How Organizations Prepare to Face Today’s Risks & Hazards
Preparation, Mitigation, Response, and Recovery are the Keys to Continuity of Operations
You are prepared to respond to emergencies. You have fire safety plans, evacuation plans, and other types of emergency procedures in place. Of course, since 9/11, you also have plans to deal with threats and acts of terrorism. Most organizations today need a comprehensive, integrated plan in place to protect people, property, and technology in the face of a myriad of risks. You need a disaster response plan and a business continuity plan to cover all the possibilities and make business recovery possible. Overriding all, however, is personal safety and the need to preserve life ... these are always the top priorities.
Consider these actual happenings and their potential impacts:
- Your web server is the target of a denial-of-service (DOS) attack; it's flooded with false requests, overwhelming the system and finally crashing it. None of your members, clients, or customers can reach your website; now what?
- 150 protesters block the entrance to the hotel site on the opening day of your national conference; a large number of them get into the building and stage a sit-down protest in the main lobby/registration area. Police are called, many individuals are arrested and the event gets a lot of media attention. What's your Plan B for getting your conference attendees to the registration area? What will the media say about how you handled the situation?
- Flooding takes out your total phone system - and your vendor's control site as well. The vendor doesn't know how soon they can get you back up and running. What's your fallback plan?
- A newly fired employee accesses your database and obtains contact information for a large number of individuals. Do you have a plan in place to detect when employees attempt to access the information they aren't authorized to access in order to prevent such a happening?
- During a meeting in your building, a fire breaks out. Your employees know the fire evacuation procedures, but many of the attendees are not employees and have no idea where the fire exits are. Three attendees panic and are injured. How do you get all the meeting attendees out safely?
- A large voltage spike occurs on the grid used by your data center plunging it into darkness. The backup generators failed to start and the battery power is failing. How will you handle this disruption?
As you can see from these examples, it's not just terrorism, natural and man-made disasters, legal liability (injury, violence, etc.), and government regulations that threaten your operations. Reputation damage, litigation, and other factors increase the odds against business continuity; there is significant potential for loss of income if you are not prepared. In this climate, an organization should be prepared for anything that could happen - to protect its employees, members, and, to the greatest degree possible, its reputation and financial viability. It's entirely possible that one ruined or badly handled incident might result in extensive revenue losses and require years of rebuilding reputation and attendance.
Planning is the Key
The process described in this article is a strategic approach to business continuity planning and stresses the need to make this an evolving effort. A good plan is dynamic; it's never finished. It reflects the constant vigilance of its preparers and maintains as current a level of information as possible so that it remains a strategic tool that can help you respond to whatever comes up.
It's a well-known and accepted management principle that defining a problem is the first step to finding its solution. How do you plan for disruptions you can only imagine? The following principles of emergency management, including the activities each might generate, are provided here to guide your planning:
- Preparedness - activities involved in creating awareness, determining risk and developing a state of readiness to respond to disaster, crisis or any type of emergency situation.
Example: Get all your key players (security, administration, etc.) together and have a brainstorming session to surface all possible vulnerabilities, and then prioritize them.
Example: Conduct an evacuation drill
- Mitigation - activities aimed at reducing vulnerability; activities performed in advance to decrease the impact of and reduce potential loss or damage from disruptions.
Example: If the server room is in the basement of the building, what steps can you take now to reduce the impact of flooding?
- Response - activities occurring during or immediately following a disruptive event to minimize its immediate impact(s).
Example: To keep rumors under control, you need a good communication plan for employees, stakeholders, customers, and the public at large.
- Recovery - activities undertaken to minimize long-term impacts of the disruption and return the situation/system to normal.
Example: If it's going to take three months to repair the damage to your building, do you have an alternative to closing down for that period? If not, there's a chance that you'll be closing your doors for good.
If you talk to any true emergency management professional, what you'll hear is an echo of this: have a plan and keep these principles in mind as you plan.
Note: Planning is a time-consuming, ongoing process. There aren't any really good shortcuts. It's tempting to go to the Internet and find one of the many plans-in-a-box or checklists that are available. This is fine if you are going to use these as starting points, but remember that there really is no such thing as a one-size-fits-all solution. Threat assessment is a critical building block of your plan, and considering only some other's organization's list of threats won't get you off on the right foot.
Determining Risk and Establishing Priorities
It's not possible to be prepared for every possible disruption; you have to concentrate on those that are most likely to occur. Before you begin any kind of planning or assessment, therefore, it is important to know how to determine the risk of each potential disruption and to decide on which disruptions to concentrate your resources. This universally accepted risk management equation will help with this effort:
Probability, quite logically, refers to the likelihood that something will happen, while consequence refers to its impact. For example, the probability of a meteorite hitting your facility is likely quite small, although the consequences from such an event would be huge. This wouldn't be high on your list of risks... the risks on which you want to concentrate are those in which both the likelihood of occurrence and the potential consequences are in the medium to high range. Keep this in mind as you go through the emergency management process.
Most important - keep things in perspective. Any consequence that involves potential critical injury or loss of life must take precedence over less critical outcomes. It's necessary, therefore, to prioritize the risks as well as identifying the ones to focus on.
Preparedness is both general and specific
Identify the vulnerabilities. Ask yourself, "What if…?" What would I do if a part of the roof collapsed? What would I do if the keynote speaker died in mid-sentence? What if the chairman of the board was taken hostage? Develop a comprehensive list of such threats that you can then use to go through the planning process. This is the age-old problem/solution approach to planning and is a good way to start.
While many threats are equally likely to impact all organizations (fire, transportation strike, power blackouts, etc.), each facility also has unique threat potential depending on its location and other factors (hurricanes, flooding, terrorism, etc.). In addition, any organization has risk from groups that take issue with its practices, beliefs, etc. or those of its clients. For that reason, managers need to plan generally as well as for their own unique vulnerabilities. In addition, what is a threat this month may not be a threat next month, or from one program to the next, so you have to constantly revisit this step.
The other critical factor here is the impact of each risk on your key business processes. The key is to identify what processes (e.g. online event registration) support your business and what infrastructure supports those processes (e.g. phones, Internet, gas, electric, etc.). You have to plan for the causes in order to mitigate/prevent the effects. You also need to know how quickly things have to be fixed... if you can't continue to operate without power for two hours and it will take four to get power, you have a problem. These recovery time objectives will also help you prioritize your efforts.
In each case, it's important to assemble a group of key players who are aware of and can help identify issues or activities that make the facility or group vulnerable to specific risks. This is the stage during which potential threats are identified, their individual risk is assessed, and a comprehensive list of vulnerabilities for which to plan is developed.
If this seems like a daunting task, it also is extremely rewarding when the planning results in successful handling of disruptions. Another benefit of this step is that some of the vulnerabilities can be eliminated simply by knowing about them beforehand. For example, consider the situation where the security vendor for your conference facility has a union contract scheduled for renegotiations. In this case, you might want to find out more about the situation and evaluate the possibility of changing venues or lining up an alternative site in the event of a strike.
Be aware. You know your organization and the local environment. What is going on locally - are there potential situations or weather hazards that could impact your operations? Are there issues that might result in demonstrations, bomb threats, etc., which could disrupt your organization's functioning? Good communication plus awareness of your environment will help you identify previously unconsidered vulnerabilities and develop plans for dealing with them.
Develop a plan for each scenario identified - and TEST IT. The planning isn't as difficult as it sounds. You really need one basic plan that can be customized for each different threat/hazard, because a lot of the planning or information used will be the same no matter what the disruption. Most important, write your plan down and make sure it gets communicated to everyone involved.
How do you plan? Take the case of a bomb threat, for example. Although the majority of bomb threats are false (we are told), who can afford to ignore such a threat in the 21st century? As an example, use a scenario in which you are told that at 1 pm on the opening day of your annual conference a bomb threat has been called into the facility. What's your first question? (When is the bomb supposed to go off?) If the answer is in 20 minutes, that's Plan A; if it's three hours from now, that's Plan B. The most critical thing to consider is how to handle the situation with the least risk to life. So, if you have three hours and you know that it takes 35 minutes to evacuate the building, there's the answer. If you have only 20 minutes, what do you do? This is the kind of thinking that you have to go through to survive such a disruption and be able to carry on if possible.
Mitigation - Isn't it better if the disruption never occurs?
Mitigation is the area of planning with the highest potential return, but one on which organizations seem to spend the least time and effort. What is mitigation, exactly? Mitigation is everything you do to prevent a disruption from occurring or to minimize its impact. It's keeping your virus protection updated, for example, to prevent data loss from a new virus. It's planning early and carefully for security if you are hosting a high-visibility individual. It's having a tested backup and recovery facility for your critical operations in case a broken gas line shuts down your building. It's having at least one plain old telephone that gets its power from the Telco line versus an electrical outlet.
Mitigation often is accomplished through communication. If a situation is threatening a scheduled event (for example a local e coli outbreak), it's important to communicate to members that the area is or isn't safe and why or why not. If they know you have their health and safety in mind, they are more likely not to back out. Communicating to your staff is even more important because they are communicating with your publics. If they don't have all the information, you may well lose control of the situation.
Mitigation activities can be identified by reviewing your list of vulnerabilities and/or the plans to determine what can be done NOW as opposed to waiting for a disruption. This kind of planning is one of the best ways to help ensure that your operations can continue without significant disruption.
Response - When you call the fire department, that's response.
The response period occurs from the start of the disrupting event until the situation has been stabilized. You need to build response capability into your plans in order to minimize the immediate impact of any disruption. If you have a meeting scheduled at a local hotel (where your attending members also are staying), and the hotel burns down while they're at a luncheon several blocks away, what are you going to do? Yes, the hotel is responsible, but you can't tell your attendees it's not your problem... At the very least, you need to provide assistance in dealings with the hotel and their contingency plans. And, if they don't have any, you need to get on the phone and assist the members in finding other accommodations and helping them figure out how to replace personal belongings and lost medications.
You can best handle the response to any disruption if, in your planning, you created a crisis response team that you can call into play. Just as you can't possibly plan for every vulnerability, you can't possibly predetermine responses when unexpected disruption occurs. But you can transform other plans to help you deal with this, and you can hold drills to practice working under pressure and as a team. If someone doesn't react well (e.g., panics or freaks out), get them off the team; someone could die if an individual becomes a loose cannon. What you need on this team are people who can keep their heads, who are resourceful, and who can move quickly. You also need a spokesperson - someone who will deal with the media (when necessary) and other groups confidently and forthrightly.
One thing to remember about the response to threats and hazards is that, despite different causes, the general flow of activities is similar. There is an "all hazards approach" - try to save people, secure the situation, get everything under control.
Recovery - How soon can we operate again?
After any disruption, all we want is for things to "get back to normal." Be aware, however, that this seldom if ever happens. After any disruption, there is usually a "new" normal. Things have changed. A classic example of this is the impact of 9/11 on the businesses surrounding the World Trade Center. There were restaurants, dry cleaners, newsstands, and other shops that were able to reopen, but without the several thousand customers who used to populate the World Trade Center. The ones that did reopen now have a "new" normal, characterized by far fewer customers. If your facility was severely damaged and declared unusable, what would your new normal be?
We want actions in the recovery stage to enable us to minimize the long-term impact of the disruption on the organization. In the case of a food poisoning incident, for example, recovery might mean immediately inviting health officials to investigate, getting in a new vendor for any remaining meals (or send out for Chinese for everyone), and publicizing this to your members personally and via the media. The food poisoning wasn't your fault, but your reputation is at risk regardless.
Customize, Don't Reinvent
As organizations that provide products and services, you are in the unique, perhaps not enviable position, of having to plan for the business continuity and emergency response needs of your organization and any services critical to your members' operations as well. We have alluded above to some of your responsibility in this regard; here we want to stress that, while each situation has its different, unique risks, your overall plan does not have to be reinvented for each situation. You can easily customize your planning to incorporate the mitigation and response required for varying situations. Just remember that, in each instance, you need specifically to consider any risks that could significantly impact your or your members' safety and reputation.
Training, Testing and Evaluation (TT&E) - Does it (still) work?
Probably the most common example of TT&E is the fire drill. We've all done them and learned from them, and no one disputes the need to continue to do fire drills on a regular basis. We have to develop the same attitude about testing business continuity plans.
When your plan is complete and placed on the shelf, the job is not over. To be effective, a plan must be (1) accessible and (2) a dynamic document that constantly evolves to reflect changes in the environment, staffing, regulation, policies, and procedures. If you're not going to test the plan regularly to keep it current and ensure its viability, you might as well throw it away after a few months. What happens, for example, when a disruption occurs and someone goes to the plan to find out who to contact, only to discover that the person in charge left the company six months ago? Finally, the plan has to be easy to use. Don't make it easier for people to run for the door than to locate the correct procedure in the plan (of course, if the plan is tested and people are trained, this shouldn't be an issue).
Plan accessibility is an important issue. Everyone has to know what and where the plans are, who's in charge of what, as well as processes for different types of disruptions. Hardcopy has been used, either placed in strategic locations or provided to each department or manager. Today, with the growing popularity of smart phones, and tablets, plans can be accessible from anywhere by keeping a copy on the device as well as gaining access to online Business Continuity Plan Management services like Plan-A-ware by Attainium. What happens if the power goes out? Is the plan now inaccessible? Do you have a way to access the plan remotely? Should you have a website or service that you can access to make sure the information remains accessible? TT&E, when done right, also can surface problems with access to the plan.
There are basically five types of exercises that test your plan and allow you to evaluate its effectiveness. These include the orientation, the drill, the tabletop exercise, the functional exercise, and the full-scale exercise. The primary objective of the testing is to determine whether or not your plan can successfully respond to the crisis and restore one or more business-critical processes in the allotted time. Below are descriptions of these exercises, based on FEMA's definition of each.
- Orientation. An orientation is an informal session that does not include any simulation. It provides a discussion of roles and responsibilities and introduces or reinforces policies, procedures and plans.
- Drill. Think of the fire drill... this is a test of one function only.
- Tabletop. This takes the form of a discussion of a simulated emergency. It's inexpensive, low-stress, and has no time limits. This exercise can help you evaluate plans and processes and review any issues with coordination and responsibility.
- Functional. This is a realistic simulation that takes place in real time and can be quite stressful. All key personnel should be involved.
- Full-scale. This type of exercise features a specific emergency scenario using real people and equipment. It takes place in real time and, done correctly, causes high levels of stress. It is designed to test many/all of the emergency response functions.
A critical result of testing the plan, no matter what method you use, is to incorporate the lessons learned into the plan and making sure that all relevant personnel receive the updates. In fact, holding a Monday-morning quarterbacking session after the test is a good way to surface the problems and determine how to incorporate changes into the plan.
Your entire plan should be tested on an annual basis to ensure its viability. But you don't have to test the entire plan at one time; you can test pieces of it over the course of the year to save time and money.
A Word about Communication
- Communicate with first responders, not just when the emergency occurs, but well beforehand. Involve them in your planning and give them a copy of the plan. The more information they have, the better they can assist you in a crisis.
- Communicate the contents and location of the plan to everyone, unless there is some top secret information you don't want released. Even then, communicate the parts that are not secret, because your best preparation is an informed staff.
- If an emergency occurs, communicate with your staff and members. If they know what is happening and what you expect of them, they are less likely to become the source of rumors or misinformation.
- Communicate with the public. If you don't take steps to tell folks what you are doing about a situation, someone is likely to be there making you look bad. The news media abhors a vacuum.
Communication before and during a crisis is one of the most effective tools you have to control rumors and public perception and protect your reputation.
Your job is an overwhelming one, particularly when viewed from the perspective of planning to survive the threats and hazards that can impact organizations today. Planning is the key to making it through. The risk assessment and emergency management processes are tools that you can use to identify and prepare for the myriad of disruptions you might face. Mitigation activities actually can reduce certain threats. Response plans mean that everyone knows their role in the event of any disruption. Recovery plans help reduce the amount of downtime to the facility. And training, testing, and evaluation are critical to keeping plans accessible, current, and effective.
Following, we have provided some resources that will assist you in developing those plans and your responses to any situations that arise.
- http://www.fema.gov/ps-preptm-voluntary-private-sector-preparedness - FEMA's Volunteer Private Sector Preparedness site offers organizations many options for preparedness.
- http://www.ready.gov/business - FEMA's Ready Business site can help with the development of a plan, using the "all hazards" approach.
- http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=50038 - ISO Business Continuity Standard 22301.
- http://www.attainium.net/index.php/resources/resources-and-articles/143-assessing-your-risk-planning-for-the-unexpected - a quick read on how to assess risk.
- http://www.attainium.net/index.php/resources/resources-and-articles/142-can-your-business-survive-a-major-disruption - Studies show that businesses with 500 or fewer employees that experience a major disruption may not survive it. Could your business? If your business continuity or disaster recovery plan has been sitting on the shelf -- or, worse, if you don't have one -- it's time to take a look at what it will take to keep you in business.
- https://goo.gl/GQwgMV - links to an excellent white paper on Crisis Communications by Rosanne Desmone of Mt. Vernon PR & Communications.
- http://www.attainium.net/index.php/resources/business-continuity-newsbriefs - Attainium's Business Continuity NewsBriefs will keep you up to date on the hot topics in business continuity, disaster recovery, and crisis management.
© Attainium Corp
# # #