VFRE 2000
Emergency Management Track

NFPA 1600 Standard - Session 3
Wednesday – September 20, 2000 – 1:00 PM EDT

Implications for Business Continuity Planning: What Difference Will It Make to Business?

Pat Moore
NFPA Technical Committee
Vice President, Business Continuity Education, Strohl Systems

Amy Sebring, Moderator
EIIP Technical Projects Coordinator

Amy Sebring: Welcome to VFRE 2000 and the third session in the Emergency Management Track, the new NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs.

Monday we looked at the history and future development of the standard with the NFPA Technical Committee chair, Lloyd Bokman, and Committee member, Bob Fletcher. Yesterday we focused on the requirements of the standard with Committee member Dean Larson. Transcripts of both sessions in an easy to read format are accessible from the session pages in the Exhibit Hall.

Today we will focus on the private sector in a session entitled "Implications for Business Continuity Planning: What Difference Will It Make to Business?" The background page for this session is found at http://www.vfre.com/presentation21/private.htm

Today we will get into more detail about business continuity planning and it is my pleasure to introduce our speaker, Ms. Pat Moore. In addition to being a member of the Technical Committee during development of the standard, Pat is Vice President, Business Continuity Education for Strohl Systems.

Ms. Moore has extensive real world experience and expertise in disaster recovery, business/ service resumption and continuity planning, as well as property restoration and loss mitigation. During last year, she was inducted into the Contingency Planning & Management Hall of Fame, and received the FEMA Project Impact "Outstanding National Business Person" Award.

Welcome, Pat; I turn the floor over to you now.

Pat Moore: Thank you Amy. I am pleased to be with VFRE this afternoon to talk about business continuity planning. Singular, isolated business or service disruptions as well as large-scale, community-wide disasters have shown us that a well designed and tested organization-wide recovery and continuity of operations plan must be in place.

The frequency and severity with which singular and regional disasters are occurring today prove that planning for the emergency response phase of disaster recovery alone is simply not enough.

As organizations, whether they are a fire department, emergency management agency or private sector business, look to extend their recovery planning efforts beyond the life safety and emergency response incident management issues, and move beyond data center and critical applications recovery concerns to address 'continuity of operations', organization-wide planning can seem overwhelming. There are, however, certain planning elements that are common to all public and private sector organizations, no matter how large or small.

This session will address the critical elements of business and service continuity planning and will concentrate on the following issues:

* Defining business / service continuity planning

* Expanding emergency response plans to address continuity of operations issues

* Utilizing NFPA 1600 as a benchmark for continuity of operations plans

* Incorporating a business / service impact analysis into hazard / risk assessments

* Business continuity plan construction, implementation, maintenance and exercise

A great deal of progress has already been made in the field of disaster recovery and business continuity planning within the private sector (especially within the Fortune 1000 companies worldwide). NFPA 1600 is actually the first FORMAL benchmarking standard that an organization of any type or size can use to begin and guide them through their process.

There are industry 'best practices' documents such as those developed by the Disaster Recovery Institute International headquartered in the United States, and the Business Continuity Institute headquartered in the United Kingdom, but this is the first real 'standard' in our industry.

We all know that life safety issues from an emergency response standpoint will always be the 'first' priority in planning and response. But even public sector organizations such as fire departments and police departments as well as other government agencies, must also consider themselves a 'business' in what they do and plan to recover their own functions and processes in order to be able to deliver their emergency management services.

Also, it is important to address the 'continuity of operations' issues that allow a business or government agency or institution to continue to do what it is they do to generate revenue, provide services and help keep the economic dollars in the community.

Because there are so many interpretations of the terminology regarding disaster recovery and business continuity planning, NFPA 1600 has tried very hard to define those terms. In the private sector, the term disaster recovery relates mainly to the recovery of critical information systems and technology. The term 'business continuity planning’ relates to a process that defines the procedures employed to ensure the timely and orderly recovery, resumption and continuity of an organization's business cycle, through its ability to execute plans with minimal or no interruption to time-sensitive business or service operations.

Documented Plan Components must include (at minimum):

• Strategies
• Procedures
• Resources
• Organizational structure
• Information database

A successful planning methodology, that will assist you not only in recovering, but ensuring continuity of your core, strategic, revenue-generating business and service units, operations and processes, as well as their important administrative or staff support business units, and should include (at minimum):

PREVENTION/MITIGATION:

Prevention addresses the positioning of those measures and activities that will lessen the possibility or the impact of an adverse incident occurring in your organization. The primary goals and objectives of the Prevention phase of a business continuity program are to protect the organization's assets and to manage risk.

RESPONSE:

Response is the reaction to an incident or emergency to assess the damage or impact and to ascertain the level of containment and control activity required. In addition to addressing matters of life safety, Response also addresses the policies, procedures and actions to be followed in the event of an emergency.

RESUMPTION:

Resumption refers to the process of planning for and/or implementing the resumption of only the most time-sensitive business operations immediately following a disaster.

RECOVERY:

Recovery is the process of planning for and/or implementing expanded operations to address less time-sensitive business operations immediately following an interruption or disaster.

RESTORATION:

Restoration is the process of planning for and/or implementing procedures for the repair or relocation of the primary site and its contents, and for the restoration of normal operations at the primary site.

Step 1: Project Initiation -- When developing your business / service continuity program, you will need to determine its objectives, gain senior management support, and allocate the necessary time and resources to develop, exercise and maintain the plan. Your plan's objectives should include:

• Minimize interruptions to business/service operations;
• Resume critical operations within a specified time after a disaster;
• Minimize financial loss;
• Assure clients/customers/community that their interests are protected;
• Limit the severity of the disruption;
• Expedite the restoration of services;
• Establish awareness so that management and staff understand the implications of a disaster upon services; and
• Maintain a positive public image of the organization.

As you begin to develop the plan, the following assumptions should be defined:

• The organization's business/service goals and objectives;
• The organization's policy on business/service continuity planning;
• Business / service interruption scenarios that pertain to each plan's functional area and/or location;
• A "minor interruption" and "major disaster" in terms of business / service impact and anticipated duration of outage;
• What will be reused / recovered and to what capacity levels over what period of time;
• Which business / service operations will be resumed immediately;
• Which business / service operations will not be resumed immediately and when they will be available;
• Which business / service operations are expendable;
• What resumption and recovery strategies are to be employed, and what are the priority sequences associated with each; and
• What resources need to be pre-positioned and what are their interdependencies.

As you conduct your review, you will probably find that some levels of recovery planning exist in some business / service units. For example, the Safety / Security, Facilities, or Vital Records departments may have plans in place to recover their own operations.

In many cases, the Information Systems or Information Technology department will have a documented contingency plan for information systems / technology functions. It is important to integrate these independent plans so that all critical and interdependent components are in place to ensure a successful recovery.

Can you expect to recover everything? Can each department's or business unit's needs be considered the number one priority? Of course not. What are the real priorities? What is the cost of risk to your organization or community? (Cost of risk is a way of measuring the degree of risk by examining several of the worst possible loss scenarios.)

Step 2: Business Impact Analysis -- A Business Impact Analysis is a proven method of determining this cost of risk by identifying the impact of business or service disruptions, and helping you to target those operations and processes which require recovery planning.

A Business Impact Analysis will identify financial and operational impacts -- when they begin and when they're most severe, for example:

• Financial impacts such as lost sales, loss trade discounts, contractual penalties/fines;
• Operational impacts such as negative public image, loss of shareholder confidence, employee morale;
• Extraordinary expenses such as rental of temporary premises/equipment, moving equipment and supplies, media reconstruction;
• Current state of preparedness;
• Technology requirements for recovery;
• Special recovery resources; and
• Critical information systems support.

The key steps in conducting a Business or Service Impact Analysis are:

1. Define the assumptions and scope of the project;
2. Develop a survey to gather the needed information;
3. Identify survey recipients and provide needed education;
4. Distribute the survey; collect and review responses;
5. Conduct follow-up interviews where needed;
6. Modify survey responses based on interviews;
7. Analyze survey data;
8. Verify results with business/service unit management; and
9. Prepare a report -- present findings to management.

Today's automated technology can greatly expedite the data gathering and analysis process and help you present the information to senior management in professional charts and graphs that clearly indicate the analysis results.

Step 3: Plan Construction - When you've completed your Business or Service Impact Analysis, you will be ready to develop your recovery strategies and build your business / service continuity plans. Consider the following when building your plans.

Note: This particular checklist encompasses only a portion of the business/service continuity planning effort and does not address specific manufacturing, research and development or distribution issue.

• Write your plans so that you can recover equally well in a singular, community-wide or hazardous materials disaster.
  
  
• Ensure that your emergency response plans are expanded to address 'continuity of operations' planning beyond the incident management and emergency response and business resumption and recovery phases.
  
  
• Ensure that your pre-qualified, critical suppliers of services and supplies will be available to you when you need them. Your vendors must have their own disaster recovery and business continuity plans, and responding to your needs must be a part of their plans. Ask to see documentation of this response commitment.
  
  
• Establish a notification list that identifies who needs to be notified in the event of a disaster at any of your locations, and provides procedural information on how they will be contacted (no matter whether or not there is power available).
  
  
• Pre-identify critical resources (communications equipment, supplies, hardware, specialized workforce, etc.) and determine the time frames needed to not only mobilize them but fulfill delivery commitments.
  
  
• Establish telecommunications recovery procedures for voice and data, including switching capabilities and backup networks.
  
  
• Address the possibility of denied access to your facility due to assessment of structural integrity, forensic investigations, and/or toxic contamination. (Plan for at least a 24 - 72 hour delay in getting back into your facility -- even for just site/damage assessment. If it is necessary to test for hazardous materials, your access can be delayed several weeks or longer.)
  
  
• Determine the parameters for declaring a disaster and moving off-site to your hot site, cold site or internal warm site.
  
  
• Determine who authorizes this move and other emergency acquisitions, and what special accounting procedures need to be established for tracking these disaster-specific costs.
  
  
• Determine the location of your command center(s), its requirements, and what special security/access control procedures you need to establish in advance.
  
  
• Determine when you implement your Crisis Management Plan.
  
  
• Identify and arrange for the relocation of your strategic revenue-generating and administrative/staff support functions. Determine what special needs these departments and personnel have.
  
  
• Ensure that the pre-identified locations will be available in both a community-wide and singular disaster. Research what real estate transactions need to be completed prior to a move.
  
  
• Determine how you will resume your production and distribution capabilities and get your finished goods to market.
  
  
• Determine how your Crisis Communications Plan will address the continuity of positive communications to your clients, employees and the public regarding your recovery progress.
  
  
• Determine what issues you must address to be sensitive to global cultural and philosophical differences.
  
  
• Identify your recovery teams and their tasks.

Step 4: Exercising and Maintaining the Plan - The litmus test for any business / service continuity plan is that it works when executed. To ensure your plans work, exercise them. Make certain that the logistics, procedures and tactical strategies you developed are sound.

Plans must be exercised to determine whether:

• Your organization and its critical vendors are prepared to cope with a business/service interruption or disastrous event; anywhere in the world you have operations;
  
  
• Backed-up data and documentation stored off-site are adequate to support resumption, recovery and restoration operations;
  
  
• Inventories, tasks and procedures are adequate to support resumption and recovery operations; and
  
  
• Plans have been properly maintained and updated to reflect actual resumption and recovery needs, and, in particular, any changes to the organization.

The information contained in a business/service continuity plan must be kept alive. Organizations are constantly changing --- businesses are acquired, merged and divested; new operations and processes begin, some cease; people leave, are hired, promoted, etc.; customer commitments and supplier relationships change; locations change; responsibilities change; priorities change; etc., You cannot rely on outdated information...

In today's constantly changing environment, where people are often asked to do more with less, it's a challenge to maintain a living plan. Although you may maintain the text portion of your plan, such as corporate or government agency policy in a word processing document, if a disaster occurs, you don't want to have to be searching through a manual looking for action lists, notification procedures, critical resource information, etc. It is important for those individuals doing the actual planning and plan implementation and execution to look to today's' automated planning systems for assistance.

NFPA 1600 addresses the basics of this planning information. This is a very quick overview of business continuity planning issues and I will be happy to try and answer questions at this point. There are many more BCP issues we have to deal with in our e-business and web-based planning.

[Q&A with Audience]

Amy Sebring: Thank you Pat. That is very valuable information. We will now move on to our interactive portion. Please try to limit your questions to the scope of today's presentation, that is, the implications for the private sector. We will have two more sessions this week; one tomorrow on the government emergency management program aspects, including the current status of the EMAP accreditation program, and a wrap up group discussion on Friday.

Question:

Stephen Walsh: How do you quantify monetary savings to a business that is considering NFPA1600?

Pat Moore: If you are referring to the impact of a disaster upon your business, it is important to identify what the loss of key operations and functions and processes will mean to the bottom line.

In addition, a business will be looked at very closely by its stakeholders and trustees as to what senior management is doing in the way of due diligence and 'duty of trust' in protecting the assets of their business.

Stephen Walsh: "Duty of Trust" sounds great, but 'How Much' is the question, I anticipate. Comment?

Pat Moore:If you are asking how much BCP costs, it all relates to the scope of the project. Perhaps an organization will find its greatest vulnerability in their data center or manufacturing operations. They have to decide, based on the financial and operational impacts of a loss whether they want to do full blown planning for the whole organization, or do recovery and mitigation instead using better loss control, etc. The business impact analysis will clearly define what their 'cost of risk' is if they don't do it.

Question:

Bill Karl: Does business continuity planning use the Incident Command System?

Pat Moore: Most business continuity plans today, within the private sector, include in their emergency response plans, the coordination with ICS. At most of our private sector industry conferences, we provide courses through the DRII on ICS, taught by CEMs to make the private sector more knowledgeable in understanding ICS.

Question:

David Crews: Pat about 80 percent of business is small. The type of planning you have covered requires the resources of a much larger business. What would be a good strategy for businesses with less than 25 employees and do not have the resources on the scale you recommend? Also, many of the smaller business must resume operations within 15 days just to keep the doors open. I work with SBA on these issues all the time in Presidential Declarations. There is also the matter of Disaster unemployment.

Pat Moore: I don't know that figure you are quoting about 80% of most businesses being small, as we look at the global economy today. But even small companies with less than 25 employees can easily follow the guidelines in NFPA 1600 themselves, without costly consultants, and even use the checklist I just gave you to follow - much like they prepare their homes and families for evacuation.

Question:

Derri Hanson: How would you market this program?

Pat Moore: If you are asking me how you would market it to a 'company' rather than a government agency, it is always important to start 'at the top' and get senior management commitment or at least a sense of understanding. I always suggest when you are talking to a senior management individual, COO/CEO/CFO, you talk in language they can relate to; such as board room issues of how are they protecting the company's or organization's assets, public image, etc. They will usually respond very well to that kind of language.

Also today there are many examples out there of what happened to company's and their officers and director's who didn't have a continuity of operations plan in place. Another good way of getting this message across is through internal or external auditors who are reviewing a company's plans, much like they did with Y2K.

In addition clients today, even small companies, are looking at the plans of their 'suppliers' and if their suppliers don't have a good contingency plan that addresses their needs, the client finds another supplier. A good example of this is in the automotive industry, e.g. the General Motors strike where the automotive industry established QS 9000 - A FORM OF CONTINGENCY PLANNING requirement for suppliers to that industry.

If you are talking about 'small business', e.g. a Pizza Hut, or a dry cleaning establishment - talk to the owner about how much business they would lose if their customers went to the competition a mile away because they were closed. There are some very basic things a business (even small) can do to plan for continuity of operations - just like they would plan to evacuate in a flood.

[Closing]

Amy Sebring: Pat, I am sorry but we have another session following this. I am sorry but we are going to have to end there; if we did not have time for your question please see the background page and contact information for Pat.

Pat Moore: Feel free to contact me at pmoore@strohlsystems.com or (800) 634-2016 x 306.

Amy Sebring: Thank you very much Pat for your time and effort today. Before I ask the audience to express their appreciation,

Tomorrow, Eric Tolbert and Emily DeMers, NEMA Emergency Management Accreditation Program and Gunnar Kuepper, IAEM will be with us to look at the implications for government programs.

Next VFRE session starts at 2 p.m. EDT in the HAZMAT track, Hazardous Materials Personal Protective Equipment -- Bernie A. Edmondson, Special Operations Coordinator, Fort George G. Meade Fire Department, and Gary Warren, Field Instructor, Maryland Fire & Rescue Institute.

Our thanks to all our participants today and to VFRE for inviting us to host the Emergency Management Track. Now please help me thank Pat.