VFRE 2000
Emergency Management Track

NFPA 1600 Standard - Session 3
Wednesday – September 20, 2000 – 1:00 PM EDT

Implications for Business Continuity Planning: What Difference Will It Make to Business?

Pat Moore
NFPA Technical Committee
Vice President, Business Continuity Education, Strohl Systems

Amy Sebring, Moderator
EIIP Technical Projects Coordinator

Amy Sebring: Welcome to VFRE 2000 and the third session in the Emergency Management Track, the new NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs.

Monday we looked at the history and future development of the standard with the NFPA Technical Committee chair, Lloyd Bokman, and Committee member, Bob Fletcher. Yesterday we focused on the requirements of the standard with Committee member Dean Larson. Transcripts of both sessions in an easy to read format are accessible from the session pages in the Exhibit Hall.

Today we will focus on the private sector in a session entitled "Implications for Business Continuity Planning: What Difference Will It Make to Business?" The background page for this session is found at http://www.vfre.com/presentation21/private.htm

Today we will get into more detail about business continuity planning and it is my pleasure to introduce our speaker, Ms. Pat Moore. In addition to being a member of the Technical Committee during development of the standard, Pat is Vice President, Business Continuity Education for Strohl Systems.

Ms. Moore has extensive real world experience and expertise in disaster recovery, business/ service resumption and continuity planning, as well as property restoration and loss mitigation. During last year, she was inducted into the Contingency Planning & Management Hall of Fame, and received the FEMA Project Impact "Outstanding National Business Person" Award.

Welcome, Pat; I turn the floor over to you now.

Pat Moore: Thank you Amy. I am pleased to be with VFRE this afternoon to talk about business continuity planning. Singular, isolated business or service disruptions as well as large-scale, community-wide disasters have shown us that a well designed and tested organization-wide recovery and continuity of operations plan must be in place.

The frequency and severity with which singular and regional disasters are occurring today prove that planning for the emergency response phase of disaster recovery alone is simply not enough.

As organizations, whether they are a fire department, emergency management agency or private sector business, look to extend their recovery planning efforts beyond the life safety and emergency response incident management issues, and move beyond data center and critical applications recovery concerns to address 'continuity of operations', organization-wide planning can seem overwhelming. There are, however, certain planning elements that are common to all public and private sector organizations, no matter how large or small.

This session will address the critical elements of business and service continuity planning and will concentrate on the following issues:

* Defining business / service continuity planning

* Expanding emergency response plans to address continuity of operations issues

* Utilizing NFPA 1600 as a benchmark for continuity of operations plans

* Incorporating a business / service impact analysis into hazard / risk assessments

* Business continuity plan construction, implementation, maintenance and exercise

A great deal of progress has already been made in the field of disaster recovery and business continuity planning within the private sector (especially within the Fortune 1000 companies worldwide). NFPA 1600 is actually the first FORMAL benchmarking standard that an organization of any type or size can use to begin and guide them through their process.

There are industry 'best practices' documents such as those developed by the Disaster Recovery Institute International headquartered in the United States, and the Business Continuity Institute headquartered in the United Kingdom, but this is the first real 'standard' in our industry.

We all know that life safety issues from an emergency response standpoint will always be the 'first' priority in planning and response. But even public sector organizations such as fire departments and police departments as well as other government agencies, must also consider themselves a 'business' in what they do and plan to recover their own functions and processes in order to be able to deliver their emergency management services.

Also, it is important to address the 'continuity of operations' issues that allow a business or government agency or institution to continue to do what it is they do to generate revenue, provide services and help keep the economic dollars in the community.

Because there are so many interpretations of the terminology regarding disaster recovery and business continuity planning, NFPA 1600 has tried very hard to define those terms. In the private sector, the term disaster recovery relates mainly to the recovery of critical information systems and technology. The term 'business continuity planning’ relates to a process that defines the procedures employed to ensure the timely and orderly recovery, resumption and continuity of an organization's business cycle, through its ability to execute plans with minimal or no interruption to time-sensitive business or service operations.

Documented Plan Components must include (at minimum):

A successful planning methodology, that will assist you not only in recovering, but ensuring continuity of your core, strategic, revenue-generating business and service units, operations and processes, as well as their important administrative or staff support business units, and should include (at minimum):


Prevention addresses the positioning of those measures and activities that will lessen the possibility or the impact of an adverse incident occurring in your organization. The primary goals and objectives of the Prevention phase of a business continuity program are to protect the organization's assets and to manage risk.


Response is the reaction to an incident or emergency to assess the damage or impact and to ascertain the level of containment and control activity required. In addition to addressing matters of life safety, Response also addresses the policies, procedures and actions to be followed in the event of an emergency.


Resumption refers to the process of planning for and/or implementing the resumption of only the most time-sensitive business operations immediately following a disaster.


Recovery is the process of planning for and/or implementing expanded operations to address less time-sensitive business operations immediately following an interruption or disaster.


Restoration is the process of planning for and/or implementing procedures for the repair or relocation of the primary site and its contents, and for the restoration of normal operations at the primary site.

Step 1: Project Initiation -- When developing your business / service continuity program, you will need to determine its objectives, gain senior management support, and allocate the necessary time and resources to develop, exercise and maintain the plan. Your plan's objectives should include:

As you begin to develop the plan, the following assumptions should be defined:

As you conduct your review, you will probably find that some levels of recovery planning exist in some business / service units. For example, the Safety / Security, Facilities, or Vital Records departments may have plans in place to recover their own operations.

In many cases, the Information Systems or Information Technology department will have a documented contingency plan for information systems / technology functions. It is important to integrate these independent plans so that all critical and interdependent components are in place to ensure a successful recovery.

Can you expect to recover everything? Can each department's or business unit's needs be considered the number one priority? Of course not. What are the real priorities? What is the cost of risk to your organization or community? (Cost of risk is a way of measuring the degree of risk by examining several of the worst possible loss scenarios.)

Step 2: Business Impact Analysis -- A Business Impact Analysis is a proven method of determining this cost of risk by identifying the impact of business or service disruptions, and helping you to target those operations and processes which require recovery planning.

A Business Impact Analysis will identify financial and operational impacts -- when they begin and when they're most severe, for example:

The key steps in conducting a Business or Service Impact Analysis are:

  1. Define the assumptions and scope of the project;
  2. Develop a survey to gather the needed information;
  3. Identify survey recipients and provide needed education;
  4. Distribute the survey; collect and review responses;
  5. Conduct follow-up interviews where needed;
  6. Modify survey responses based on interviews;
  7. Analyze survey data;
  8. Verify results with business/service unit management; and
  9. Prepare a report -- present findings to management.

Today's automated technology can greatly expedite the data gathering and analysis process and help you present the information to senior management in professional charts and graphs that clearly indicate the analysis results.

Step 3: Plan Construction - When you've completed your Business or Service Impact Analysis, you will be ready to develop your recovery strategies and build your business / service continuity plans. Consider the following when building your plans.

Note: This particular checklist encompasses only a portion of the business/service continuity planning effort and does not address specific manufacturing, research and development or distribution issue.

Step 4: Exercising and Maintaining the Plan - The litmus test for any business / service continuity plan is that it works when executed. To ensure your plans work, exercise them. Make certain that the logistics, procedures and tactical strategies you developed are sound.

Plans must be exercised to determine whether:

The information contained in a business/service continuity plan must be kept alive. Organizations are constantly changing --- businesses are acquired, merged and divested; new operations and processes begin, some cease; people leave, are hired, promoted, etc.; customer commitments and supplier relationships change; locations change; responsibilities change; priorities change; etc., You cannot rely on outdated information...

In today's constantly changing environment, where people are often asked to do more with less, it's a challenge to maintain a living plan. Although you may maintain the text portion of your plan, such as corporate or government agency policy in a word processing document, if a disaster occurs, you don't want to have to be searching through a manual looking for action lists, notification procedures, critical resource information, etc. It is important for those individuals doing the actual planning and plan implementation and execution to look to today's' automated planning systems for assistance.

NFPA 1600 addresses the basics of this planning information. This is a very quick overview of business continuity planning issues and I will be happy to try and answer questions at this point. There are many more BCP issues we have to deal with in our e-business and web-based planning.

[Q&A with Audience]

Amy Sebring: Thank you Pat. That is very valuable information. We will now move on to our interactive portion. Please try to limit your questions to the scope of today's presentation, that is, the implications for the private sector. We will have two more sessions this week; one tomorrow on the government emergency management program aspects, including the current status of the EMAP accreditation program, and a wrap up group discussion on Friday.


Stephen Walsh: How do you quantify monetary savings to a business that is considering NFPA1600?

Pat Moore: If you are referring to the impact of a disaster upon your business, it is important to identify what the loss of key operations and functions and processes will mean to the bottom line.

In addition, a business will be looked at very closely by its stakeholders and trustees as to what senior management is doing in the way of due diligence and 'duty of trust' in protecting the assets of their business.

Stephen Walsh: "Duty of Trust" sounds great, but 'How Much' is the question, I anticipate. Comment?

Pat Moore:If you are asking how much BCP costs, it all relates to the scope of the project. Perhaps an organization will find its greatest vulnerability in their data center or manufacturing operations. They have to decide, based on the financial and operational impacts of a loss whether they want to do full blown planning for the whole organization, or do recovery and mitigation instead using better loss control, etc. The business impact analysis will clearly define what their 'cost of risk' is if they don't do it.


Bill Karl: Does business continuity planning use the Incident Command System?

Pat Moore: Most business continuity plans today, within the private sector, include in their emergency response plans, the coordination with ICS. At most of our private sector industry conferences, we provide courses through the DRII on ICS, taught by CEMs to make the private sector more knowledgeable in understanding ICS.


David Crews: Pat about 80 percent of business is small. The type of planning you have covered requires the resources of a much larger business. What would be a good strategy for businesses with less than 25 employees and do not have the resources on the scale you recommend? Also, many of the smaller business must resume operations within 15 days just to keep the doors open. I work with SBA on these issues all the time in Presidential Declarations. There is also the matter of Disaster unemployment.

Pat Moore: I don't know that figure you are quoting about 80% of most businesses being small, as we look at the global economy today. But even small companies with less than 25 employees can easily follow the guidelines in NFPA 1600 themselves, without costly consultants, and even use the checklist I just gave you to follow - much like they prepare their homes and families for evacuation.


Derri Hanson: How would you market this program?

Pat Moore: If you are asking me how you would market it to a 'company' rather than a government agency, it is always important to start 'at the top' and get senior management commitment or at least a sense of understanding. I always suggest when you are talking to a senior management individual, COO/CEO/CFO, you talk in language they can relate to; such as board room issues of how are they protecting the company's or organization's assets, public image, etc. They will usually respond very well to that kind of language.

Also today there are many examples out there of what happened to company's and their officers and director's who didn't have a continuity of operations plan in place. Another good way of getting this message across is through internal or external auditors who are reviewing a company's plans, much like they did with Y2K.

In addition clients today, even small companies, are looking at the plans of their 'suppliers' and if their suppliers don't have a good contingency plan that addresses their needs, the client finds another supplier. A good example of this is in the automotive industry, e.g. the General Motors strike where the automotive industry established QS 9000 - A FORM OF CONTINGENCY PLANNING requirement for suppliers to that industry.

If you are talking about 'small business', e.g. a Pizza Hut, or a dry cleaning establishment - talk to the owner about how much business they would lose if their customers went to the competition a mile away because they were closed. There are some very basic things a business (even small) can do to plan for continuity of operations - just like they would plan to evacuate in a flood.


Amy Sebring: Pat, I am sorry but we have another session following this. I am sorry but we are going to have to end there; if we did not have time for your question please see the background page and contact information for Pat.

Pat Moore: Feel free to contact me at pmoore@strohlsystems.com or (800) 634-2016 x 306.

Amy Sebring: Thank you very much Pat for your time and effort today. Before I ask the audience to express their appreciation,

Tomorrow, Eric Tolbert and Emily DeMers, NEMA Emergency Management Accreditation Program and Gunnar Kuepper, IAEM will be with us to look at the implications for government programs.

Next VFRE session starts at 2 p.m. EDT in the HAZMAT track, Hazardous Materials Personal Protective Equipment -- Bernie A. Edmondson, Special Operations Coordinator, Fort George G. Meade Fire Department, and Gary Warren, Field Instructor, Maryland Fire & Rescue Institute.

Our thanks to all our participants today and to VFRE for inviting us to host the Emergency Management Track. Now please help me thank Pat.