Are You & Your Facility Ready? What’s New in Business Continuity, Personal Resiliency & Preparedness

Mike Thomson Manager, Client Services & Business Continuity Programs

ImpactReady @ ImpactWeather, Inc.

Anthony Pizzitola, CFM, CBCP, MBCI

Facilities & Disaster Recovery Manager

Goode Company

First, what are we solving for ? •Business Continuity Management is defined as a holistic management

process that identifies potential impacts that threaten an organization and

provides a framework for building resilience with the capability for an

effective response that safeguards the interests of its key stakeholders,

reputation and value creating activities.

•The primary objective of Business Continuity Management is to allow the

Executive to continue to manage business operations under adverse

conditions, by the introduction of appropriate resilience strategies,

recovery objectives, business continuity, operational risk management

considerations and crisis management plans.

Disaster Recovery Institute International

Business Continuity Helps Manage Risk in Many Ways

• Protects 85% of the business • Nearly 170% return on investment • Non-compliant companies paid $9.4M in fines, penalties & lost revenue • Compliant companies paid $3.5M

22

.

Life Safety Emergency

Response

Operations

Work

Planning

Adherence to

Regulations

Corporate

Governance

and InfrastructureProperty, Facilities

Physical

Security

Financial

Capacity

Cash & Credit

Management

Enterprise Risk

Management

Business

Risk or

Interruption

Intellectual

Property,

Processes &

Vital Records*

Business Continuity

Planning

How are the Threats Identified to Prepare and

Prevent a Disaster?

•Don’t just visit the site, inspect the site!

•Collaborate with your colleagues and vendor base to ID the top 10 threats

in each category.

ID regional natural threats, have a backup plan.

ID manmade threats, launch control measures.

ID technological threats, have a backup plan.

•Is lack of compliance with OSHA and ADA a threat? Yes!

•Is lack of Preventive & Predictive Maintenance a threat? Yes, just wait until

Friday afternoon or Saturday evening.

•Prepare a plan based on the above, implement controls , inspect and test!

Assess

Respond

Manage Recover

Resume

Pandemic

Fire Flood

Storm

Terrorism

???

Normal

Business Operations

Security

Regulatory

Continuity Planning and Response Move in a Cycle

Develop A Disaster Preparation, Response and

Recovery Plan

•How So? Start by Identifying the Threats, their Probability and their

Impacts to the Organization. How can the threats be controlled.

•What are the threats?

Natural

Manmade

Technological

•Lack of preparation and a plan can threaten your career!

•Lack of preparation and a plan is a call for the lawyers!

Businesses Will Use Their Continuity Plans Regularly

Business Preparedness Involves Five Important Steps

1. Develop a Program (for what you will do

in an emergency)

2. Have Back-ups (for critical people,

equipments and supplies)

3. Practice Your Plan (at least once each

year)

4. Be Informed (about what might happen)

5. Get Involved (in preparing with your

community)

You Need Six Essential Tools in Your Preparedness Program

1. Severe Weather Alerts

2. Emergency Notification System

3. Incident Management Program

4. ePlan Documentation

5. Situational Awareness Monitoring

6. Personal Preparedness/Resiliency

Weather Disasters at Highest Levels Ever Recorded

Source: NOAA

Billions

Total economic damage = $52B, Most $1B+ Disaster Ever

Forecasting, Monitoring and Alerting

Tropical storm & hurricane analysis Severe weather analysis 24/7 alerting (including “all clear”) Domestic and International coverage Web-based weather briefings for key personnel 24/7 access to meteorologists for additional consultation and pre-scheduled conference calls

Consulting and Support Programs

Corporate Business Continuity & Emergency Preparedness: consulting services and training programs Personal Preparedness: Seminars, Webinars, and Personal Preparedness tools

#1 – Essential Tool

Severe Weather Services

Capability Resident Meteorologist National Weather Service Web-based Weather Services Dedicated Weather Service

Available 24x7x365 No Yes Limited, w/Advertisements Yes

Domestic & International No No Limited Yes

All Weather Services – Severe,

Tropical, Marine Yes No No

Yes

Customized Alerts & Forecasts Yes No No Yes

Any Time, Live Help Limited No No Yes

Meteorologist Needed On-Site Possible No No Yes

Imbedded “Calls to Action” Yes No No Yes

Integrated Business Continuity

Services No No No

Yes

Certified Crisis Experts On-call Limited No No Yes

Branded, Direct Access Website Possible Yes No Yes

All-Hazards Data Feeds/Alerting No No No Yes

“Single Pane of Glass” No No No Yes

All Clear Notices Limited No No Yes

Video Production Studio No No No Yes

Crisis Webconferences Possible No No Yes

Daily Branded Weather Videos No No No Yes

Site-specific, All-Hazard Trigger

Reports Possible No No

Yes

Best Practice Web & Seminars No No No Yes

Delivery to Any Device Yes No No Yes

“Manually dialed telephone call trees are no longer acceptable for emergency notification. Effective incident management requires automation to ensure business continuity.” -Gartner, Inc.

#2 – Essential Tool

Emergency Notification System

Incident

Detected Incident Management Team

(IMT) Member Aware

Incident Commander (IC)

*Division VP

*Manager of Administration

Notified

Initial Incident

Assessment

Site Back to

Normal

Standard

Operating

Procedures

Incident

Briefing

Impact

Assessment

Incident

Assessment

Incident

Objectives

- Develop IAP

- SITREP

Alternate

Operating

Procedures

Recovery

Procedures

Site Back to

Normal

Resume

Normal

Operations

Critique IMT

Response

Need to

Update Plan

Plan

Maintenance

and Update

End

Major

> 8 hrs

Minor

< 8 hrs

> 8

hrs

No

Yes < 8 hrs

No

NoYes

Demobilization

Report to

Executive

Oversight

CommitteeYes

IMT

Assembled

*Foreseen Events

#3 – Essential Tool

Incident Management Program

• Repository for all IM, BC, ER and DR plans

• Component of comprehensive Business Continuity effort

• Modules for both planning and incident management

• Linked with emergency notification system

• NIMS Compliant

#4 – Essential Tool

ePlan Documentation

– Crisis management is moving from offices or command rooms to sophisticated mobile and online environments…

– Breaking threats in dozens of risk categories now delivered as targeted alerts, anytime, anywhere…

#5 – Essential Tool

Situational Awareness Monitoring

Most individuals, and thus their employers, are unprepared

for a disaster

“Only 7% of Americans have taken the

necessary steps to prepare for disasters”

Source: American Red Cross

#6 – Essential Tool

Personal Preparedness

“75% of company plans do not support employee resiliency”

Source: Forrester Research

#6 – Essential Tool

Personal Preparedness

Most individuals, and thus their employers, are

unprepared for a disaster

# 6 – Essential Tool

Employee Education Works

• Annual Preparedness Programs • Speakers, Demos, Handouts • Company Intranet Campaigns • Home, Office Videos & Checklists • Contact Info Updates

• Cost effective, 100x ROI • Save $2,800 per employee • Overcame Complacency • Mitigated Damages, Impact • Less Time Responding • More Effective Action

Ready Today = Ready in Crisis

© Personal Recovery Concepts, All rights reserved

You Need To Be Prepared for Many Reasons • Protection (people, reputation, resources)

• Legal (regulatory compliance, litigation)

• Financial (more revenue, reduced costs)

• Decision-making (one source, more confidence)

• Good Business (stakeholders, market share)

Contingency Planning in Many Areas is Highly

Regulated

• Required to have an “all

hazards” plan

• Weather is leading hazard

causing business interruption

• Plan must follow a Standard

• All standards include

preparedness of the

workforce that the plan relies

upon before, during and after

a continuity event

• PS-Prep will translate that

requirement to any private

sector company

PS-Prep will Impact Every Private Sector Company Title IX, PL 110-53 (Private Sector Preparedness Act) • Outgrowth of 9/11 Commission Report

• Independent certification of private sector emergency preparedness (including disaster/emergency management & business continuity)

• Administer outside government by third parties

• Give special consideration to small businesses (15 USC 632)

• Based on standards (3 already approved)

• FEMA Administrator is responsible • DHS is encouraging multiple standards • Initial certifications will be “conformity or non-conformity” based • Process slowed by change of administrations • Integrate, recognize & credit existing industry efforts, standards,

best practices and reporting

Should Vendors Comply with PS-Prep?

•If business units are prepared, their supply chain should be equally

prepared.

•A resilient supply chain is prepared for natural disasters, business

interruptions and terrorism.

•Preparedness guarantees quality products with on-time deliveries to

business units.

•You can’t do business with an empty wagon.

•The purpose of PS-Prep is to enhance nationwide resilience against

all hazards and to support business preparedness.

Some Benefits of Preparedness May Not be Obvious

Minimizing Impact of Business Disruptions

Insurance Benefits

Rating Agency Acknowledgement

Mitigating Legal Liability

Post-Event

Supply Chain Resiliency

Corporate Governance

Reputational and other Benefits

Greater PreparednessGreater PreparednessGreater Preparedness

90% of Requirements Are Common in All Standards

1. Policy statement

2. Management commitment

3. Risk identification, assessment & analysis

4. Protect proprietary & confidential information

5. Incident management procedures & controls

6. Data control & backup (documents & information)

7. Continuity of critical operations

8. Exercises & testing

9. Independent audits

First (or Next) Steps to Take to Mitigate Your Risks

1. Assess your current level of emergency preparedness against industry best practices (report & gap analysis)

2. Select a standard to use (e.g. FFEIC, OCC, ASIS, etc)

3. Supplement and/or improve your existing preparedness processes, plans & activities to meet intent of desired standard(s)

4. Contract with accredited certification body for formal assessment and certification

5. Conduct on-going surveillance and continual improvement processes

Plan, Do, Check, Act

Someone Will Ask for Your Business Preparedness Plan

• Regulatory Auditors • Customers • Strategic Partners • Suppliers & Vendors • Fire & Law Enforcement

Preparedness Increases Revenue and Reduces Costs

• Oxford University study • Everyone loses value after crisis • Effective crisis response recovers quicker • 22% higher market cap 8 months after crisis • Cost of downtime = $84,000 -$90,000 per hour

Q&A

Have questions??

Mike Thomson Manager, Client Services & Business Continuity Programs ImpactReady @ ImpactWeather, Inc. 877-792-3220 mthomson@impactweather.com

Anthony Pizzitola Facilities & Disaster Recovery Manager Goode Company 713-667-9001 apizzitola@goodecompany.com

CONTACT