Keys to Narrowing Business Continuity Planning Gaps: Training, Testing & Audits

Betty A. Kildow, CBCP, FBCI, Emergency Management Consultant
Kildow Consulting, 765/
94th Annual International Supply Management Conference, May 2009

Abstract. A Business Continuity Plan is not a plan until it has been tested; it is only theory. A program of training, exercises, and tests moves plans beyond the concept stage, provides training opportunities for employees, and helps identify needed corrections in procedures and plans. All employees are critical to the success of your Business Continuity Program and need to receive the appropriate level of education and training. For most employees this will entail the basics: what programs exist, the purpose of each, what it means for them, what they can expect from the organization when disaster strikes, and what the organization expects of them. For Business Continuity Teams, exercises and tests provide advanced training and an opportunity to identify needed improvements to strategies and plans before a disaster occurs. Business Continuity planning is not a check-the-box endeavor, not a project with a start and a finish. To ensure that your Business Continuity Program will serve the organization well when disasters occur, it must be maintained through regular reviews, updates, and revisions.

You Have a Business Continuity Plan...Now What?

Once a business continuity plan has been developed, likely after going through several draft iterations, it is important to make sure that the plan provides the guidance necessary to make the business continuity strategies work. Have all business continuity team members read and assess the plan document.
Here are some of the questions to consider when assessing your business continuity plan:

- Does the plan address the requirements of the entire supply chain, including the manufacturing process through the distribution process, spanning all movement and storage of raw materials and in-process and finished inventory from point-of-origin to point-of-consumption?
- From a supply chain perspective, does the plan take into account all internal and external links and interdependencies?
- Have consumer requirements been taken into account?
- Does the plan meet customer requirements by including strategies for maintaining full customer service and meeting all service level agreements?
- Does the plan meet applicable regulatory requirements?
- Does the plan fully document under what circumstances the plan will be activated and the team notified, who has the authority to do so, and how that will be accomplished?
- Does the plan tell those responsible for carrying it out where they are to go, what they are to do, and how they are to do it?
- Does the plan include a reporting structure?

- Is the plan user friendly and easy to read, with step-by-step checklists for all team members?
- Does the plan consider people issues and provide business continuity team staffing that includes primary assignments and at least two backups for all business continuity team members and others assigned responsibility for continuing or restoring critical functions following a disaster, in the event you can't contact them, they can't get to where they're needed, or they're not available?
- Is there "people redundancy": cross-trained personnel who can fulfill all identified critical functions should the primaries be unavailable?
- Does the plan include an attachment listing complete contact information for all external as well as internal key contacts, e.g., customers, suppliers, and contractors?
- Are hard copies of the plan available off-site?
- Does the plan detail requirements for regularly scheduled reviews and/or internal or external audits?
- Are there controls to track distribution of copies of the plan and make certain all plan holders receive all updates and revisions?

Keep in mind that it is highly unlikely that only those involved in developing your business continuity plans will want to review them for sufficiency. Auditors, both internal and external, are increasingly interested in business continuity and disaster recovery plans. Gone are the days of simply checking a box indicating that a plan exists. Today it is likely that auditors will review the plans in detail for content and for frequency of updates and testing. For some businesses, regulatory agencies have business continuity-related requirements. Additionally, be aware that customers and clients are more and more interested in your company's capability to continue to provide your product or service following a disaster and may have questions about your business continuity plans. Continually look for gaps and areas needing improvement.
There are several areas of business continuity planning that are often overlooked or under-planned. One of these is disaster communication.

Disaster Communication.

Maintaining contact with employees, other company locations, customers, suppliers, contractors, regulatory agencies, shareholders, and other stakeholders is an essential part of managing the disaster, and one that is often overlooked or given insufficient attention. Post-disaster communication strategies need to be detailed in your business continuity plan. Additionally, being prepared to handle requests from print media, radio, and television can help ensure that the media does not become a secondary disaster. Situations initially viewed as minor annoyances or small emergencies may turn into a disaster if adequate communication is not maintained or if the media becomes interested. In particular for the visual medium of television, action events are perfect for newscasts. Therefore, fires, incidents resulting in injuries or fatalities, bombings, etc., will draw attention and be excellent candidates for a broadcast with "film at eleven."

A serious problem, and the way in which you opt to respond to the situation, including your crisis communication strategy, may represent a critical turning point in the way your company operates and in the way you are perceived by your stakeholders, including customers, suppliers, regulatory agencies, and the public in general. It is important to consider and have a plan for keeping those who may have heard about the crisis and who have a vested interest in your company in the loop. This includes customers who need assurance that the products or services they receive from you will still be delivered...on time and at the quality level they expect. Employees will want to know what they are to do and how the crisis may impact them and their jobs.

There are four components of effective disaster communication with stakeholders: (1) getting the right information to the right people at the right time; (2) the technical capability to communicate; (3) clearly communicating the information; and (4) rumor control to prevent misinformation.

Your post-disaster communication with stakeholders will be more timely and effective if, before a crisis occurs, there is pre-assigned responsibility for keeping key contacts informed. Identify who will establish and, as necessary, maintain contact, with whom, and how. As with all others who have disaster response responsibilities, have a backup for each person with primary responsibility should they not be immediately available when a disaster occurs. Create a database of key stakeholder contacts that is maintained and updated frequently. Prepare templates and sample letters to speed the process of getting written updates to stakeholders. Present your information to all stakeholders quickly and honestly. As appropriate, provide frequent updates on how you're doing in responding to and recovering from the disaster. Customers, while they will sympathize with your plight, need to know how your situation will impact them.
Above all else, will the service/product you provide be delivered as scheduled?

Identify the groups and individuals with whom your company will need to communicate when a disaster occurs. Get input from throughout the organization. Include both those who have an actual need for information and those who believe that they need information. In the case of the latter group, remember that if you don't provide information, they will most likely get it elsewhere, or even create their own answers.

If not already in place, consider developing and implementing a company policy that employees are not to give statements to the media. Not everyone is skilled at giving statements or interviews, and having a "no statement" policy benefits both the organization and the employee. It protects employees from possibly being responsible for incomplete, incorrect, or proprietary information making its way to the front page of a newspaper, or from being the source of a damaging sound bite on an evening news broadcast. Educate employees about the importance of following the company's media policy and also provide them with information about to whom they should refer media representatives who contact them. Include complete and accurate contact information. Having a reporter with a microphone ask for your opinion or having a news camera bearing down on you can be compelling. While reporters have the right to interview anyone they want to, everyone has the right to decline to be interviewed.

A "no comment" policy and a person to whom to refer media representatives provide direction and make it easier for employees to decline to comment. The importance of acting promptly when responding to a disaster cannot be overstated...tell it all, tell it fast, and tell the truth.

To prepare for successful disaster communication, develop and regularly maintain notification lists: a list of immediate internal notifications to be made in each type of crisis (e.g., CEO, Public Relations Department, Security, Legal). Designate how each person will be contacted and by whom. Include business and home contact information, including land line telephone, cell phone, PDAs, and e-mail. A helpful tool is a laminated card containing this information that is carried by those with crisis communication responsibilities. Keep all employees informed through use of an employee 800 number, e-mail, intranet, and increasingly sophisticated electronic notification systems. Employees need to know when and where to report to work, or that they are to stay at home until notified otherwise. Also consider how your company's Internet presence may be used to communicate your message when a crisis occurs. An additional pre-assignment may be a person (or persons) who will facilitate use of the Internet to contact identified stakeholders, keep them advised of the company's actions in responding to the crisis, and possibly make information available to the general public.

Test disaster communication capabilities often. Update all contact lists and contact information in electronic notification systems. Ensure that those assigned communication responsibilities receive complete training with periodic updates and refresher training. Develop communication redundancies and test the technology often.

Training and Testing...The Reality Check.

A plan is not a plan until it has been tested; it is only theory.
A program of training, exercises, and tests is an integral part of any Business Continuity Program; it moves plans beyond the concept stage and provides all employees with the appropriate level of education and training. A written plan by itself is of little help when disaster strikes. To ensure that the plan is workable and doable, personnel must be trained and the planned strategies must be tested. Staff assigned to business continuity teams need tailored, detailed training which focuses on their particular roles. In addition, it is essential that the plan's strategies, equipment, and personnel be exercised and tested. This can be accomplished through tabletop and functional exercises and specialized field tests (e.g., Business Continuity Center exercises and hot site and alternate work site tests). Think of training, exercises, and tests as disaster rehearsals, an opportunity to learn critically important lessons before a disaster occurs. It is through ongoing tests and exercises that we work out the kinks, enhance our strategies, and help ensure a smooth return to normal business operations.

Training for those involved in carrying out business continuity responsibilities provides an opportunity to develop practical knowledge of the business continuity plan and its processes. Business continuity team members also gain a more complete understanding of their responsibilities: what to do, why it is being done, and where it fits in the bigger business continuity picture.

When planning exercises and tests we have options. First, provide basic business continuity orientation for all employees, beginning with an orientation for new hires. Provide regularly scheduled refresher training as well as updates as needed to introduce revised strategies and procedures. Develop and deliver detailed training for business continuity team members and others charged with carrying out business continuity strategies. Then, choose the best exercise type for the situation and the maturity of your business continuity program and team members. There are three basic types: tabletop exercise, simulation (or functional) exercise, and field (or full-scale) exercise (test). In business continuity, "exercise" is the more commonly used terminology, while "test" is more commonly used in disaster recovery.

A tabletop (walk-through, desktop) exercise is a non-stressful, slow-paced exercise used to evaluate strategies, plans, and procedures and to provide a training opportunity for team members. Team members are presented with a disaster scenario, and as participants discuss the situation and problem-solve using the plan document, they become more familiar with their roles.

A simulation (functional) exercise is designed to give team members a more realistic, hands-on experience in dealing with a disaster situation. A simulation is faster paced and more stressful than a tabletop exercise. It enhances communication and decision-making skills and helps further familiarize team members with the plan and procedures. A simulation exercise involves two groups. The first is the business continuity team; the second is a simulation team. Working with an agreed-upon realistic disaster scenario and scope, prior to the exercise the simulation team develops messages that, in the event of a real disaster, might be received by the business continuity team from anyone, anywhere inside or outside the organization.
This will likely include public safety officials, customers, suppliers, regulatory agencies, stockholders, government officials, media representatives, and employees. Team members must then decide what actions are needed and what response to the messages received is required, if any. To be fully effective, test actions must mirror reality. All actions taken by team members must be based on existing plans and procedures and on resources that actually exist.

A field (full-scale) exercise is based on a disaster scenario and involves the actual mobilization of the business continuity team. This type of exercise adds an integration and coordination component to the simulation (functional) exercise as people and resources are moved, perhaps to a disaster recovery hot site or an alternate work area.

Think of exercises and tests as rehearsals, an opportunity to practice before an actual disaster occurs. Exercises raise awareness and provide a team-building opportunity, as well as identifying needed corrections, improvements, and enhancements to plans and strategies. Develop an annual program of orientation sessions, drills, training sessions, exercises, and tests. Remember to eventually include both primary and alternate team members in the exercise process. And once your plan is mature, consider including suppliers, contractors, and even customers in exercises. Doing so increases the realism, expands learning, and provides opportunities for partnering in business continuity planning.

New lessons are learned with every test, every exercise, as well as when disasters occur. We want to be certain that our planning incorporates all the lessons learned, not only our own but those of others who have been impacted by recent major disasters, for example:

- Prior planning had been done on the assumption that the results of a disaster would be much less far-reaching and long-term.
- People expected to carry out Business Continuity responsibilities were not available.
- Air transportation infrastructure was shut down, making it impossible to move products, supplies, or people by air. Some businesses realized that a great percentage of their business was tied to the airports.
- More extensive communication outages of longer duration were experienced.
- There was a lack of reliable transportation.
- Electrical power outages were accompanied by a lack of fuel for generators.
- Multiple facilities were destroyed or sustained significant damage.
- Buildings were under water or otherwise inaccessible for weeks.
- Mail service was interrupted for as long as several months.
- People were displaced for extended periods of time.
- The recovery period extended far beyond what was expected and what was addressed in business continuity plans.

Answers to important questions are found through a program of tests and exercises. How effective are the plan documents? Is greater detail needed in some sections of the plan? Is our business continuity team structure what is needed, or do we need additional roles? Do we need more communication equipment? Is our notification procedure working as planned?

While exercises have enormous importance as a training vehicle, the greatest value comes when we fully capture the lessons learned. Have exercise participants and an observer (or observers) take notes on issues and challenges that arise during the exercise. Conduct a debriefing session as soon as possible following the exercise. Did we do what the plan said we would do?
What worked well, what did not work as planned, and what do we need to do to improve strategies, procedures, and the plan document? Capture the lessons learned, assign responsibility for completion of each action item and a specific deliverable date, and begin preparations for your next exercise.

The Perpetual Work In Progress.

Developing a business continuity plan is never a job that is complete. Best practices call for a full review and update of plans annually, in addition to interim revisions made necessary by substantive changes in any information contained in the plan, including business continuity staffing, contact information, procedures, technology, or lessons learned from tests and exercises. Ensure that all plan holders receive all updates and revisions. A Business Continuity Plan is never finished; rather, it is always a work in progress. Conduct a formal review/audit of the entire plan not less than annually. In addition to a full review, there are certain triggers that signal the need for additional plan reviews and updates. Changes in the physical plant or equipment, changes in hazard and vulnerability information, changes in personnel, a reorganization, changes in policy, changes in regulatory requirements, and audit requirements are signals that strategies and plans should be reviewed for necessary changes. It is likely that the greatest challenge in maintaining current information in plan documents is ongoing changes in contact information for employees and critical suppliers and contractors. To help manage the impact that ongoing organizational changes make in Business Continuity Programs, establish documented policies, supported by management, that require all changes that could possibly impact Business Continuity to be reported, e.g., to the Business Continuity Manager. If the organization has a Change Management Department or function, link Business Continuity to the established change management process. Experience will almost always identify needed changes in plans. The hope is that the experience will be a test or exercise rather than an actual disaster.

Summary.

In today's world, everyone in the organization has responsibility for their own safety and security and that of others, as well as a responsibility to help prevent and protect the organization from disasters. Through a program of training and testing that includes all employees, we can help ensure that everyone is aware of the part they play and understands what the organization is prepared to do. Exercises and tests provide the best possible reality check for your plans other than an actual disaster. Plans must be reviewed and updated frequently to ensure that the information they contain is accurate and current. The overall result is a better prepared organization and a stronger line of defense against future disasters.