Business Continuity


Transcript of Business Continuity

  • Basics of Business Continuity Management

    Brad Weger, MS, CSP, MRIGlobal Safety Officer

  • 72% of businesses impacted by a disaster never reopen or close within three years! (Hiles, 2007).

  • Objectives

    - Define BCM

    - 3 Phases of BCM

    - Important aspects of a BCM program

    - NFPA 1600

    The purpose of the PS-Prep Program is to enhance nationwide resilience in an all-hazards environment by encouraging private sector preparedness.

  • Elements of an Emergency Action Plan

    1. Having a written plan

    2. Procedures on how employees are to report the emergency

    3. Evacuation procedures

    4. Employee accountability

    5. Procedures for employees performing rescue or medical duties

    6. Training and review

    OSHA 29 CFR 1910.38

  • Business Continuity Management

    Addresses the actions to be taken after the storm has passed:

    - Disaster/incident has occurred and passed

    - Emergency Action Plan has been successfully carried out

    - Concentration on resuming normal business can begin

  • What is BCM?

    A series of pre-planned steps that allows an organization to regain operational capabilities as soon as possible after an incident.

    The objective of BCM is to ensure the uninterrupted availability of all key business resources required to support critical business activities in the event of business disruption and expedite a return to business as usual (Hiles, 2007, p. 36).

  • Why BCM?

    PRODUCTIVITY

    - Loss of productivity

    - Employee morale

    REPUTATION

    - Customers

    - Suppliers

    - Financial markets

    - Banks

    - Business partners

    - Etc.

    OTHER EXPENSES

    - Temporary employees

    - Equipment rental

    - Overtime

    - Extra shipping costs

    - Travel expenses

    - Etc.

    LEGAL/REGULATORY

    - Contractual requirements

    - Regulatory requirements

    FINANCIAL PERFORMANCE

    - Lost market share

    - Revenue recognition

    - Cash flow

    - Lost discounts

    - Payment guarantees

    - Stock price

    - Credit rating

    REVENUE

    - Direct loss

    - Deferred losses

    - Compensatory payments

    - Lost future revenue

    - Billing losses

    - Investment losses

  • Protecting the company's 3 core assets

    1. People - Employees and their expertise; vendors, investors and customers.

    2. Finances - Cash, stock, credit rating, capital equipment and other areas of vital financial strength.

    3. Reputation - Positive feelings people have towards your company and organization.

  • Reputation affected by blame

    5 questions of blame. Severity can escalate significantly if there is blame towards the company.

    1. Should management have foreseen the incident and taken adequate precautions to prevent it?

    2. Was management unprepared to respond effectively to the incident after it occurred?

    3. Did management do anything intentionally that caused the incident to occur or that made it more severe?

    4. Was management unjustified in the actions it took leading up to and following the incident?

    5. Is there any type of scandal or cover-up related to management's involvement in the incident?

  • BP Oil spill case study

  • Case Study: BP oil spill

    20 April 2010: explosion of Deepwater Horizon

    Killed 11, injured 17

    Explosion caused oil cap release

    Estimated that the daily flow rate diminished over time, starting at about 62K barrels per day

    Flowed unabated for three months

    15 July 2010: the gushing wellhead was capped

    January 2011: White House oil spill commission released final report on the causes of the spill. Blamed BP and partners for making a series of cost-cutting decisions and failing to ensure well safety.

  • BP's response

    The emergency response plan prepared by BP shows BP never anticipated an oil spill of this magnitude.

    The 582-page document, "Regional Oil Spill Response Plan Gulf of Mexico," was approved in July 2010 by the Federal Minerals Management Service (MMS). It offers technical details on how to use chemical dispersants and provides instructions on what to say to the news media, but does not mention how to react if a deep-water well spews oil uncontrollably.

    BP spokesman Steve Rinehart said the plan provided the company a blueprint for response during the current disaster, but BP officials had to improvise due to the "unforeseen circumstances" of the event: a renegade well 5,000 feet under water. "Nobody foresaw an incident in which something like this occurred," Rinehart said.

    USA Today - 5/17/2010

  • Public's perception can have tremendous impact on businesses

    "Punishing BP: 6 brutal proposals over its disastrous Gulf oil spill. What's the appropriate penalty?" Posted May 28, 2010, at 12:45 PM. Newsweek - 2010

  • What is an incident?

    Any event that affects an organization's operational capacity.

    Forklift incident - micro

    Severe weather incident - macro

    Micro incidents can cause macro incidents

    Macro incidents can cause several micro incidents

  • Scale of incidents affecting businesses

    A common misconception is that only large-scale disasters call for implementation of the BCP.

    Example: electrical utilities are shut down due to a vehicle accident. Power is expected to be down for 2 hours.

    - Labs: no power for refrigerated product

    - Manufacturing: assembly lines stop

    - Offices: lighting/computers shut down

  • Scenario

    The automated order/delivery system for goods has been damaged beyond immediate repair.

    You have just been asked to ensure that product is still being processed/manufactured/shipped as scheduled.

    - Customer orders must be taken in 2 hours

    - Deliveries must be made as scheduled

    - Top two customers must have deliveries that same day

    Are you ready?

  • Business Continuity Management: A standards-based approach - Voluntary Private Sector Accreditation and Certification Program (PS-Prep)

    The US Government recognizes the impact a disaster can have not only on an individual company, but also on the country. The Department of Homeland Security, by order of Congress, has been given the responsibility to develop and maintain a Voluntary Private Sector Accreditation and Certification Program. Disasters and attacks (such as the terrorist attacks of September 11, 2001) place an emphasis on BCP sanctioned by the government.

    The Department of Homeland Security is implementing this voluntary program based on recommendations of the 9/11 Commission Act of 2007.

    Ultimate goal: establishing a universal set of criteria for private sector organizations to prepare for emergency management, disaster management, and business continuity programs.

  • PS-Prep

    3 standards adopted by DHS:

    - ASIS International SPC.1-2009, Organizational Resilience: Security Preparedness, and Continuity Management System. Available at no cost.

    - British Standards Institution 25999, Business Continuity Management: Part 1 (2006) and Part 2 (2007). Both parts available for a reduced fee ($19.99 each).

    - National Fire Protection Association 1600: 2007, Standard on Disaster / Emergency Management and Business Continuity Program. Available at no cost.

  • 3 Phases in BCM

    1. Emergency Response

    2. Crisis Management

    3. Business Recovery

  • Emergency Response phase

    Emergency Response is the component of the BCP that protects and saves lives, property, and ultimately the organization.

    1. Pre-planning - Can be viewed as information gathering where all share insights/options on what can be expected and how to overcome anticipated disasters/incidents. Identify all resources and personnel that would be needed during an emergency.

    2. Reviewing - Process of verifying that the proposed emergency action plan, laid out in the planning phase, has solidity to it.

  • Emergency Response phase cont.

    3. Training - Component where applicable personnel are trained in their required duties/tasks.

    4. Testing - After initial plan review, the plan must be periodically tested. Caution: last year's EAP may need to be updated for current business needs.

  • Crisis Management Phase

    The intent: eliminate, modify, or reduce exposure to crisis situations, as well as developing response management and recovery management plans (Hiles, 49).

    Establishment of a Crisis Management Team (CMT)

  • Business Recovery Phase

    Mission-critical elements should be addressed first (outlined in the BIA).

    Activating resources: alternative facilities, mutual-aid agreements, equipment rental/needs, multi-lateral continuity plans, and contractors needed in recovery/refurbish efforts should all be addressed and pre-planned.

    Once recovery operations are activated, all designated personnel and contractors are already lined up to provide a smooth recovery.

  • Business Impact Analysis (NFPA 1600 5.5)

    Evaluates and determines the impact a disaster/incident will have on an organization.

    Analysis should include the financial impact and manpower impact of an incident.

    The BIA is generally based upon the frequency and severity of the incident/scenario.

  • BIA - Questions to Ask

    What are the worst things that can happen to my organization?

    What can we prevent?

    What are we willing to do to prevent the event/incident?

    Can we afford the risk?

    How will we deal with it?

    What are our most critical operations?

    Dave Arick - 2012

  • Impact Analysis - Planning for all scenarios

  • Business Impact Analysis

    Addresses probability and severity for a potential event.

    Likelihood and severity will help determine the time/resources necessary to minimize the event.

    Identify all critical operations, then identify the tolerable timeframe for recovery of each critical operation.

  • Frequency of an event

    High - Significant likelihood of occurrence

    Medium - Realistic likelihood of occurrence

    Low - Not likely

    Event                 Risk   Impact
    Tornado               M      H
    Hurricane             N/A    N/A
    Earthquake            L      H
    Severe Weather        M      M
    Lightning             M      L
    Flood                 M      H
    Flood (internal)      M      M
    Fire                  L      M
    Tidal wave            N/A    N/A
    Workplace violence    L      H

    Disastrous event

  • Risk Analysis Grid (PROBABILITY across, SEVERITY down)

                       Low Probability        Medium Probability    High Probability
    High Severity      Biological attack      Fire or Explosion     Leak from utilities
                       through the mail                             down to server room
    Medium Severity    -                      -                     -
    Low Severity       -                      -                     -

  • BIA - continued

    Rank business operations by importance:

    Critical - Resumed in 24 hours (e.g. fulfilling customer orders)

    Important - Resumed in 48 hours (e.g. restoring support operations, accounting)

    Moderate - Restoring facilities/cleaning services

  • Business Impact Cost Considerations

    Tammineedi 2010

  • Business Continuity Management Key Elements

    Information / Data

    Documentation

    Asset Accountability

    Mutual Aid

    Information Management

    Employee Continuity

    Training & Verification

  • Information / Data Continuity

    Data back-up

    Frequency?

    Backed-up to a storage device

    Kept off-site?

  • Document Control / Retention

    Document storage room

    Fire damage

    Water damage

    Stored off-site

    Duplicate copies

    Transition to data file management

  • Asset Accountability

    Lists company assets

    Updated annually

    Copy at facility

    Copy off-site

    List compiled using:

    Data/manual inventory

    Photos of facility/assets

    Video of facility/assets

  • Multi-lateral Continuity

    Vendors

    Specialized vendors currently utilized

    Other vendors with similar/like product?

    Have multiple vendors for maximum flexibility

    Ask about your vendors' BCP

    How will they assure that your company receives product/services?

    Pettibone - 2008

  • Multi-lateral Continuity

    Agreements with competitors.

    Assures services/products for your customers

    Inform customers services/products continue from company X.

    Effective PR/confidence in your company.

  • Multi-lateral Continuity

    Mutual Aid (NFPA 1600-6.2)

    Agreement with a similar company

    Utilize a portion of their facility

    Quid pro quo: reciprocation with your facility

    Temporary rental agreements

    Warehouse/office

  • Information Management (NFPA 1600-6.3)

    Hotline for employees

    Automated message

    Regular updates (hourly/daily)

    Means to keep employees informed

    Automated email sent out

  • Information Management

    Train/Designate a Primary/Secondary media officer

    Information sent to customers/Public

    Mishandled information can have negative impact on the organization.

    Information/details supplied to the media must be strategic.

  • Case Study: Perrier Water Company, 1989

    Perrier was the market leader in bottled mineral water, a name synonymous with purity and quality, found in high-class establishments world-wide. Sales topped at over 1.2 billion bottles per year.

    160 million bottles were recalled due to a benzene contamination; public relations were virtually non-existent/mishandled.

    The issue was caused by a process failure: incorrect use of a benzene cleaning product, followed by a failure to replace a filter.

    1991: sales plunged to 761 million bottles per year. Perrier was effectively dead in the USA/Europe; Perrier lost 90% of its original market share.

    Result: Perrier suffered tremendous financial setbacks from the negative image perceived when it had sent out contaminated water and mishandled its PR.

    Hiles - 2007

  • Employee Continuity NFPA1600-6.6

    Critical Stress Debriefing

    All staff meeting

    EAP (Employee Assistance Program)

    Counseling on-site

    Counseling off-site

  • Testing and Verification

    Verifies the BCP actually works.

    Table Top Drills - Most cost-effective. Simulates a scenario/event.

    Live Drills - Facility evacuation, simulated calling of resources, etc.

    Critique - Assess how the plan performed.

    Review

  • Questions

    Brad Weger, MS, CSP, Safety Officer

    425 Volker Boulevard, Kansas City, MO 64110

    Office: 816-753-7600 X1623

    Cell: 816-225-6483

    [email protected]

  • References

    Arick, D. (2012). Crisis Management Strategies. Presentation at RIMS 2012 Conference.

    Hiles, A. (2007). The definitive handbook of Business Continuity Management. Southern Gate, England: John Wiley & Sons.

    Is Your Thinking About Business Continuity Wrong? (2007). Security Director's Report, 7(1), 11-15.

    Rhodes. (2008). Data Recovery Planning and Business Continuity. Homeland Defense Journal, 36-40.

    Tammineedi. (2010). Business Continuity Management: A Standards-Based Approach. Information Security Journal, 19, 36-50.

    Make sure your business continuity plan is a living document. (2004). Risk Management Society, 1-3.

    Pettibone. (2008). Out of Sight, Not Out of Mind. Risk Management, 89-90.

    Thomas, B., Bruce, Preston, L., Ware. (2005). Insuring Business Continuity. Strategic Finance, 35-38.

    ANAB. How to become an ANAB-Accredited Certification Body. Retrieved June 2, 2010, from http://www.anab.org/certification-bodies/become-a-cerfication-body.asps

    Department of Homeland Security, Federal Emergency Management Agency. (2008). Document Action: Notice of availability; request for comments. http://www.thefederalregistrer.com/d.p./2009-10-16-E9-24968.

    Federal Emergency Management Agency. (2008). Voluntary Private Sector Preparedness Accreditation and Certification Program. www.http://www.fema.gov/news/newsrelease.fema?id=45287


    Public Law 110-53. (2007). Implementing Recommendations of the 9/11 Commission Act of 2007. www.ise.gov/docs/nsis/Implementing911acBiot_reader.php?BiotID=530.

    Schmidt, L. Donald. Voluntary Certification of Private Sector Preparedness Program and NFPA 1600: What do they mean for your business? PowerPoint presented at the 6th annual business continuity and safety planning conference.

    Department of Homeland Security. (2009). Voluntary Private Sector Accreditation and Certification Preparedness Program: Notice of availability; request for comments. Federal Register, Vol. 74, No. 1999.