Business Continuity Management. Dan Warnock, CSP, CFPS, ALCM Risk Control Manager Senn Dunn Insurance




Why Business Continuity Management Now?
Hurricane Season: June 1st - November 30th
- Hurricanes: potential for physical damage and significant business interruption.
- Each season is UNPREDICTABLE:
  - Typical season: 12 Trop Storms / 6 Hurricanes (3 major)
  - 2014: 8 Trop Storms / 6 Hurricanes (2 major)
  - 2013: 14 Trop Storms / 2 Hurricanes (0 major)
  - 2012: 9 Trop Storms / 10 Hurricanes (3 major)
  - 2011: 13 Trop Storms / 7 Hurricanes (4 major)
- DEVASTATING IMPACT: High Winds & Rain / Storm Surge / Inland Flooding

Why Business Continuity Management Now? 2015 Texas Flooding
The storms that hit the area:
- More than 7 inches fell overnight
- Wettest month ever recorded at 16.07 inches
- So big it ended the state's drought
Human factor:
- At least 28 people have been killed nationwide; 24 died in Texas
- At least 11 are missing

Overview
- Introduction
- What is Business Continuity Management (BCM)
- Management Support
- Establishing Policy and Organizational Structure
- Program Management
  - 1: Understanding Your Business
  - 2: Developing a BCM Response
  - 3: Testing and Maintenance

What is Business Continuity Management (BCM)
Primary Objectives:
1. Protection of people, property, and
2. Preparing an organization to resume operations as soon as possible.
Definition: Ensuring the continuity or uninterrupted provision of operations and services.
It is an ongoing process with different, but complementary elements:
- Crisis management / Business recovery
- Testing & maintenance / Auditing the plan

What is Business Continuity Management (BCM): Making the Case for BCM
BCM is often given a low priority, or none at all. Why?
- Effective planning requires time and money
- Commitment to maintain a plan once developed
- Development can be enormously challenging

Preparing Makes Sense
- During an emergency, help may not be available immediately
- Community preparedness starts with the individual
- Preparing reduces anxiety

What is Business Continuity Management (BCM): Making the Case for BCM
- 79% of companies do not have integrated Business Continuity Plans
- 65% of companies that do have plans have never tested them
- 43% without a plan in place did not reopen
- 70% of businesses that closed for a month or more failed to reopen or failed altogether within 3 years

Could This Be You?
In 1993, flooding in the state of Missouri affected 265 businesses. Of those affected, only 65 remained open one year after the floods. Damage: $4.5 billion

What is Business Continuity Management (BCM): Making the Case for BCM
Consider possible impacts other than natural disasters:
- Hazardous spill in your neighborhood forces you to shut down your operations
- Critical supplier/vendor experiences a strike
- Disgruntled employee or customer
- Highly visible product recall
- Pandemic

Business Continuity Management Examples: Suppliers
- 2002 California Dock Workers Strike: supplies and imported materials not able to be received.
- Agriculture suppliers: What if they were your main supplier for your business? (E. coli, Salmonella outbreaks)
- Workplace shooting at beverage distributor: What if they were your main supplier and you have a wedding that following weekend?

Business Continuity Management Examples
Natural Events:
- Drought / Flood: What if your main raw material is water or affected by water?
- Hurricane / Tornado / Earthquake: How many locations do you have? Where are they located?
- Wild Fires / Ice Storms
- Earthquakes
Business Functions:
- Computer records lost; backup did not work properly.

What is Business Continuity Management (BCM): What causes businesses to fail?
- 68% Human error
- 25% Technology failure
- 5% Natural disaster
- 2% Intentional causes
Many companies fall into a trap of planning only for failures on a grand scale when it is the smaller interruptions that cause most problems.

What is Business Continuity Management (BCM): How will BCM help my organization?
- Help prioritize potential hazards:
  - Important process / bottlenecks / equip.
  - Potential natural disasters
- Help protect against uninsured losses:
  - Market share / Customers
  - Business relationships
  - Employees (injury, disability, death, quitting)
  - Communications

Management Support
- Strong support from your organization's upper management is essential for an effective BCM Plan
- BCM must become part of your corporate culture.
- Your management must perceive BCM as an essential and integral part of your company's strategy and operations

Management Support
Potential challenges:
- Insufficient resources
- Inadequate coordination and follow-through between departments
- Inadequate coordination between prevention plans and response plans.

Management Support
Beyond approval, upper management must:
- Allocate resources: financial and human
- Appoint and support qualified individuals
- Provide oversight to align the Plan with other programs, policies and plans:
  - Mission statements
  - Operating plans
  - Strategic plans
  - HE&S program

Establishing Policy and Organizational Structure
The first steps in developing a Plan:
- Creating a written policy statement
- Establishing the organization of the BCM planning process
- Beginning the documentation process to create the formal Plan

Establishing Policy / Organizational Structure: Written Policy Statement
Creating a written policy statement clearly reflects the organization's commitment to BCM. The statement should:
- Define the purpose and objective of the policy
- Define the lines of authority
- Be fully endorsed by top management

Establishing Policy / Organizational Structure: Roles and Responsibilities
- Clearly define the roles and responsibilities
- Leader positions should be appointed
- Fully trained alternates are essential and should participate in all exercises, drills and activities

Establishing Policy and Organizational Structure: Documentation
- Gather all policies, procedures, resource lists, etc. into one well-organized document.
- Keep current copies of the Plan in designated locations at the facility and at a secure off-site location.
- Provide copies to local authorities
- Establish a schedule for review and maintenance of each element of the Plan.

Making the Case for BCM: Activity #1
Develop the case and need of a business continuity program for management. What is your main selling point?
- Owner / Partner / Management

1: Understanding your Business
How quickly your company can get back to business after a crisis often depends on the planning done today. You must first understand your business and the critical processes to ensure continuity of a business activity.

1: Understanding your Business
- Assess your company:
  - Internally: functions
  - Externally: functions
- Determine what is absolutely critical:
  - People
  - Materials
  - Equipment
  - Procedures
  - Environment

1: Understanding your Business
The tools for understanding your business:
- Business Impact Analysis (BIA): helps understand financial and operational exposures in the event of an interruption
- Risk Assessment (RA): the purpose of the RA is to identify the inherent risks of performing various business functions

Business Impact Analysis (BIA)
The BIA identifies:
- Processes that are critical to the survival of the business
- The time in which these processes must be returned to order to avoid significant impact (Recovery Time Objective, RTO)

Business Impact Analysis (BIA)
The BIA process is business-driven and designed to identify business requirements. It is not IT-driven.
- Step 1: Identify appropriate business functions and processes to analyze
- Step 2: Identify appropriate participants for the analysis process
- Step 3: Conduct and validate the BIA information; obtain sign-off

Business Impact Analysis (BIA): Step 1 - Identify Business Functions
- Identify business functions in a way that makes sense to you.
- You could start with an organizational chart and work down to the department level
- Only break up a department into multiple functions if the breadth of activities warrants multiple BIAs

Business Impact Analysis (BIA): Step 2 - Identify Participants
They should:
- Be responsible for that function
- Be extremely familiar with the processes
- Understand how their processes affect and interact with other business functions
- Have authority to identify RTOs for the business processes
IT participants should have a high-level understanding of the business applications and their interactions.
Consult upper management for advice across business functions.

Business Impact Analysis (BIA): Step 3
- Conduct/collect BIA data
- Validate BIA data
- Obtain sign-off: the finalized BIA should be presented to the appropriate senior level manager for discussion and sign-off

Business Impact Analysis (BIA)
The BIA should include Vendor Assessment Needs:
- Analyze your BCM throughout the business process supply chain.
- Business areas should conduct analysis of their vendor dependencies as they apply to critical business processes.

Business Impact Analysis (BIA): BIA Review
Minimum annually, but more frequently in the event of:
- An aggressive pace of business change
- Significant changes in:
  - Internal business processes, location or technology
  - External business environment such as market or regulatory change

Business Impact Analysis (BIA)
A BIA should consider 4 individual scenarios:
Scenario #1: Total Destruction
- A major disruption has occurred; all business functions at your location have been disrupted for up to 30 days
- Personnel cannot physically access their primary location for only damage assessment
- Network connection to shared drives at your primary location is no longer available

Business Impact Analysis (BIA)
Scenario #2: Technology Failure
- Your data center(s) supporting business functions at your location have also been disrupted and are unavailable for up to 30 days

Business Impact Analysis (BIA)
Scenario #3: Equipment / Operational Failure
- Partial loss of equipment / operations, but still have use and control of your facility.
- Use of overtime, outside services. Employee food, travel and lodging expenses, etc. are authorized to assist in re-establishing business operations

Business Impact Analysis (BIA)
Scenario #4: Seasonal Failure
- Assume that this event happens at the worst possible time of the year, quarter, month, etc.

Risk Assessment (RA)
Risk Assessment is the definition of a critical outage based on the service you provide.
- A large financial company can experience major losses within minutes of an interruption
- An insurance company may withstand an interruption of 12 hours or more before being seriously impacted
- A manufacturing company could possibly be interrupted for as long as 24 hours without severe effects.

Risk Assessment (RA)
The two primary questions to consider when assessing the risk in a business function are:
1. What is the probability that things can go wrong? (the probability of one event)
2. What is the cost if what can go wrong does go wrong? (exposure of one event)

Risk Assessment (RA)
Risk is assessed by answering these questions for various risk factors (BIA) and assessing the exposure of failure and the impact of exposure for each risk factor.
Risk is the probability times the exposure:
Probability x Exposure = Risk

Risk Assessment (RA)
Considerations for critical business functions include, but are not limited to:
- Personnel
- Equipment
- Automation
- Software / hardware / data
- Raw and finished stock
- Cash
- Vital records
- Facilities
- Transportation
- Customers
- Vendors
- Contractors
- Interdependent Companies
- Manufacturers
- Distributors

Risk Assessment (RA): RA Review
Same as the BIA: minimum annually, but more frequently in the event of:
- An aggressive pace of business change
- Significant change in:
  - Internal business processes, location or technology
  - External business environment such as market or regulatory change

Understanding Your Business: Activity #2
Identify the persons or job functions within your organization that you will need to contact in order to complete a Business Impact Analysis and a Risk Assessment.

2: Developing a BCM Response
The goal of the topics covered in this section is to develop a BCM Response through two main topics:
1. Crisis Management: the actions that are necessary during a crisis
2. Business Recovery: the resources which are needed to enable the organization to manage an interruption, whatever the cause

Crisis Management Phase
A crisis is any activity that focuses immediate public attention on an organization or has the immediate capability of doing so. Examples include:
- Action by a consumer activist or terrorist group
- Employee accident, disaster, and/or workplace violence
- Legal action (e.g. discrimination, harassment, fraud, workplace violence)
- Natural disasters

Crisis Management Phase
The Crisis Plan should be initiated in any crisis situation that runs the risk of:
- Jeopardizing an organization's positive image
- Generating news media coverage
- Interfering with normal business operations

Crisis Management Phase
Identify specific crisis management teams or emergency response teams within your organization.
- Choose names that fit into their structure
- Ensure the roles described in this plan are covered
- Communicate the chosen names with the proper roles consistently

Crisis Management Phase
Crisis Management Plan Elements:
- Evacuation Plan
- Medical Care
- Crisis Team Responsibility
- Employee Training

Crisis Management Phase: Building Evacuations
Depending on the type of emergency, staff could be required to:
- Evacuate a specific floor
- Evacuate the entire building
- Remain in place

Crisis Management Phase: Medical Emergency
- Assigned: First responders / Area sweepers
- Medical equipment: AEDs
- Special PPE required to be worn

Crisis Management Phase: Accounting for Visitors
Includes: employees' acquaintances, customers, agents, vendors
- A method for informing and accounting for visitors should be established at your facility.
- At a minimum, visitors should be made aware of the evacuation procedures and the designated assembly locations.
- A visitor handout detailing these procedures could be distributed during the sign-in process.

Crisis Management Phase: Crisis Management Team Responsibility
The team will implement emergency response protocols. The first priority is to ensure:
- A safe, orderly emergency response
- Proper use of resources
- Reduce confusion
- Improve safety
- Organize and coordinate actions

Crisis Management Phase: Crisis Management Team Roles and Responsibilities
- Leader
- Emergency Manager
- Team
Emergency Roles:
- Floor Coordinators
- Sweepers
- Medical Response Team
Non-Emergency Roles:
- OSHA Compliance
- Fire Prevention
- Auto Fleet Program

Crisis Management Phase: SAMPLE - Crisis Management Team
- LEADER
- EMERGENCY MANAGER
- Floor Coordinator: 1 for each floor or 1:4 Sweepers
- Sweeper: 1 for every 10 employees
- Evacuation Assistant: 2 for each individual in need of assistance
- Stairwell/Exit Monitor: 2 for each stairwell or exit
- Assembly Coordinator: 2 for each primary assembly location

Crisis Management Phase: Employee Training
All employees will need to be trained in their roles and responsibilities during emergencies. Each employee should have basic knowledge of:
- The evacuation procedure
- Alarm notification system
- Reporting procedures for emergencies
- Potential emergencies or hazards

Crisis Management Phase: Individuals in Need of Assistance
Special needs may exist for some: Mobility / Visual / Hearing impairment / etc.
- Permanent (arthritis, emphysema) condition
- Temporary (sprained ankle, pregnancy) condition
The controlling standard is:
- The individual can move at a reasonable pace during an emergency, or
- The condition exists that impedes the ability to be aware of an alarm

Crisis Management Phase: The Human Element
Addresses the human side of a disaster.
Typical Reactions:
- Shock / Stress
- Reduced efficiency
- High turnover
Goal: Restores positive, proactive work environment.

Crisis Management Phase: The Human Element
Recognizing Common Reactions:
- Physical: Fatigue / difficulty sleeping / low energy levels / illness / pain
- Emotional: Fear / Grief / anxiety / helplessness
- Behavioral Changes: Irrational behavior / Substance use / Withdrawn / Combative / Difficulty Concentrating / Confusion

Crisis Management Phase: The Human Element
How To Deal With Reactions: Communication
- Share Information on Status / Future Plans
- Allow Employees to Express Feelings
- Offer Reinforcement / Encouragement to Employees

Crisis Management Phase: The Human Element
How To Deal With Reactions: Communication
- Explain Resources Available to Employees:
  - Employee Assistance Program
  - Community Resources
  - Wellness Programs
  - Crisis Counseling
- Scheduling:
  - Leaves of Absence
  - Flex Time
  - Reassignment of Duties

Business Recovery Phase: What is Business Recovery?
- Part 2 of a BCM process. It follows the Crisis Management Phase.
- Deals with restoring processes and operations necessary to continue business interactions
- Focuses on two (2) major items:
  - Infrastructure: Information Technology, Physical Plant
  - Business Processes

Business Recovery Phase: Business Process Classifications
All operations should be grouped into pre-determined categories with assigned sensitivity level indicators for recovery operations. For example:
- Category A: Operations must be resumed immediately following an interruption
- Category B: Must be recovered after Category A
- Category C: Recovery may be deferred pending time and resource availability

Business Recovery Phase: Damage Assessment Roles/Responsibilities
Once local emergency services provide clearance for reentry into the facility, the team assigned to damage assessment should do an inspection. Damage assessment should provide information on the:
- Structure
- Contents
- Environment

Business Recovery Phase: Developing Technology Recovery Team
The purpose is to establish a centralized point of technology control, support and coordination at the Emergency Operations Center (EOC), if applicable.

Business Recovery Phase: Developing Technology Recovery Team
Plan maintenance tasks for the technology recovery team may include maintaining:
- a list of all vendors and service providers
- a current list of service specialists and their areas of expertise
- team member names and contact information
- a current list of all technology resources and requirements at the EOC

Business Recovery Phase: Business Recovery Communication Plan
A key to your operation's success is your relationship with customers and business partners. In the event of a crisis, it's critical to keep these entities informed so that they understand:
- How you will continue the business relationship
- The impacts, if any, the situation will have on them

Business Recovery Phase: Alternate Business Processes
- Planning for an event that eliminates some central source of technology (a Data Center, outside vendor service, etc.)
- Such an event may not have direct impact on the physical location, staff or local services, but requires that the business processes have been prepared to implement manual work-arounds to replace the loss of these centralized services.

3: Testing and Maintenance: Testing the BCM Plan
A successful BCM must have a testing program which begins simply and escalates progressively. This consists of rehearsing team members and staff, and exercising procedures.

3: Testing and Maintenance: Testing the BCM Plan
The purpose of testing is to:
- Evaluate overall effectiveness
- Identify strengths and weaknesses
- Develop understanding and cohesiveness with team members
- Determine the efficiencies of recovery procedures

3: Testing and Maintenance: Testing the BCM Plan: Training
General training should take into consideration:
- Individual roles and responsibilities
- Information about threats, hazards, and protective actions
- Notification, warning, other communications
- Crisis management procedures
- Evacuation, shelter, and accountability procedures
- Location and use of emergency equipment (AEDs, radios, fire extinguishers, etc.)
- Emergency shutdown procedures

3: Testing and Maintenance: Testing the BCM Plan: Schedule
- The Plan is first completed
- The Plan is revised
- Minimum annually
- Drills or exercises have not had satisfactory results
- There is a new employee or when employees change jobs
- There are new HE&S Leaders, team members or alternates
- Equipment and processes have been updated or altered

3: Testing and Maintenance: Testing the BCM Plan: Drills & Exercise
- Know what you want to test, who, when, why
- Who will observe, record, evaluate
- Supplies, etc., needed for tests
- Relay relevant information to employees, community agencies, media
- Evaluate performance; correct weaknesses
  - Identify action items; make plans to correct them; establish target dates for completion
- Include employees on all shifts, including nights and weekends; don't forget telecommuters or other mobile workers

3: Testing and Maintenance: Testing the BCM Plan
Drills should:
- Help evaluate the adequacy of the Plan
- Identify weak spots and reveal missing resources
- Give employees a chance to practice and improve their skills
- Give community responders a chance to become familiar with the Plan, the facility, and the HE&S Team members

3: Testing and Maintenance: Testing the BCM Plan
Training Methods and Techniques:
- Orientation and Education Sessions
- Tabletop Exercises
- Walk-through Drills
- Functional Drills
- Evacuation Drills
- Full-Scale Exercises

3: Testing and Maintenance: Testing the BCM Plan
Keep records of training activities:
- What training was given
- To whom the training was given
- Who did the training
- What exercises or tests took place
- Results of the exercises
- Changes made to the Plan as a result of the outcome of the training

3: Testing and Maintenance: Maintenance of the BCM Plan
The Plan must remain a living document, so that it is always current and ready to be activated should the need arise.

3: Testing and Maintenance: Maintenance of the BCM Plan
- Review, audit, evaluate, revise and test your plan on a regular basis to be sure it keeps pace with changes at your facility.
- Conduct a formal audit of the entire Plan at least once a year.

3: Testing and Maintenance: Maintenance of the BCM Plan
The leading responsible party should:
- Identify areas to update
- Determine completeness
- Assess chain of command
- Evaluate employee knowledge and awareness
- Assess trigger mechanisms
- Evaluate inventory resources

3: Testing and Maintenance: Maintenance of the BCM Plan
Update the Plan whenever there are:
- New Team members or alternates
- New operations, processes, equipment, or materials
- New or renovated sites or changes in layouts
- Changes with outside agencies
- New suppliers or vendors
- Mergers or acquisitions

Summary
- What is Business Continuity Management (BCM)
- Management Support
- Establishing Policy and Organizational Structure
- Program Management
  - Understanding Your Business
  - Developing a BCM Response
  - Testing and Maintenance

NEXT STEPS: Business Continuity Action Plan
Develop:
- Purpose
- Priorities
- Contacts

NEXT STEPS: Business Continuity Action - Handout
FEMA's 4 Step Business Continuity Guide Guide to Developing a Plan Addressing Hazard Emergency Management Considerations Business Recovery Checklist Implementation Guide Sample Business Continuity Plan Annual Review

Resource Links
- Link to Loss Control Literature from your Insurance Carrier
- Ready.Gov: http://www.ready.gov/business/plan/planning.html
- NC Emergency Management Division: http://www.nccrimecontrol.org/index2.cfm?a=000003,000010
- OSHA Emergency Preparedness: http://www.osha.gov/sltc/emergencypreparedness/index.html