Tag Archive for emergency preparedness

Failure and Rescue

So, even though I opened a Twitter account about 2 years ago, this week I decided to start really using it.

I tweeted a thing or two to the 3 people following me.  It was fun, but a lot like talking to myself, which, I sometimes do.

Then, I started looking for people and organizations that I wanted to follow.  Some in sports, some in entertainment, a few friends I found, and even some in the field of business continuity and crisis management.  I also found Eric Greitens whose book, “The Heart and the Fist” I had recently just finished reading – a read I highly recommend to all.

Today, one of Eric’s tweets included a link to this article in The New Yorker – “Failure and Rescue”.  I think this article has a profound message for everyone in all walks of life, but I also think it has significant meaning to business continuity, disaster recovery and emergency response planners.

I recently posted a few blogs about the need to have plans that are flexible and provide the framework for decision makers to change the plan when needed – which, in my mind, will be always for any situation that occurs.  In this article, Atul Gawande, presents this message much better than I ever could.  His concept of rescuing the plans is, in my mind, brilliant.

There is no need for me to try to recap the article for you; I would “fail” miserably in my attempt.  So, I simply suggest you read it for yourself.  I believe you will be glad you did.

And then, to thank me, you can “follow” me on Twitter @jpflach.  ;-)

Preparing for the London Olympics

I am assisting a client in developing contingency plans for their London offices in preparation for the upcoming 2012 Olympics.  We are researching possible risks, threats and disruptions based on past Olympics and past London-area events.  And, believe me, there is plenty of material there to raise a concern.

In this process we have developed two paths of recommendations: Precautionary Strategies and At-the-Ready Contingencies.

Precautionary Strategies are actions we recommend be taken to lessen the possible impacts of disruptions that are likely to occur.  These actions require no triggers to enact; we recommend following this course of action simply as a matter of business during the Olympics.

Precautionary Strategies include:

  • Scheduling work-from-home times where the capability already exists and the disruption to work flow negligible.
  • Rerouting business processes to non-London offices where this can be easily accomplished and does not stress the remote offices work flow.
  • Utilizing facilities outside of the Olympic parameters where possible.  This may include working out of their business continuity work sites if this can be managed at little expense.

Precautionary Strategies will be temporary, low cost, easy to implement and low disruption activities that can remove some of the stress that the Olympic events may cause.

At-the-Ready-Contingencies are more of your typical business continuity solutions that will be engaged only if threats and disruptions occur.  These actions will include identified triggers that must be monitored and tracked throughout the Olympics.  Most of these strategies, hopefully, are already in place as part of their existing Business Continuity Program.

The London Olympics will certainly disrupt the commuting processes to London area businesses and introduces a threat of civil disorder, terrorist activity, and security breaches.  London area companies should be well aware of the Olympic footprint and understand the traffic flows that may interfere with their employee’s commutes.  And, these interruptions and threats will exist for pre-Olympic activities as well as for the Paralympics that follow.

Where possible, we believe London area businesses should evaluate the possibility of minimizing their London-based business activities during this event to lessen the possible impacts to their firms.  Wherever you can take precautionary steps at low expense, it might be advisable to do so.  And, of course, you should brush the dust off your Business Continuity Plans and ensure that your recovery strategies are still viable given the risks this event incurs.  For example – if your alternate site locations are also within the Olympic footprint, you may need to establish a temporary other location during this event.

Certainly, there will be plenty of security provided and lots of precautions and contingencies put in place by the local and national authorities.  Be sure you are aware of these plans and make sure that your plans will work within the parameters provided.

We hope for a smooth and exciting Olympics in 2012 – let’s just hope all of the excitement is on the athletic fields and within the competitive framework of the games.

Conducting a Test – Yes, a “Test”

Yeah, I know, I know … we don’t have “tests” we have “exercises”, because tests imply pass/fail and exercises imply getting stronger.  Yeah, I used to sing that same silly song, too.

I now understand that there are times when you need to test; times when you need to drill; and, times when you need to exercise.  You do need to test your solutions to make sure that they do, in fact, work.  You do want to know if you can “pass the test”.  You may refer to these as validation tests.

I’ll take it a step farther and would even like to see us test the people.  I think it would be great to gather our key business continuity players, managers and employees into a room and give them a regular, school-like, no. 2 leaded pencil, don’t start until I tell you to, and put down your pencils when instructed, actual tests.  Why not?

I would like to ask key players and managers questions that they should know about our Emergency Preparedness, Business Continuity and Disaster Recovery Programs.  These questions might include:

  • If the fire alarm went off right now:
  • What would you do?
  • Where would you find evacuation routes posted?
  • Where would you congregate once outside of the building?
  • Who are your floor wardens?
  • If you received a bomb threat on the phone, what would you do?
  • If you got a call at 2:00 am that the building had burnt down…
  • What would you do?
  • Who would you call?
  • Where would you go to work?
  • Where would you find your Business Continuity Plan?
  • If the Data Center experienced a disaster…
  • What applications that you use would be recovered?
  • In what timeframe?
  • What would be the status of the data?
  • What applications would not be recovered?
  • What business processes would you be expected to continue?
  • What business processes would be temporarily suspended?
  • If you do not know the answers to any of the questions on this test, where would you go to find them?
  • If we experienced a disaster and you weren’t available to participate in the recovery, who has been trained to play your role?  Have you trained them to be successful in this effort?

I could go on, but I want to try to make this an interactive blog and challenge you to post the types of questions you would want to include on this pencil to paper test.  You can do so by posting a comment to this blog.

You can exercise your solutions all you want.  You can physically recover hardware, applications, data, networks, etc., time after time – but there are some things that people need to know when the alarms go off or your ability to execute your plans will be severely hampered.

How do you think your organization would do if given this kind of test?  My bet is most companies would not fare too well.  There are historical cases where adequate recovery capabilities were in place but the people were not educated well enough to implement these capabilities at time of event.  How better to determine our level of preparedness than to give them a test?

You can exercise and get as strong as you want, but if you can’t pass the test … you will fail.

Office of Disaster Assistance

Here is one more number to include in your Business Continuity, Emergency Response and Disaster Recovery directory: (202) 205-6734.  This is the number for the Office of Disaster Assistance under the US Small Business Association (SBA).  And, despite being administered by the SBA it is available for “businesses of all sizes” according to the Mission Statement included on its website.

If you are not aware of this organization and the things they can do, I urge you to go visit their website.  Check out the page of Current Disaster Declarations to review the events that they provide assistance for.  You might also find some ideas where they could add value to your program by going to their Emergency Preparedness and Disaster Assistance page.

I know many organizations have well developed plans to mitigate losses from disasters; many of you have insurance policies which include loss of business clauses; and, many larger companies have self-insurance reserves to cover losses that may stem from a disaster – but, there still might be circumstances where the Office of Disaster Assistance could be of value.  Anyway, what does it hurt to check them out?

After all, it’s just one more number to add to your directory of resources that could provide assistance; you don’t have to commit to calling it if you don’t need them.

Disasters, Disasters, Disasters

One of the challenges that Business Continuity and Disaster Recovery Planners have had to face over the years is in dealing with a largely apathetic business community.  Many of the management personnel we try hard to work with just do not buy into the belief that a disaster is likely to occur – or, at least – not during their time in the position, so why invest time and resources to plan for an unlikely event?

In this day and age, that is dangerous thinking.

I have written a few blogs over the past month about real events that have recently impacted the business community – the threats are real; the impacts are meaningful.  Safe Harbor Consulting alone has received numerous calls from companies that have been impacted by these events – even if just impacted by having to prepare for potential losses – realizing the need to update, expand and improve their emergency response and business continuity plans and posture.

It used to be that I would search for disaster related stories on the internet to try to validate the work we do, but now all you have to do is look at the top news stories for the day.

Today, for example, some of the top news stories on Yahoo include:

A Google news search, in addition to similar headlines, includes:

And these are just the top news stories for a typical day.  Each of these events have the potential of causing some sort of business interruption or impacting the workforce in some way for companies in the vicinity of the event.

These stories range from the scary (earthquake) to the sublime (satellite falling to earth), but they all have crisis management, emergency response and potential business continuity concerns.

We can no longer pretend that the threats are not out there.  And, we as professional planners can no longer use the excuse that management just does not appreciate the need for planning – it is our job to make them understand the need for planning!  So, let’s get out there and do our jobs.

I almost hate to see what tomorrow’s headlines will bring!

Emergency Preparedness for Airlines

For the past 3+ years I have had the opportunity and privilege to work for a US airlines, responsible for their Business Continuity and Emergency Preparedness programs.

Emergency Preparedness for airlines is a completely different animal than what most of us are used to.  An airline’s Emergency Preparedness program is focused on one particular event – an airplane accident.  Rules, regulations and guidelines issued by the National Transportation Safety Board (NTSB) and the Aviation Disaster Family Assistance Act of 1996 stipulate exactly what is expected from airlines in their response to an accident resulting in the deaths of some or all of their passengers.

Airlines are required to immediately lock down all records and documentation that has anything to do with the aircraft(s) and personnel who operate and/or maintain the aircraft(s); immediately perform drug testing on all surviving individuals who may have operated or maintained the aircraft(s); make available a team of experts on the operation and maintenance of the aircraft(s) involved to assist the NTSB in its investigation of the cause of the accident; and, most importantly, provide immediate care and assistance to the families of the passengers and crew aboard the aircraft(s).

These requirements make it essential that airlines can quickly notify and mobilize a large number of employees (depending on the size of the aircraft(s) involved in the incident) to the accident site (or as close to the site as possible), for employees involved in the investigation; near the accident site, for families to gather, a little distanced from the actual site; at the originating and destination airports, where family members may already be or may originally gather; and, perhaps, at upline and downline airports for passengers that had connecting flights.

The operating airline must provide resources and accommodations for a number of governmental and other support organizations (NTSB, American Red Cross, FEMA and others) to set up operations near the crash site; provide accommodations and transportation for all families who wish to travel to the nearby site location, as well as to provide compassionate assistance to families who decide to remain in their home locations.

There are other requirements regarding the dissemination and security of information released to agencies, families, the media and the general public; investigation logistics; legal matters and other concerns.

The airline must also concern themselves with the fact that now that they have a large number of their employees dedicated to the accident response for days, weeks and in some cases, months, they still have an airline to safely operate with a now depleted workforce who is likely stressed and emotionally impacted by the event.

Without getting into the gory details about how all of this works and the challenges the airlines face, suffice it to say, this requires a lot of planning, education and testing of the process and procedures.  Those employees who volunteer to assist in providing family care must be trained and participate in annual refresher courses.  Those employees targeted to manage the response process in the airline’s Corporate Command Center and at the accident site, must be trained and participate in annual exercises.  Station management and staff, any of whom might be called on to set up Family Assistance Centers at their airport must be trained and tested in their responsibilities.  All, a huge undertaking.  And all what makes Emergency Preparedness a different animal at airlines.

Whereas most airlines have a relatively well developed and rehearsed Emergency Preparedness program for this specific incident, I found that they do not have very well developed or rehearsed programs for any other kind of incident that may impact their ability to operate the airlines.  Emergency Preparedness for them has become very myopic.  But, that is fodder for another blog on another day.

Risk Analysis: The Nuclear Power Plant Threat

I am in the process of creating an Emergency Response Facilitated Exercise for one of Safe Harbor Consulting’s prestigious clients who has elected to simulate a nuclear power plant crisis near one of their strategic corporate locations.  My research on this topic has uncovered some rather disturbing information.

Currently, the US standard is to establish an evacuation zone of 10 miles, yet in the wake of the Fukushima, tsunami induced crisis, the US government ordered the evacuation of US citizens within 50 miles of the site.  The Nuclear Regulatory Commission (NRC) suggests that they would do the same should a similar event happen in the US.  Then why not expand the standard evacuation zone that nuclear sites currently are told to plan for?

Furthermore, my research suggest that information concerning the expected time to evacuate from nearby nuclear power plants is based on old and outdated population figures.  This is disturbing to me – what are your thoughts on this?

This web site shows the active nuclear power plants and the population counts nearby.  Realizing how many plants were in the path of Hurricane Irene is pretty scary.  Sure these facilities are hardened and built to withstand most weather and geological threats, but still – a breach at any one of these plants could be devastating.

Now, I do not want to come across as a fear monger – just wondering how many of you include the possibility of evacuation caused by a nuclear power plant compromise as part of your risk analysis?  If doing so, I would use the 50 mile radius precedent established by the Fukushima catastrophe as my measuring stick and not the official 10 mile radius established by the NRC.

Now back to planning the exercise.  Maybe in a future blog I can relate how it went.

Red Cross’ Ready Rating Program

The Red Cross has a neat little web site called the Red Cross Ready Rating Program which helps businesses and schools become better prepared to respond to emergencies.  It is a self guided tool that helps you assess your response posture and provides tips and tools for improving your level of readiness.

Safe Harbor Consulting, of course, wants to assist organizations of all sizes implement, document, maintain and exercise their programs, but a self help tool such as this could be very valuable in starting (and completing, in some cases) the process in smaller organizations or even allow larger organizations to get a better handle of where, exactly, they could use some consulting assistance.

In any case, it might be worth your time to invest a couple of hours in looking at this tool.  It might even give you some ideas on what to do to prepare yourself and your family, a small organization in and of itself, to prepare for disasters.

Good luck.  And, enjoy a disaster-free weekend.

Everyone Has a Business Continuity Plan

Although, as discussed in my previous blog, the terminology is sometimes different, business continuity planning professionals follow a pretty standard, cyclical planning methodology as depicted in this Wikipedia article: http://en.wikipedia.org/wiki/Business_continuity_planning

Even though the methodology is cyclical, first time planners need a starting point and, working under the assumption that the organization they are planning for has no plan in place, they begin in the Analysis Phase.  I suggest that this is a mistake.

Every organization has a business continuity plan – it’s just that some of them have not formalized, approved or documented their plans.  For many of these organizations, by default, their business continuity plan is to respond to the disaster ad hoc and figure out what to do during the crisis.

I believe that planners can get a quicker start in the planning process and stronger management buy in for the need to strengthen and improve their business continuity plans (or crisis management, or disaster recovery, or emergency response plans) if you start the methodology at the testing phase.

By first performing a Table Top Exercise to discuss, with the management teams, how the organization would respond to a business interruption event today, you will quickly understand the planning objectives, assumptions and expectations of the management team.

Through my years of experience I have witnessed, time and time again, the frustration of management teams after months and months of analysis to identify risks, conduct business impact analysis and define recovery requirements, and yet no one has put together the baseline plan of who calls who when the alarms go off.

I think planners have become a victim of our own methodology and have forgotten the importance of first providing a simple baseline response plan before we try to put in the perfect business continuity plan.  I think it is like putting together a football team and designing the playbook with intricate blocking schematics, pass patterns, trick plays, etc., with never teaching the basic football techniques.

Assume a plan exists.  Test that plan and allow your business partner, in the process, to discover the weaknesses and fallacies of this plan and lack of documentation to support it, so that they now better understand the need for planning analysis and we better understand their immediate concerns.

Business Continuity Blog

Welcome to the Safe Harbor Consulting Business Continuity Blog.

I will utilize this blog to discuss, what I hope is, timely and relevant business continuity, disaster recovery, crisis management, emergency response … issues, problems and concerns.

The first thought that comes to mind as I struggle with the wording of my very first blog sentence is to figure out the right label for what it is we do.  All of those terms that I used in the sentence above are thrown out by business continuity professionals sometimes as synonymous terms and sometimes as terms to differentiate between plans and programs with distinct and unique goals and objectives.

How the heck are we to expect executives and management to understand what it is we do when we can’t even agree amongst ourselves how to label these programs?

  • What is the difference between Business Continuity Plans and Contingency Plans?
  • What is the difference between Emergency Response Plans and Crisis Management Plans?
  • What is the difference between Business Continuity and Disaster Recovery?

And on and on and on.

Now I know you all probably have definite answers to those questions – but, are your answers all the same?  And, therein lies the problem.

I am not going to pretend to have the absolute answer to these questions, just merely wish to point out that this inconsistent use of terminology and jargon is an issue that all business continuity professionals must be aware of.  I have often seen planning professionals and their business partners using the same terms but with very different assumptions about what those terms mean, resulting in huge disconnects between what the business community wanted and what the planning professional delivered.

I often spend a lot of time asking my clients to define what those terms mean to them so I can make sure we develop the right programs.  I do not care that my clients conform to my language – just that I create and implement programs that succinctly meet their expectations.

Over time, I think these blogs will begin to define how I usually use these terms and I hope that I do not add to the confusion in the process.

I invite all of you to participate along with me in this forum by adding your comments and thoughts along with mine.

I am looking forward to the challenge and experience of keeping this blog active, relevant and full of timely information and in making it worth your while to come visit us on a routine basis.

Regards,

Joe Flach, CEO, Safe Harbor Consulting