Amy Sebring: Welcome to the EIIP Virtual Classroom! ... Amy Sebring: One quick note about any URLs that may be used in the session; they are live links and you can click on them and view the referenced site in your browser window. Amy Sebring: Subsequent "slides" may display behind your chat window, so you may need to bring the browser window forward. Background information for today's session may be found at Amy Sebring: http://www.emforum.org/vclass/990505.htm Amy Sebring: Today we will be learning about Business Continuity Planning in the context of Risk Management. Amy Sebring: We will have a presentation for about thirty minutes, and then have audience Q&A for the last thirty minutes. We will review the instructions for Q&A as we are about to begin that portion. Amy Sebring: We are pleased to once again welcome EIIP partner EQE International today. With us are ... Amy Sebring: Rick Ranous, who specializes in Recovery and Business Continuation planning for EQE, ... Amy Sebring: and Neil Blais in the background, Senior Project Engineer at EQE International's Newport Beach, California office to whom we are grateful for arranging today's program. Amy Sebring: Paul Flores could not be with us after all today. Welcome gentlemen, and Rick, thank you for taking the time to be with us today. Rick Ranous: Thank you Amy and Ava for the opportunity to 'speak' today. Rick Ranous: An effective risk management program addresses all risks to all parts of a business operation. Having a detailed plan on one component of your business, restoring management information systems for example, only marginally helps the business if the production line is down. The plan for recovery needs to address all aspects of the business operations... Rick Ranous: Amy, Slide 1 please. Amy Sebring: http://www.emforum.org/vclass/EQE/bcp01.htm Rick Ranous: There are three basic questions that guide and develop a risk management program: ... Rick Ranous: 1. What can affect my business?... Rick Ranous: 2. How will it affect my business?... Rick Ranous: 3. What can I do about it?... Rick Ranous: The answers to questions one and two are found in the Business Impact Analysis. With the knowledge of what and how, a risk manager can then determine how best to manage the risk posed by the hazards... Rick Ranous: The risks are strategically spread between Facility Planning, Facility Strengthening, and Business Continuity Planning... Rick Ranous: Amy, Slide 2 please. Amy Sebring: http://www.emforum.org/vclass/EQE/bcp02.htm Rick Ranous: Determining what can affect a business is more commonly referred to as a hazards assessment. All potential hazards are identified and analyzed to determine likelihood of occurrence and annualized losses resulting from that hazard. With this information the hazards can be ranked according to severity... Rick Ranous: With the information generated in the hazard assessment, we work closely with the client to define the business' risk tolerance, i.e., how much loss can they absorb without detriment to the overall operation. All losses below that line can be discarded... Rick Ranous: The client then looks at the remaining hazards and we work together to determine the most significant hazards to the business and those are the hazards that should be analyzed in detail. Generally, we recommend analyzing at least five hazards... Rick Ranous: The systems analysis begins by studying and mapping, in a flow diagram, the entire operational system. We prefer to do the systems analysis through an interview process where we can gain detail information on each part of the system and its separate vulnerabilities... Rick Ranous: The scenarios are applied to the buildings and to the operation. On the building side you are anticipating property damage and downtime as a result of that damage... Rick Ranous: On the operations side you are looking also at downtime to restore systems, but also identifying inherent vulnerabilities. Inherent vulnerabilities are those that exist as a result of the system, not some external source... Rick Ranous: On the operations side, it must be remembered that, if there is damage to the facility, downtime to restore systems is additive to the facility downtime. You may not be able to access the systems until the facility is repaired... Rick Ranous: Amy, Slide 3 please. Amy Sebring: http://www.emforum.org/vclass/EQE/bcp03.htm Rick Ranous: Knowing the anticipated damages to the facility and the operational systems as well as the projected downtime, the financial impact of the occurrence can be determined... Rick Ranous: Also, it is important to note that system the hazards may not impact the different parts of the operation in the same fashion. That is, the parts may be vulnerable to different hazards... Rick Ranous: The financial impact considers repair cost, lost revenue, and can consider intangibles such as the credibility of the business. The final step is to determine the risk of suffering these financial losses... Rick Ranous: Knowing what the risks are, allows the Risk Manager to determine how best to distribute the risks. Examples of risk distribution include the purchase of insurance to protect the facility; hazard mitigation to minimize the potential for the anticipated losses;... Rick Ranous: and business continuity plans to ensure that the business interruptions anticipated are minimized and systems restored in a timely fashion... Rick Ranous: Amy, Slide 4 please. Amy Sebring: http://www.emforum.org/vclass/EQE/bcp04.htm Rick Ranous: The development of a BCP is done in five phases. What we refer to as the Business Continuity Planning Cycle. Now that the impact analysis is completed, we have all the information necessary to develop a plan that will guide the client through the emergency response and into recovery... Rick Ranous: Using the information from the impact analysis we know what to expect for several different hazards. Phases II and III are done somewhat simultaneously. We begin by identifying an organizational structure that incorporates all the functions that will be needed to ensure a timely recovery... Rick Ranous: We recommend to our clients that they use the Incident Command System as the basis for their response and recovery organizational structure. Through questionnaires we build a database of the employee skills and experience that allows management to identify individuals to fill the various boxes... Rick Ranous: As we develop the recovery operations, it is important to note that we do not pre-determine recovery strategies. These strategies must be determined during the actual operation based on the level of damage experienced... Rick Ranous: Instead of strategies, we develop actions that the organization can take to provide the information necessary to develop strategies and priorities. These actions are not hazard specific, but are actions that would apply no matter what the hazard or what the level of damage... Rick Ranous: At this point in the process we start the development of the actual plan. EQE develops a plan that is similar in structure to a government's emergency plan... Rick Ranous: That is we develop a general plan that provides guidance to the overall organization. The details of the operation are contained in functional annexes... Rick Ranous: A business continuity plan is just a document until the staff have been trained in its contents. The staff must know their duties and responsibilities and where to find the appropriate checklists. They need to understand all aspects of the response and recovery operations and what the ultimate goal is... Rick Ranous: We approach the training by organizational sections: Recovery Management Team; Operations Section; Planning Section; Logistics Section; and Finance and Administration Section... Rick Ranous: The Recovery Management Team consists of the Command staff (Coordinator, Public Information Officer, Safety Officer, and Agency Liaison) plus the Section Chiefs. This process includes any special training that may be needed for the operation such as Safety and Damage Assessment... Rick Ranous: At the completion of the training we conduct a tabletop exercise to reinforce with the Recovery Management Team the concepts of coordination and control. The tabletop is followed by a full exercise to test the plan and identify any weak links in the process... Rick Ranous: EQE will evaluate the exercise and meet with the Recovery Management Team to discuss the overall outcome. From these discussions necessary modifications to the plan are identified and revisions made... Rick Ranous: In this manner, the client knows that the plan they have been provided will work and will guide them through the process of recovery... Rick Ranous: This concludes the formal presentation and we are ready to answer any questions you may have. We turn the room back to you, Amy. Amy Sebring: Thank you Rick. We will now turn you over to our audience. Amy Sebring: If you have a question or comment, please indicate by inputting a question mark (?) to the chat screen. Then compose your question but hold it until you are recognized. Amy Sebring: First question please? Audra Kunf: ? rick tobin: ? Amy Sebring: Audra please. Audra Kunf: how does the private industry accept doing ICS? Audra Kunf: isn't it a little 'foreign' to private business concepts? Rick Ranous: In our experience... Rick Ranous: It has been difficult to train as businesses are not used to... Rick Ranous: The concepts of ICS. However, once trained, they begin to see the value... Rick Ranous: and fully accept the structure. Amy Sebring: Rick Tobin please. Avagene Moore: ? rick tobin: Many clients want to see a blending of Y2K plans with the Business Recovery. This is not always a good fit because IT staff may see other hazards as "of secondary interest". Have you faced this challenge? Rick Ranous: Typically, the IT staff is involved in the development of BCP... Rick Ranous: This is of critical importance as companies use computers for much of their daily activities... Rick Ranous: Most IT staff concerns are addressed through the checklist actions.... Rick Ranous: Y2K is really one component of all IT issues that can interrupt a business. Amy Sebring: Avagene please. Avagene Moore: Is it the difference in terminology that makes ICS difficult or what? We all realize we each speak our own language and have our own set of acronyms unfortunately. Amy Sebring: ? Rick Ranous: Terminology is a problem... Rick Ranous: But the problem is overcome during the systems analysis as we learn more detail about the business.... Rick Ranous: Terminology can then be modified to fit the clients specific operations. Amy Sebring: I assume many of these same businesses are also under the EPA Risk Management Planning requirements as well as facing Y2K concerns ... Amy Sebring: does this interfere with a comprehensive approach, or do you try to integrate all these requirements? Rick Ranous: Again, it is one of the hazards impacting a business that is addressed during the process... Rick Ranous: This hazard is then integrated into the recovery operations. rick tobin: ? Audra Kunf: ? Amy Sebring: rick tobin please rick tobin: The private sector many times has difficulty with accepting their vulnerability to terrorism (especially cyberterrorism) and to internal sabotage. Any suggestions on how to successfully bring people to the table on these hazards? Rick Ranous: Good question.... Rick Ranous: We find that many clients have never thought of internal or external sabotage or terrorism as a problem... Rick Ranous: We approach this as a training opportunity to point out their vulnerabilities. Often times putting knowledgeable... Rick Ranous: staff in a single room to discuss these hazards will produce the proper planning opportunities.... Rick Ranous: to mitigate these issues. Amy Sebring: Audra please. Audra Kunf: govt. *helps* itself through mutual aid provisions and reliance on other govt. agencies (local to state to federal). What avenues are there for private industry to meet their response and recovery resource shortfalls? Rick Ranous: This depends in part on the industry.... Rick Ranous: Pre identification of what will be needed, evaluated against what the client has.... Rick Ranous: identifies the shortfall and contracts can be developed to fill the needs similar to a mutual aid concept. Amy Sebring: ? Amy Sebring: Rick, in the public sector we are particularly concerned about small businesses as well... rick tobin: ? Amy Sebring: do you know of any outreach efforts to small business along these lines? ... Amy Sebring: and might it be possible to market to industry groups through trade associations? Rick Ranous: This is a legitimate concern... Rick Ranous: With the exception of some Chambers of Commerce there is little outreach that we can identify. Rick Ranous: It is... Rick Ranous: an area that should be explored most likely through seminars to present the importance... Rick Ranous: of contingency planning. (The seminars should reach small businesses and local officials). Amy Sebring: Rick Tobin please. rick tobin: Many organizations prepare BIAs and Business Recovery Plans, but there is no "program". How do you compute the dollar costs for maintaining training, facilities, and procedures for an organization to ensure that the program survives? Rick Ranous: Good question... Rick Ranous: What the client needs is a sense of ownership of the program... Rick Ranous: This is why we include them through the whole process (at many management levels).... Rick Ranous: In this manner they feel as through the program was developed by them.... Rick Ranous: and are more likely to budget maintenance of the plan (including occasional exercises and training). Amy Sebring: ? Amy Sebring: Rick Tobin reminds me of something we have touched on here before ... Amy Sebring: that is the continuing challenge of employee turnover ... Amy Sebring: to maintenance. Just when we are used to dealing with someone who understands ... Amy Sebring: off they go and the new guy has no clue. Amy Sebring: Perhaps this should be factored in as a cost as well? Rick Ranous: Our recommendation is to include.... Audra Kunf: ? Rick Ranous: very basic training with their new employee orientation... Rick Ranous: This includes answering the employee questionnaire and entering the information into the personnel database... Rick Ranous: Management can then assign them to a function and ensure they are included in the next training session. Amy Sebring: Audra please. Audra Kunf: in govt., disaster programs are usually the first to be cut when budgets are tight....how do You impress upon private industry (who is not supported by federal funding) the need to spend money on disaster planning/training/exercising? rick tobin: ? Rick Ranous: Some of this is driven by their insurance carriers who.... Rick Ranous: encourage and sometimes require having plans in place.... Rick Ranous: The BIA is also a strong tool to show the client their vulnerability.... Rick Ranous: The combination can be the incentive necessary to ensure continued maintenance and training. Amy Sebring: Rick Tobin please. rick tobin: Some companies have used the critical missions section of the Business Impact Analysis as a way to cut staff. This makes emergency managers the "evil empire." How do you convince a client not to misuse the tools you've provided(although there is no way to completely prevent this)? Rick Ranous: In our experience... Rick Ranous: We have not run into that issue. Consequently have not thought about it.... Amy Sebring: ? Rick Ranous: Using the hazards approach tends to keep typical daily business personnel issues out of the process. Amy Sebring: Can you share some of the information actions you mentioned earlier used to support strategic decisions? Rick Ranous: They are highly operational dependent.... Rick Ranous: The actions are guides or reminders of information that needs to be collected... Rick Ranous: for example... Rick Ranous: an action item might simply be activate your damage assessment teams. Amy Sebring: Other questions/comments? Avagene Moore: ? Amy Sebring: Avagene please. Avagene Moore: Is anyone working with elected officials and their respective organizations ... Avagene Moore: as a means of making small businesses understand the importance the of business planning? Rick Ranous: In my opinion.... Avagene Moore: Such as NaCO and League of Cities. Amy Sebring: ? Rick Ranous: This has begun with the Y2K issue and governments involvement in appropriate regulations... Rick Ranous: These same officials need to carry this work on after Y2K and expand into other hazards. Amy Sebring: In analyzing hazards and prioritizing, do you look for commonalities across different types of hazards, e.g. loss of power? And what tools do you use to estimate likelihood? Rick Ranous: Yes... Rick Ranous: We also consider those commonalities as separate and distinct hazards. Rick Ranous: To clarify... Rick Ranous: A power outage can be caused by many hazards, or a technological issue, but the net results are the same. Amy Sebring: Likelihood? Rick Ranous: Probability of occurrence is estimated through subjective discussions with staff and providers. Amy Sebring: Thank you very much Rick, and Neil and thank you audience. Our time is about up, but before we adjourn, Ava will give us a heads up on our upcoming events. Ava? Avagene Moore: Thanks, Amy. Next week is going to be a good one! On Tuesday, May 11, 1: 00 PM EDT, Jack Long, SSI (EIIP Partner), and a representative of the Pennsylvania School Boards Association will be with us. ... Avagene Moore: They recently completed development ... Avagene Moore: of a School Emergency Preparedness and Response Manual for the ... Avagene Moore: PA State Association and have conducted a series of 6 seminars on the topic around Pennsylvania. ... Avagene Moore: They will share some of their experiences in the seminars with us. ... Avagene Moore: As well as the manual itself ... Avagene Moore: On Wednesday, May 5, 12: 00 Noon EDT, Paul Hoff and Marty Ditmeyer present National Academy of Pubic Administration (NAPA) findings from their January ?99 Workshop on Limitations to Data Access for Disaster Management in the Virtual Library. ... Avagene Moore: This workshop relates to Global Disaster Information Network (GDIN) efforts and should be most informative. ... Avagene Moore: Would like to alert everyone online that we will be changing the time of our Round Table sessions starting the first of June. Tuesday Round Tables and our Wednesday formal sessions will both begin at 12: 00 Noon Eastern time. We hope this will help everyone to be on time and avoid any confusion. ... Avagene Moore: We will be announcing this many times and through many mechanisms for the remainder of this month. Back to you, Amy. Amy Sebring: Let's go ahead and express our appreciation to EQE and then you are invited to join us back in the Virtual Forum room for a few more minutes of open discussion.