Our mission is to safeguard people, protect property, minimize business interruption, and protect reputations.

Our vision is to thoroughly understand each client’s business and become a long-term trusted adviser.

https://preparednessllc.com
info@preparednessllc.com

781.784.0672

Monday, November 19, 2018

Practical Tips for Continuity Planning

Don Schmidt presented “Practical Tips for Continuity Planning: From Impact Analysis to Executable Strategies and Plans” to the Safe+Ready Institute’s 2018 Virtual Summit.


Tips (and lessons learned) from decades of business continuity planning were shared including:
  • Importance of management support and identifying who needs to be involved in the planning process
  • Planning Scope, Assumptions, Limitations, and Scenarios
  • Tools & Techniques for Business Impact Analysis (BIA)
  • Risk Assessment: It’s not just for emergency planning
  • Continuity Strategies: Focus on Priorities
  • Resources, Resources, Resources
  • Continuity Plan: Putting it all together
  • Incident Management: Concept of Operations
  • Training, Testing & Exercises
  • Program Development Resources

The presentation can be viewed here, and the recorded webinar can be viewed on the Safe+Ready Institute’s website here. While you’re visiting the Preparedness, LLC website, be sure to check out the program development resources and Preparedness Bulletins.

Thursday, November 1, 2018

Suspicious Packages

Over the past week, U.S. politicians, high-profile individuals, and CNN were targeted with suspicious packages/letters at their homes or places of business. These packages, each appearing to contain a bomb, were a coordinated attempt to spread fear, injure the intended recipients, and cause destruction. Since the days of the "Unabomber" in 1978 and the anthrax-containing letters sent to members of Congress in 2001, the potential dangers of threats perpetrated by mail have been realized.

What is a suspicious item? 

A suspicious item is any article (e.g. package, envelope, bag, vehicle, etc.) that is reasonably believed to contain explosives, an improvised explosive device (IED), or other hazardous material that requires a bomb technician and/or specialized equipment to further evaluate it. Examples that could indicate a bomb include unexplainable wires or electronics, other visible bomb-like components and unusual sounds, vapors, mists or odors.

Anything that is Hidden, Obviously suspicious, and not Typical (HOT) should be deemed suspicious. In addition, potential indicators for a bomb are threats, placement, and proximity of the item to people and valuable assets.

The term Improvised Explosive Device (IED) has long been associated with war, but easy access to instructions and ingredients has resulted in numerous incidents involving the use of IEDs in the United States. IED attacks remain the primary tactic for terrorists seeking a relatively uncomplicated, inexpensive means for inflicting mass casualties and maximum damage. A series of bombings in Seaside Park, NJ and New York City in September, 2016 targeted a charity race and a Manhattan neighborhood. Unexploded devices including a pressure cooker were found at both the New Jersey and New York City bombing sites.

Differentiating Between Unattended and Suspicious

Not all unattended items are suspicious. An unattended item is an item of unknown origin and content where there are no obvious signs of being suspicious.  If not suspicious, there is no need for facility search or evacuation.
Evaluate the item using the U.S. Postal Service "Suspicious Mail" poster (below) to determine if it meets "suspicious" criteria. Consider the placement of the package and its proximity to people and valuable assets and the current threat environment. Consider the following factors:
  • Was any suspicious activity reported when the package was left or discovered?
  • Have any threats to the receiving organization or similar organizations been reported?
  • Is the unattended package or bag consistent with those normally expected to be found in the building?
  • Does the unattended package or bag have any external indicators consistent with a suspicious package?
If the package is not considered an immediate threat to health or safety, record the name and address of the addressee and sender; post office codes, stamps, and cancellation date; and any other markings or labels. Contact the addressee to determine if the package was expected.


Figure 1. Suspicious Mail Poster 84 (U.S. Postal Service)

Emergency Response to Suspicious Packages

If a package is deemed "suspicious," the following action should be taken:
  • Notify security that a suspicious package has been detected. Alert everyone in adjacent areas that a suspicious letter or package has been found and direct them to clear the area. 
  • If the suspicious item is believed to be a bomb, evacuate the building. 
  • Anyone in contact with any powder or substance believed to have been released from the package should seek decontamination immediately and should segregate from others not exposed. Shut down the building's ventilation system if shutdown can be done safely.
If the package is not deemed an immediate threat to health or safety, document the reasons for identifying the package as suspicious. Without making direct contact with the suspicious item, record all available information from all sides, including the name and address of the addressee and sender; post office codes, stamps, and cancellation date; any other markings or labels found on the item; and any other peculiarities (stains, tears, tape, flaps not glued). If possible, photograph the item from all sides without moving it. Contact the addressee to determine if the package was expected.

If the package cannot be verified as legitimate within a reasonable period, notify police.


Emergency operations plans should include instructions for employees as well as those responsible for managing emergencies. Procedures should be clear and concise and align with your organization's incident management system. Figure 2 is an example from Preparedness, LLC's flowchart-based emergency operations plans. Flowcharts, hazard precautions, and defined roles and responsibilities are compiled in hard-copy and digital format with hyperlinks for quick navigation to all related guidance.


Figure 2. Emergency procedures flowchart from Preparedness, LLC's emergency operations plan.



Wednesday, September 26, 2018

National Preparedness Month

 

September is National Preparedness Month

 



 

National Preparedness Month serves as an annual reminder to review your organization's preparedness program: loss prevention and hazard mitigation, emergency preparedness, business continuity, information technology disaster recovery, and crisis management including crisis communication.

 

Ten Critical Preparedness Program Elements

 

1. Program Management: Senior management commitment, direction and support are critical for any program. Management must have a clear understanding of risk, identify/confirm preparedness priorities, ensure that adequate and capable resources are available, and ensure the program can be executed on a moment's notice. Those vested with the authority for all aspects of the program must also have the knowledge, skills and abilities to undertake this task.

 

2. Risk Assessment:  Understanding hazard, operational, and reputation risk is essential to plan loss prevention, hazard mitigation, response and recovery efforts. A comprehensive risk assessment should identify hazards, their potential magnitudes, assets at risk and their vulnerabilities, and potential impacts on people, property, business operations, the environment, and your reputation and relationships.  Comprehensive guidance is provided in our Preparedness Bulletin: Risk Assessment.

 

3. Business Impact Analysis: Prioritizing business processes by revenue, profit, or importance to the organization's mission helps define the scope of business continuity planning. Costs and impacts on customers, along with identification of the people, facilities, systems, equipment, technologies, information, and supply chain required to execute priority processes, define the requirements for continuity strategies. Guidance is offered in our Preparedness Bulletins: Business Impact Analysis as well as Supply Chain Risk.

 

4. Resource Needs Assessment: AEDs, emergency generators, alerting, warning and communications systems are examples of resources. People are your most important resource. Information gleaned from the risk assessment and business impact analysis, regulations, and decisions about the level of response and recovery time for priority operations should help define resource needs. Without adequate resources, response and recovery efforts will be delayed or may fail.


5. Prevention & Mitigation: A fire that is quickly detected and suppressed by automatic systems should not jeopardize life safety and should minimize business interruption. Multiple, protected connections to internet service providers that enter the property and building from opposite directions can provide high availability of connectivity to applications and data in the cloud. 

 

Prevention and mitigation begin with land use planning, building and process design and protection, and validation of proper installation. Safety, including physical, operational, and information security, and environmental protection programs are essential. Ongoing inspections, testing, maintenance, and training of these systems are critical to maintain up-time and minimize failure and downtime. 


6. Emergency Preparedness: Emergency preparedness requirements vary based on location, type and size of building, hazards within or on-site, and many other factors and variables. Different threats or hazards require different capabilities. Protective actions for life safety (e.g., evacuation, sheltering, lockdown, and "run, hide, fight") vary based on the nature and location of the threat or hazard. Determining whether it is necessary to organize and train teams for medical response, firefighting, and hazardous materials response depends on regulations, severity of the threat or hazard, and the availability, capability and response time of assistance. Read Preparedness Bulletin: Protective Actions for Life Safety.


7. Business Continuity: Does your business continuity plan prioritize the recovery of your business processes? Are the resources required for executing continuity strategies available when needed, and will they support the strategy to the extent needed? Does the plan define strategies for prompt reporting of an incident, alerting of team members, declaring a "disaster," and executing the plan at any time, day or night? Are there manual workarounds to be employed when technology fails? Guidance on these issues is provided in Preparedness Bulletin: Business Impact Analysis.


8. Information Technology Disaster Recovery Planning: Is all vital information backed up? Are employees complying with your information security policy? IT disaster recovery planning begins with ensuring all vital records are backed up and restorable in the event the facility is destroyed. Vulnerabilities and potential failures of computing and information backup strategies should be assessed. Physical protection and security of server rooms, equipment, and information is essential. Protection of infrastructure supporting server rooms including power, connectivity, and climate control should be commensurate with the importance of the technology to the organization's mission. 


9. Crisis Management and Crisis Communications: A crisis is a low frequency, high impact situation with many potential causes: a physical incident at a site, allegation, employment practices, product or service issue, criminal activity, information security breach, geopolitical events, or litigation. A crisis has the potential to cause very significant impacts on the corporation, its security, financial standing, reputation, and relationships with stakeholders. Are processes in place to identify and report issues that surface as well as events that occur? What are the potential issues and what are the current and potential impacts on stakeholders? Who constitutes the crisis management team? How will the crisis be managed, including the execution of communications strategies?


10. Testing, Training & Exercises: If a major incident were to occur, would employees know how to protect their own safety? Would team members be able to carry out their assigned responsibilities? Would the resources and procedures for continuity and recovery work? Testing of continuity and recovery strategies for IT and business processes as well as testing of any physical resource (e.g., a generator) is essential to ensure reliability in time of need. Basic training for all employees to protect their safety and security as well as protect the organization and its physical, digital, and intellectual property is essential today. Every team member needs training so they can execute their job on the emergency, continuity, or crisis management team. Exercises are needed to evaluate plans and capabilities, and to familiarize those responsible for executing the plan.

 

Help make your organization more resilient: conduct a self-assessment of your preparedness program using our Comprehensive Self-Assessment Checklist.

This checklist is based on NFPA 1600, our National Preparedness Standard, and references important regulations.

 

 

Be sure to check out the hundreds of curated links to preparedness resources provided on our Resources Page.

Thursday, July 5, 2018

Crises On The Rise


Is your organization prepared?

Deloitte conducted a survey [1] of over 500 senior crisis management, business continuity and risk executives. Findings from this survey indicate respondents believe that crises are on the rise, making it necessary for them to be ready to respond quickly and appropriately. This includes plan implementation, testing and rehearsing for these threats.
From the “less visible” events such as cyber-attacks, financial fraud and corruption, and internal safety concerns, to the visually alarming emergencies caused by weather-related events, facility disasters or terrorist events, 80% of organizations have had to mobilize their crisis management teams at least once in the past 2 years.
These crises can have a devastating effect on a company’s financial performance, employee morale, sales and reputation.  Thanks to the proliferation of social media, what was once an accident or minor incident, is now displayed, sometimes within minutes of an incident, for all the world to see.  It is important for an organization to get out in front of an occurrence to maintain the confidence of all stakeholders.
But are organizations truly prepared to implement a crisis communication plan?  While the vast majority of those who responded to this survey do have some sort of crisis management plans in place, it is clear more needs to be done.  Findings from the survey revealed that:
  • Confidence outstrips preparedness.  Companies are more confident in their ability to manage a crisis than their level of preparedness indicates.  Nearly three quarters of the survey respondents felt confident in their organizations’ ability to deal with a crisis, yet only half of these companies have plans in place, and just under a third have run simulation exercises.
  • Experiencing a crisis drives organizations to avoid them. Nearly 90% of the survey respondents indicated they have conducted internal reviews following a crisis. They recognize the need to respond to threats before they happen by detecting the early warning signs, investing more effort in prevention, and identifying potential crisis scenarios.
  • Leaders need more development for crisis management.  Leading during a crisis is vastly different than leading during normal times.  It is critical that strong leadership skills and situational awareness are well developed.
  • Being prepared significantly reduces the negative impact of a crisis.  Having board members and senior management committed and involved in the creation of a crisis management plan and participating in simulations/exercises increases effectiveness of the implementation.  Overall, about a third of organizations with a crisis plan in place report finances have been negatively impacted during a crisis, while that number jumps to nearly half of the organizations surveyed if no plan is in place.
  • While third parties may be part of the problem, they can also be part of the solution.  Many crises may be triggered by suppliers or other partners.  And these critical service providers should be involved in crisis planning.  Bringing in outside advisors, identified in advance of any crisis, such as lawyers, PR firms, or other specialists, can help in managing a crisis.
The frequency and causes of crises are not likely to diminish. There is a constant barrage of potential attacks from a variety of sources just waiting to pounce on the next victim. Preparing your organization to be ready for any crisis is best handled when the board of directors and senior management are committed and initiate the planning. The appropriate personnel must then be tasked with executing the planning, implementation and simulated exercises, testing those in the organization who would be involved in an actual crisis. Most organizations must overcome several challenges to be ready to navigate a crisis; however, following these recommendations will go a long way towards making your organization more resilient and able to handle these crises as they arise.
Preparedness, LLC has many solutions to help your organization create and implement a crisis management program.  Visit our Crisis Management page to learn more about what we can do to help your firm plan for the unexpected.
Preparedness, LLC also offers capabilities to help your organization evaluate your preparedness program. Download our Self-Assessment Checklist and check out our comprehensive solutions to prepare your organization.



Tuesday, June 26, 2018

National Lightning Safety Awareness Week June 24-30


"When Thunder Roars, Go Indoors"

Illustration of how the threat of lightning increases as a thunderstorm approaches. The exposure to risk reaches a peak when the storm is overhead, and then gradually diminishes as the storm moves away.

According to the National Weather Service, 16 Americans were killed by lightning in 2017. This is the fewest annual deaths by lightning strike since tracking these deaths began in the 1940s.

That is the good news.  The bad news is that while 10% of people who are struck by lightning are killed, the remaining 90% usually suffer life-long debilitating effects. 

Clearly, campaigns such as Lightning Safety Awareness Week are having a positive effect on society's recognition of the danger of thunderstorms. As a result of this awareness, policies at sports and recreational organizations have become safer.
        
There is no such thing as a safe place outdoors when thunderstorms are in the area. The only safe thing to do is to go indoors and wait out the storm. If you can't shelter inside, sheltering in a motor vehicle with windows up is the next best option.  Avoid parking under trees. 

If thunderstorms are forecast, have a plan in place so that you have an indoor venue to retreat to, then continue to watch the sky for signs of an impending storm. Once inside, avoid corded phones, electrical appliances and plumbing, as these can conduct electricity in case of a lightning strike.

Read more about how to prepare for these storms by protecting your property and people in the Preparedness Bulletin: Thunderstorms, Lightning and Tornadoes.

Thursday, August 24, 2017

Tropical Storm Harvey Bearing Down on Texas Coast



Tropical Storm Harvey is bearing down on the Texas Gulf coast. Heavy rainfall reminiscent of Tropical Storm Allison is forecast along with coastal storm surge and high winds.
Cascading impacts from damage to critical infrastructure including electrical power, telecommunications, and transportation are possible. 

Hazard mitigation can substantially reduce the damage caused by hurricanes. Property insurer FM Global compared the loss history of its policyholders that implemented its loss prevention recommendations with those with outstanding recommendations to complete. FM found that those policyholders that fully implemented its preparedness recommendations had on average 75% to 85% lower dollar losses than those policyholders that did not implement such measures. 

Preparedness, LLC’s 7-page Preparedness Bulletin provides extensive guidance for mitigating hurricane hazards, organizing a team for storm preparedness and response, developing a preparedness and recovery plan, and planning for business continuity and family support. 

Program Development Resources: All Preparedness Bulletins are posted to our website. Be sure to check out the hundreds of links to program development resources and download the program self-assessment checklist based on NFPA 1600.

Thursday, August 10, 2017

Hurricane Preparedness


NOAA's updated 2017 Atlantic Hurricane Season Outlook indicates that an above-normal hurricane season is most likely, with the possibility that the season could be extremely active. Hurricane season began on June 1, and the statistical peak of activity is mid-September.

No matter the forecast for number of storms, major hurricanes, and land-falling hurricanes, it only takes one storm to cause many deaths and billions in damages. "Superstorm" Sandy was not technically a hurricane when it made landfall, but it caused billions in damages. Recovery efforts continue years later.


Hurricane hazards include damaging wind, hurricane-spawned tornadoes, flooding from heavy rainfall, and coastal flooding from storm surge. Cascading impacts result from damage to critical infrastructure including electrical power, telecommunications, and transportation. Hurricane Katrina proved that these cascading impacts include widespread supply chain disruption.

Hazard mitigation can substantially reduce the damage caused by hurricanes. Property insurer FM Global compared the loss history of its policyholders that implemented its loss prevention recommendations with those with outstanding recommendations to complete. FM found that those policyholders that fully implemented its preparedness recommendations had on average 75% to 85% lower dollar losses than those policyholders that did not implement such measures.

This 7-page Preparedness Bulletin provides extensive guidance for mitigating hurricane hazards, organizing a team for storm preparedness and response, developing a preparedness and recovery plan, and planning for business continuity and family support.
