Tag Business Continuity

Thinking Back and Looking Ahead – A Blogging Year in Review

Tim Riecker, The Contrarian Emergency Manager Leave a comment

Here it is, the close of one year and the dawn of another.  As with most of you, I’m taking some time to reflect on the past and look ahead to the future.  2015 was my best blogging year yet, doubling last year’s readership, for which I am thankful.  I’ve been humbled in getting readers from around the globe – 127 nations in all.  While most came from the US, I have a great number of readers in Canada and Australia.  Based on who commented, my readers include public safety and business continuity professionals, academics and scholars, and those simply curious about what we do and how we do it.  My thanks to you all!

2015

In case you may have missed them, below are my five most popular posts:

Incident Command System Training Sucks (June)  This post prompted a lot of discussion directly on my blog site as well as in numerous LinkedIn discussion forums.  I received phone calls, emails, and had several in person conversations about the need to revamp ICS training to make it more effective.  While sadly I’ve received no feedback directly from the National Integration Center, I will continue the crusade to get better and more effective ICS training for stakeholders.

ICS Training Sucks… So Let’s Fix It (September)  Riding the coat-tails of Incident Command System Training Sucks, this post reflected a bit more on what needed to be done to improve the curriculum.  I received lots of feedback on this post as well.

The Need for Practical Incident Command Training (March)  This post preceded Incident Command System Training Sucks, and marked my mental progression from an earlier post (which is listed next) to this piece’s most popular successor in the ad-hoc series.

Preparedness – ICS Is Not Enough (January)  This piece reflected mostly on ICS as a component of preparedness, identifying that many agencies think they are prepared simply because their staff have taken some ICS courses and they include the terms in their plans.  In this we see the danger of the requirements of NIMS, which often mean compliance to many people.

The Death of ADDIE? (November 2012)  Yes, this one was written back in my first year of blogging.  This piece still holds strong and I see many search terms about ADDIE and the Successive Approximation Model (SAM) which bring people to the post.  While I’m still an avid user and advocate of ADDIE, the emergence of SAM shows there is more than one way to skin the proverbial cat.

Looking ahead:

Clearly the topic of ICS training is an important one to those in emergency management and homeland security.  As mentioned, I will continue my crusade to advocate for better and more effective training in ICS for our personnel.

I also had the pleasure of co-authoring a post this year with Mr. Ralph Fisk of Fisk Consultants.  Prior to the release of the new Star Wars film, The Force Awakens, we wrote about public safety interests for jurisdictions, law enforcement, theater management, and the general public.  Fortunately there were no shootings or other similar violent incidents that arose during the first couple weeks of showing this blockbuster film.  It was fun collaborating with Ralph and we have already discussed some possible topics for collaboration in 2016.  I hope to do the same with others as well as hosting guest posts from other experts in public safety.

I hope all of you enjoy reading these posts as much as I like writing them.  Each post provides an opportunity for me to learn and to share what I have learned.  It has become a great networking tool and marketing tool for my consulting practice.  Together I hope we can improve the important work we do in emergency management, homeland security, business continuity, and public safety as a whole.  The thoughts you share on posts are greatly appreciated and I look forward to interacting with you all in 2016.

Health, wealth, and happiness in the New Year!

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC

 

 

So Your AAR Says Bad Things… Now What?

Tim Riecker, The Contrarian Emergency Manager Leave a comment

There it is.  Your recently delivered after action report (AAR).  Uncomfortably sitting across the room from you.  You eye it like Tom Hanks looking at Wilson for the first time.

Wilson

Wilson!!!

You know what’s in it.  It says bad things.  Things you don’t like.  Things your boss really doesn’t like.  But what will you do?

First, let’s assume that, despite you being unhappy with the areas for improvement identified in the AAR, they are fair representations.  What will you do with the dreaded information now that you have it?  Your AAR may have come with a corrective action plan (CAP), but this is only guidance that still needs to be reviewed and acted upon.

First, each identified area for improvement should be prioritized.  After all, if everything is important, then nothing is important.  Even if the areas for improvement and/or corrective actions are already identified in the AAR (particularly if done by a third party or if the AAR is representative of a multi-agency exercise) you should review this prioritization with your own organization’s stakeholders.  This means pulling together a committee (sorry for cursing!) comprised of key areas within your organization.  This may even mean people from areas that may not have participated, such as information technology, as I’m betting there was something in the exercise about computer systems, programs, internet connection, data access, data continuity, etc.  Don’t forget the finance people, either… some fixes aren’t cheap!

Once everyone has had an opportunity to review the AAR, each identified area for improvement should prioritized, at least to the degrees of high, medium, and low; with a secondary filtering of short-term vs long-term projects.  While some may be relatively quick fixes, others can take months, if not years, to accomplish.  Activities should also be identified that are dependent upon others which may need to be completed first (i.e. a procedure needs to be written before it can be trained on).

That’s probably enough for one meeting.  But the people you gathered aren’t cut loose yet… in fact they are pretty much locked in, so you need to be sure that the people you bring together for this corrective action group have the knowledge, ability, and authority to commit resources within their respective areas of responsibility.  Now that activities have been prioritized, it’s time to assign them… this is why involvement of your boss (if you aren’t the boss) is so important.

Some individuals within your organization will be able to act on their own to make the corrective actions that are needed – while others will need to work together to make these happen.  Consider that there may be more activities than just those identified in the AAR.  For example, the AAR may identify a need for a resource management plan.  That’s good, but we all know you can’t just build a plan and expect it to be ready for action.

For those who are regular readers of my blog, you know I’m a big fan of the POETE elements.  (More on POETE here).  What is POETE?  POETE is an acronym that stands for:

  • Planning
  • Organizing
  • Equipping
  • Training
  • Exercising

What is the value of POETE and what does it all mean?  POETE is a great reminder of the key activities we need to do to enhance our preparedness.  Given that, when we look at an identified need for improvement, we need to consider how to properly address it.  So start at the top:

  • What plans, policies, and procedures are needed to implement and support this corrective action?
  • What organizational impact will occur? Do we need to change our organization in any way?  Do we need to form any special teams or committees to best implement this corrective action?
  • What equipment or systems are needed to support the corrective action?
  • What do people need to be trained in to support the corrective action? Do we need to train them in the plan, about a new policy or procedure?  Do they need training on organizational changes?  How about training in the use of equipment or systems?
  • Lastly, once you’ve made a corrective action, it’s a good idea to test it. Exercises are the best way to accomplish this.

There are obviously other considerations depending on the specific corrective actions and the circumstances of your organization.  Funding is often times one of the most significant.  If you need to obtain funding to make corrective actions, the AAR is one of the best documented investment justifications you can get.

From a project management perspective, the committee should regularly reconvene as a matter of checking in to see how the corrective actions are going.  On a continuing basis, the progress of corrections should be tracked (spreadsheets are great for this), along with who has been tasked with addressing it, timelines for completion, related finances, progress notes, etc.  Otherwise, in our otherwise busy days, these things get lost in the shuffle.

From a program management perspective, this is a process that should be engrained culturally into your organization.  Ideally, one person should be responsible in your organization for coordinating and tracking this corrective action process.  As additional exercises are conducted and actual incidents and events occur, corrective actions from these will be brought into the mix.  It is all too often that organizations complain of seeing the same remarks on every AAR or from experiencing the same issues for every response.  BREAK THE CYCLE!  Establishing a corrective action program for your organization will go a long way toward making these chronic issues go away.

By the way, the same concept can be applied to multi-organizational/agency efforts at any level – local, county, state, federal, regional, etc.  Since we respond jointly, there are great benefits to joint preparedness efforts.  We will likely find that even that we have our own house in order, working with someone else is a very different experience and will require a whole new list of corrective actions as we identify areas for improvement.  This process works great with multi-agency committees.

The bottom line – the biggest reason why we exercise is to test our capabilities.  When we test them, we find faults.  Those faults need to be corrected.  Capitalize on the investment you made in your exercise effort to address those identified deficiencies and improve your capabilities.

What ideas do you have for addressing corrective actions?

Need help with preparedness activities?  Be Proactive and Be Prepared™ – Reach out to Emergency Preparedness Solutions!  We’re always happy to help.

Thanks for reading!

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC

Gauging Return on Investment in Preparedness: Exercises

Tim Riecker, The Contrarian Emergency Manager 1 Comment

In this last article of the Return on Investment series, I’ll be discussing the investments and benefits of preparedness exercises to help organizations determine their return on investment – or ROI.  The series has followed the model of the five POETE elements (Planning, Organizing, Equipping, Training, Exercising).  The inspiration for the series was a piece I wrote called Measuring Return on Investment in Emergency Management and Homeland Security: Improving State Preparedness Reports.  If you haven’t had the opportunity to review the earlier articles in the series, they are linked below:

Planning

Organizing

Equipping

Training

We conduct preparedness exercises for two main reasons: 1) to test plans and procedures, and 2) to provide people with an opportunity to practice their roles and responsibilities.  Exercises can be stand-alone activities or integrated into training and education through scenario-based learning. In the US we use the Homeland Security Exercise and Evaluation Program (HSEEP) as our model for both the macro and micro levels of exercise management.  If you are interested in an in-depth look on HSEEP and its components, you can check out an earlier series I did called Managing an Exercise Program.

As with most major activities we do, exercise-related tasks can be divided out into program management (the macro level) and project management (the micro level).  Since we usually examine ROI for individual activities, we will focus on the micro level of exercises, that is the project management piece, or individual exercises, to identify specific costs (investments) and benefits.

Conducting an exercise takes a fair amount of preparation.  The more complex the exercise, the greater period of time it should take to prepare.  Complexity of an exercise is measured by a few different factors – the number of participants involved, the span of time for the exercise, the complexity of the tasks/plans being exercised, and the number of locations being exercised.  Most of us who have been involved in emergency management and homeland security for a while have seen the full gamut of exercises – from discussion-based exercises like table top exercises, workshops, and seminars; to operations-based exercises like drills, functional, and full-scale exercises.  Often we view functional and full scale exercises as being the most complex, however I’ve been involved in table top exercises and workshops which have involved significant efforts.

Up front, the most significant investment any organization can make in an exercise is personnel time.  All exercise efforts will have a lead planner, and most will be supported by a planning team.  If the exercise involves only one organization, that planning team will typically involve only internal people, while multi-organizational exercises should involve some measure of representation from every organization, either directly or indirectly.  Planning an exercise requires a great attention to detail, drafting and editing of documents, and arranging of logistical matters.  Experience helps, so those who do this less often will typically require more time to do it.  This is why many organizations hire consultants (like me!) to help them with exercises.

During the planning phase for the exercise, you may have some associated costs, such as meeting space, food, and travel for planning meetings.  You may also have these costs for the exercise itself which should be identified during the planning phase.  It is also important to identify any costs associated with audio-visual equipment, communications equipment (including internet connectivity), and even things as simple as name badges and signage.

For the exercise itself, personnel costs are still significant.  You must not only consider the time of all participants (as well as potential travel costs), but also the time of your exercise management staff – an exercise director, controllers, evaluators, and possibly staff for a simulation cell.  Again, experience helps to support a successful exercise, so if you don’t have the depth of experience in your organization, consider hiring consultants for the conduct and evaluation of the exercise as well.  Either way, exercises can be significant investments.

Once the exercise is complete, the activity isn’t over – and neither are the costs.  The evaluation team needs to draft the after action report (AAR), and conduct an AAR meeting with the planning team and principal participants to ensure that everything was captured accurately.  Once the AAR is finalized, action items identified in the AAR are assigned to responsible parties to address improvements.  These improvements are generally not considered part of the cost of the exercise itself, but rather part of your general preparedness costs (these will all fall within the POETE elements).

While exercises come at no insignificant cost, the benefits are tremendous – if the exercise is done properly.  A well designed, conducted, and evaluated exercise provides better outcomes and benefits.  The AAR should reflect not only best practices that should be continued, but also areas for improvement which should be addressed to enhance preparedness.  Any of these, as mentioned in the last paragraph, can fall within the five POETE elements – Planning, Organizing, Equipping, Training, and Exercising.  While each of these certainly have costs associated with them, the benefit from the exercise was identification and documentation of need.  Perhaps you are exercising a new active shooter response plan and through the exercise realize that a certain procedure was based on poor assumptions – if this plan was put in place without being exercised, the outcomes in a real life event could have been catastrophic.  It’s better to identify these issues through an exercise so they can be addressed with much less cost.

As I mentioned earlier, another reason to exercise is to provide participants with an opportunity to practice plans, procedures, or skills in a safe and structured environment.  While there is a great deal of routine to what we do in emergency management, homeland security, and public safety, there are certainly activities that we don’t do very often, resulting in degradation of skill over time.  Many of these activities, though, are absolutely critical when needed, which means that we must give practitioners ample opportunity to practice and apply what they have learned through training.  The benefits of this, depending on the activity, can include increased efficiency (time), reductions in injury and loss of life, and proper use of equipment and protocols.  Additionally, there are benefits to getting people to work together in these activities, especially for those who don’t usually work together.  Emergency management, after all, is about collaboration.

Because of the wide range of things we exercise, it’s up to you to examine what your investments and benefits might be.  At EPS, we can help you with designing, conducting, and evaluating exercises; identifying potential costs and benefits of an exercise; and other preparedness activities.  We’re happy to help!

Feedback from this return on investment series of posts has been very positive, which I greatly appreciate.  We also got some good dialogue across all mediums including the blog home page (www.triecker.wordpress.com) and various LinkedIn discussion groups – some of which provided some excellent additional ideas on how to better capture information on investments and benefits.  The challenge remains to not only identify these, but to convert them into meaningful information for decision makers, which usually involves currency values.  Thank you, as always, for your time and attention.

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC

Community-driven Preparedness

Tim Riecker, The Contrarian Emergency Manager Leave a comment

As many of you know, September is National Preparedness Month.  The website offers a number of resources, mostly for governments, to engage citizens and community groups in preparedness.  Higher level engagement of citizens is extremely important to better enable to them to care for themselves for a period of time so they are less dependent upon government and emergency services in the event of a disaster, freeing up these services to address matters of high impact and high importance.

National Preparedness Month is a great opportunity to get information out to everyone!  Consider every facet of your community.

  • Schools and day cares
  • colleges and universities
  • nursing homes, assisted living facilities, retirement homes
  • business and industry
  • community organizations, service organizations, labor unions
  • religious organizations
  • government offices
  • travel and tourism offices and entertainment venues

What will you do to get the word out?  I’d suggest a multi-pronged approach… static information on your website is a good central point to direct people to.  Pamphlets and handouts are great to get information into people’s hands, especially at gatherings.  Social media is a great outreach tool that should be used often.  (and if you think you are OK just having a Facebook account, you really need to take a social media class!).  With organized groups, invest time to meet with them and present to them.

One of my biggest tips is to actually give people something to do, give them a mission.  Don’t just direct them to preparedness information and count on them to do something with it.  Busy people (and even non-busy ones) aren’t wired that way.  ENGAGE them!  Don’t just speak at them.  Challenge them to be prepared and give them benchmarks.  Tell them how important it is for them to be prepared, not just for themselves, but for their families, their neighbors, and their communities.

Target your message to the specific groups you are speaking to.  A senior citizens organization should be getting a vastly different message than the Chamber of Commerce.  Organizations at all levels can be encouraged to join a VOAD (if you don’t have one – form one!) or other coalition to provide services before and after disasters.  There is no longer any mission for the community that is just for one organization any more.  The demands are too high for that.  Sheltering can’t be handled by the Red Cross alone and the local humane society or ASPCA can’t handle all pets in a disaster on their own.  I’m betting even your health department could use a hand with points of distribution.

Businesses can help, too.  Along with becoming a community partner, they also need to be prepared.  The SBA, through Agility Recovery, is offering a number of webinars this month which can be found here.

Yes, all this campaigning takes some serious time and effort.  Engage others to help you, establish a strategy and a message, and get out there.  Community preparedness pays dividends.

As with most things I write about, Emergency Preparedness Solutions can help you with community messaging and engagement – any time of year!  Info below.

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC

WWW.EPSLLC.BIZ 

What is the Top Sector at Risk for Cyberattacks?

Tim Riecker, The Contrarian Emergency Manager 1 Comment

3D Electric powerlines over sunrise

According to this article in the Insurance Business America magazine, it’s the energy sector.  This is no surprise, even without the statistics provided in the article; although the statistics are pretty staggering.  The article states that according to DHS “more than 50% of investigated cyber incidents from October 2012 to May 2013 occurred within the energy sector”.  The advice in the article is pretty sound and coincides well with what I’ve suggested many times in this blog… be prepared!  Not only do power utilities need to have their own cybersecurity experts and the policies, plans, and infrastructure to prevent cyberattacks, they also need to be prepared for the potential success of the attackers.  They need to know who to notify (and how), and what actions to take.  Further, those that depend on electricity should have an alternate means of obtaining electricity to meet essential needs.

Threats to our infrastructure show just how interconnected we are and how interconnected our critical infrastructure is.  This is the primary reason why our energy infrastructure, which touches every other sector, is so essential.  We must ensure that we have in place prevention and protection plans, such as cybersecurity plans; hazard mitigation plans to lessen the impacts; response plans to address critical issues; and recovery plans to return to operations.  Business continuity is also an essential component of this – even if you are an NGO or government entity (continuity of government).

Along with proper planning, training, and exercises, we need to continue to promote legislation which requires measures for cybersecurity and protection of our critical infrastructure.

What are your major critical infrastructure concerns?

© 2015 – Timothy Riecker

EMERGENCY PREPAREDNESS SOLUTIONS, LLC

WWW.EPSLLC.BIZ

Deliberate Planning – Strategic Planning and Business Continuity

Tim Riecker, The Contrarian Emergency Manager Leave a comment

Many organizations put forth extraordinary effort to develop strategic plans to give concerted organization-wide direction to the organization for the coming 3-5 years.  Like many of my readers, I have been part of several strategic planning efforts in different organizations, sometimes helping to lead the way.  There is a great deal of value to strategic planning as it helps not only refine the organization’s vision, but also develops objectives to help it get there while (ideally) bringing the entire organization on board – from finance, to HR, to operations, and facilities – everyone is facing in the same direction and striving to accomplish the same goals.  Just as strategic planning should not be performed in a vacuum, business continuity planning should not either.  Just as strategic planning engaged the whole organization, as should business continuity planning.

If the efforts of strategic planning and business continuity planning have such foundational similarities, why not bring the two together?  As the goals of these two efforts are distinctly different we certainly can’t merge the efforts, but the overlaps provide for easily exploitable opportunities within the organization.  How?

First, make business continuity and resilience a goal of your strategic plan.  What does this do for the organization?  Just like the other goals identified in strategic planning, it provides a documented leadership-driven purpose which will engage the whole organization.  Every business unit in an organization has a stake in business continuity.  Just with other goals within your strategic plan, the specific actions will be identified through objectives – be it a start to your business continuity program or a continuation and improvement thereof.  As mentioned in previous posts, business owners and managers put forth a great deal of effort to build and expand their businesses, but we also need plans to stay in business in the event of a disaster.

Second, once the strategic plan is completed, you now have a group of people from across the organization who now hopefully work well together – engage them!  Turn your strategic planning committee into your business continuity committee.  Good strategic planning provides for someone (ideally the planning group) to monitor the implementation of the strategic plan.  This takes minimal time compared to developing the strategic plan, allowing for this group – who has already worked together for some time and has gone through the group dynamics of forming, storming, norming, and performing – to focus on another task.  Why pull together another group of different people?  It’s a waste of time and the team will lag in performance.  Simply reengage them and change their focus.  This group is a great asset who has already proven they can represent their business units while still having an organization-wide perspective.

Third, mine data from the strategic planning process to support business continuity.  A thorough strategic planning process has examined the organization from many angles and perspective – particularly through a SWOT analysis (strengths, weaknesses, opportunities, and threats).  While a SWOT analysis is performed from a business standpoint, much of the data obtained and derived from this analysis can inform both your hazard analysis and the identification of mission essential functions – these are the things which you MUST DO to stay in business and to minimize the greatest losses.

Lastly, continue the relationship between strategic planning and business continuity.  Both work in a cycle of continuous improvement and those cycles obviously intersect – not just at one point but potentially at multiple junctures; an important consideration of a business continuity program is the impact which disasters may have not only on current business operations but also on planned business initiatives.  This shared knowledge and insight between two planning efforts conducted within one group is invaluable.  As strategic planning continues, new objectives for the business continuity program should be included while resiliency opportunities identified through the business continuity program should inform the strategic plan helping the organization overall to become more resilient and sustainable.

What are your thoughts on the synergy between strategic planning and business continuity?  What other opportunities do you see?

As always, if you need help starting, growing, or rebuilding your business continuity or emergency management program, Emergency Preparedness Solutions, LLC can help.  Contact us through www.epsllc.biz or directly at consultants@epsllc.biz.

© 2014 – Timothy Riecker

Business Continuity in the Food Service Industry

Tim Riecker, The Contrarian Emergency Manager Leave a comment

Last year I had the pleasure of working with a number of folks in the food service industry on business continuity.  Just like any industry, they have some very specific mission essential functions which must be maintained or minimally disrupted in the event of a disaster. 

If you’ve watched Bar Rescue or other similar shows (or eaten in a restaurant) you should know that sanitation is a critical issue in the food service industry.  Sanitation is the aspect of food service which is most heavily inspected (not as often as it should be in my opinion) and cited.  It is a critical component of regulation in the food service industry (usually done by local health departments) and failure to comply with sanitation can, will, and should result in being shut down.  Operating in a disaster environment is no exception to this – particularly when people are more susceptible and more exposed to food borne illness during disasters.  Part of sanitation, by the way, also includes the control of vermin. 

In my discussions with food service folks on business continuity, sanitation is the primary mission essential function they must maintain.  Others on the list include receiving and storage (at appropriate temperatures) of food goods and preparation of food (to proper temperatures and maintaining those temperatures until food is served). 

As restaurants examine their hazards they need to know what impacts hazards can have on their operations.  Certainly a loss of power can inhibit their ability to store and prepare food – but does it make it impossible to do so?  Maybe.  Dry ice can help regulate cold storage, but must be carefully monitored.  Food preparation is often done with natural gas or propane stoves, so power may not necessarily be required.  Even refrigeration can be outfitted to be powered by propane or natural gas.  That’s how food trucks and carts do it. 

Other considerations during a disaster are the ability of employees, customers, and suppliers to access your location.  You may have to operate with minimal staff as some of your staff could have been impacted by the disaster.  Assuming access is viable and that you can safety store and prepare food, it is possible for you to make money or at least minimize losses, even with a smaller menu, since those impacted by a disaster may not be able to make their own food and responders and relief workers will be happy to sit down and enjoy a warm meal. 

The best way to minimize your losses during a disaster is to have a business continuity plan.  If you need help building one, call Emergency Preparedness Solutions, LLC.  Reach us at consultants@epsllc.biz or www.epsllc.biz

National Preparedness Month Webinars for Businesses

Tim Riecker, The Contrarian Emergency Manager 1 Comment

September is National Preparedness Month in the US and to help promote preparedness across the whole community, FEMA is partnering with the Small Business Administration and their consultant Agility Recovery to spread the word to the business community.  Below is information on a webinar series with topics to help prepare your business!  

Get Your Business Ready For Any Kind of Disaster at Free National Preparedness Month Webinar Series

 WASHINGTON – Each year small businesses nationwide are forced to close their doors in the aftermath of severe storms, flooding, tornadoes, wildfires and hurricanes. Business interruptions, even if they last just a few hours, are costly in terms of lost productivity and profits.

 You can get help with your own business preparedness planning through a series of free webinars in September hosted by the U.S. Small Business Administration and Agility Recovery.   The September series is presented in collaboration with FEMA’s Ready Campaign as part of National Preparedness Month.  

 The SBA wants to help business owners take charge of the well-being of their own companies, the safety of their employees, and the sustenance of their local economies by being prepared to rebound quickly from any kind of disaster.

 The half-hour webinars will be presented at 2 p.m., Eastern time, each Wednesday in September. Visit http://snurl.com/296yw4e to register for any or all of the webinars listed below:

 September 3: Crisis Communications for Any Organization

Learn best practices for developing an emergency communication strategy.

 September 10: How to Plan for a Power Interruption…and Recover Fast

Tips on how to make your company resilient and better prepared to mitigate losses during power outages.

 September 17: The Top 5 Steps for Preparedness This Year

The top five ways to prepare for disaster-related business interruptions will be discussed.

 September 24: If You Do Nothing Else This Year

Simple, low-cost tips on building a solid business continuity plan.

 SBA has partnered with Agility Recovery to offer business continuity strategies through their “PrepareMyBusiness” website. Visit www.preparemybusiness.org to check out the archived webinars and for more disaster preparedness tools.

Business Continuity and Emergency Management Standards and Requirements

Tim Riecker, The Contrarian Emergency Manager 2 Comments

When building a business continuity or emergency management program – or the foundation of that program in a business continuity or emergency management plan – there is a lot of research that needs to be performed before much work can even begin.  Some of the most critical research is the identification of the standards and requirements which apply to your program/plan.  Note a significant difference in terminology between requirement and standard.  Requirements are generally items that are in passed into law or included in regulation.  Standards are typically developed by standards organizations or accrediting bodies and are generally looked upon as best practices within an industry.  Standards are also more likely to be regularly updated whereas requirements (laws) are generally updated on a less often basis.

Where should you look for requirements and standards which apply to you?  Much of it is based upon what industry you are in and where you are located.

Start locally.  Research local laws and codes which may have requirements for certain industries.  Local emergency management planning codes that I’ve seen include industries that use or produce specific chemicals, healthcare facilities, day care programs, and the hospitality industry (hotels and resorts), to name a few.  These codes may require certain planning or notification elements which you must address.  You should search the codes/laws of your city/town/village as well as your county.  The clerks or emergency management officials for those jurisdictions should be of great help to you.  States usually also have specific planning requirements found in state law and/or regulation which cover requirements for local jurisdictions as well as many of the industries mentioned previously.  Contact your state emergency management agency as well as the state agency that regulates your industry for the best information.

Local and state laws comprise most of the requirements you will find – however certain industries may have federal laws or regulations which must be followed – many of these come from the EPA.  Nationally, however, you are more likely to find standards.  FEMA’s standard for emergency planning (which largely applies to jurisdictions but can certainly be used by other organizations) is found in Comprehensive Preparedness Guide (CPG) 101 – Developing and Maintaining Emergency Operations Plans.  While there is no up front legal requirement to follow CPG 101 from FEMA, it may be a requirement of grant funding – yet another requirement you must explore and address.  Certain industries seeking ISO (International Standards Organization) accreditation may need to follow various ISO standards on emergency management and safety.  Overall, if your industry has a professional association or accrediting body, they are an excellent resource for you.

But isn’t there some standard that applies broadly to everyone?  Yes – that is NFPA 1600.  The National Fire Protection Association (NFPA) creates standards which apply to many industries and are often legally adopted as code by jurisdictions.  The NFPA itself does not create law or regulation but they drive many of the standards we see across the nation in many applications including chemical production and handling, engineering, electrical, plumbing, building and development codes, fire codes and others.  NFPA documents are developed through a consensus standards development process approved by the American National Standards Institute (ANSI).  NFPA 1600 is the Standard on Disaster/Emergency Management and Business Continuity Programs.  Typically access to NFPA documents requires membership or a fee per document (their material is copyrighted), however NFPA 1600 is seen as so critical and broad-reaching that the NFPA offers access to the document free of charge.

NFPA 1600 is comprehensive yet open enough for individual application.  You won’t see from NFPA 1600 any detailed guidance in how to write a plan, but you will see the steps of a planning process and key benchmarks they recommend be addressed in a plan.  In addition to planning, the standard also addresses program management, training and exercises, and program improvement.  Intended to be used as a tool, the standard also includes program evaluation checklists and references other best practices in emergency management and business continuity including DRII (Disaster Recovery Institute International) and United Nations programs.  An annex within the standard even addresses family preparedness programs intended for employees.

While the standards you must follow are dependent upon your location and industry, NFPA 1600 can be applicable to all organizations and should be referenced in the building and maintenance of your emergency management and business continuity plan.  For those of you dependent upon access to information on your mobile devices, they even have a free NFPA 1600 mobile app (I reference it often!).

Adherence to requirements and standards helps ensure that your program meets or exceeds all expectations and best practices.  Even if you are not legally obligated to do so, following standards, such as NFPA 1600, provides you with a comprehensive program which will help you better prepare for, respond to, and recover from disaster.

If you need help navigating your emergency management requirements or standards, contact Emergency Preparedness Solutions.  Visit our website at www.epsllc.biz.

© 2014 Timothy Riecker

Business Continuity – Telework Capabilities and Policies

Tim Riecker, The Contrarian Emergency Manager Leave a comment

This month’s issue of Homeland Security Today (volume 11, number 3 – April/May 2014) features, along with a variety of other excellent articles, an article titled Virtual Crisis Response by David Smith.  Right up front they provide a thought-provoking factoid… The Congressional Budget Office estimates that the five-year cost of implementing telework throughout the federal government is about $30 million, which is less than the cost of a single day of shutting down federal offices in the DC area due to a snow storm.

SHX1877.TIFFolks, this is 2014.  We have the capability to telework off of nearly any device you could imagine and for a very low-cost.  Like most, I have access to both work and personal email and files from anywhere… from my own laptop, from my smart phone, or from any other internet connected device.  I have this capability as a small business owner using tools that we set up ourselves.  I’ve worked for large corporations and state agencies that also have that capability, and even more with VPN and other tools available.  When speaking with people who work for other companies or government agencies, however, I’m astounded by the lack of interest in allowing telework.  I’m going to refrain from outlining the virtues of telework as a regular operation (don’t get me wrong, there are drawbacks as well), but telework does provide for a means of maintaining continuous business and government operations which many businesses and governments seem to be dismissing.

There are quite a few businesses and governments who maintain remotely accessible email and data as a means of enabling the conduct of business while traveling or working from an alternate site as a normal course of business – thankfully.  Many of these entities, however, due to a lack of trust in their employees, union issues, or simply an inability to adapt do not allow employees to telework.  This may have discouraged employees from even attempting to connect to these services from home, where they may likely be if some event – flood, snow storm, or otherwise – prevented them from going to work.  Maybe you do have the capabilities but generally don’t allow telework.  So how can you be sure that it will work in the event of a disaster?  The answer is simple… you have to test it.

The Homeland Security Today article provides some info on the tech stuff you need to ensure a viable network.  Follow their lead and talk to your tech people – either indigenous or consultants.  I’m not a tech guy, so I won’t even attempt to give that kind of information.  What I will tell you is that you need a business continuity telework policy along with plans and protocols to support it.  These plans need to identify the same critical business functions you identified in your base business continuity plan and address how they can be maintained remotely.  Just like any other plan we put in place, we need to train people to it and test it (exercise it).  How do we exercise it?  For starters, tell everyone (or at least key continuity staff) they don’t have to come into the office on Friday.  No, they don’t get the day off – they have to work from home, but this is a test to make sure it is possible.  Be sure to buy your help desk people something nice that day because they will be busy!  There will be plenty of connection problems.  Properly designed job aids will help facilitate this on the user end, but tech people will be needed to trouble shoot.  Of course before you even get into this you will have to make sure that everyone has the capability to connect from home.  Do they have high-speed internet at home?  Do they have an appropriate device for connecting and working through the day?

Next, once you have everyone on the network, consider how you will communicate.  Teleconference?  Video conference?  Remember that these people don’t have their work desk phones.  What information needs to be exchanged?  What is everyone’s role and can they perform it remotely?  Can they gain access to all the data and files they need?  Test the viability of the network, too… is your server in your office?  What happens if you lose power to your office?  Understand that some employees may experience utility outages during a disaster which may prevent some employees from accessing the network, but the goal is to get as many people on as possible to maintain critical business operations.  Given this, your plan should address how you will maintain critical operations in the absence of some employees – even remotely.

Just like any other exercise, put together an after action report, and not just from the perspective of the IT folks either.  Be sure to solicit input from the employees as well.  What were your lessons learned and what improvements need to be made?  Lastly, don’t just exercise this once.  Do this at least a couple of times each year.  Not only does this give you ongoing feedback of the plan, but it also helps to make sure employees can continue to connect remotely (especially new employees), and also helps to ensure that technology upgrades don’t interfere with remote access.

Do you have telework protocols integrated into your business continuity plan?  Have you exercised them?


© 2014 Timothy Riecker