Plan-A-ware

Collaborative Business Continuity Plan Development and Management

Read More...

 

 

Tabletop Exercises

From custom designed and delivered to "off the shelf"

Read More...

 

 

Disaster Experiences

Tabletop Exercises delivered as mock disaster simulations

Read More...

 

In the past several years, we've experienced unthinkable disasters resulting from terrorist activity. The September 11 attacks on the World Trade Center and the Pentagon struck on a peaceful, sunny morning with no warning. Today, war in Iraq has made us more vulnerable to terrorist activity and, even with the war at an end, the Department of Homeland Security warns that terrorism remains a very real threat for the foreseeable future. The bombing of the federal building in Oklahoma City was a shocking demonstration of domestic terror. Natural disasters have taken their toll as well… Tornadoes have leveled parts of Kansas, Missouri, and Tennessee, and Maryland. Ohio residents are still recovering from February ice and snow storms. A massive natural gas explosion in Toronto in April reduced a strip mall to a huge crater. Wildfires in California, Colorado and Arizona destroyed homes and businesses and threatened the tourism industries in those areas.

Could your business survive this kind of disaster? Your organization should be prepared for anything that could happen - to protect your critical resources, your employees, and, to the greatest degree possible, to ensure the continuity of your business. It's not just the major disasters, either… it's downtime, employee error, denial-of-service attacks, and many other "minor" disasters that endanger your operations. For many businesses, even a few hours of downtime could be critical to their ability to continue. It's not just the cost of downtime, the economic impact on your business - it's the survival factor.

How much downtime would it take to put you out of business? Companies participating in Contingency Planning Research's 2001 Cost of Downtime Survey indicated that downtime would cost them $50,000 to $1 million per hour. Of even greater concern, 7% of companies indicated their survival would be at risk after only one hour of downtime. The majority of companies projected that they could not survive 72 hours of downtime. Given that most disasters, natural or otherwise, can easily close things down for three days, this is pretty scary information.

If you haven't done so already, now's the time to dust off your Business Continuity Plan (BCP) and make sure it's up to date. Can your plans get you through the critical 72 hours? If you don't have a plan, it's not too late to develop one… it may not be perfect, but any continuity planning is better than none. It's a good idea to test your plans to ensure that they actually are viable… better to find out now than on the heels of a disaster. In this article, we offer some tips for your plan, whether you're updating it or starting fresh. In addition, at the end of this article you will find links to articles and other resources to help you pull it all together.

Remember that your primary goal is business continuity and prevention of business disruption, not disaster recovery. Disaster recovery should be your contingency plan, in case disaster cannot be averted. Focus on these critical components of your organization:

People

Reservists - There are close to one million reservists working full-time jobs in the United States today, and more than 100,000 of them were called to active duty in the Iraq war. Reservists are being activated more frequently now -- not only because of war, but to combat the never-ending war on terrorism. Businesses in New York were hit with a "double whammy" in 2001 when, reeling from the events of Sept. 11, critical staff members were called to active duty in the wake of that disaster.

You must plan for the fact that your employees -- or their family members -- could be called to service. What impact this will this have on your organization? If you have reservists in critical positions, you need to back them up to prevent loss of information or productivity. If you have a replacement at the ready, the impact would be far less -- and you'll also be protected if they decide to take other jobs. Training existing employees to cover any critical positions will give you some protection, and temporary-staffing replacements can provide relief for lost manpower. If you have an Employee Assistance Program (EAP), it can provide counseling and assistance to alleviate the impact on your employees and, thereby, your organization.

Employee Safety and Security - Your employees spend 1/3 or more of their day in your offices, and you want to ensure their safety while they're there. Start by making sure you have a complete employee roster and contact information for everyone. Because evacuation is a possibility, have a complete evacuation plan and practice it - make sure every employee is familiar with it and knows what to do. If the government issues a "shelter in place" directive, you're going to have a lot of folks who'll need food, water, blankets, etc. Build up emergency supplies for them and don't forget a battery-powered radio, batteries, flashlights, and other necessities.

Because employees will be concerned about their families' well-being, encourage them to develop family preparedness plans for the safety of their homes and their loved ones. The more prepared their families are, the less stress and worry employees will be subject to while at work. While it may cause some loss of productivity to be understanding and lenient if your employees need to take care of pressing family matters, their peace of mind will improve their productivity. When possible, providing telecommuting resources can help alleviate these competing pressures. Please refer to the links at the end of this article for some information on personal and business safety and security.

Traveling Employees - When terrorism threatens, if employee travel -- especially overseas travel -- can be postponed or canceled, do it. If employees must travel, maintain complete contact and passport information and itineraries for them, including hotels and all ground and air travel. This might prove to be important to track someone down or to confirm their safety for their family back home. Employees on travel should be given a company contact they can call 24 hours a day for assistance, if necessary. And this is one time when the US State Department's advice about filling your itinerary with the US Embassy wherever you are traveling should be heeded without fail.

The SARS epidemic that has killed 400 people in China has migrated to other areas -- as close as Toronto -- and is making travel extremely risky. How will you mitigate this risk and protect your people? What technologies, for example, could you put in place to reduce the need for travel to certain areas of the world? Teleconferencing? Video conferencing?

Operations

Physical Plant - While not every company will become a target of terrorist activity, your offices may be located in an area otherwise at high risk. If you're in close proximity to major cities, airports, water treatment or nuclear plants, high visibility landmarks, military bases, and other civic or government institutions, terrorist activities aimed at them may mean that you won't be able to open for business. Do you have an alternate location from which you can operate? To help keep the premises safe, consider controlling access to your offices via badges or other means. Have visitors sign in and account for them. If you're vulnerable for any reason, check all packages carried in or delivered and report anything suspicious to authorities. Implement safe mail-handling procedures.

Floods, earthquakes, hurricanes, or tornadoes also could keep you out of your building or your employees stranded in their homes, unable to get to work. You need to plan what needs to be done before, during and after any such disaster strikes.

Network and Data Protection - Although most experts don't see terrorist activity bringing down the entire Internet, various forms of cyber terrorism could be enacted. Malicious worms and viruses can be transmitted -- via email or downloaded files --throughout your network infrastructure, destroying valuable data and applications. Firewalls and virus protection are initial steps to protect your critical resources. And if you don't have any backup and recovery system in place for your network, now's the time to implement one. Again, something is better than nothing. At the very least, backup crucial customer, financial and other critical data and keep at least one copy somewhere safe outside of -- and some distance from -- your office. You also can investigate remote, online backup vendors who can do near real-time backup and reliable recovery that would be accessible via any IP address.

Telecommuting - What if critical employees can't get to work? Plan now to provide a number of employees with remote access to your critical applications and data in the event travel is restricted, "shelter-in-place" directives are enacted, or your building/data center is not accessible.

Transportation - If your organization relies on meetings or conferences, or extensive just-in-time shipping, now is the time to consider alternative ways to move items and look into replacing face-to-face meetings with teleconferences or Webcasts. Both war and the threat of terrorist activity could affect travel. Air travel could be more restricted while ground transportation could be seriously delayed for extensive scrutiny of people and goods. If the "Just-In-Time" business model has been the backbone of your company's success, plan to have some extra supplies and materials on hand, so JIT doesn't become your downfall.

Supplies - One of the realities of war or disaster is shortages… either because of restrictions or lack of supply. Consider how shortages of various materials and supplies could affect your business and plan to compensate for them. Since fuel easily could be in short supply, you might want to have a backup supply on hand if you need it for emergency generators. We recommend the same three-day rule that is used for natural disasters. For critical shipments, are you prepared to pay additional charges for local or long-distance shipping if prices increase? Or does it make more sense to overstock just in case? If certain items are perishable, do you have the resources to keep them protected if shipping methods are halted? Whatever the answers, you must decide how to handle these contingencies, and these decisions should be part of your business continuity plan.

Communications

Once you have a plan in place, you need to communicate with employees, customers, vendors, members, and other stakeholders. Let them know what you're going to be doing to maintain operations. Will your location change temporarily? Your contact information? How will procedures be different, if at all? Make sure all your critical stakeholders know what is going on… how they can contact you and continue to do business with you. And make sure you contact your critical suppliers regarding their contingency operations. If appropriate, communicate with media via news releases or other means. If newspapers and magazines are publishing, and if the Internet is operational, news about your organization also will let people know you're open for business.

Successful Survival

It's all about surviving, particularly the first 72 hours. It may not be business as usual, but, if you plan and implement carefully, you'll still be in business -- and your employees and other critical resources will be safe.


Resource and Information Links

Business Continuity Planning:

Gartner Group: Emergency Steps We Recommend You Take Right Now
http://www4.gartner.com/5_about/news/disaster_recovery.html

Eating An Elephant...
http://www.operationalrisk.info/bc002.html

The Small And Medium Size Businesses Guide To A Successful Continuity Program
http://www.drj.com/special/smallbusiness/article1-01.html

Are You Ready - An In-depth Guide to Citizen Preparedness
http://www.ready.gov/are-you-ready-guide

The Hartford's Resource Topics: Weather and Natural Disasters
http://www.sb.thehartford.com/reduce_risk/loss_library/Weather_Related_Natural_Disasters/

Are Your Intangible Assets Protected? Here's How to Choose the Right Insurance Policy For Your Company.
http://www.csoonline.com/read/120902/safety.html

Set disaster-recovery objectives
http://searchstorage.techtarget.com/tip/1,289483,sid5_gci850762,00.html

Continuity plans - the staff disconnect
http://www.globalcontinuity.com/thought_leadership/continuity_plans_the_staff_disconnect

What have you FORGOTTEN?
http://www.disasterplan.com/yellowpages/Remember.html

Business Continuity Resources
http://www.attainium.net/index.php/resources/resources-and-articles

People:

Disasters - plan for your people above all else
http://www.globalcontinuity.com/thought_leadership/disasters_plan_for_your_people_above_all_else

Terrorism In America: What Should Employers Be Doing?
http://www.bipc.com/news.cfm?mode=article&article_id=586&practice_id=76

Coping with Sudden Employee Departures: Back Up Your Reserves
http://update.informationweek.com/cgi-bin4/flo?y=eJps0EjK1y04e0Bm3q0Ae

Shelter-in-Place at Your Office
http://www.tallytown.com/redcross/library/ShelterInPlaceAtYourOffice.pdf

Telecommuters Have Unique Security Needs
http://www.informationweek.com/story/IWK20011018S0076

Prepare Remote Access For Disaster Recovery
http://searchstorage.techtarget.com/tip/0,289483,sid5_gci882243,00.html

Guide for the special needs of people with disabilities for emergency managers, planners, and responders (Adobe PDF)
http://www.nod.org/pdffiles/epi2002.pdf

Family Disaster Planning
http://www.redcross.org/services/disaster/beprepared/familyplan.html

Financial Preparations
http://www.redcross.org/services/disaster/beprepared/financeprep.html

American Red Cross Homeland Security Advisory System (HSAS) Recommendations for Individuals, Families, Neighborhoods, Schools, and Businesses
http://www.redcross.org/services/disaster/beprepared/hsas.html

[The above three items are made available through the American Red Cross and the Federal Emergency Management Agency. They are available to view at the URLs above, but they also may be downloaded as PDF files.]

Last but not Least… Don't Forget the Pets!
http://www.redcross.org/services/disaster/beprepared/animalsafety.html

Physical Plant:

Office Building Security
http://www.security-expert.org/office_security.html

Protecting the Premises
http://www.eweek.com/article2/0,3959,669172,00.asp

Graphic of a mail bomb
http://www.atf.treas.gov/explarson/information/indic.htm

Guidance Issued on Building Safety
An executive summary of the document, 'Risk Management Guidance for Health, Safety and Environmental Security Under Extraordinary Incidents', can be found at http://xp20.ashrae.org/ABOUT/Summary.pdf. The full document is available at http://xp20.ashrae.org/ABOUT/extraordinary.pdf

United States Postal Inspection Service: Security Plan for Suspected Letter and Parcel Bombs
http://www.usps.com/websites/depart/inspect/bombcorp.htm

Data and Cyber Threats:

'It's The Restore, Stupid!'
http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,78483,00.html?nas=ST-78483

Data Protection Strategy: Backup + Recovery = Survival
http://www.attainium.net/index.php/resources-and-articles/142-can-your-business-survive-a-major-disruption

Data protection risk analysis self-test http://searchstorage.techtarget.com/tip/0,289483,sid5_gci874814,00.html

How to Build A Data Protection Strategy for Availability and Recovery (Adobe PDF)
http://www.cio.com/sponsors/090102dl/analysis.html

Can you decentralize data?
http://www.infoworld.com/articles/fe/xml/02/04/01/020401febcemc.xml

 

© Bob Mellinger, Attainium Corp

# # #

 

Latest Articles & NewsBriefs

Testing and Training Your Business Continuity Plan

December 6, 2017 - Some say the most valuable outcome of a test is failure, because from failure you can learn where the faults are and you can make corrections. At the very least you should be able to run the test and identify any weaknesses. These articles address the need for testing and for training your people what's required to their roles. 

Read more ...

Winter Weather

November 29, 2017 - You just never know what weather surprises Mother Nature has in store for the winter, so it's best to be as prepared as possible for whatever challenges arise. We all are familiar with some of the problems... blizzards that prevent employees from getting to work (or getting home); power losses that can span days; frozen pipes, flooding or other building damages; and more. If you haven't thought about what you might be facing this winter, these articles can help you figure out where your planning runs short and what you can do about it. 

Read more ...

Flu and Business Continuity

November 15, 2017 - Flu season is creeping up on us and that means employees home sick or slowed down at the office by flu symptoms. There does not seem to be any flu pandemic on the near horizon, so at least we don't have that to worry about this year, but experts seem to think that a pandemic is coming (It is about 100 years since the Spanish flu epidemic killed millions worldwide). We need to ensure that we have plans in place to help prevent the spread of flu in the workplace. But we also need to be thinking long-term and look at how we should update our business continuity plans to help us deal with whatever is ahead. 

Read more ...

Holiday Parties

November 8, 2017 - With Christmas less than 50 days away, many employers' thoughts turn to holiday parties. At first glance, you might say, "What do holiday parties have to do with business continuity?" But think about it... many of the holiday activities both in the workplace and outside it can create risky situations (food poisoning, sexual harassment, drunken driving) that might end in liability for your company. And liabilities can endanger your bottom line. These articles were chosen to help you avoid potentially litigious and unsafe situations.  

Read more ...

After a Disaster...

November 1, 2017 - Most of us have planned carefully for all the things that can go wrong and have plans in place to mitigate the effects of various disasters. But have you thought about the period after the disaster is over? Do you know what you are going to do to overcome the challenge of insufficient funding while the business gets back on its feet? What about recovering records? And getting employees back to work if the workplace is gone? These articles might help you consider what must be done right after the disruption but before things are back to whatever passes for normal at that point. 

Read more ...