Edited Version May 5, 1999
EIIP Classroom Online Presentation

"Business Continuity Planning:
A Risk Management Tool"

Rick Ranous
Recovery and Business Continuation Specialist
EQE International

Neil Blais
Senior Project Engineer
EQE International

The original unedited transcript of the May 5, 1999 online Virtual Classroom presentation is available on the EIIP Virtual Forum (http://www.emforum.org). The following version of the transcript has been edited for easier reading and comprehension. Typos were corrected, date/time/names attributed by the software to each were deleted but content of discussions, questions, and responses are as stated by each participant. Answers from the presenter to questions by the audience are grouped beneath the appropriate question to facilitate meaning.


[Opening ]

Amy Sebring: Welcome to the EIIP Virtual Classroom!

One quick note about any URL's that may be used in the session; they are live links and you can click on them and view the referenced site in your browser window. Subsequent "slides" may display behind your chat window, so you may need to bring the browser window forward.

Background information for today's session may be found at

<http://www.emforum.org/vclass/990505.htm>. Today we will be learning about Business Continuity Planning in the context of Risk Management.

We will have a presentation for about thirty minutes, and then have audience Q&A for the last thirty minutes. We will review the instructions for Q&A as we are about to begin that portion.

[Introduction]

We are pleased to once again welcome EIIP partner, EQE International. With us are Rick Ranous, who specializes in Recovery and Business Continuation planning for EQE, and Neil Blais in the background, Senior Project Engineer at EQE International's Newport Beach, California office to whom we are grateful for arranging today's program. Paul Flores could not be with us after all today.

Welcome gentlemen; and Rick, thank you, for taking the time to be with us today.

[Presentation]

Rick Ranous: Thank you. Amy and Ava, for the opportunity to 'speak' today.

An effective risk management program addresses all risks to all parts of a business operation. Having a detailed plan on one component of your business, restoring management information systems for example, only marginally helps the business if the production line is down. The plan for recovery needs to address all aspects of the business operations. Amy, SLIDE 1, please.

[SLIDE 1]

Rick Ranous: There are three basic questions that guide and develop a risk management program:

1. What can affect my business?

2. How will it affect my business?

3. What can I do about it?

The answers to questions one and two are found in the Business Impact Analysis. With the knowledge of what and how, a risk manager can then determine how best to manage the risk posed by the hazards. The risks are strategically spread between Facility Planning, Facility Strengthening, and Business Continuity Planning. Amy, SLIDE 2, please.

[SLIDE 2]

Rick Ranous: Determining what can affect a business is more commonly referred to as a hazards assessment. All potential hazards are identified and analyzed to determine likelihood of occurrence and annualized losses resulting from that hazard. With this information the hazards can be ranked according to severity.

With the information generated in the hazard assessment, we work closely with the client to define the business' risk tolerance, i.e., how much loss can they absorb without detriment to the overall operation. All losses below that line can be discarded.

The client then looks at the remaining hazards and we work together to determine the most significant hazards to the business and those are the hazards that should be analyzed in detail. Generally, we recommend analyzing at least five hazards.

The systems analysis begins by studying and mapping, in a flow diagram, the entire operational system. We prefer to do the systems analysis through an interview process where we can gain detail information on each part of the system and its separate vulnerabilities.

The scenarios are applied to the buildings and to the operation. On the building side you are anticipating property damage and downtime as a result of that damage. On the operations side, you are looking also at downtime to restore systems, but also identifying inherent vulnerabilities. Inherent vulnerabilities are those that exist as a result of the system, not some external source.

On the operations side, it must be remembered that, if there is damage to the facility, downtime to restore systems is additive to the facility downtime. You may not be able to access the systems until the facility is repaired. Amy, SLIDE 3, please.

[SLIDE 3]

Rick Ranous: Knowing the anticipated damages to the facility and the operational systems as well as the projected downtime, the financial impact of the occurrence can be determined. Also, it is important to note that system the hazards may not impact the different parts of the operation in the same fashion. That is, the parts may be vulnerable to different hazards.

The financial impact considers repair cost, lost revenue, and can consider intangibles such as the credibility of the business. The final step is to determine the risk of suffering these financial losses.

Knowing what the risks are, allows the Risk Manager to determine how best to distribute the risks. Examples of risk distribution include the purchase of insurance to protect the facility; hazard mitigation to minimize the potential for the anticipated losses; and business continuity plans to ensure that the business interruptions anticipated are minimized and systems restored in a timely fashion. Amy, SLIDE 4, please.

[SLIDE 4]

Rick Ranous: The development of a BCP is done in five phases. What we refer to as the Business Continuity Planning Cycle. Now that the impact analysis is completed, we have all the information necessary to develop a plan that will guide the client through the emergency response and into recovery.

Using the information from the impact analysis we know what to expect for several different hazards. Phases II and III are done somewhat simultaneously. We begin by identifying an organizational structure that incorporates all the functions that will be needed to ensure a timely recovery.

We recommend to our clients that they use the Incident Command System as the basis for their response and recovery organizational structure. Through questionnaires we build a database of the employee skills and experience that allows management to identify individuals to fill the various boxes.

As we develop the recovery operations, it is important to note that we do not pre-determine recovery strategies. These strategies must be determined during the actual operation based on the level of damage experienced.

Instead of strategies, we develop actions that the organization can take to provide the information necessary to develop strategies and priorities. These actions are not hazard specific, but are actions that would apply no matter what the hazard or what the level of damage.

At this point in the process we start the development of the actual plan. EQE develops a plan that is similar in structure to a government's emergency plan. That is, we develop a general plan that provides guidance to the overall organization. The details of the operation are contained in functional annexes.

A business continuity plan is just a document until the staff have been trained in its contents. The staff must know their duties and responsibilities and where to find the appropriate checklists. They need to understand all aspects of the response and recovery operations and what the ultimate goal is.

We approach the training by organizational sections: Recovery Management Team; Operations Section; Planning Section; Logistics Section; and Finance and Administration Section.

The Recovery Management Team consists of the Command staff (Coordinator, Public Information Officer, Safety Officer, and Agency Liaison) plus the Section Chiefs. This process includes any special training that may be needed for the operation such as Safety and Damage Assessment.

At the completion of the training, we conduct a tabletop exercise to reinforce with the Recovery Management Team the concepts of coordination and control. The tabletop is followed by a full exercise to test the plan and identify any weak links in the process.

EQE will evaluate the exercise and meet with the Recovery Management Team to discuss the overall outcome. From these discussions necessary modifications to the plan are identified and revisions made. In this manner, the client knows that the plan they have been provided will work and will guide them through the process of recovery.

This concludes the formal presentation and we are ready to answer any questions you may have. We turn the room back to you, Amy.

Amy Sebring: Thank you Rick. We will now turn you over to our audience. If you have a question or comment, please indicate by inputting a question mark (?) to the chat screen. Then compose your question but hold it until you are recognized. First question, please?

Audience Questions

Question:

Audra Kunf: how does the private industry accept doing ICS? Isn't it a little 'foreign' to private business concepts?

Rick Ranous: In our experience, it has been difficult to train, as businesses are not used to the concepts of ICS. However, once trained, they begin to see the value and fully accept the structure.

Question:

Rick Tobin: Many clients want to see a blending of Y2K plans with the Business Recovery. This is not always a good fit because IT staff may see other hazards as "of secondary interest". Have you faced this challenge?

Rick Ranous: Typically, the IT staff is involved in the development of BCP. This is of critical importance as companies use computers for much of their daily activities. Most IT staff concerns are addressed through the checklist actions. Y2K is really one component of all IT issues that can interrupt a business.

Question:

Avagene Moore: Is it the difference in terminology that makes ICS difficult or what? We all realize we each speak our own language and have our own set of acronyms, unfortunately.

Rick Ranous: Terminology is a problem. But the problem is overcome during the systems analysis as we learn more detail about the business. Terminology can then be modified to fit the client's specific operations.

Question:

Amy Sebring: I assume many of these same businesses are also under the EPA Risk Management Planning requirements as well as facing Y2K concerns. Does this interfere with a comprehensive approach, or do you try to integrate all these requirements?

Rick Ranous: Again, it is one of the hazards impacting a business that is addressed during the process. This hazard is then integrated into the recovery operations.

Question:

Rick Tobin: The private sector many times has difficulty with accepting their vulnerability to terrorism (especially cyberterrorism) and to internal sabotage. Any suggestions on how to successfully bring people to the table on these hazards?

Rick Ranous: Good question. We find that many clients have never thought of internal or external sabotage or terrorism as a problem. We approach this as a training opportunity to point out their vulnerabilities. Often times putting knowledgeable staff in a single room to discuss these hazards will produce the proper planning opportunities to mitigate these issues.

Question:

Audra Kunf: Government "helps" itself through mutual aid provisions and reliance on other government agencies (local to state to federal). What avenues are there for private industry to meet their response and recovery resource shortfalls?

Rick Ranous: This depends in part on the industry. Pre-identification of what will be needed, evaluated against what the client has identifies the shortfall and contracts can be developed to fill the needs similar to a mutual aid concept.

Question:

Amy Sebring: Rick, in the public sector, we are particularly concerned about small businesses as well. Do you know of any outreach efforts to small business along these lines? And might it be possible to market to industry groups through trade associations?

Rick Ranous: This is a legitimate concern. With the exception of some Chambers of Commerce there is little outreach that we can identify. It is an area that should be explored, most likely through seminars to present the importance of contingency planning. (The seminars should reach small businesses and local officials).

Question:

Rick Tobin: Many organizations prepare BIA's and Business Recovery Plans, but there is no "program". How do you compute the dollar costs for maintaining training, facilities, and procedures for an organization to ensure that the program survives?

Rick Ranous: Good question. What the client needs is a sense of ownership of the program. This is why we include them through the whole process (at many management levels). In this manner they feel as though the program was developed by them and are more likely to budget maintenance of the plan (including occasional exercises and training).

Question:

Amy Sebring: Rick Tobin reminds me of something we have touched on here before, that is the continuing challenge of employee turnover to maintenance. Just when we are used to dealing with someone who understands, off they go, and the new guy has no clue. Perhaps this should be factored in as a cost as well?

Rick Ranous: Our recommendation is to include very basic training with their new employee orientation. This includes answering the employee questionnaire and entering the information into the personnel database. Management can then assign them to a function and ensure they are included in the next training session.

Question:

Audra Kunf: In government, disaster programs are usually the first to be cut when budgets are tight. How do you impress upon private industry (who is not supported by federal funding) the need to spend money on disaster planning/training/exercising?

Rick Ranous: Some of this is driven by their insurance carriers who encourage and sometimes require having plans in place. The BIA is also a strong tool to show the client their vulnerability. The combination can be the incentive necessary to ensure continued maintenance and training.

Question:

Rick Tobin: Some companies have used the critical missions section of the Business Impact Analysis as a way to cut staff. This makes emergency managers the "evil empire." How do you convince a client not to misuse the tools you've provided, although there is no way to completely prevent this?

Rick Ranous: In our experience, we have not run into that issue. Consequently have not thought about it. Using the hazards approach tends to keep typical daily business personnel issues out of the process.

Question:

Amy Sebring: Can you share some of the information actions you mentioned earlier used to support strategic decisions?

Rick Ranous: They are highly operational dependent. The actions are guides or reminders of information that needs to be collected. For example: an action item might simply be activate your damage assessment teams.

Question:

Avagene Moore: Is anyone working with elected officials and their respective organizations as a means of making small businesses understand the importance of business planning? Such as NaCO and League of Cities.

Rick Ranous: In my opinion, this has begun with the Y2K issue and governments involvement in appropriate regulations. These same officials need to carry this work on after Y2K and expand into other hazards.

Question:

Amy Sebring: In analyzing hazards and prioritizing, do you look for commonalities across different types of hazards, e.g. loss of power? And what tools do you use to estimate likelihood?

Rick Ranous: Yes. We also consider those commonalities as separate and distinct hazards. To clarify, a power outage can be caused by many hazards, or a technological issue, but the net results are the same.

Question:

Amy Sebring: Likelihood?

Rick Ranous: Probability of occurrence is estimated through subjective discussions with staff and providers.

Amy Sebring: Thank you very much, Rick and Neil and thank you, audience. Our time is about up, but before we adjourn, Ava, will give us a heads up on our upcoming events. Ava?

Avagene Moore: Thanks, Amy. Next week is going to be a good one!

• On Tuesday, May 11, 1:00 PM EDT, Jack Long, SSI (EIIP Partner), and a representative of the Pennsylvania School Boards Association will be with us. They recently completed development of a School Emergency Preparedness and Response Manual for the PA State Association and have conducted a series of 6 seminars on the topic around Pennsylvania. They will share some of their experiences from the seminars with us as well as discuss the manual.

• On Wednesday, May 5, 12: 00 Noon EDT, Paul Hoff and Marty Ditmeyer present National Academy of Pubic Administration (NAPA) findings from their January ?99 Workshop on Limitations to Data Access for Disaster Management in the Virtual Library. This workshop relates to Global Disaster Information Network (GDIN) efforts and should be most informative.

Would like to alert everyone online that we will be changing the time of our Round Table sessions starting the first of June. Tuesday Round Tables and our Wednesday formal sessions will both begin at 12:00 Noon Eastern time. We hope this will help everyone to be on time and avoid any confusion. We will be announcing this many times and through many mechanisms for the remainder of this month. Back to you, Amy.

Amy Sebring: Let's go ahead and express our appreciation to EQE and then you are invited to join us back in the Virtual Forum room for a few more minutes of open discussion.