calculation Formula

- BIA Process Step 3: High Winds Tornado = 6
- BIA Process Step 4: Neg effect minor mission delay = 7
- BIA Process Step 5: Minor mission delay limited period = 7
- MEF Risk Value: 20

(CGC 2, Table D2, P D-6)

BIA Worksheet

Business Impact Analysis Worksheet: Threats and Hazards

| Entry Number | Threat/Hazard | Threat or Hazard Characteristics | Threat or Hazard Likelihood | MEF Vulnerability | MEF Failure Impact | MEF Risk Value |
|---|---|---|---|---|---|---|
| 1 | Power Failure | Unable to access onsite computers, HR files, security doors offline | 2 | 6 | 8 | 16 |
| 2 | HVAC | Affects plant floor, cold storage, testing, working conditions | 6 | 7 | 8 | 21 |
| 3 | Wind Storm | Wind speeds affect power, personnel, HVAC | 6 | 7 | 7 | 20 |
| 4 | Flood | Transportation, logistics, personnel, power, HR, network, communications | 2 | 4 | 8 | 14 |

Risk Mitigation Evaluation

Current Texas Mitigation Plan (Hazard Mitigation, Annex P): Pre-event mitigation involves proactive measures undertaken by state and local officials to reduce or prevent loss of life and property that may occur in the future.

FEMA definition of Risk Mitigation: Mitigation strategies are those actions taken by an organization to reduce risks resulting from threats or hazards and to ensure the continued performance of MEFs.

Risk Mitigation Planning Process (CGC 2, Fig E1, P E-1)

Risk Mitigation Plan Model (CGC 2, Fig E2, P E-2)

RME Step 1: Evaluate Risk Mitigation Requirements and Potential Options
Review BIA results, evaluate risk value, assess risk mitigation options, determine mitigation requirements.

Review the BIA results WITH LEADERSHIP. Based on the BIA results, determine high frequency/low frequency events and how to address unacceptable threats and vulnerabilities.

BIA Worksheet

Business Impact Analysis Worksheet: Threats and Hazards

| Entry Number | Threat/Hazard | Threat or Hazard Characteristics | Threat or Hazard Likelihood | MEF Vulnerability | MEF Failure Impact | MEF Risk Value |
|---|---|---|---|---|---|---|
| 2 | HVAC | Affects plant floor, cold storage, testing, working conditions, networks | 6 | 7 | 8 | 21 |
| 3 | Wind Storm | Wind speeds affect power, personnel, HVAC | 6 | 7 | 7 | 20 |
| 1 | Power | Unable to access onsite computers, HVAC, HR files, security doors offline | 2 | 6 | 8 | 16 |
| 4 | Flood | Transportation, logistics, personnel, power, HR, network, communications | 2 | 4 | 8 | 14 |

RME Step 2: Identify Potential Threats and Hazards
Identify feasible options for reducing MEF risk and develop a mitigation approach and implementation plans.

MEF vulnerability can be mitigated by developing risk mitigation options that reduce the overall risk of failure. There may be more than one option developed to reduce a single vulnerability.

Risk Mitigation Plan Model

- A brief narrative description of the MEF risk problem
- A narrative description of the proposed mitigation
- Anticipated MEF risk reduction
- Mitigation project officer and manager

Risk Mitigation Plan Model Cont.

- Estimated budget requirements
- Estimated schedule
- Participating Partners
- Concurrences

Risk Mitigation Plan Model (CGC 2, Fig E2, P E-2)

Mitigation Plan Model Line 1

The need for HVAC to process samples in the work area was the highest priority hazard based on the BIA worksheet. The identified issue is the need to have additional onsite power for HVAC systems or an alternative ventilation method in the facility's Laboratory building. Currently the facility's HVAC unit is not connected to a secondary power source. Failure of this system will make storage of evidence and usage of laboratory flammability functions inoperable due to loss of climate controls. Exhaust ventilation is needed when employees are exposed to high toxicity chemicals or when large amounts of dusts or welding fumes are generated. The building is secured by storm windows; loss of the ventilation system causes a vacuum seal effect on the doors, making access difficult. Loss of cooling in personnel areas would degrade the working conditions for extended periods and would degrade servers over time.

Mitigation Plan Model Line 2: HVAC proposed mitigation

Indoor air quality ventilation, used primarily in offices and other non-industrial buildings, will not be covered in this plan. There are advantages and disadvantages to the use of either dilution ventilation or local exhaust ventilation in terms of costs and effectiveness. There are three types of workplace ventilation as noted by OSHA: indoor air quality ventilation, dilution ventilation, and local exhaust ventilation. The identified issue is the need for alternate onsite power for HVAC systems or an alternative ventilation method in the facility's Laboratory building. The purchase of other systems, or the addition of another direct municipal power source, are the only short term viable solutions. See attached table 1.

Mitigation Plan Model Line 3: Anticipated MEF HVAC Risk Reduction

The risk value for HVAC, as shown in the BIA worksheet, results from three components: (estimated likelihood of loss of HVAC), (vulnerability of laboratory services to loss of HVAC), and (estimated overall impact if laboratory services fail). The purchase of other systems, or the addition of another direct municipal power source, will reduce vulnerability by more than half, to a 2. The result is a risk value of 16, a reduction of 5 points, making it now one of the lowest threats in our BIA.

RME Step 3: Submit a Risk Mitigation Plan for Leadership Approval
Develop and submit a risk mitigation review package for leadership review and approval.

A formal presentation of the risk mitigation proposal should include, at a minimum, the following:

MEF Risk Mitigation Plan Approval Package

- Executive Summary
- BIA Results
- Risk Mitigation Recommendations
- Next Steps, strategic plan
- Additional Supporting materials
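
Added example (not part of the original slides): the Step 6 sum applied to the worksheet rows above, ranked as on the RME Step 1 slide, then recomputed with the HVAC vulnerability lowered to 2 as in Mitigation Plan Model Line 3. The class and function names are hypothetical, and the 0 to 10 range for likelihood and vulnerability is an assumption inferred from the 0 to 30 total.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Entry:
    number: int
    hazard: str
    likelihood: int     # BIA Step 3
    vulnerability: int  # BIA Step 4
    impact: int         # BIA Step 5

    def __post_init__(self):
        # Assumption: every component is scored 0-10, inferred from the
        # page's 0-10 impact scale and its 0-30 range for the sum.
        for field in ("likelihood", "vulnerability", "impact"):
            value = getattr(self, field)
            if not 0 <= value <= 10:
                raise ValueError(f"{self.hazard}: {field}={value} outside 0-10")

    @property
    def risk(self):
        # BIA Step 6: add the three values together.
        return self.likelihood + self.vulnerability + self.impact

# Worksheet rows from the page, each paired with the risk value the page states.
WORKSHEET = [
    (Entry(1, "Power Failure", 2, 6, 8), 16),
    (Entry(2, "HVAC", 6, 7, 8), 21),
    (Entry(3, "Wind Storm", 6, 7, 7), 20),
    (Entry(4, "Flood", 2, 4, 8), 14),
]

def total_mismatches(rows):
    """Hazards whose stated risk value is not the sum of its components."""
    return [e.hazard for e, stated in rows if e.risk != stated]

def rank(entries):
    """Highest risk first; ties keep worksheet entry order."""
    return sorted(entries, key=lambda e: (-e.risk, e.number))

def mitigate(entries, hazard, vulnerability):
    """Return a copy of the worksheet with one hazard's vulnerability rescored."""
    if not any(e.hazard == hazard for e in entries):
        raise KeyError(hazard)
    return [replace(e, vulnerability=vulnerability) if e.hazard == hazard else e
            for e in entries]

if __name__ == "__main__":
    entries = [e for e, _ in WORKSHEET]
    print("stated totals that do not add up:", total_mismatches(WORKSHEET))
    print("before:", [(e.hazard, e.risk) for e in rank(entries)])
    print("after: ", [(e.hazard, e.risk) for e in rank(mitigate(entries, "HVAC", 2))])
```

After the rescoring, HVAC ties with Power Failure at 16, so Wind Storm becomes the top-ranked entry for the next mitigation review.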

RME Step 4: Implement Risk Mitigation Plan
Implement the mitigation plan; monitor progress.

A strong advocate among leadership who understands your plan can help with implementation. Review all resources required, with special emphasis on the budget and timelines associated with the cost. In preparing your criteria for the project manager, ensure they understand the BIA/mitigation plan so they can later refer leadership to it as each milestone is accomplished toward the overall goal.

RME Step 5: Assess Risk Mitigation Effectiveness
Test, train, exercise, and assess the new equipment or procedures. Initiate corrective action if risk remains high.

An effective TT&E program is necessary to help organizations prepare and validate their continuity capabilities and program, and their ability to perform essential functions during any emergency. Training familiarizes continuity personnel with their roles and responsibilities in support of the performance of an organization's essential functions during a continuity event. The HSEEP is a pillar of the National Exercise Program framework. Organizations should refer to the HSEEP for additional exercise and evaluation guidance.

Thank You!

For More Information

For more information about this presentation, contact Alan Sowell, COOP Unit Supervisor, at Alan.Sowell@dps.texas.gov.

Please direct general questions to supervisory contact Kiran Dhanji, Preparedness Section Administrator, at kiran.dhanji@dps.texas.gov.

Produced by the Texas Division of Emergency Management Preparedness Section, COOP Team
http://www.txdps.state.tx.us/dem/preparedness/plansunit.htm