In the past several years, we've experienced unthinkable disasters resulting from terrorist activity. The September 11 attacks on the World Trade Center and the Pentagon struck on a peaceful, sunny morning with no warning. Today, war in Iraq has made us more vulnerable to terrorist activity and, even with the war at an end, the Department of Homeland Security warns that terrorism remains a very real threat for the foreseeable future. The bombing of the federal building in Oklahoma City was a shocking demonstration of domestic terror. Natural disasters have taken their toll as well… Tornadoes have leveled parts of Kansas, Missouri, Tennessee, and Maryland. Ohio residents are still recovering from February ice and snow storms. A massive natural gas explosion in Toronto in April reduced a strip mall to a huge crater. Wildfires in California, Colorado and Arizona destroyed homes and businesses and threatened the tourism industries in those areas.

Could your business survive this kind of disaster? Your organization should be prepared for anything that could happen - to protect your critical resources, your employees, and, to the greatest degree possible, to ensure the continuity of your business. It's not just the major disasters, either… it's downtime, employee error, denial-of-service attacks, and many other "minor" disasters that endanger your operations. For many businesses, even a few hours of downtime could be critical to their ability to continue. It's not just the cost of downtime, the economic impact on your business - it's the survival factor.

How much downtime would it take to put you out of business? Companies participating in Contingency Planning Research's 2001 Cost of Downtime Survey indicated that downtime would cost them $50,000 to $1 million per hour. Of even greater concern, 7% of companies indicated their survival would be at risk after only one hour of downtime. The majority of companies projected that they could not survive 72 hours of downtime. Given that most disasters, natural or otherwise, can easily close things down for three days, this is pretty scary information.

If you haven't done so already, now's the time to dust off your Business Continuity Plan (BCP) and make sure it's up to date. Can your plans get you through the critical 72 hours? If you don't have a plan, it's not too late to develop one… it may not be perfect, but any continuity planning is better than none. It's a good idea to test your plans to ensure that they actually are viable… better to find out now than on the heels of a disaster. In this article, we offer some tips for your plan, whether you're updating it or starting fresh. In addition, at the end of this article you will find links to articles and other resources to help you pull it all together.

Remember that your primary goal is business continuity and prevention of business disruption, not disaster recovery. Disaster recovery should be your contingency plan, in case disaster cannot be averted. Focus on these critical components of your organization:

People

Reservists - There are close to one million reservists working full-time jobs in the United States today, and more than 100,000 of them were called to active duty in the Iraq war. Reservists are being activated more frequently now -- not only because of war, but to combat the never-ending war on terrorism. Businesses in New York were hit with a "double whammy" in 2001 when, reeling from the events of Sept. 11, critical staff members were called to active duty in the wake of that disaster.

You must plan for the fact that your employees -- or their family members -- could be called to service. What impact will this have on your organization? If you have reservists in critical positions, you need to back them up to prevent loss of information or productivity. If you have a replacement at the ready, the impact would be far less -- and you'll also be protected if they decide to take other jobs. Training existing employees to cover any critical positions will give you some protection, and temporary-staffing replacements can provide relief for lost manpower. If you have an Employee Assistance Program (EAP), it can provide counseling and assistance to alleviate the impact on your employees and, thereby, your organization.

Employee Safety and Security - Your employees spend 1/3 or more of their day in your offices, and you want to ensure their safety while they're there. Start by making sure you have a complete employee roster and contact information for everyone. Because evacuation is a possibility, have a complete evacuation plan and practice it - make sure every employee is familiar with it and knows what to do. If the government issues a "shelter in place" directive, you're going to have a lot of folks who'll need food, water, blankets, etc. Build up emergency supplies for them and don't forget a battery-powered radio, batteries, flashlights, and other necessities.

Because employees will be concerned about their families' well-being, encourage them to develop family preparedness plans for the safety of their homes and their loved ones. The more prepared their families are, the less stress and worry employees will be subject to while at work. While it may cause some loss of productivity to be understanding and lenient if your employees need to take care of pressing family matters, their peace of mind will improve their productivity. When possible, providing telecommuting resources can help alleviate these competing pressures. Please refer to the links at the end of this article for some information on personal and business safety and security.

Traveling Employees - When terrorism threatens, if employee travel -- especially overseas travel -- can be postponed or canceled, do it. If employees must travel, maintain complete contact and passport information and itineraries for them, including hotels and all ground and air travel. This might prove to be important to track someone down or to confirm their safety for their family back home. Employees on travel should be given a company contact they can call 24 hours a day for assistance, if necessary. And this is one time when the US State Department's advice about filing your itinerary with the US Embassy wherever you are traveling should be heeded without fail.

The SARS epidemic that has killed 400 people in China has migrated to other areas -- as close as Toronto -- and is making travel extremely risky. How will you mitigate this risk and protect your people? What technologies, for example, could you put in place to reduce the need for travel to certain areas of the world? Teleconferencing? Video conferencing?

Operations

Physical Plant - While not every company will become a target of terrorist activity, your offices may be located in an area otherwise at high risk. If you're in close proximity to major cities, airports, water treatment or nuclear plants, high visibility landmarks, military bases, and other civic or government institutions, terrorist activities aimed at them may mean that you won't be able to open for business. Do you have an alternate location from which you can operate? To help keep the premises safe, consider controlling access to your offices via badges or other means. Have visitors sign in and account for them. If you're vulnerable for any reason, check all packages carried in or delivered and report anything suspicious to authorities. Implement safe mail-handling procedures.

Floods, earthquakes, hurricanes, or tornadoes also could keep you out of your building or your employees stranded in their homes, unable to get to work. You need to plan what needs to be done before, during and after any such disaster strikes.

Network and Data Protection - Although most experts don't see terrorist activity bringing down the entire Internet, various forms of cyber terrorism could be enacted. Malicious worms and viruses can be transmitted -- via email or downloaded files -- throughout your network infrastructure, destroying valuable data and applications. Firewalls and virus protection are initial steps to protect your critical resources. And if you don't have any backup and recovery system in place for your network, now's the time to implement one. Again, something is better than nothing. At the very least, back up crucial customer, financial and other critical data and keep at least one copy somewhere safe outside of -- and some distance from -- your office. You also can investigate remote, online backup vendors who can do near real-time backup and reliable recovery that would be accessible via any IP address.

Telecommuting - What if critical employees can't get to work? Plan now to provide a number of employees with remote access to your critical applications and data in the event travel is restricted, "shelter-in-place" directives are enacted, or your building/data center is not accessible.

Transportation - If your organization relies on meetings or conferences, or extensive just-in-time shipping, now is the time to consider alternative ways to move items and look into replacing face-to-face meetings with teleconferences or Webcasts. Both war and the threat of terrorist activity could affect travel. Air travel could be more restricted while ground transportation could be seriously delayed for extensive scrutiny of people and goods. If the "Just-In-Time" business model has been the backbone of your company's success, plan to have some extra supplies and materials on hand, so JIT doesn't become your downfall.

Supplies - One of the realities of war or disaster is shortages… either because of restrictions or lack of supply. Consider how shortages of various materials and supplies could affect your business and plan to compensate for them. Since fuel easily could be in short supply, you might want to have a backup supply on hand if you need it for emergency generators. We recommend the same three-day rule that is used for natural disasters. For critical shipments, are you prepared to pay additional charges for local or long-distance shipping if prices increase? Or does it make more sense to overstock just in case? If certain items are perishable, do you have the resources to keep them protected if shipping methods are halted? Whatever the answers, you must decide how to handle these contingencies, and these decisions should be part of your business continuity plan.

Communications

Once you have a plan in place, you need to communicate with employees, customers, vendors, members, and other stakeholders. Let them know what you're going to be doing to maintain operations. Will your location change temporarily? Your contact information? How will procedures be different, if at all? Make sure all your critical stakeholders know what is going on… how they can contact you and continue to do business with you. And make sure you contact your critical suppliers regarding their contingency operations. If appropriate, communicate with media via news releases or other means. If newspapers and magazines are publishing, and if the Internet is operational, news about your organization also will let people know you're open for business.

Successful Survival

It's all about surviving, particularly the first 72 hours. It may not be business as usual, but, if you plan and implement carefully, you'll still be in business -- and your employees and other critical resources will be safe.


Resource and Information Links

Business Continuity Planning:

Gartner Group: Emergency Steps We Recommend You Take Right Now
http://www4.gartner.com/5_about/news/disaster_recovery.html

Eating An Elephant...
http://www.operationalrisk.info/bc002.html

The Small And Medium Size Businesses Guide To A Successful Continuity Program
http://www.drj.com/special/smallbusiness/article1-01.html

Are You Ready - An In-depth Guide to Citizen Preparedness
http://www.ready.gov/are-you-ready-guide

The Hartford's Resource Topics: Weather and Natural Disasters
http://www.sb.thehartford.com/reduce_risk/loss_library/Weather_Related_Natural_Disasters/

Are Your Intangible Assets Protected? Here's How to Choose the Right Insurance Policy For Your Company.
http://www.csoonline.com/read/120902/safety.html

Set disaster-recovery objectives
http://searchstorage.techtarget.com/tip/1,289483,sid5_gci850762,00.html

Continuity plans - the staff disconnect
http://www.globalcontinuity.com/thought_leadership/continuity_plans_the_staff_disconnect

What have you FORGOTTEN?
http://www.disasterplan.com/yellowpages/Remember.html

Business Continuity Resources
http://www.attainium.net/index.php/resources/resources-and-articles

People:

Disasters - plan for your people above all else
http://www.globalcontinuity.com/thought_leadership/disasters_plan_for_your_people_above_all_else

Terrorism In America: What Should Employers Be Doing?
http://www.bipc.com/news.cfm?mode=article&article_id=586&practice_id=76

Coping with Sudden Employee Departures: Back Up Your Reserves
http://update.informationweek.com/cgi-bin4/flo?y=eJps0EjK1y04e0Bm3q0Ae

Shelter-in-Place at Your Office
http://www.tallytown.com/redcross/library/ShelterInPlaceAtYourOffice.pdf

Telecommuters Have Unique Security Needs
http://www.informationweek.com/story/IWK20011018S0076

Prepare Remote Access For Disaster Recovery
http://searchstorage.techtarget.com/tip/0,289483,sid5_gci882243,00.html

Guide for the special needs of people with disabilities for emergency managers, planners, and responders (Adobe PDF)
http://www.nod.org/pdffiles/epi2002.pdf

Family Disaster Planning
http://www.redcross.org/services/disaster/beprepared/familyplan.html

Financial Preparations
http://www.redcross.org/services/disaster/beprepared/financeprep.html

American Red Cross Homeland Security Advisory System (HSAS) Recommendations for Individuals, Families, Neighborhoods, Schools, and Businesses
http://www.redcross.org/services/disaster/beprepared/hsas.html

[The above three items are made available through the American Red Cross and the Federal Emergency Management Agency. They are available to view at the URLs above, but they also may be downloaded as PDF files.]

Last but not Least… Don't Forget the Pets!
http://www.redcross.org/services/disaster/beprepared/animalsafety.html

Physical Plant:

Office Building Security
http://www.security-expert.org/office_security.html

Protecting the Premises
http://www.eweek.com/article2/0,3959,669172,00.asp

Graphic of a mail bomb
http://www.atf.treas.gov/explarson/information/indic.htm

Guidance Issued on Building Safety
An executive summary of the document, 'Risk Management Guidance for Health, Safety and Environmental Security Under Extraordinary Incidents', can be found at http://xp20.ashrae.org/ABOUT/Summary.pdf. The full document is available at http://xp20.ashrae.org/ABOUT/extraordinary.pdf

United States Postal Inspection Service: Security Plan for Suspected Letter and Parcel Bombs
http://www.usps.com/websites/depart/inspect/bombcorp.htm

Data and Cyber Threats:

'It's The Restore, Stupid!'
http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,78483,00.html?nas=ST-78483

Data Protection Strategy: Backup + Recovery = Survival
http://www.attainium.net/index.php/resources-and-articles/142-can-your-business-survive-a-major-disruption

Data protection risk analysis self-test
http://searchstorage.techtarget.com/tip/0,289483,sid5_gci874814,00.html

How to Build A Data Protection Strategy for Availability and Recovery (Adobe PDF)
http://www.cio.com/sponsors/090102dl/analysis.html

Can you decentralize data?
http://www.infoworld.com/articles/fe/xml/02/04/01/020401febcemc.xml

 

© Bob Mellinger, Attainium Corp
