Contents
- Pre-incident planning and incident response
- Disruptions A to Z
- Exercises

Business Risk Leadership
CSO Executive Guide: The Ultimate Guide to Business Continuity

A disaster just isn’t what it used to be. In years gone by, most companies defined a disaster as an act of nature—a hurricane, tornado, flood or fire that ravaged a building and wiped out a company’s ability to conduct business. Today, with worldwide networks, even a common electrical failure could spell disaster if it brings communications and online transactions to a screeching halt.

Business continuity involves much more than planning for disasters, though. It’s about taking steps to ensure that unexpected events have a minimal impact on a company’s ability to keep the business going. The focus is on continuity, not crisis. Good planning must take into account everything from people and communications to travel and facilities.

Because business continuity and disaster recovery share much in common, they are often lumped together. Before we get started, however, it’s important to note that the two are distinct but intertwined. Disaster recovery assumes that something has already happened to disrupt business and it’s time to start things back up again: it is the set of steps and processes involved in restoring a business to normal operation after its operations have been partially or completely interrupted by some event. Business continuity planning, on the other hand, is making plans to keep your business going even when something unexpected happens. A good business continuity plan might keep a situation from ever turning into a disaster.

All of this planning creates a hoary goal that can never be met 100 percent.
It involves weighing risks and tradeoffs, thinking about bad scenarios and worse, making tough decisions about which business functions are most important, and determining the dollar value of keeping your business running even in the face of horrendous events. However, this gut-wrenching work has several benefits. It can enhance employee safety, mitigate corporate liability, help meet regulatory requirements, and protect or even enhance your company’s public image. In short, it’s good for business, as long as it’s done in a smart, risk-oriented way.

This paper is intended to help you sort through the many issues at stake and begin to plan and prioritize how to protect your business from the damaging effects of any interruption—whether it’s a small incident that affects just one building or a major event that makes headlines across the country.

Section 1: Pre-Incident Planning and Incident Response

Good business continuity planning starts with being proactive. That means taking concrete steps to plan for an incident weeks, months or even years before it actually occurs. There’s no one-size-fits-all approach. Much of business continuity planning varies based on the size of your company, your line of business, and the locations of your company, customers and suppliers. No matter the particulars, however, there are certain fundamentals you’ll need to cover—from making a business case, to pulling together a team, to potentially hiring a third party to help. We’ll walk you through each step.

Step 1: Establish the Business Case

If you want to make an effective business case for business continuity, you need to make its effects tangible before disaster strikes. That means emphasizing not just the importance of risk mitigation, but also the business value and competitive edge that a strong business continuity plan can provide. That’s easier said than done, but here are some tactics that can help.

Use regulatory compliance to your advantage.
In certain industries, regulations will define your business continuity strategy. Especially if your company is in the healthcare, financial services or insurance industry, the need to comply with regulations may dictate your thresholds for recovery.

Aim to create a business continuity plan that reflects your company’s culture. Business continuity means different things to different people. The type of business continuity plan you design, and how you sell it, will be influenced by your company’s culture and organizational structure. Understanding this cultural landscape will help you craft a plan that is less likely to meet resistance from other parts of the business.

Encourage grass-roots support by meeting individually with people in different business units. A good business continuity plan creates alignment among security, IT and corporate strategies and policies. Lay the groundwork for that by meeting with the people in individual business units and trying to understand their mindset and expectations.

Stay flexible. Asking for support for a business continuity program doesn’t mean you’re asking the business to treat every application and piece of infrastructure the same way. “Just because you need failover capability for one application doesn’t mean you need that same capability for all files and systems,” said Jim Grogan, vice president of consulting product development for SunGard Availability Services. “Creating a blended solution helps the business become confident they are spending money wisely based on business principles and policies.”

Find ways that business continuity can add to the bottom line. Finally, try to approach business continuity as a way of doing business—not as an add-on. One way to get executives to see that is to convince them how having a strong plan in place can improve revenue. They continued to process. “No critical functions were interrupted, despite it being one of the largest fires in the history of Chicago. Staying up when others may be down is good business—not to mention good public relations.”

Step 2: Follow a Planning Process

Once you have the go-ahead, how do you actually get started? Fortunately, there is a pretty standard set of things a business continuity plan should encompass. Obviously the first priority is to protect human life. However, much of the planning focus is necessarily on how to manage the smaller, less critical events, which happen much more frequently than catastrophic ones. Based on almost three decades of experience in network engineering and security, well-planned business continuity event management has several goals:

- To minimize the business impact of each incident.
- To address human safety.
- To mitigate corporate liability due to lack of due diligence.
- To meet regulatory requirements.
- To protect the organization’s public image by a fast, professional response.

“A business continuity plan includes all documentation necessary to mitigate business impact and to recover broken processes. Chief among those are plans for putting manual processes in place, so that you can continue to deliver products or services—even at a lower level of output—until the business has fully recovered. The plan should also include instructions for recovering individual devices or systems, disaster recovery processes for catastrophic events, and possibly contacts or agreements for alternate data centers or business office sites as well as alternate staffing.”

Part of the initial planning process should include creating a list of stakeholders for each supported system. These lists will become part of your overall incident response plan. Stakeholders might include: data owner, process owner, managers, public relations, legal, security, help desk, facilities management, labor unions, and key customers.
Step 3: Build and Train the Team (or Teams)

As soon as possible, you’ll want to start pulling together a team—or teams—of people who’ll be responsible for business continuity planning. The sooner you can involve them in the planning process, the easier it will be to get buy-in and ensure that the plan will meet your business needs. It’s likely that you’ll need both an upper-level planning team and a front-lines incident response team.

The upper-level planning and execution will likely come from a management incident response team (MIRT), sometimes called a crisis response team. This cross-functional team might include the CISO/CSO, chief privacy officer, general counsel, chief compliance officer, business line presidents and public relations (or functional equivalents). During an event, this group ensures that accurate and complete data is gathered concerning the incident, and works to communicate this information to the stakeholders.

A front-lines incident response team, sometimes a cyber incident response team (CIRT), will be more focused on answering questions like: “What happened? How did it happen? What damage has been done? And how do we prevent it from happening again?” That team is likely to include the following:

- Team Manager. Has overall responsibility to ensure business objectives are met during a response, and is also responsible for communicating status to senior management.
- Technical Lead. Charged with assessing impact on the technology infrastructure, and responsible for containment and recovery activities as they relate to information technology. This person might supervise one or more engineers or programmers.
- Public Relations. Responsible for communicating with investors, the press, and other outside entities.
- Security. Encompasses facility, personnel, and information security. If these are separate departments, each should be represented on the CIRT.
- IS Support. Assists with containment and recovery, and establishes alternate methods of information processing when primary systems or network paths are disrupted.
- Facilities Management. Responsible for resolving power issues, coordinating the move to alternate locations, and conducting structural assessments and repair.
- Labor Union. If applicable, can help defuse possible reaction to unusual management decisions and provide employee perspectives of events.
- Representatives of Critical Business Functions. Depending on the scope of the problem, might include one or two administration or operations teams, or many more.

Once the team members are identified, they should meet to begin building an incident response plan. “The plan should include all activities related to containing and mitigating effects and improving future response. The plan is then used to train the team. Thorough training produces a team which reacts to events quickly, without confusion. It helps ensure all members understand their responsibilities, the roles of others, and team cooperation when it’s needed most.”

Step 4: Have a Business Impact Analysis Format

The next step is to understand your exposures and make good decisions about your recovery strategy. If you have a solid strategy, developing your plans becomes straightforward. “The most critical part of the whole process is your business impact analysis, including the risk assessment,” said Debbie Hoppenjans, manager of business continuity planning at Siemens IT Solutions and Services. “That’s where you need to spend most of your time.”

At its core, a business impact analysis is the process by which you determine what systems or processes need to be recovered and how quickly, according to “Building an Enterprise-Wide Business Continuity Program.” Broadly speaking, the more time you can take to recover a business process, the more options you will have to recover it, and the less it will cost.
Likewise, a business impact analysis can help you justify the expense of faster recovery capability on time-sensitive processes. “All business functions and the technology that supports them need to be classified based on their recovery priority. Recovery time frames for business operations are driven by the consequences of not performing the functions.” If certain functions aren’t performed during the downtime, what will really happen?

To do a business impact analysis of any given team, list everything done by that group, and analyze each of these functions against three areas: “financial risk of not performing that function, regulatory risk of not performing that function, and customer or reputational risk of not performing that function. It is all about impact. What happens to the company if we do not do this?” Then, part two of the process is to ask: how long before we see this impact?

To help you assess levels of recovery, you might create a chart where you assign each business function a rating that looks something like this (excerpted from “Building an Enterprise-Wide Business Continuity Program”):

| Rating | Timeframe | Description |
|---|---|---|
| AAA | Immediate recovery | Must be performed in at least two geographically dispersed locations that are fully equipped and staffed. |
| AA | Up to 4 hours to recover | Must have a viable alternate site that can be staffed and functioning within the four-hour timeframe required. |
| A | Same day recovery | Must be operational the same business day, and must therefore have a viable alternate site that can be staffed and functioning within the same business day. |
| B | Up to 3 days | Can be suspended for up to 3 business days, but must have a viable alternate site that can be staffed and functioning by the fourth business day. |
| C | Week 1 | Can be suspended for up to a week, but must have a viable alternate site that can be staffed and functioning the second week following an interruption. |
| D | Week 2 or greater downtime allowable | Can be suspended for greater than one week. A maximum number of days should be identified for this function. |

Step 5: Evaluating External Resources

Evaluating Business Continuity Consultancies. Feeling overwhelmed? The good news is, there are plenty of consultancies and service providers who can make sure that your business continuity needs are met. BC/DR planning consultants include large firms. There are also dozens of boutique consulting firms—regional and niche players that focus solely on business continuity planning. How can you be sure that the consulting firm has the expertise to fill in your business continuity gaps? Here are five questions to ask when choosing the best business continuity consultant for your company.

1. Do you know what you need? To get started, you’ll need to conduct a business impact analysis, and the consultants should perform a recovery option study to determine your company’s priorities. Make sure the consultant is willing to outline your recovery options and the amount of time each option will take.

2. Will the firm present several options? “When it comes to business continuity, it’s about planning and services, and it should be less about technologies,” said an analyst at Forrester Research. “It’s your strategy for responding to business disruption and covers people, facilities and technologies. It covers everything from pandemic planning to ‘Microsoft Exchange is down.’” Firms that offer BC/DR planning and consulting services should be able to help you do a business impact analysis, identify critical business processes, map all the dependencies and define how critically you need them, and what the impact would be on revenue. “When you understand that, you can build a business case and invest in the right solutions,” she adds.

3. Are the consultants certified in business continuity planning? Certification ensures that business continuity consultants are well-versed in all aspects of BC/DR planning.
Certification bodies include the Business Continuity Institute, DRI (The Institute for Continuity Management), Business Resilience Certification Consortium International, and the University of Virginia. Specialized certifications are available for emergency management, risk management, audit, security and technology. DRI International offers certification specifically for business continuity consultants and vendors to ensure that practitioners understand professional practices. Each subject area includes the professional’s role within the area and an outline of recommended knowledge within the subject area. The 10 subject areas cover topics such as risk evaluation and control, business impact analysis, emergency response and operations, awareness programs, training, crisis communication and coordinating with external agencies.

4. Are they willing and able to prioritize? You can save a lot of money by evaluating your BC/DR priorities, according to a disaster recovery and business continuity consulting firm. “If you need systems back up in six hours—you can, but you’ll have to throw a lot of money into that. Instead, consultants should be asking, ‘Do you need that? What can you wait a couple of days on, or a week on?’ and establish priorities.” Perhaps only 20 percent of the total environment must be recovered in minutes or hours.

5. Do they offer BC/DR solutions to fit your budget? Nearly one-quarter of companies surveyed have not been able to justify the costs of business continuity plans. Most of these companies are in the large enterprise segment with 500 to 999 employees, according to the study. Consultants should know your business well enough to understand budget constraints and your immediate BC/DR needs. “We let the business [units] decide what they want to spend and help coordinate based on what the numbers tell us. We let [business impact analysis] data tell us what each department is doing as far as BC planning, what their risks and what their vulnerabilities are, and they decide what to spend. Some responses may be customer- or contract-driven.”

Evaluating Business Continuity Services and Software. The frequency of common business interruptions has boosted the market for external disaster recovery services—which include data center services, backup and mobile recovery services—to $3 billion to $4 billion a year, according to Gartner. Here are some points to consider when evaluating business continuity and availability services and software.

Weigh the benefits of specialized business continuity planning software. Business continuity planning software can help large companies formalize the BC framework and continually update the plan. “Of companies that actually have plans, 50 percent use software and 50 percent use informal software” such as Excel spreadsheets. Software providers such as SunGard Data Systems (which acquired Strohl Systems Group), eBRP Solutions, and U.K.-based Office-Shadow (now part of ICM Business Continuity Services Limited) offer BC planning solutions. Regulated industries that face audits, such as life and health insurance companies or financial institutions that require uniformity in how they build their plans, may benefit from one of these software packages.

Consider the major business continuity/availability service providers and some niche players. Hosted business continuity/availability providers typically provide cold sites (data center space to house your own equipment and backup tapes), warm sites and hot sites (an operationally ready data center), as well as data archival, restoration capabilities, and managed services.
SunGard, HP Enterprise Services, and IBM Global Services own the worldwide market share in this segment with the broadest set of services. Smaller services players such as Rentsys Recovery Services are also making inroads into the market.

Let recovery requirements dictate the level of dedicated BC services. Subscribing to a data recovery service that you can trigger when a disaster strikes is fine if data can be restored in two to four days. But increasingly, as businesses require 24/7/365 availability, more dedicated data recovery services are required. Just make sure you’re not paying for more than the business need dictates.

Use caution when outsourcing business continuity functions overseas. Because of terrorism and natural disasters typically not seen in the United States, such as tsunamis and monsoons, companies should take caution when outsourcing backup, recovery and business continuity operations offshore. Some popular outsourcing countries may not have the recovery capabilities found in the United States.

Step 6: Build a Crisis Communication Plan

Communication during a crisis can be thought of on several levels—communicating with internal constituents and staff; communicating with business partners, suppliers and customers; and communicating with the general public, often via the media. We’ll cover these aspects from the inside out.

Internal Communication. The people who work at the organization must be kept apprised, as much as is reasonable, during a crisis. Many organizations tend to keep employees in the dark during a difficult time, and that’s a mistake, according to the program director at the School of Criminal Justice at Michigan State University in East Lansing. “They all have associates who want to know” what’s going on when there’s a crisis. “Employees will start calling the media if there’s a major crisis like an evacuation. That’s why it’s vitally important to tell your employees what’s going on,” so they don’t give out wrong information.
Emergency notification systems can use many different means of communication—phone calls, text messages, e-mail—to contact employees, vendors or other critical personnel. A calling tree with home and mobile phone numbers can be a simple first step. “Although [emergency notification systems] may have slick bells and whistles, I have found that you don’t need them. You need a system that will call a lot of people all at once and have them call into a central conference call number.” He also suggests having an automatic phone forwarding system through your phone company. That way, clients whose only contact is an office phone number can be rerouted to an employee’s cell or home phone.

In some cases, companies also have discovered that portals or intranets have been useful during a crisis. That’s what happened at Gale GFS, anyway. The property management company has an Incident Reporting System that operates as a sort of business blog on its intranet portal. Essentially, an employee can log on to the Web-based system with a user name and password and write about a hurricane, an explosion or any other incident. Gale GFS designed and built its system to automatically send out an e-mail notification to everyone in the region. Through an online control panel, administrators can determine who gets notified by region and by company. E-mail alerts pop up on cell phones and smartphones, as well as on computer screens. Each case or incident is archived in the system so that others can retrieve them from the database in order to study them. Each session, however, is available for viewing only by the employees working with a specific client, so as to maintain security.

External Communication. Keeping employees in the loop is only part of the equation. During an adverse event, the crisis response team will determine the appropriate parties that must be notified, both under the law and consistent with corporate values, as many organizations will decide to go beyond the legal or contractual requirements to protect the clients and consumers. The ultimate goal of all crisis communication is essentially to uphold long-standing relationships and assure key stakeholder groups that your company understands how the event impacts them and what you intend to do about it.

When something really bad happens, such as a natural disaster that forces a company to evacuate headquarters or a security breach that results in lost or stolen data, the media will come calling. How organizations deal with the blitz could affect the long-term impact of the crisis. An effective and constructive response might help put the company in a positive light during a tough time. An ineffective or antagonistic reaction might make a disastrous situation even worse. Here are some tips for dealing with the public—and in particular the media—after a security incident or business-interrupting event.

Be truthful. Honesty really is the best policy. “One of the most important things is to try to understand what the media is interested in. The media is interested in accurate, truthful information—something that will be of interest to their readership [or viewers]. If you don’t know the answer, indicate that it’s information you don’t know at this point and hope to [provide] later.”

Provide useful information. Organizations should be as forthcoming as possible with information about the specific incident, and provide any relevant background information that will help the media put the situation in proper context. “Tell them what you do. Provide a fact sheet or release that explains what your business does.” If you don’t provide information, reporters will look for other sources inside and outside the company, who might provide inaccurate or outdated information.
Train your spokespeople. In a crisis, if the chief executive or other designated spokesperson isn’t comfortable or familiar with reporters, cameras and microphones, that could backfire. “All spokespeople need to be trained to deal with friendly interviews and in-your-face ambush interviews. It’s not an intuitive skill.”

Establish an ongoing relationship. Organizations that keep media outlets informed on an ongoing basis will be less likely to have misunderstandings when a crisis arises. They might even rely on the media for help in disseminating information. “It’s very important for corporations to have a collaborative or partnership process with the [local] media. Don’t wait for an incident to happen.”

Don’t let the media be the only source of news. Consider using communications tools such as employee newsletters, or allowing officials to make personal appearances to groups such as a chamber of commerce or business association.

SECTION 2: DISRUPTIONS A TO Z

Different situations require different types of plans. Below, we list some specific wrinkles and possible approaches to different types of threats.

Corruption

Corruption can be like a form of tax, but there may be mounting pressure not to pay. In the past, there were allegations that the extractive industries—particularly energy and oil—were paying off lots of people in order to operate in corrupt environments. Now, “under pressure from human rights groups, there’s a set of voluntary principles that the extractive industries signed off on, saying that they would contribute to trying to build legitimate law enforcement infrastructure instead of paying people off and encouraging corruption.” In places where the law enforcement infrastructure is not well-developed, these companies are also building their own security forces and compounds. If an economic downturn makes them unable to afford this protection, it will affect their security.
Extortion

Here’s one ’s plan if he receives an extortionist’s e-mail.

1. Contact general counsel and the executive team (and whomever else they deem appropriate), and jointly assess the company’s risks as well as the credibility of the threat. Discuss all possible factors that could magnify the risks (such as impending big executive news or an acquisition).

2. Recommend contact with appropriate electronic crimes law enforcement officials for tactical advice and (hopefully) assistance. (For example, are we the first to ever get this threat? Are these known perps? Has there been prior experience with them or with this MO?)

3. If top management agrees to involve external law enforcement, begin an investigation jointly with law enforcement. Formulate a detection and response strategy with them to prepare to acquire and preserve evidence.

4. If senior management declines to involve external law enforcement, then expect to be tasked to assemble a “red team.” Regardless of whether management decides to pay, this team will search for and eliminate the vulnerabilities that make the threat credible, and take other steps to diminish the risk of attacks.

5. Simultaneously, expect to be working with crisis management teams, and especially the investor relations and corporate PR staff, to prepare an official position for the media. If a U.S.-based company, consider the Sarbanes-Oxley implications of every decision. That means senior finance folks will also need to be involved.

6. Warm up disaster and business continuity plans and providers depending on the nature of the threat; perhaps increase backups in frequency or type. (For example, go to “full now” instead of “incremental” for critical systems at risk.)

Floods

Flooding is generally localized and somewhat predictable.
If you operate in an area prone to flooding, be sure to have a good plan in place for doing system backups, and plan to have redundancy in an area outside of the flood zone. Remember that even if your company facilities are on high ground, employees and delivery persons may be unable to get to the facility due to flood water over the access roads. Finally, expect a lot of residual impact due to employees, vendors and customers being directly impacted. Even if corporate facilities are not impacted, employees may have personal losses of home and property and be busy attempting to deal with these losses and the cleanup involved.

One expert offered some thoughts on the risks and trends in different areas:

Haiti: “Economic kidnapping is like a virus; once it gets into a society it’s very hard to get it out. Criminals find out it’s pretty easy money. That’s what’s happening in Haiti, I think. There’s not much wealth in Haiti, but kidnapping numbers have to be up to 250 or so Haitian-Americans. If they grab someone who has family in the US, whatever they get—if they get $5k to $25k per kidnapping—that’s really serious money in Haiti.”

Mexico: The Mexicans are “covering up a massive kidnapping problem. I recently had a conversation with the head of security for an international company based in Mexico; he tried to tell me, ‘Kidnapping, it’s mostly criminal on criminal’—which is nonsense. They’re diminishing the problem, trying to keep the larger world from criticizing them. So it’s getting worse and worse all the time. Tremendous amounts of legitimate businessmen are leaving that region.”

Philippines: “In the Philippines, at the end of the Burnham-Sobero kidnapping case [2001-2002], the response of the Philippine and U.S. governments really sort of took their kidnapping infrastructure apart, left the Abu Sayyaf in somewhat of a shambles. They began to move toward bombings at that time. But that’s run its course and they’re getting back into it, starting with locals. I think it’s a matter of time before they are looking for Westerners again.”

South America: “Colombia is much safer than it was ten years ago. Amazing difference. When I went in 1998, the guerillas had complete control of the countryside, and you could not travel there safely. In 2005, I went to a going-away function in the countryside with no military escort. We were hardly armed at all. Now sometimes when you put pressure on crime in one area, it simply moves to a different area. Some of the Colombian kidnappers quit, and some are in jail. Of the others, some moved. So it’s on the rise in Venezuela and Ecuador.”

Hurricanes

While it’s impossible to predict the severity and timing of any given hurricane, if you conduct business in certain parts of the country, you can be fairly well-assured of the need to plan for the high winds, heavy rains and flooding that mark these strong storms. Obtain adequate insurance both for hurricane wind damage and flooding, and make sure that your business continuity plan encompasses the loss of power and running water. If it’s necessary to have a data center in a hurricane zone, make sure the building is built to sustain hurricane damage and has backup and battery power. Better still, have a back-up data center in another part of the country, and test it by bringing the main data center down and bringing up the back-up one.

The data is only one part of the picture, though. Be sure that employees understand where to go and what to do during an evacuation. It’s important to have a way to send out alerts to all employees, even if the hurricane strikes on a weekend or when employees are traveling. Alternatively, you could set up special numbers so people can dial in and alert the company as to where they are.
If a facility goes down because of power failure or flooding, many organizations need a physical location where they can put their staff so operations can continue. The parent company of several popular restaurant-chain brands, including Outback, maintains a comprehensive facility in Atlanta, which it has had to use at least twice in the last four years. "Once we declare a disaster, we have 50 cubes available there," Williams said. "But we have to go up and make sure everything is up and running and ready. So we have people, from an IT perspective, head up 72 hours ahead of any storm in private aircraft to make sure everything is ready to go." The process of relocating people and sometimes equipment is time consuming, labor intensive and costly. The company even has contractors on standby for employees who may need help boarding up their houses before they depart. As complicated as it all sounds, Williams said, thankfully most of it can be planned. "With hurricanes, you have a distinct advantage over an earthquake or a tornado," Williams said. "You really don't know when they will strike."

Kidnapping

Chris Falkenberg, president of Insite Security, a New York-based consultancy, outlines four preventive measures companies can consider to minimize kidnapping risk.

1. Establish a counter-surveillance program. An organization with an effective counter-surveillance program has a good shot at detecting a threat, increasing security and motivating potential kidnappers to go elsewhere. In addition to having personnel manning the gate, a counter-surveillance program has personnel who are watching to see who is watching. This means looking for people who walk back and forth frequently in front of a location, take video or photographs, or pace off distances to work out the measurements of a given location.
A counter-surveillance program might also use CCTV infrastructure proactively. "A counter-surveillance team can use all of the intelligent video in a proactive means," Falkenberg said, "particularly if you have the ability to identify cars and license plates to keep an eye out for who seems to be in your perimeter."

2. Utilize GPS. Falkenberg recommends that companies put in place technology to receive GPS transmissions from cell phones or emergency GPS transmitters. This technology may only go so far, because the device will likely be taken from the victim, but in some scenarios it could still aid a rescue. "There is some technology coming out in which you can program a cell phone to send out a distress signal," he said. "What we are using with some clients is a handheld GPS transmitter which you can essentially use as a portable panic button."

3. Train employees on how to stop a kidnapping in progress. When an event takes place, victims find themselves forced into vehicles with commands shouted at them like "Get in the car! We are going to kill you!" While this is terrifying, it is actually much easier to turn the situation to your advantage at that point than it is once you are being held. However, this kind of reaction to threats is not second nature; it has to be learned. Falkenberg recommends talking with employees about what to do if threatened, and rehearsing it.

4. Consider families, too. A crisis management and continuity plan for the family outside the office is key. However, the family component can't be addressed with the same techniques used for employees, because families are not going to tolerate the kind of protection that C-level executives tolerate at work, and it is just not cost effective. Instead, train family members about potential dangers and how to behave if someone attempts to abduct them.

More tips and advice: the senior vice president of security operations and training at Kroll recommends that companies train employees in how to act as hostages in the event that they are abducted.
Tips include touching everything in sight to leave lots of fingerprints and talking to the kidnappers so they see you as a human, not an object. He also advises finding some kind of resonant chord with abductors to try to get them to show more empathy toward you. Mining your captors for information can also be helpful: you may be able to discern whether you were abducted for political or religious reasons, for ransom, or for all of the above. It's also important to remember that people are working to get you released. "The feeling of hopelessness works completely against you," he said.

Pandemic

Business risk consultancy Control Risks has identified ten questions organizations can use to gauge their preparedness for a pandemic emergency. Kaye of Control Risks walks us through them.

1. Have you defined reliable information sources that you will monitor for situational awareness in the event of an influenza pandemic? The information gathered from these sources will be critical to your decision-making process.

2. Has top management documented a set of guiding principles? This would outline, among other things, the commitments the firm will make to protect its employees and the budget available for planning.

3. Does the firm have a robust crisis management and communications program in place that will allow executives to make key decisions and communicate messages on a timely basis? The question in pandemic planning, according to Kaye, is not how do we pick up the pieces; rather, it is how do we live with this situation over the course of the next 18 months?

4. Is there a business continuity program in place that documents the key products and services that will receive priority during a time of reduced staff availability? If only 50 percent of staff is in the workplace on a particular day, which business activities will be conducted and which will be deferred?

5.
Has the firm implemented a robust employee health program that guides 'safe workplace' protocols such as facility access, social distancing and surface cleaning? Surface cleaning and social distancing both prove effective and can have a major impact. The conventional view is that people are universally susceptible to a pandemic influenza strain, so these approaches are what you must rely on to limit contagion.

6. Does the firm have Human Resources provisions that outline the actions employees should take if they become ill, and how sick leave and family care issues will be handled? It sounds simple, but if you don't provide clear instruction about sick leave, employees will show up to work sick and ask whether they should stay or go. You need to remove any uncertainty in the employee's mind so that they can stay home and get better without risk of spreading the virus to coworkers.

7. Are key strategies for remote connectivity of workers backed by actual IT capabilities in terms of VPN bandwidth and hardware availability? Be realistic and ask whether your existing IT infrastructure can support your entire workforce working from home at once. Concurrent-session licenses, concentrator capacity and the uplink are all sized for a normal day's remote users, and a shortfall only shows up on the day you need it.

8. Has the firm prepared guidance for expatriate employees and travelers? Does the firm have the ability to re-create employees' travel patterns to support investigation into risk exposure? This goes back to ensuring that your sources of information are reliable and establishing your guiding principles. It was a lesson learned from SARS. "If you have the ability to retain employees' travel history and recreate their travel pattern," Kaye said, "you have the potential to pinpoint their point of exposure."

9. Has the firm discussed its pandemic preparedness efforts with key vendors, suppliers and other business partners? "Even the strongest in-house pandemic preparedness program can be rendered worthless if the company has a dependence on a third party that is compromised."

10.
What is the firm's position on the procurement and stockpiling of both pharmaceutical and non-pharmaceutical protective measures? If there is a formal program, who is responsible, and are all key provisions up to date? "Antiviral treatments are receiving so much attention right now that it is almost tempting to mistake them for a pandemic preparedness program," Kaye said. "I cannot stress enough that they are not one and the same."

Tornadoes

Business continuity planners in tornado alley have much in common with those in hurricane areas, but there are key differences. Tornadoes have smaller funnels, but they can appear in groups, may bring dramatically higher winds, and can strike with far less warning than a major hurricane typically provides. A tornado can stretch more than a mile across and stay on a destructive ground path for many miles, wiping out structures and picking up objects and debris along the way. It is impossible to build a structure that can withstand the strongest tornado, so redundancy is key; because a tornado's damage path is narrow, however, redundant data centers can sit within an easy drive of one another. With tornado patterns in mind, Cancer Treatment Centers of America (CTCA) built two data centers in greater Chicagoland 59 miles apart, positioned so that the likelihood of one tornado hitting both is close to nil, said Chad Eckes, chief information officer of the Schaumburg, Illinois-headquartered organization. The locations were chosen using Federal Emergency Management Agency information about weather patterns. "The first main design from a BCP standpoint was to have complete redundancy in our data. Anytime there is any production data written to the primary, it is immediately mirrored over to our DR data center," said Eckes. "Literally, we are up to date in our second center within 15 seconds.
That is, with a complete copy of all clinical systems."

Geoff Craighead, vice president of High-Rise and Real Estate Services at Securitas Security Services USA and author of "High-Rise Security and Fire Life Safety," advises the clients he works with in tornado zones to consider all physical elements of a building when creating a business continuity plan. Tornado warnings, when there is enough lead time to issue them, are broadcast on both radio and television, which can of course be monitored in the average security or network operations center. If an organization is warned that a tornado is possible in the near future, Craighead said, preparations could include securing or moving outdoor objects such as trash containers, planters, signs, furniture and vehicles that may blow away or cause damage to people or property. He also recommends pruning tree branches that could damage the building. Occupants should clear all objects from desks and work areas, and all exposed paperwork should be stored in closed cabinets and other containers, he said. Valuable equipment and documents should be moved to interior rooms.

Section 3: Exercises

Pre-incident planning for business continuity events should start by developing realistic scenarios that could arise. Typical examples deal with external fraud, a malicious insider, a technology hack, lost media, a data center disaster and an external security breach. A tabletop exercise is a great way to get business continuity plans off the written page without the disruption of a full-scale drill. Rather than actually simulating a disaster, the crisis management group gathers for about three hours to talk through one. It can be a full-scale production involving local first responders and professional moderators, or a simple affair run by in-house disaster planners. The idea is to have an escalating scenario that unfolds in several segments.
After each segment, small working groups discuss how they would respond, then report back to each other before hearing from the moderators what happens next.

Tips for an Effective Tabletop

Decide how much gloom and doom you want. When planning a tabletop, ... ability to get work up and going someplace else?"

Test how quickly you can pull together key players. At public utility PSE&G, Director of Corporate Security Mike Paszynsky said the crisis management group doesn't always know when a tabletop will occur. Instead, the company tests how quickly it can reach all of those individuals: specialized software pings team members' phone numbers and communications devices, alerting them that the crisis management team is assembling.

Involve everyone. Make sure each person has a role. If one person answers all the questions, have others act out how they would respond if that person were unavailable.

Acknowledge that first-timers may be nervous. "Some business managers don't want to show that they may not know how to respond to a certain issue," said Rad Jones of Michigan State University. To make them more comfortable, consider an hour-long orientation. Later, work your way up to a three-hour exercise, and then invite local law enforcement and first responders to participate.

Encourage misinformation. During a crisis, "you're always asked to make timely decisions based on incomplete and inaccurate information." You can simulate the confusion this causes by giving the groups handouts containing different information.

Take the lessons with you. A designated note-taker should keep track of what happens; always leave time for lessons learned.

Scenario 1: A Disgruntled Employee Starts a Data Center Fire

Segment 1: A small fire begins just outside the data center, setting off the alarm system. By the time the fire department arrives, the fire has been extinguished by the sprinkler system, but the building has been evacuated.
Employees and people who work in nearby buildings want to know what has happened, as does the media. Then, as people begin to go back inside, the receptionist takes a call from someone who says the fire is "only the beginning" because the company hasn't treated him right.

Segment 2: An employee discovers a box in the lobby with a handwritten warning that it contains anthrax. Management decides to evacuate the building again. Calls come in from concerned family members, and local TV crews arrive. Meanwhile, the sprinklers in the data center have knocked out the company's e-mail and Web servers, which means the company's e-commerce site is down.

Segment 3: A woman calls the newspaper claiming to be the wife of an employee who has just been laid off and who has left printouts about anthrax scattered in his home office. The newspaper calls the company with this information. The health department is on scene. The company's call center (at another location) is swamped with calls from customers who can't place orders on the website.

Segment 4: The police apprehend a suspect. The health department determines that the box did not contain anthrax and that the building is safe. Some employees are afraid to come back to work.

Scenario 2: An Explosion at a Nearby Chemical Plant

Segment 1: An explosion occurs at a chemical plant two miles from headquarters. Local news media are reporting that an undetermined number of the chemical company's employees have been injured or killed, and officials are trying to determine to what extent deadly toxins have been released into the air. No one is sure what caused the blast.

Segment 2: Area hospitals are crowded with people reporting breathing difficulties, and public health officials are encouraging people all over the city to "shelter in place" as a precaution. Headquarters is currently upwind of the explosion. The company needs to decide what to tell its employees to do but isn't sure whether it has the legal right to tell people not to leave.
People are speculating that terrorists caused the explosion.

Segment 3: The company tells employees not to leave the building, but many do anyway, saying that they do not trust what they are hearing and that they need to get home and take care of their families. The security guards at the front door also want to know what to tell people on the street who want to take shelter in the company's lobby. The cafeteria reports that it has already sold out of lunches.

Segment 4: The immediate danger passes, and authorities say the explosion was an accident. Several employees have been hospitalized, and others are upset that the company cafeteria did not have more supplies on hand.

Scenario 3: A Pandemic

Segment 1: ... The medical community fears that the disease will spread to other continents and says that anyone who has been to Hong Kong in the past three weeks could be a carrier. As a precautionary measure, the company considers asking employees who have traveled to Hong Kong within the past three weeks not to return to work until they have seen a doctor. The company also considers having security at the front door ask every visitor the same question.

Segment 2: A few people in the region are diagnosed with the disease, and the absentee rate at schools rises. Employees start calling in sick, but it's not clear whether they are ill or afraid to go out in public. Enough people are absent that the company struggles to keep systems up, take orders and pay bills.

Segment 3: The disease spreads, and absentee rates shoot up to almost 50 percent. Some employees are sick or caring for sick family members. Employees are asking the company to provide vaccinations and masks, even though the medical community has said those precautions may not be effective. Critical functions are not getting done. Managers consider letting crucial staff volunteer for a lockdown: those who volunteer would receive vaccinations but then not be able to leave the building until the danger passes.
They also consider rerouting work to another location or calling in retired workers to help.

Segment 4: The disease has peaked, but many employees are still leery of returning to work.
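Two passages above turn on the same data question: the pandemic checklist asks whether the firm can re-create employees' travel patterns to pinpoint exposure, and the pandemic scenario has the company deciding which employees were in Hong Kong in the past three weeks. Answering either is an interval-overlap query over retained travel records. The script below is an added example, not code from the guide or from Control Risks. The CSV record format, the employee names and the trips are constructed for this example; a real implementation would read the travel-booking system instead.

```python
"""Re-creating employee travel patterns to find who may have been exposed.

Added example; not from the guide. The record format and the trips below are
constructed for this example: one trip per row, departure date inclusive.
"""
import csv
from datetime import date, timedelta
from io import StringIO

SAMPLE_TRIPS = """\
employee,city,arrival,departure
alice,Hong Kong,2013-06-01,2013-06-05
bob,Singapore,2013-06-10,2013-06-12
carol,Hong Kong,2013-06-15,2013-06-18
dave,Hong Kong,2013-05-01,2013-05-10
erin,Singapore,2013-06-11,2013-06-14
"""


def _as_date(value):
    """Accept either a date or an ISO-8601 string such as 2013-06-24."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def load_trips(text):
    """Parse CSV travel records into dicts with real date objects."""
    trips = []
    for row in csv.DictReader(StringIO(text)):
        arrival, departure = _as_date(row["arrival"]), _as_date(row["departure"])
        if departure < arrival:
            raise ValueError(f"trip for {row['employee']} departs before it arrives")
        trips.append({"employee": row["employee"], "city": row["city"],
                      "arrival": arrival, "departure": departure})
    return trips


def overlaps(a_start, a_end, b_start, b_end):
    """True when two inclusive date ranges share at least one day."""
    return a_start <= b_end and b_start <= a_end


def exposed_in(trips, city, as_of, lookback_days=21):
    """Employees who were in `city` on any day of the lookback window ending at `as_of`."""
    as_of = _as_date(as_of)
    window_start = as_of - timedelta(days=lookback_days)
    hits = {t["employee"] for t in trips
            if t["city"] == city and overlaps(t["arrival"], t["departure"], window_start, as_of)}
    return sorted(hits)


def contacts_of(trips, employee):
    """Colleagues who were in the same city on overlapping dates, with the shared days."""
    own = [t for t in trips if t["employee"] == employee]
    contacts = {}
    for mine in own:
        for other in trips:
            if other["employee"] == employee or other["city"] != mine["city"]:
                continue
            if overlaps(mine["arrival"], mine["departure"], other["arrival"], other["departure"]):
                shared_from = max(mine["arrival"], other["arrival"])
                shared_to = min(mine["departure"], other["departure"])
                contacts[other["employee"]] = (other["city"], shared_from, shared_to)
    return contacts


if __name__ == "__main__":
    trips = load_trips(SAMPLE_TRIPS)
    print(exposed_in(trips, "Hong Kong", "2013-06-24"))  # three-week lookback by default
    print(contacts_of(trips, "bob"))
```

`exposed_in` answers the scenario's question directly (who should be asked to see a doctor before returning), while `contacts_of` supports the second-order question an investigation raises once one traveler is confirmed ill: who else shared a city with that person on the same days. Both depend on the travel history actually being retained, which is the point the checklist is making.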
Posted on: Mon, 24 Jun 2013 09:22:56 +0000
