Emergency Response & Business Continuity: The Next Generation in Planning
By Owens, Russell W | |
Proquest LLC |
A safety professional working for a smallto-midsize business (SMB) is often asked to develop emergency response and business continuity (E&BC) plans to protect staff and facilities. These plans predict likely hazardous _ events and describe how the SMB can protect itself and its employees from any immediate threat.
To be most effective, the next generation of E&BC plans should go beyond simple evacuation plans. These plans should be specific, tailored to the SMB's operations and encompass all facets of the business. Safety professionals charged with this task must be aware of the true responsibility involved. They need to think long term-not just about protecting current operations. Today's E&BC plans should include procedures necessary to recover critical functions to help get the business back up and running should a future loss occur.
Financial Impact/Return on Investment
No matter the business size, response to a disaster and the subsequent effect on business continuity can be daunting. The extent of the effects will vary depending on the characteristics of the disaster, time of year, specific areas of the company affected and duration. In the authors' experience, SMB companies experience a greater proportional effect on their bottom line than larger companies. Therefore, an SMB's failure to prepare for a disaster is the business equivalent of playing Texas Hold'Em-an all-in decision with the future of the SMB riding on the outcome.
Studies have shown that publicly traded companies without a plan or with an inadequate plan reduce their market viability. When market share is lost due to a catastrophic event, it can profoundly affect an SMB's ability to stay in business. Some SMBs may initially recover from the disaster, but reports suggest that "one in four small businesses that close due to a disaster will never reopen. Anecdotally, the statistics are probably higher" (
The days of a simple evacuation plan are over, and safety professionals must consider a disaster's overall effect on the company's long-term health. In a crisis, you do what you have to do, but it is better to do what you planned to do. Put another way, "Planning is vital, but plans are the source of actions" (Kelly, 1989). This is especially true if the company is going to survive the catastrophic event.
In the past, executives have seen the development of E&BC plans as a "document production factory producing reams of paper in three-ring binders" (Mah, 2012) that fill bookshelves and devour budgets with no return on investment (ROI). This view is changing. More and more SMB executives are asking these questions:
*Do these plans make us money?
*Do they save us money?
*Do they benefit our customers?
*Is this only to satisfy a regulatory requirement?
The answers to these questions must show how such plans will positively affect a company's bottom line. To make these plans successful, one must develop strategies and activities that help answer these questions.
How this is achieved varies from business to business and industry to industry. One method asks the safety professional to become involved with the organization's day-to-day decision making rather than standing on the sidelines until disaster strikes. The volume of an organization's data available to the SMB safety professional should help support the decision-making process. Business continuity should become integral to defining and shaping business decisions to ensure that, even after an adverse event, the company can survive. This is similar to the proactive approach that safety professionals take concerning employee well-being.
Every business has objectives and plans- whether they are to achieve a profitable year, increased market share, name recognition, ROI or other goals. The E&BC plans should contemplate how to meet these objectives. It is no longer acceptable to just return the business to where it was before the event. Plans must enable the business to grow and meet these objectives despite adverse events. Plans must be regularly updated and refined to reflect changing business conditions and activities.
In the past, E&BC plans often sat outdated and no longer able to meet the new challenges of a changing business climate. Studies have shown that large corporations see a correlation between their ability to recover from a catastrophe and the value of their stock price. In man-made disasters, there can be as much as a 25% variation in stock price (Knight & Pretty, 2001).
Developing Your Plan
1) program management;
2) risk assessment;
3) prevention and mitigation;
4) resource management;
5) plan development;
7) exercise and corrective actions;
8) program revision.
The guide describes the goal of each phase and provides tips for developing a plan for an organization. The book also includes checklists, forms and questionnaires essential to the plan-development process. Among the key documents are the business impact analysis checklist, cost-benefit analysis worksheet and a damage assessment form (see 'Things to Consider" sidebar, p. 52).
Building the Team
Developing an E&BC plan requires the efforts of a knowledgeable team. This is not a one-person job due to the complexity of today's SMB. An organization's safety professional may touch on all areas of the business, but most likely will not have in-depth knowledge of each area and its interaction with other segments of the business. Building a team of experts will help ensure access to the knowledge required to develop a robust and detailed plan that encompasses all areas of the company and reflects the symbiotic nature of various areas.
Before building the E&BC team, the safety professional must have senior management support. Management commitment, direction and support are essential to ultimate success. This support is also crucial in funding the E&BC plans.
The E&BC team should include individuals with expertise in the critical functions within an organization (e.g., finance, manufacturing, human resources, IT, quality control, communications, legal, marketing). The exact makeup of the team will vary based on the operation's size and complexity.
The ideal team should not exceed 10 primary members and may have as few as three (for the smallest companies). Alternates are necessary to fill in for people when they go on vacation, leave the company or change roles.
The safety professional's role is to lead this team and manage the project. In leading the team, s/he must provide clear direction and purpose, much of which comes from the built-in senior management team support. This direction is expressed in a mission statement approved by senior management outlining the expected roles and responsibilities of the E&BC team. This information must be communicated to the team and motivate all members to embrace this commitment in addition to their other responsibilities. Few SMB companies have the luxury of a full-time dedicated staff to develop and maintain their E&BC plans.
Assessing Risk
Experience has shown that safety professionals use several different methods to assess risk when building an E&BC plan. Many SMBs use the "I think" method to determine which risk they would or would not include in the overall plan. While this method may work well for some organizations, it does not truly identify the risk and the potential impact to the organization.
Another method is to develop a matrix with severity along one axis and impact along another, then concentrate only on those incidents that demonstrate high impact and severity. A complex numbering system that scores impact probability and resource availability might also be used when developing the plan (Figure 2).
Some SMBs just list past events and develop plans to manage a potential recurrence. However, as business and the world have become more complex, this best-guess approach is inadequate. Investors, owners and key stakeholders want more definitive and quantifiable indications of the risk. One can assess risk more effectively and accurately on an individual-site basis and with an emphasis on statistical probability.
The changing landscape of risk assessment is evident in various journal articles and in resources that focus on terrorist and pandemic events. Most SMBs focus on preparing for fires, weather events and workplace violence. However, as the world changes, businesses must consider new potential threats. The U.S. government has created documents to help employees assess and quantify risk for terrorism, pandemics and other emerging risks. One example is the Risk Management Series offered by the
Sophisticated weather tracking software allows experts to predict a hurricane's movement over a 5-day period.
Plan Documentation
Today, most E&BC plans are developed using word-processing software and are ultimately printed and stored in a binder. Some SMBs may also use a virtual team room to allow for document sharing and input before creating a final document. This process is cumbersome and may cause confusion during the editing process. In addition, while a plan in a binder may be useful, it is difficult to keep the documents up-to-date as risks and the business evolve, and it may be impossible to access if employees are off site or if an event prevents access to the facility where the plan is kept.
As a result, many companies are moving away from the stand-alone word-processed plan that resides in a three-ring binder. More companies are developing E&BC plans closely tied to operating systems that are already in place within the organization. Most of these systems are server-based and offer direct access to data mining of corporate files to allow for resource allocation, asset tracking and staffing information. These systems offer remote access and real-time information updates based on changing business conditions. Additionally, some programs may tie into external information feeds such as weather alerts and threat assessment software from third-party vendors.
The recent advent of cloud computing has also changed the way E&BC plans are documented. Cloud computing is a way of storing information and processing software off site with a third party so that it can be accessed by various means. Storing business continuity plans in the cloud makes them accessible via laptop computers, smartphones and tablets. In addition, access to the business continuity plan and other information is not subject to the events affecting the location that the plan was designed to protect.
However, as with most technology, this approach raises additional concerns such as the security of critical data or the server itself, as well as other Internet vulnerabilities. If power is lost or the Internet is no longer accessible, then cloud-based plans and corporate data are no longer retrievable. Therefore, to be fully protected, SMBs should maintain backup servers and duplicates of data (Hill, 2011).
As with most technology, the use of new software and cloud computing for business continuity plans is a rapidly developing area and must be constantly reviewed to ensure that these tools meet SMB needs. Several resources are available to help compare competing software packages. The cost for many of these new integrated plan-development and tracking systems is often more than the technology employed today and is a factor the SMB must consider.
While new technology provides great possibilities, safety professionals must guard against fillin-the-blank programs that require little or no true input from the organization. Regardless of which program is chosen, the E&BC team must be involved in the selection process. Rarefy will software out of the box directly meet an organization's true needs (2011 Software Surveys, 2011).
Business continuity plans rely on various communication methods to disseminate information to a large group of people via telephone, e-mail, text messages and social media. In addition, third-party vendors provide notification services to employees, customers and others if a company must disseminate a message regarding a disaster or emergency. The telephone call tree remains a popular way to get information out. Unfortunately, this method cannot ensure notification of everyone. Current notification systems allow for tracking and verification of the message through various options such as polling and contact reports (Witty, Girard & Goldstein, 2012).
Even as robust and prolific as telephones and mobile devices have become, they have some drawbacks, especially when the power is down or too many people try to access the system at the same time. During events such as Hurricane Katrina and
Without question, efforts to communicate about emergencies with large groups of people will continue to include methods such as call trees, e-mail and radio. Fortunately, new communication tools, such as social media (e.g., Twitter,
Training & Testing
"No plan of action has any value until proven. Even then, it is of little value until all of the actors have practiced their performance" (Buriles, 2007). Testing has always been a component of any E&BC plan; the challenge continues to be conducting meaningful testing and not just including it in the plan. As the next generation of business continuity planning develops testing will become more necessary because of the plans' increasing complexity and because of regulatory requirements, clients, vendors and stakeholders will mandate testing and certification. Some tests will be mandatory, while others will be recommended, such as the Private-Sector Preparedness recommendation (see Private-Sector Preparedness: A National Perspective sidebar) made by the 9/11 Commission (
Once again, as plans become more complex, testing becomes more expensive. More plans will need to be tested using simulations and functional exercises versus orientations and tabletop reviews. By becoming more efficient in what is tested, it may be possible to control expenses without sacrificing results. A company must take advantage of what is learned from testing and implement it back into the plan-despite economic pressures. If companies don't incorporate the lessons learned, they may find themselves faced with the same issues during actual incidents (Figure 3).
Testing must include all individuals involved in E&BC activities, as well as an organization's suppliers. Previously, little or no emphasis was given to SMB vendors/suppliers and their ability to meet the organization's needs. As the economy and business practices have changed, vendors/suppliers have become more intertwined with an organization's ability to respond to disasters.
Emergency Response
Depending on the event, different individuals will be essential to the response. The correct staff will understand the event and take actions to help mitigate the damage and/or prevent loss of life. Various alarms must be present throughout the workplace. These may include fire alarms, water motor gongs, emergency exit buzzers, elevator alarms and car alarms. Does the staff know how to respond to each alarm? The plan should identify the various alarms and actions needed to investigate the reason for the alarm. A company must also ensure that everyone throughout the site can hear the alarm. For instance, water motor gongs are notorious for only being heard outside, because inside noise from machinery masks the sound of the alarm.
Exit diagrams are needed to direct staff to a safe location either inside the building during a tomado or to the exterior of the building during a fire. These diagrams should include color-coded primary and secondary exit routes, the location of fire extinguishers, areas of refuge within the building and gathering points outside the building.
Available Resources
Developing an E&BC plan that reflects today's complex business operations and the global business world is a challenging task. But, various resources are available to help safety professionals develop these plans. Industry group websites, such as Continuity Insights or the
IN BRIEF
*Tasked with developing response/recovery plans for small-to-midsize businesses, safety professionals must have the knowledge to develop complex and interconnected plans.
*SH&E professionals must understand the requirements for the next generation expectations, their effect on business, and how to develop, implement and maintain these new plans.
*Today's emergency response and business continuity plans must include procedures necessary to recover critical functions to help get the business back up and running should a future loss occur.
Things to Consider
*Staff experience. Does anyone on staff have experience?
*IT complexity. Do you need a trusted partner to assist?
*Management commitment. Will management support the time required for a long-term project?
*Budget. Is budget or funding available for the project?
*Project scope. Start with a single plant, then expand to other sites.
*Learn the topic. Attend seminars/read articles to understand the basic concepts.
*Talk to others. Ask around. Maybe someone was in your shoes a year ago.
*Regulatory issues. What specific regulatory or contract issues must be considered?
*Resources. What resources are available and what will be required?
Private-Sector Preparedness: A National Perspective
Responsibility for preparedness for a national calamity does not rest with the federal, state or local governments. Neither is it the sole responsibility of the
We endorse the
In 2007, at the direction of
References
2011 Software Surveys. (2011, Fall).
Burtles, J. (2007). Principles and practices of business continuity: Tools and techniques.
Hill, B. (2011). 5 trends in preparedness: 2012 forecast [webinar]. Retrieved fromwww2.preparis.com/ 1/2492/2011-11-18/B PV G 0
Hookway, J. & Poon, A. (2011,
Kelly, R.B. (1989). Industrial emergency preparedness.
Knight, R.F. & Pretty, D.J. (2001). Reputation and value: The case of corporate catastrophes.
Mah, K. (2012, Winter). Change or perish! Business continuity management as an operational competitive edge.
Nicoll, S. & Owens, R. (2011). The next generation of SMB emergency response and business continuity planning. Proceedings of ASSE's Safety 2012,
Short Message Service. (2012). Wikipedia. Retrieved from http://en.wikipedia.org/wiki/SMS
Stronach, R.I. & Raisch, W.G. (2007). Introduction to emergency management and business continuity. In
Witty, R.J., Girard, J. & Goldstein, C.H. (2012). Magic quadrant for U.S. emergency/mass notification services. Retrieved from www.gartner.com/technol ogy/reprints.do?id=l-19Q6C7Z&ct=120316&st=sb
Woyke, E. (2011,
fl
Copyright: | (c) 2013 American Society of Safety Engineers |
Wordcount: | 3879 |
Safety 2013 Scores Big in Vegas
Contract Issues & Construction Safety Management
Advisor News
Annuity News
Health/Employee Benefits News
Life Insurance News