1

Business Continuity and Crisis Management

Crisis Management, Crisis Management, Business Continuity and Business Continuity and The Incident Command SystemThe Incident Command System

Understanding Differences Understanding Differences and Putting it all together?and Putting it all together?

by Max Ckonjevic FBCI, CBCPby Max Ckonjevic FBCI, CBCP

2

ObjectivesObjectives

•• To challenge your ideas and To challenge your ideas and understanding of Crisis Management understanding of Crisis Management and Business Continuity Plansand Business Continuity Plans

•• To present recommended components To present recommended components in a Crisis Management Planin a Crisis Management Plan

•• To present an organizational structure To present an organizational structure that may tie it all together (ICS Model)that may tie it all together (ICS Model)

3

Who is in Attendance?Who is in Attendance?

Functional perspectiveFunctional perspective•• Emergency Management ProfessionalsEmergency Management Professionals•• Business Continuity ProfessionalsBusiness Continuity Professionals•• Security ProfessionalsSecurity Professionals•• ConsultantsConsultants

4

Who is in Attendance?Who is in Attendance?

Industry perspectiveIndustry perspective•• Manufacturing Manufacturing •• WholesaleWholesale•• ServicesServices•• RetailRetail

5

Preparedness Management

Managing threats and preparing for disasters is complex

Nomenclature for preparedness activities differs

6

Preparedness Management Components

PrePre-- IncidentIncidentActivities that attempt Activities that attempt prevent or lessen the effect prevent or lessen the effect of a threat or incidentof a threat or incident

PostPost--IncidentIncidentActivities that follow an Activities that follow an incident incident –– to minimize the to minimize the effects of the incidenteffects of the incident

7

Preparedness Management Components

PrePre-- IncidentIncident•• IntelligenceIntelligence•• Preventive MeasuresPreventive Measures•• Mitigation or Emergency Mitigation or Emergency

Response PlanningResponse Planning

8

Preparedness Management Components

Post Post -- IncidentIncident•• Emergency Emergency

ManagementManagement•• Incident Control or Crisis Incident Control or Crisis

ManagementManagement•• Business Continuity and Business Continuity and

Recovery Recovery

9

Plans, Plans, Plans…?

Emergency Action Plans Emergency Action Plans ------

Disaster Recovery Plans Disaster Recovery Plans ------

Business Continuity Plans Business Continuity Plans ------

Crisis Management Plans Crisis Management Plans

10

Plans, Plans, Plans…

Why so many different plans?Why so many different plans?

Are they really needed?Are they really needed?

What’s your opinion?What’s your opinion?

11

Differences need to be understood

•• To develop plans that will address the proper To develop plans that will address the proper situationsituation

•• To engage the proper plan for the To engage the proper plan for the corresponding eventcorresponding event

•• Not knowing the differences Not knowing the differences –– creates a false creates a false sense of security sense of security

•• Not having the proper plan could become the Not having the proper plan could become the negative turning point of an organization that negative turning point of an organization that will lead that organization to significant losses will lead that organization to significant losses and liberalitiesand liberalities

12

Loss RealityLoss Reality

Losses attributable to disasters - doubled in the past 5 years and will double again by 2010. (Gardner)

• 43% of companies experiencing a major disaster do not re-open. Another 29% close within 2 years. (NYC Port Authority)

• Regulatory and legal requirements are increasing for some form of continuation capability

• Stakeholders and governing bodies are increasingly holding a company’s management to their fiduciary responsibilities.

13

The Good News is…The Good News is…

An October An October 2005 Research Survey 2005 Research Survey completed completed by the Economist Intelligence by the Economist Intelligence

Unit and Lloyds titled:Unit and Lloyds titled:

Taking Risk On Board, How Global Taking Risk On Board, How Global Business Leaders View RiskBusiness Leaders View Risk

Board of Directors are taking “Risk” more Board of Directors are taking “Risk” more seriouslyseriously!!

14

and the Survey says why….and the Survey says why….

•• One in five companies suffered significant One in five companies suffered significant damage from a failure to manage risk damage from a failure to manage risk adequately last year*adequately last year*

•• Over ½ had at least one “near miss” *Over ½ had at least one “near miss” *

•• Lloyds Survey, Taking Risk On Board, completed in October 2005, Lloyds Survey, Taking Risk On Board, completed in October 2005, How Global How Global Business Leaders View Risk.Business Leaders View Risk.

15

BC’s Role and Risk Management

What is Business Continuity Planning from a Risk Management Perspective?

16

BC’s Role is Risk Management

Business Continuity Planning is a risk reduction technique designed to reduce a potential impact of an event or action to a manageable/acceptable level.

17

BC’s Role in Risk Management

BC Planning is designed to manage risk:• Reduces the impact of an event to an

acceptable level by;• Maintaining availability of critical products

and services in the marketplace,• Protecting corporate assets, • Ensuring timely and cost effective

recovery.

18

General Definition Business Continuity Planning

AA process to identify, prioritize, protect and restore critical business assets, processes and resources required to maintain an acceptable level of operations and services by the organization in the aftermath of an event or an interruption to the business.

19

Definition of a Crisis

20

General Definition of a Crisis

Extreme threats to important values, Extreme threats to important values, intense time pressures, high stress, and intense time pressures, high stress, and the need for rapid, but careful decision the need for rapid, but careful decision making.*making.*

* Billings, A Model Of Crisis Perception* Billings, A Model Of Crisis Perception

21

Organizational Crisis

A turning point in which a situation of A turning point in which a situation of impending danger to the organization runs the impending danger to the organization runs the risk of escalating in intensity, interfering with risk of escalating in intensity, interfering with normal business operations, jeopardizing the normal business operations, jeopardizing the organization’s public image, and damaging organization’s public image, and damaging the bottom line.*the bottom line.*

* * LebingerLebinger, Managing Corporate Crisis: Strategies , Managing Corporate Crisis: Strategies for Executivesfor Executives

22

My Favorite Definition…. Organizational Crisis

A extreme threat to an organization that is A extreme threat to an organization that is intensified by time and has the potential for intensified by time and has the potential for significant negative results to important significant negative results to important organizational values, functions and/or services. organizational values, functions and/or services. This threat could result in major damageThis threat could result in major damageto the organization, its employees, to the organization, its employees, products, services, financial products, services, financial condition and/or reputation.*condition and/or reputation.*

**M. CkonjevicM. Ckonjevic

23

Plan Reality Check

•• How many have BC Plans?How many have BC Plans?

•• How many have CM Plans?How many have CM Plans?

24

Crisis Plan Reality Check

•• Does your plan focus on the recovery Does your plan focus on the recovery of business functions and services?of business functions and services?

•• Is your Plan Designed around the “worst case Is your Plan Designed around the “worst case scenario” or “all hazards” approach?scenario” or “all hazards” approach?•• Facility Losses (no or limited access to a Facility Losses (no or limited access to a

facility)facility)•• Technology Losses (no access to systems, Technology Losses (no access to systems,

equipment, information/data or services)equipment, information/data or services)

25

Plan Reality Check

If you answer hand is still up ….If you answer hand is still up ….

Congratulations, those are BC Congratulations, those are BC plans….plans….

Not Crisis management plansNot Crisis management plans

26

Plan Reality Check

Does you BC Plan support …..Does you BC Plan support …..

27

Examples of Crisis Threats

•• White Collar CrimeWhite Collar Crime•• Fraud Fraud •• Workplace ViolenceWorkplace Violence•• Sexual HarassmentSexual Harassment•• Class Action Class Action

LawsuitsLawsuits•• MismanagementMismanagement•• Labor Disputes

•• Product Tampering, Product Tampering, Recalls, FailuresRecalls, Failures

•• Environmental Environmental AccidentsAccidents

•• Casualty AccidentsCasualty Accidents•• ExtortionExtortion•• Insider TradingInsider Trading•• CrashesCrashesLabor Disputes

28

Business Continuity Plan

What is the Primary Purpose of a What is the Primary Purpose of a Business Continuity Plan?Business Continuity Plan?

29

Business Continuity Plan Primary Purpose

To recover or continue the business!To recover or continue the business!

•• The recovery and continuation of The recovery and continuation of mission critical and time sensitive mission critical and time sensitive business functions and services after business functions and services after an incident!an incident!

30

Crisis Management Plan

What is the Primary What is the Primary Purpose of a Crisis Purpose of a Crisis Management Plan?Management Plan?

31

Crisis Management PlanPrimary Purpose

To manage a crisis!To manage a crisis!

•• To limit the intensity or impact of a To limit the intensity or impact of a negative threat or event to organization's negative threat or event to organization's employees, products, services, financial employees, products, services, financial condition and/or reputationcondition and/or reputation

32

Summary of Plan Differences

Business Continuity Business Continuity Plan (BCP)Plan (BCP)

•• To recover mission To recover mission critical business critical business services and/or services and/or processesprocesses

•• Limited scenariosLimited scenarios•• Focus on technology Focus on technology

facilities and/or datafacilities and/or data

Crisis Management Plan Crisis Management Plan (CMP)(CMP)

•• To limit, control and To limit, control and manage negative manage negative effects of an eventeffects of an event

•• Many scenariosMany scenarios•• Focus on people, Focus on people,

products, services and products, services and organization valuesorganization values

33

Summary of Plan Differences

You can have a crisis without a disasterYou can have a crisis without a disaster•• A Crisis can exist with NO physical damage to A Crisis can exist with NO physical damage to

facilities or technologies. facilities or technologies.

You can have a disaster without a crisis You can have a disaster without a crisis •• You can have a loss to physical facilities or You can have a loss to physical facilities or

technologies and NOT have a crisis.technologies and NOT have a crisis.

Both will escalate if not managedBoth will escalate if not managed

34

Summary of Plan Differences

If not effetely managedIf not effetely managed

A Crisis can become a Disaster A Crisis can become a Disaster

A Disaster can become a CrisisA Disaster can become a Crisis

35

10 Basic Components of a Crisis Management Plan

1. 1. Document IntroductionDocument Introduction2. Crisis Scenarios/Situations2. Crisis Scenarios/Situations3. Crisis Considerations3. Crisis Considerations4. Crisis Management Team 4. Crisis Management Team 5. Crisis Management 5. Crisis Management

FacilityFacility

36

10 Basic Components of a Crisis Management Plan

(not discussed)(not discussed)6. Notification Procedures6. Notification Procedures7. Action Procedures7. Action Procedures8. Post8. Post--Crisis AnalysisCrisis Analysis9. Plan Exercising9. Plan Exercising10. Appendix10. Appendix

37

2. Crisis Scenarios

•• Likely scenarios (8 to 12)Likely scenarios (8 to 12)

•• Risk Assessment Risk Assessment -- tool of choicetool of choice

38

3. Crisis Considerations3. Crisis Considerations

•• DocumentationDocumentation•• Proprietary InformationProprietary Information•• Financial and Legal ConsiderationsFinancial and Legal Considerations•• Media RelationsMedia Relations

39

3. Crisis Considerations

Documentation Section Documentation Section –– ((Crisis = Lawsuits)Crisis = Lawsuits)

•• Critical to document all eventsCritical to document all events•• Formal notesFormal notes•• Crisis team contact formsCrisis team contact forms•• Press contact formsPress contact forms

40

3. Crisis Considerations

Proprietary InformationProprietary Information•• Guidelines in dissemination of information Guidelines in dissemination of information

•• Confidential informationConfidential information•• State and Federal statutes State and Federal statutes

preclude certain datapreclude certain data

41

3. Crisis Considerations

Financial & Legal ConsiderationsFinancial & Legal Considerations•• Implementation guidelines Implementation guidelines

•• Suspending trading of firm’s stockSuspending trading of firm’s stock•• Acquiring stock in volumesAcquiring stock in volumes•• Communications with brokerage Communications with brokerage

firms, vested interest groups, firms, vested interest groups, consumers, employeesconsumers, employees

42

3. Crisis Considerations

Media RelationsMedia Relations•• Single point of contactSingle point of contact•• Log all press calls (Press Contact Form) Log all press calls (Press Contact Form) •• Media packages Media packages –– Dark websiteDark website•• Clipping ServiceClipping Service•• Example press releasesExample press releases•• Guidelines for information Guidelines for information

disseminationdissemination

43

4. Crisis Management Team

•• Senior Management, President, Senior Management, President, V.P., CEO, CFO, etc.V.P., CEO, CFO, etc.

•• Public RelationsPublic Relations•• CommunicationsCommunications•• Legal, HRLegal, HR

44

5. Crisis Management Facility

Command Center considerations Command Center considerations •• Presentation area Presentation area –– Media ControlMedia Control•• Additional media Additional media

support equipmentsupport equipment

45

10 Basic Components of a Crisis Management Plan

6. Notification Procedures6. Notification Procedures7. Action Procedures7. Action Procedures8. Post8. Post--Crisis AnalysisCrisis Analysis9. Plan Exercising9. Plan Exercising10. Appendix10. Appendix

46

ICS Model

An Incident Command System consist of two An Incident Command System consist of two primary structures:primary structures:

1.1. Damage Assessment Team Damage Assessment Team –– (First Responders)(First Responders)2.2. Incident Command System Incident Command System

•• Incident Commander Incident Commander •• Planning (“Tactical Action”)Planning (“Tactical Action”)•• Operations (“Business Operations”)Operations (“Business Operations”)•• Logistics (“Provide Support”)Logistics (“Provide Support”)•• Finance & Admin (“Account & Procure”)Finance & Admin (“Account & Procure”)

47

ICS Model

BRANCH

DIVISIONS & GROUPS

GROUP

GROUPSTRIKE TEAMS & TASK FORCES

RESOURCES

SITUATION UNIT

DEMOBILIZATION

DOCUMENTATION

TIME UNIT

PROCUREMENT UNIT

COMPENSATION

COST UNIT

SERVICE BRANCH

COMMUNICATIONS

MEDICAL

FOOD

SUPPORT BRANCH

SUPPLY

FACILITIES

GROUND SUPPORT

COMMAND

OPERATIONS LOGISTICS PLANNING FINANCE

INFORMATIONSAFETYLIAISON

RESOURCES

TECHICAL SPECIALIST

BRANCH

48

IM/CM Organization Model Private Companies

Taking the ICS structure supporting the uniform Taking the ICS structure supporting the uniform services and enhancing it to support the suits, services and enhancing it to support the suits, private industryprivate industryTheThe Incident Management Model consist of three Incident Management Model consist of three (3) teams:(3) teams:•• Damage/Crisis Assessment Team Damage/Crisis Assessment Team –– Private Private

Company’s First Responder Functions Company’s First Responder Functions •• Incident Management Team Incident Management Team –– (Same ICS Model)(Same ICS Model)•• Crisis Team Crisis Team –– newly added teamnewly added team

49

TITLE: Incident Management's Relationship to Other Emergency Management Elements

INCIDENTOCCURRENCE

INCIDENTMANAGEMENT

TEAM

* Damage Assessment * Crisis Assessment * Emergency Declaration * Primary/Secondary Notification * Repair & Resume

BC PLAN

BUSINESS CONTINUITY@ ALTERNATE SITE

BUSINESS RECOVERY@ PERMANENT SITE

Crisis Plans

EmergencyAction Plans

Max Ckonjevic2006

EXECUTIVEMGMT.

CRISIS TEAM

Damage/CrisisAssessment

Team

* Evacuation Plans * Shelter in Place * Emergency Power

* Incident Manager * PLANNING * OPERATIONS * LOGISTICS * FINANCIAL

50

Summary of Plan DifferencesSummary of Plan Differences

Business Continuity PlanBusiness Continuity Plan Crisis Management Plan Crisis Management Plan

•• To recover mission To recover mission critical business critical business services and services and processesprocesses

•• Limited scenariosLimited scenarios•• Focus on facilities Focus on facilities

and technologyand technology

•• To limit intensity, To limit intensity, manage and control manage and control negative results of negative results of an eventan event

•• Many scenariosMany scenarios•• Focus on people, Focus on people,

products, services products, services and/or reputation and/or reputation

51

Summary of Plan Differences

You can have a crisis without a disasterYou can have a crisis without a disaster•• A Crisis can exist with NO physical damage to A Crisis can exist with NO physical damage to

facilities or technologies. facilities or technologies.

You can have a disaster without a crisis You can have a disaster without a crisis •• You can have a loss to physical facilities or You can have a loss to physical facilities or

technologies and NOT have a crisis.technologies and NOT have a crisis.

Both will escalate if not managedBoth will escalate if not managed

52

SummarySummary

•• The focus of Crisis Management The focus of Crisis Management Planning is different then Business Planning is different then Business Recovery PlanningRecovery Planning

•• A Crisis Management Plan (CMP) and a A Crisis Management Plan (CMP) and a Business Continuity Plan (BCP) are Business Continuity Plan (BCP) are usually two different documents that can usually two different documents that can work together or separatelywork together or separately