<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" version="2.0">

<channel>
	<title>AmalfiCORE Blog</title>
	
	<link>http://www.amalficoreblog.com</link>
	<description>AmalfiCORE Business Solutions</description>
	<lastBuildDate>Sun, 13 Feb 2011 21:53:22 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1.1</generator>
		<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/BusinessContinuityblog" /><feedburner:info xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" uri="businesscontinuityblog" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><item>
		<title>Need Evidential Research on Merits of Business Continuity Planning</title>
		<link>http://www.amalficoreblog.com/2011/02/need-evidential-research-on-merits-of-business-continuity-planning/</link>
		<comments>http://www.amalficoreblog.com/2011/02/need-evidential-research-on-merits-of-business-continuity-planning/#comments</comments>
		<pubDate>Sun, 13 Feb 2011 21:53:22 +0000</pubDate>
		<dc:creator>blogadmin</dc:creator>
				<category><![CDATA[Business Continuity Management]]></category>
		<category><![CDATA[Continuity of Operations Plan - COOP]]></category>
		<category><![CDATA[Risk Management]]></category>

		<guid isPermaLink="false">http://www.amalficoreblog.com/?p=463</guid>
		<description><![CDATA[I agree that there is a lack of real, empirical evidence of the positive value of Business Continuity in the private sector. On the other hand, the public sector, either by directive or presumptive duty, is much further ahead in establishing continuity of operations, disaster preparedness and other risk management initiatives and plans. This is [...]]]></description>
			<content:encoded><![CDATA[<p>I agree that there is a lack of real, empirical evidence of the positive value of Business Continuity in the private sector.</p>
<p>On the other hand, the public sector, either by <a href="http://www.fema.gov/prepared/directives.shtm">directive</a> or presumptive duty, is much further ahead in establishing continuity  of operations, disaster preparedness and other risk management  initiatives and plans. This is evidenced by the numerous documented  plans and conducted exercises for cities, states, court systems, state  run colleges, counties, and other government agencies. COOP plans and  training abound and can be easily found on any internet search.</p>
<p>Research is desperately needed to determine the effectiveness of business continuity planning for an organization that may experience a major crisis or disaster. This can be done in terms of ROI, survivability, and/or the measured ease of recovery and reconstitution.</p>
<p><a href="http://www.linkedin.com/profile/view?id=20792244&amp;authType=NAME_SEARCH&amp;authToken=AYhO&amp;locale=en_US&amp;srchid=7f39d87a-c741-4edb-8dd8-3308f371b175-0&amp;srchindex=1&amp;srchtotal=9&amp;pvs=ps&amp;pohelp=&amp;goback=.fps_*1_David_Lindstedt_*1_*1_*1_*1_*51_*1_Y_*1_*1_*1_false_1_R_tr">Lindstedt</a> offers two very plausible approaches to researching the positive effectiveness of business continuity planning.</p>
<ol>
<li>Go to where a real, regional disaster has occurred; speak with those businesses impacted by the event; obtain data that identifies the types of organizations by demographic (size, shape, industry, etc.); survey the businesses&#8217; level of preplanning and then conduct follow-up to see how well they fared and their degree of survivability.</li>
<li>In those same regions: get copies of the response to the disaster and existing plans, and measure the effectiveness of their response. Lindstedt does not offer the metrics that would be necessary to determine what &#8216;effectiveness&#8217; means. I imagine with some thought, any BC planner could make that metrics list.</li>
</ol>
<p>While I like the ideas presented and believe the results would be valuable, we should consider how difficult that data might be to obtain and the amount of effort necessary to conduct a thorough research project. But, it is doable.</p>
<p>Example: wildland fire disaster. I responded with the <a href="http://gacc.nifc.gov/rmcc/dispatch_centers/r2ftc/documents/ftcimt3.pdf">county IMT</a> to the <a href="http://www.9news.com/news/article.aspx?storyid=152113&amp;catid=339">Fourmile Canyon Fire</a> in Sept 2010. I know a few of the impacted residents and fire departments who lost headquarters and stations to this sad and devastating incident. The <a href="http://www.voc.org/index.php?option=com_hwdcourses&amp;Itemid=111&amp;func=details&amp;did=267">reconstitution</a> efforts are enormous and many residents say they simply won&#8217;t rebuild. Although there are very few if any businesses impacted (as it relates to the topic of business recovery), the fire departments were dramatically affected, both the individual firefighters who lost homes and a fire station itself.</p>
<p>The topic of the fire is still a painful one to speak about, but the healing continues. If the Lindstedt proposal of doing research on an impacted disaster region is used, then a careful and delicate approach is necessary.</p>
<p>So, while I like the idea of the research and believe it has value, the approach must be conducted professionally, with permission, and in a way that minimizes the reliving of the event.</p>
<p>References:</p>
<p>Lindstedt, David (2009). Three Part lecture series, MSBC Seminar 6, Week 10, Norwich Univ.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.amalficoreblog.com/2011/02/need-evidential-research-on-merits-of-business-continuity-planning/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>“Maintaining &amp; Auditing Business Continuity Programs- A Plan for a Municipality”</title>
		<link>http://www.amalficoreblog.com/2011/02/maintaining-auditing-business-continuity-programs-a-plan-for-a-municipality/</link>
		<comments>http://www.amalficoreblog.com/2011/02/maintaining-auditing-business-continuity-programs-a-plan-for-a-municipality/#comments</comments>
		<pubDate>Sun, 13 Feb 2011 17:58:10 +0000</pubDate>
		<dc:creator>blogadmin</dc:creator>
				<category><![CDATA[Business Continuity Management]]></category>
		<category><![CDATA[Continuity of Operations Plan - COOP]]></category>
		<category><![CDATA[Tools, Templates, Software]]></category>
		<category><![CDATA[Training and Exercises]]></category>

		<guid isPermaLink="false">http://www.amalficoreblog.com/?p=461</guid>
		<description><![CDATA[&#8221; Maintaining and Auditing a Business Continuity Program- A Plan for a Municipality&#8220; February 12, 2011 by Andrew M. Amalfitano CONTENTS I.  Introduction.. 3 II. Plan.. 4 Key Plan Steps: 4 1. On-going. 4 2. Awareness and Launch.. 4 3. Implement. 5 4. Considerations. 5 III. Audit. 5 Standards. 6 Audit Elements. 8 Process. 8 [...]]]></description>
			<content:encoded><![CDATA[<p><strong>&#8220;Maintaining and Auditing a Business Continuity Program-</strong></p>
<p><strong>A Plan for a Municipality&#8221;</strong></p>
<p><strong>February 12, 2011</strong></p>
<p><strong>by</strong></p>
<p><strong>Andrew M. Amalfitano</strong></p>
<p><strong>CONTENTS</strong></p>
<p>I. Introduction</p>
<p>II. Plan</p>
<p>Key Plan Steps</p>
<p>1. On-going</p>
<p>2. Awareness and Launch</p>
<p>3. Implement</p>
<p>4. Considerations</p>
<p>III. Audit</p>
<p>Standards</p>
<p>Audit Elements</p>
<p>Process</p>
<p>Identification of Individuals to be involved in the Audit</p>
<p>Functions to be Included in Audit</p>
<p>Audit Approach</p>
<p>Documents to review</p>
<p>Audit Instrument</p>
<p>Correcting Shortcomings</p>
<p>III. Conclusion</p>
<p>Appendix A &#8211; Continuity Assistance Tool (CAT)</p>
<p>Appendix B: Plan Maintenance Example: National Center of State Courts</p>
<p>References</p>
<h1>I.  Introduction</h1>
<p>A well developed, dusty plan sitting on a shelf does not ensure the City will be ready to weather a major crisis or disaster. To really be ready, the City must maintain current plans, keep people trained and informed, and exercise those plans on a periodic basis.</p>
<p>Scheduled, informal reviews<a href="#_ftn1">[1]</a> and annual, independent audits<a href="#_ftn2">[2]</a> are recommended and can significantly improve the overall readiness of the City. Two plans in particular that must be maintained in a current and effective condition are the Continuity of Operations Plan-COOP and the Emergency Operations Plan-EOP.</p>
<p>Maintaining Continuity of Operations and Emergency Operation Plans can help ensure that the City is ready for the unforeseen major crisis or disaster. This process includes the review, testing, and update of the plans on a regular and defined schedule.</p>
<p>Audits may not always be necessary; however, due to their independent nature, they are often a valuable check and balance to internal plan reviews. Audits can objectively determine the adequacy of controls and level of compliance to any appropriate standards.</p>
<p>This document describes how to maintain continuity plans, specifically the COOP and EOP. It describes key plan steps, suggests self-assessment instruments, and makes a case for conducting both internal reviews and external audits. It identifies the appropriate standards for the public sector, describes the audit elements and process, who should be involved, functions and documents to review, the audit approach, and how to manage shortcomings and make improvements.</p>
<h1>II. Plan</h1>
<p>The fundamental plan for maintaining and auditing the continuity program at a municipality is to follow the established testing, exercise, maintenance, and review process designated in the COOP plan itself.</p>
<p>This process includes what to review, the frequency of review and update, who is responsible for the review, and the criteria by which to determine the viability of the plan. A viable plan exists when there is proof (through training, testing, and exercises) that the plan can be implemented during a crisis or disaster and that the City&#8217;s mission essential functions can be continued successfully.</p>
<p>A comprehensive strategy for maintaining plans should inform the maintenance review and audit planning process. For the public sector, the establishment of a Multi-Year Strategy and Program Management Plan is recommended.<a href="#_ftn3">[3]</a></p>
<h2>Key Plan Steps:</h2>
<h3>1. On-going</h3>
<p>a.     Take actions to revise and update plan on a periodic cycle</p>
<p>b.     Train new personnel and provide refresher training for others</p>
<p>c.      Conduct periodic exercises, follow up with corrective actions from AAR<a href="#_ftn4">[4]</a></p>
<p>d.     Adhere to general COOP planning requirements</p>
<p>e.     Identify issues that may impact the COOP and drive the frequency of changes</p>
<p>f.       Identify the instrument(s) to be used to conduct the audit</p>
<p>g.      Ensure there is adequate budget and funding for exercises and plan maintenance</p>
<h3>2. Awareness and Launch</h3>
<p>a.     Inform those involved</p>
<p>b.     Get support and agreement from City functional directors</p>
<p>c.      Designate a review team</p>
<p>d.     Determine scope of the review or audit</p>
<p>•       A description of elements that ensure a viable COOP capability.</p>
<p>•       Identification of resources required to establish each element.</p>
<p>•       Discussion of organization-specific management and policy issues.</p>
<p>e.     Appoint and introduce the auditor as needed</p>
<h3>3. Implement</h3>
<p>a.     Begin the audit</p>
<p>b.     Auditor meets with designated individuals, documents specific findings, uses the identified instrument to score each function, and reports on findings.</p>
<h3>4. Considerations</h3>
<p>a.     Final reporting of findings</p>
<p>b.     Recommendations for plan maintenance improvements</p>
<p>c.      Identification of deficiencies and opportunities for improvement</p>
<p>d.     Commitment by City management to support, budget, rectify shortcomings by specific dates</p>
<p>e.     Scheduling of next audit</p>
<h1>III. Audit</h1>
<p>A continuity audit is an evaluation of the viability, at a point in time, of the COOP and Emergency Operations in terms of people, the City as an organization, systems, processes, and functions. The audit is conducted by an independent person or entity who will focus on the business continuity and emergency operational readiness of the City based on the plan components.</p>
<p>There are many benefits of a continuity audit at the City. The continuity audit can provide an independent evaluation of the COOP and EOP plans and identify strengths and weaknesses of the program. An audit can bring to light risks inherent in the plans and suggest strategies to reduce or eliminate the risks. Finally, a thorough audit will report results that include recommendations for improvements to the plans.</p>
<p>An audit of the emergency management/continuity of operations plans at the City will be done in two phases. In the first phase, the Manager of the Office of Emergency Management will coordinate periodic reviews, report on findings, and obtain budget and direction to make improvements. Phase two will be an annual audit conducted by an independent person or organization external to the City, that is, not an employee, vendor, or supplier, or any person directly affiliated with the city.</p>
<h2>Standards</h2>
<p>The most appropriate business continuity standards to follow for a municipality are those applicable to the public sector: NFPA 1600, FPC-65, and FEMA COOP Guidelines.</p>
<p>§  <strong>NFPA 1600</strong></p>
<p>The NFPA 1600 standard establishes &#8220;&#8230;a common set of criteria for all hazards disaster/emergency management and business continuity programs&#8221;. [NFPA 1600]</p>
<p>NFPA 1600 is a very relevant standard designed to &#8220;&#8230;apply to public, not-for profit, non-governmental organizations (NGO), and private entities&#8221;. [NFPA] The standard addresses program improvement and provides a self-assessment tool  which can serve as a valuable means of performing a self-audit of the COOP plan. [NFPA]</p>
<p>§  <strong>FPC-65</strong></p>
<p>The Federal Preparedness Circular-65, while designed for federal level agencies, suggests that states and local government develop similar continuity of operations preparedness programs that would align with the federal guidelines. As such, maintenance of the COOP should be part of a multi-year strategy and program management plan. FPC-65 includes a definition of the 11 elements that agency COOP plans and programs must contain to be considered viable. When auditing a COOP plan, each of these 11 elements should be evaluated and assessed&#8221;. [US DHS-audit forum 2007]</p>
<p>§  <strong>FEMA Continuity of Operations Plan Guidelines</strong></p>
<p>The COOP training provided by FEMA is part of the Continuity Excellence series. One of the fundamental aspects of the training describes the importance of testing, exercises, after action reporting, corrective action and improvements. These elements constitute direction on how to best keep updated plans, and  maintain and improve agency readiness. [FEMA]</p>
<p>In addition, there are other standards that should be reviewed for their applicability to the &#8216;business&#8217; of the City.</p>
<p>These may include the following:</p>
<table border="1" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td width="512" valign="top"><strong>Standard</strong></td>
<td width="255" valign="top"><strong>Applies   to this Function</strong></td>
</tr>
<tr>
<td width="512" valign="top">Department of Homeland Security and Federal   Emergency Management Agency (DHS/FEMA), Federal Continuity Directive 1 and   Federal Continuity Directive 2</td>
<td width="255" valign="top">COOP Plan</td>
</tr>
<tr>
<td width="512" valign="top">Health Insurance Portability and Accountability Act   (HIPAA) – Regarding medical records protections</td>
<td width="255" valign="top">Human Resources</td>
</tr>
<tr>
<td width="512" valign="top">National Institute of Standards and Technology   (NIST) – “Contingency Planning Guide for Information Technology Systems”.</td>
<td width="255" valign="top">Information Systems-IT</td>
</tr>
<tr>
<td width="512" valign="top">Federal Financial Institutions Examinations Council   (FFIEC)</td>
<td width="255" valign="top">Finance and Treasury</td>
</tr>
<tr>
<td width="512" valign="top">FEMA: National Response Framework-Incident   Management System &#8211; ICS</td>
<td width="255" valign="top">Incident Management and Emergency Operations Plan</td>
</tr>
</tbody>
</table>
<p>Figure 1: Additional Standards</p>
<h2>Audit Elements</h2>
<p>An audit should cover a broad view of the continuity plan as well as a deep-dive into any details that demand further inspection. Typically, a more detailed review is instigated by higher level findings that elicit missing data, or are deemed inaccurate, incomplete, or suspect for any reason.</p>
<p>Since a COOP plan includes all essential city functions, this is the only plan that needs to be audited. However, given the criticality of emergency operations, it would be beneficial to include the Emergency Operations Plan in an audit.  Therefore, the plans to be reviewed and audited should be:</p>
<p>§  Continuity of Operations Plan-COOP</p>
<p>§  Incident Management and Emergency Operations Plan-IC/EOP</p>
<h2>Process</h2>
<p>The audit process can be as simple or elaborate as desired; however, simpler and shorter in duration is usually better.</p>
<p>The process begins with identification of those individuals to be involved with the review or audit process. This may be an individual or a team, and in the case of an audit will usually be a person external to the City.</p>
<p>The scope of the audit will identify which City functions, plans, and &#8216;territory&#8217; will be audited. The scope should be based on applicable standards and those functions represented in the COOP or EOP plans. Any areas deemed outside of the plans should be excluded from the audit.</p>
<p>An approach to the audit should be established based on the goal of the audit. Since the goal of most audits is to verify the existence of proof that a plan exists and is viable,  then suitable standards should be used for comparison. The types of questions should be identified early in the process along with the instrument or tool to be used to score or rate the plans.</p>
<p>A list of plan elements, documents to review, and people to interview should be identified and those involved should be notified in advance.</p>
<p>Conducting the audit should be bounded by time and scope with a description of expectations of the auditor and all those involved. This requires good, clear communication of the intent and purpose of the audit and expected outcomes.</p>
<p>Finally, there should be a pre-determined description of how the results will be reported, to whom, and what action will be taken with those results. Where deficiencies are identified there should be an openness to creating and implementing corrective actions, who will be responsible, and in what time frame those improvements will be accomplished.</p>
<h3>Identification of Individuals to be involved in the Audit</h3>
<p>A formal, annual audit can be preceded by informal, more frequent reviews. The reviews should include conversations with either the director of each city function or a person whom they designate. During the formation of the COOP plan, each function identified a representative who developed their portion of the plan. These individuals would be ideal interviewees for the audit process, as well as participants in regular plan maintenance, testing and exercising of the plan, and the review process. An audit of the EOP would best be conducted by another qualified organization that also understands the nature of emergency operations. For this City, the logical choice is the County Office of Emergency Management.</p>
<h3>Functions to be Included in Audit</h3>
<p>The following functions should be involved with the director of each function being responsible for plan review and audit completion:</p>
<p>§  Office of the City Manager</p>
<p>§  Buildings &amp; Facilities</p>
<p>§  Community Services</p>
<p>§  Finance</p>
<p>§  Human Resources</p>
<p>§  Information Technology</p>
<p>§  Light, Power, and Communications</p>
<p>§  Public Safety (Police, Fire, EMS, OEM, Emergency Communications)</p>
<p>§  Public Works</p>
<h3>Audit  Approach</h3>
<p>The approach to conducting an audit should be supportive and positive with the intent of identifying opportunities for improvement. The overall goal, of course, is for the City to be operationally ready to continue mission essential functions during a crisis or disaster. The audit should support that goal.</p>
<p>The City Manager&#8217;s office should ensure that all departments and functions are made aware of the value of an audit and set the expectation for full cooperation. Once awareness is established, and an auditor is identified, the process should begin with a conversation and interview from the top down. The directors of each function would first be interviewed followed by a person whom they designate to represent their function. On some occasions the auditor may go beyond these two people for each function depending on what is found during the initial functional assessment.</p>
<p>A broad range of questions will yield an overall assessment of the general viability of the COOP and Emergency Operations Plan.</p>
<p>At a high level, the following types of questions should be considered:</p>
<p>a.     Does the COOP plan meet (as a guideline) the FPC-65 requirements?</p>
<p>b.     Does the EOP plan meet (as a guideline) the NFPA 1600 requirements?</p>
<p>c.      Do we find the specifics in each plan evident in reality? i.e. are the specifics demonstrated by adequate funding, facilities, record keeping, systems integration, trained and dedicated personnel, across all City functions?</p>
<p>d.     Is there adequate oversight of the COOP and EOP plans to ensure completeness and viability?</p>
<p>e.     Are each of the 11 elements of the COOP plan reviewed and complete?</p>
<p>f.       Are each of the 11 elements of the COOP plan tested and exercised at an appropriate frequency?</p>
<p>g.      Is there evidence of an After Action Report for each exercise and is there documentation of  corrective action follow up?</p>
<p>h.     Does the electronic version of documentation exist, is it backed up adequately, and can it be easily produced when asked?</p>
<p>i.       Are plans and individual elements up to date?</p>
<p>With these broad and high-level questions asked, the audit can proceed into more detail as needed to gain a more full and accurate assessment of the current state of the COOP and EOP plans.</p>
<h2>Documents to review</h2>
<p>The key documents that should be kept up to date and reviewed periodically are those that support the mission essential functions of each city function. For the EOP, the entire plan including annexes and appendices should be included.</p>
<p>All 11 elements of the COOP plan may have documents and if so, all of these documents should be reviewed. In any case, the minimum document review list should be:</p>
<p>§  Mission Essential Functions</p>
<p>§  Key personnel contact information</p>
<p>§  Information System codes, software, keys, passwords</p>
<p>§  Vital records and data files</p>
<p>§  Critical vendor and supplier contact information</p>
<p>§  Building access and security documents</p>
<p>§  Plans: Continuity of Operations-COOP, Emergency Operations-EOP, Continuity of Government</p>
<h2>Audit Instrument</h2>
<p>The NFPA 1600 standard offers a suggested self-assessment instrument/tool which can be used by the City to perform a quick evaluation of the conformity to requirements of the COOP and EOP plans. That instrument can be found in the table labeled Table C.1. of Annex C of the NFPA 1600 standard. The tool allows indication of &#8220;<em>conformity, partial conformity, or nonconformity as well as indicate evidence of conformity, corrective action, task assignment, a schedule for action, or other information in the Comments column</em>.&#8221; [NFPA 1600 Annex C]</p>
<p>In addition to the NFPA tool, FEMA offers a Continuity Assistance Tool-CAT. The CAT tool provides a way to identify the strengths and weaknesses of the City continuity plan and show areas that need improvement. See Appendix &#8216;A&#8217; for more details.</p>
<h2>Correcting Shortcomings</h2>
<p>Any review or audit process will elicit the identification of strengths and weaknesses or shortcomings. These shortcomings should be well documented with clear and concise recommendations of what actions should be taken to make improvements. Vague generalizations are not useful and should be avoided.</p>
<p>As part of the steering of the review or audit, the City Manager&#8217;s office should get agreement with the functional directors as to who the audience is to hear and consider the findings and take actions. As a municipality,  ultimately any citizen should be able to have visibility to the results and actions being taken to mitigate and improve the COOP and EOP plans based on the review or audit findings.</p>
<p>A project plan approach should be used to track and demonstrate that improvements have been implemented. Typical tracking will include a set of numbered actions, with a description of what &#8216;complete&#8217; looks like, the name of the person responsible for seeing that the improvement is completed, and an agreed-to time frame or due date.</p>
<h1>III.  Conclusion</h1>
<p>This document presents a plan for maintaining the COOP and EOP plans of the City. A case is made for the benefits of conducting both a periodic internal review and an annual independent audit. A plan is proposed with key actions to be taken along with a description of the elements and approach of an audit.</p>
<p>The municipality as a public entity should conform with established standards from government entities, namely FEMA continuity guidelines, NFPA 1600 and other pertinent directives.</p>
<p>The use of suggested evaluation instruments can help bring consistency to a self-assessment and provide for a repeatable process. The document establishes the need for transparency of the findings and urges prompt and coordinated actions to fix shortcomings and institute improvements.</p>
<p>The end result of a proper maintenance plan and audit program will be a higher degree of assurance that the city is ready to continue mission essential functions during a crisis or disaster. This assurance can only come from a systematic and documented approach to plan maintenance that demonstrates accountability through specific actions.</p>
<h1>Appendix A &#8211; Continuity Assistance Tool (CAT)<a href="#_ftn5"><strong>[5]</strong></a></h1>
<p>FEMA provides a tool to help public sector organizations like the City to perform a self-evaluation of their continuity programs.</p>
<p><strong>&#8220;CAT PROCESS </strong></p>
<p>The process provided below is the recommended method to apply this tool:</p>
<p><strong>Step 1: </strong>The continuity manager meets with functional representatives (i.e., IT manager, HR manager, Security managers, etc.) of the organization to review the CAT.</p>
<p><strong>Step 2: </strong>With the assistance of the continuity manager, the functional representatives review their respective characteristics.</p>
<p>Answer each characteristic “Yes”, “No”, or “Not Applicable” (N/A). Flexibility is built into the assistance tool. Therefore, “Not Applicable” (N/A) may be used for those characteristics that do not apply.</p>
<p><strong>Step 3: </strong>For each characteristic, a “comments” section is provided to enter any helpful notes.</p>
<p><strong>Step 4: </strong>For each CMF, tally all Characteristics to obtain the “Yes”, “No”, and “N/A” CMF totals. Record this tally in the CMF header.</p>
<p><strong>Step 5: </strong>Capture each CMF total in Table 2 &#8211; Continuity Management Functions Summary on page ix.&#8221;</p>
<p>Example: Excerpt from CAT self-assessment tool</p>
<table border="1" cellspacing="0" cellpadding="0" width="804">
<tbody>
<tr>
<td width="62" valign="top">1.6.3.6</td>
<td width="600" valign="top">Has the organization   developed and maintained a vital records plan packet or collection that list   records recovery experts or vendors? [CGC 1 Annex I, Page I-3]</td>
<td width="45" valign="top">Yes</td>
<td width="45" valign="top">No</td>
<td width="53" valign="top">N/A</td>
</tr>
<tr>
<td colspan="5" width="804" valign="top"><em>Comments: </em></td>
</tr>
<tr>
<td width="62" valign="top">1.6.3.7</td>
<td width="600" valign="top">Has the organization   developed and maintained a vital records plan packet or collection that   includes a copy of the organization’s continuity plans? [CGC 1 Annex I, Page   I-3]</td>
<td width="45" valign="top">Yes</td>
<td width="45" valign="top">No</td>
<td width="53" valign="top">N/A</td>
</tr>
<tr>
<td colspan="5" width="804" valign="top"><em>Comments: </em></td>
</tr>
<tr>
<td width="62" valign="top">1.6.3.8</td>
<td width="600" valign="top">Has the organization reviewed   its vital records plan packet or collection within the past year with the   date and names of the personnel who conducted the review documented in   writing to ensure that the information is current and with a copy of the   review maintained at the organization’s alternate facility? [CGC 1 Annex I,   Page I-3]</td>
<td width="45" valign="top">Yes</td>
<td width="45" valign="top">No</td>
<td width="53" valign="top">N/A</td>
</tr>
</tbody>
</table>
<p>Figure 2: FEMA Continuity Assistance Tool scoring table</p>
<h1>Appendix B: Plan Maintenance Example: National Center of State Courts</h1>
<p><strong>&#8220;PLAN MAINTENANCE: </strong>The management process of keeping an organization’s Business continuity management plans up to date and effective.  Maintenance procedures are a part of this process for the review and update of the BC plans on a defined schedule.  Maintenance procedures are a part of this process. &#8220;<a href="#_ftn6">[6]</a></p>
<table border="0" cellspacing="0" cellpadding="0" width="102%">
<tbody>
<tr>
<td width="21%" valign="top">Action</td>
<td width="51%" valign="top">Tasks</td>
<td width="13%">Responsible   Position</td>
<td width="13%" valign="top">Frequency</td>
</tr>
<tr>
<td width="21%" valign="top">Update and certify the</p>
<p>Plan</td>
<td width="51%"> Review entire plan for accuracy</p>
<p> Incorporate lessons learned   from real-life activations of the plan and from testing and exercises</p>
<p> Incorporate changes in policy   and philosophy</p>
<p>   Manage   distribution</td>
<td width="13%" valign="top">[Name/   Position responsible]</td>
<td width="13%" valign="top">Annually</td>
</tr>
<tr>
<td width="21%" valign="top">Maintain and update Orders of Succession and Delegations of Authority</td>
<td width="51%" valign="top">Obtain current incumbents<br />
Update rosters and contact information</td>
<td width="13%" valign="top">[Name/ Position]</td>
<td width="13%" valign="top">Semi-Annually</td>
</tr>
<tr>
<td width="21%" valign="top">Revise checklists and contact information for Emergency Relocation Team members</td>
<td width="51%" valign="top">Update and revise checklists<br />
Confirm/update information for members of the Emergency Relocation Team</td>
<td width="13%" valign="top">All Court Offices</td>
<td width="13%" valign="top">Annually</td>
</tr>
<tr>
<td width="21%" valign="top">Appoint new members to the Emergency Relocation Team</td>
<td width="51%" valign="top">Train new members on their responsibilities<br />
Integrate new members into team training</td>
<td width="13%" valign="top">[Name/ Position]</td>
<td width="13%" valign="top">As needed</td>
</tr>
<tr>
<td width="21%" valign="top">Maintain alternate facility readiness</td>
<td width="51%" valign="top">Check all systems<br />
Verify accessibility<br />
Cycle supplies and equipment, as necessary</td>
<td width="13%" valign="top">[Name/ Position]</td>
<td width="13%" valign="top">Monthly</td>
</tr>
<tr>
<td width="21%" valign="top">Monitor and maintain vital records management program</td>
<td width="51%" valign="top">Monitor volume of materials<br />
Assist court staff with updating/removing files</td>
<td width="13%" valign="top">All Court Offices</td>
<td width="13%" valign="top">Ongoing</td>
</tr>
<tr>
<td width="21%" valign="top">Train new court staff</td>
<td width="51%" valign="top">Include in new employee orientation</td>
<td width="13%" valign="top">[Name Position]</td>
<td width="13%" valign="top">Within 30 days of appointment</td>
</tr>
<tr>
<td width="21%" valign="top">Orient new policy officials and senior leadership</td>
<td width="51%" valign="top">Brief officials on existence and concepts of the COOP plan<br />
Brief officials on their responsibilities under the COOP plan</td>
<td width="13%" valign="top">[Name Position]</td>
<td width="13%" valign="top">Within 30 days of appointment</td>
</tr>
<tr>
<td width="21%" valign="top">Plan and conduct exercises</td>
<td width="51%" valign="top">Conduct internal COOP exercises<br />
Conduct joint exercises with other courts<br />
Conduct joint exercises with judges and staff</td>
<td width="13%" valign="top">[Name Position]</td>
<td width="13%" valign="top">Semi-annually<br />
As needed</td>
</tr>
</tbody>
</table>
<h1>References</h1>
<p>Beard, Mike, (2010). &#8220;<em>Adding Value to the Enterprise Through Operational Project Auditing</em>&#8221;. Institute of Internal Auditors. Retrieved 2-11-11. <a href="http://www.vbpm.org/home/wp-content/uploads/2010/08/Ops-n-Project-Auditing-IIA-Beach-Cities-2010009.pdf">http://www.vbpm.org/home/wp-content/uploads/2010/08/Ops-n-Project-Auditing-IIA-Beach-Cities-2010009.pdf</a></p>
<p>Burtles, Jim, (2007). &#8220;<em>Principles and Practices of Business Continuity- Tools and Techniques</em>&#8221;. Chapter 12. Rothstein Associates, Connecticut</p>
<p>Crowe, Timothy, J. (2010). &#8220;<em>Evaluating Continuity of Operations Plans and Programs</em>&#8221;. Virginia US Department of Veterans Affairs/Office of Inspector General. Retrieved 2-12-11: <a href="http://www.floridaauditforum.org/files/meeting/2010_02/Crowe_Evaluating%20COOPs.pdf">http://www.floridaauditforum.org/files/meeting/2010_02/Crowe_Evaluating%20COOPs.pdf</a></p>
<p>DHS-FEMA, (2004). &#8220;Federal Preparedness Circular, FPC-65&#8221;. Retrieved 2-11-11: <a href="http://www.fema.gov/pdf/library/fpc65_0604.pdf">http://www.fema.gov/pdf/library/fpc65_0604.pdf</a></p>
<p>FEMA, (2009). &#8220;<em>Train the Trainer Instructor Guide E/L 550</em>&#8221;. Continuity Planners Workshop. Chapter 7 Corrective Action Planning</p>
<p>FEMA, (2009). &#8220;<em>Continuity Assistance Tool (CAT)- Continuity Assistance for Non-Federal Entities (States, Territories, Tribal, and Local Government Jurisdictions and Private Sector Organizations)</em>&#8221;. Retrieved 2-11-11: <a href="http://www.fema.gov/pdf/about/org/ncp/cat.pdf">http://www.fema.gov/pdf/about/org/ncp/cat.pdf</a></p>
<p>Hiles, A. (Ed.). (2007). <em>The Definitive Handbook of Business Continuity Management</em>. 2nd Edition. England: John Wiley &amp; Sons</p>
<p>National Center for State Courts, (2007). &#8220;<em>A Comprehensive Emergency Management Program-</em>Part III, Appendix A&#8221;.</p>
<p>NFPA, (2010). &#8220;<em>NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs 2010 Edition: Annex C Self Assessment for Conformity with NFPA 1600 2010 Edition</em>&#8221;. Retrieved 2-1-11: <a href="http://www.nfpa.org/assets/files/PDF/NFPA16002010.pdf">http://www.nfpa.org/assets/files/PDF/NFPA16002010.pdf</a></p>
<p>North Carolina Emergency Management, (2006). &#8220;<em>North Carolina Continuity of Operations Planning Manual</em>&#8221;. 2nd Edition. Retrieved 2-1-11: <a href="http://www.nccrimecontrol.org/div/em/documents/COOPPlannin%20Manua%202ed.pdf">http://www.nccrimecontrol.org/div/em/documents/COOPPlannin%20Manua%202ed.pdf</a></p>
<p>Office of Emergency Management, Boulder County Colorado, (2009). &#8220;EOP Plan&#8221;, pg 67. Retrieved 2-11-11: <a href="http://www.boulderoem.com/files/Boulder%20-%20BEOP%205-5-09.pdf">http://www.boulderoem.com/files/Boulder%20-%20BEOP%205-5-09.pdf</a></p>
<p>Texas Dept. of State Health, (2008). &#8220;<em>Pandemic Influenza Annex to the Continuity of Operations (COOP) Plan</em>&#8221;. Retrieved 2-8-11: <a href="http://www.dshs.state.tx.us/comprep/pandemic/Pandemic%20Influenza%20Annex_%20DSHS%20Agency%20Level%20COOP%20Plan.pdf">http://www.dshs.state.tx.us/comprep/pandemic/Pandemic%20Influenza%20Annex_%20DSHS%20Agency%20Level%20COOP%20Plan.pdf</a></p>
<p>US Dept. Homeland Security, (May 2007). &#8220;<em>Evaluating Continuity of Operations Programs-Approaches &amp; Case Study</em>&#8221;. NY/NJ/IGAF Conference. Retrieved 2-9-11: <a href="http://www.auditforum.org/speaker%20presentations/nynj/nynjiaf%2005%202007/crowe.pdf">http://www.auditforum.org/speaker%20presentations/nynj/nynjiaf%2005%202007/crowe.pdf</a></p>
<p>Wold, Geoffrey, (2010). &#8220;<em>How to Survive a BCM Audit</em>&#8221;. Disaster Recovery Journal. Retrieved 2-8-11: <a href="http://www.drj.com/2010-articles/summer-2010/how-to-survive-a-bcm-audit.html">http://www.drj.com/2010-articles/summer-2010/how-to-survive-a-bcm-audit.html</a></p>
<p><strong><em>End of Document</em></strong></p>
<hr size="1" />
<p><a href="#_ftnref1">[1]</a> &#8220;REVIEW is the internal quality control process which looks for a practical and effective capability; it checks that nothing has been overlooked; it reviews and assesses the past and considers the future; and it takes note of changing circumstances and makes recommendations where appropriate.&#8221; [Burtles]</p>
<p><a href="#_ftnref2">[2]</a> &#8220;AUDITING is the external process which looks for evidence of compliance with policy, prudence with finance, achievement of purposes and justification of claims.&#8221; [Burtles]</p>
<p><a href="#_ftnref3">[3]</a> FEMA (2009) continuity assistance tool document.</p>
<p><a href="#_ftnref4">[4]</a> FEMA (2007) <a href="http://training.fema.gov/EMIweb/edu/docs/TopOff4_afteraction_report2007.pdf">http://training.fema.gov/EMIweb/edu/docs/TopOff4_afteraction_report2007.pdf</a></p>
<p><a href="#_ftnref5">[5]</a> FEMA Continuity Assistance Tool (2009)</p>
<p><a href="#_ftnref6">[6]</a> National Center for State Courts, (2007).</p>
]]></content:encoded>
			<wfw:commentRss>http://www.amalficoreblog.com/2011/02/maintaining-auditing-business-continuity-programs-a-plan-for-a-municipality/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Internal or External Auditors or Both?</title>
		<link>http://www.amalficoreblog.com/2011/02/internal-or-external-auditors-or-both/</link>
		<comments>http://www.amalficoreblog.com/2011/02/internal-or-external-auditors-or-both/#comments</comments>
		<pubDate>Sun, 06 Feb 2011 22:35:52 +0000</pubDate>
		<dc:creator>blogadmin</dc:creator>
				<category><![CDATA[Business Continuity Management]]></category>
		<category><![CDATA[Organizational Resilience]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Training and Exercises]]></category>

		<guid isPermaLink="false">http://www.amalficoreblog.com/?p=458</guid>
		<description><![CDATA[Business Continuity Plan Audits can be done by internal or external individuals. There is value in each approach. In either case, the person(s) conducting the audit should be competent, impartial, and objective. When internally done, the auditor should not be from the group and should not be responsible for any of the activities being reviewed [...]]]></description>
			<content:encoded><![CDATA[<p>Business Continuity Plan Audits can be done by internal or external individuals. There is value in each approach. In either case, the person(s) conducting the audit should be competent, impartial, and objective.</p>
<p>When the audit is done internally, the auditor should not be from the group being audited and should not be responsible for any of the activities being reviewed, including inputs and outputs, internal supplier or customer.</p>
<p>Some benefits of internal auditors include lower cost, more timely execution (they know their way around the systems and people), and quick turnaround on a report.</p>
<p>Also, internal auditors usually are capable of providing a more frequent checkpoint on specific portions of required processes in order to maintain best practices and suggest mid-period corrective actions. This is a good idea so that there is not such a major drain on personnel and their time all at once subsequent to a more comprehensive annual audit.</p>
<p>External auditors are useful when whatever is being audited may require a specialist. Often, specialty functions in a company are the responsibility of just a few people and therefore there may not be any other people in the company who know what to look for or how to audit that specialty area. In that case, an external auditor may be most appropriate.</p>
<p>The most effective use of BC plan auditors can also be a combination of both internal and external people. By coordinating the timing and scope of these auditors, many subordinate plans can be reviewed and improved throughout the year, while the annual audit of all plans can be more comprehensive and span the collective set of plans and how well they work together.</p>
<p>Reference:</p>
<p>[1] ASIS (2009). &#8220;<em>Organizational Resilience: Security, Preparedness, and Continuity Management Systems-Requirements with Guidance for Use</em>&#8221;. Retrieved 2-6-11: <a href="http://www.asisonline.org/guidelines/ASIS_SPC.1-2009_Item_No._1842.pdf">http://www.asisonline.org/guidelines/ASIS_SPC.1-2009_Item_No._1842.pdf</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.amalficoreblog.com/2011/02/internal-or-external-auditors-or-both/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tying Bonuses to BC Plan Goals</title>
		<link>http://www.amalficoreblog.com/2011/02/tying-bonuses-to-bc-plan-goals/</link>
		<comments>http://www.amalficoreblog.com/2011/02/tying-bonuses-to-bc-plan-goals/#comments</comments>
		<pubDate>Sun, 06 Feb 2011 22:26:17 +0000</pubDate>
		<dc:creator>blogadmin</dc:creator>
				<category><![CDATA[Business Continuity Management]]></category>
		<category><![CDATA[Organizational Resilience]]></category>
		<category><![CDATA[Training and Exercises]]></category>

		<guid isPermaLink="false">http://www.amalficoreblog.com/?p=456</guid>
		<description><![CDATA[If an auditor determines that some license was taken in reporting of status on previous audits, it should be included as a data point in the current audit.  Generally, keeping within the scope of the audit parameters, an auditor can identify non-conformance as factual, regardless of previous attempts to smooth over data or report more [...]]]></description>
			<content:encoded><![CDATA[<p>If an auditor determines that some license was taken in reporting of status on previous audits, it should be included as a data point in the current audit.  Generally, keeping within the scope of the audit parameters, an auditor can identify non-conformance as factual, regardless of previous attempts to smooth over data or report more readiness and adherence to requirements than was actually present.</p>
<p>If personal or management performance goals include business continuity plan conformance to standards and bonuses are paid out on meeting such goals, then the situation can become a bit dicey. Nevertheless, past activity and reporting should not influence the current audit(or) process.</p>
<p>Since plan auditing can be an iterative process, consideration should be given to change management, including a review of how the performance objectives are tied to the bonus structure. I don&#8217;t believe it is the job of the auditor to suggest performance objective changes as this flies in the face of objectivity.</p>
<p>In a recent corporate governance audit prep (the actual audit was performed by internal auditors) which I performed on a global consumer manufacturing business, I found an openness to understanding the process and making improvements. Most lacking was simple documentation of some very good plans, processes and procedures. Human resources played an important role in managing the audit preparation and setting the tone of expectations.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.amalficoreblog.com/2011/02/tying-bonuses-to-bc-plan-goals/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Transparency: One AAR</title>
		<link>http://www.amalficoreblog.com/2011/02/transparency-one-aar/</link>
		<comments>http://www.amalficoreblog.com/2011/02/transparency-one-aar/#comments</comments>
		<pubDate>Thu, 03 Feb 2011 02:50:45 +0000</pubDate>
		<dc:creator>blogadmin</dc:creator>
				<category><![CDATA[Business Continuity Management]]></category>
		<category><![CDATA[Continuity of Operations Plan - COOP]]></category>
		<category><![CDATA[Training and Exercises]]></category>

		<guid isPermaLink="false">http://www.amalficoreblog.com/?p=447</guid>
		<description><![CDATA[When documenting the results and outcomes of a disaster exercise only one report is necessary and that is the After Action Report. In it there is ample opportunity to record, exhibit, explain, and present all findings including improvement opportunities. If a manager asked that there be two separate AAR&#8217;s, one internal and one external, I [...]]]></description>
			<content:encoded><![CDATA[<p>When documenting the results and outcomes of a disaster exercise, only one report is necessary, and that is the After Action Report. In it there is ample opportunity to record, exhibit, explain, and present all findings, including improvement opportunities.</p>
<p>If a manager asked that there be two separate AARs, one internal and one external, I would make a strong case that two reports are not appropriate. In the municipal arena, the HSEEP calls for one AAR.</p>
<p>An AAR should never be &#8216;sanitized&#8217; for auditors and external parties. The whole purpose of conducting an audit is to bring a level of transparency to the quality of programs, in this case the disaster preparedness of the agency.</p>
<p>Anything less than full transparency in the AAR would be unprofessional and inappropriate, and would border on malfeasance.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.amalficoreblog.com/2011/02/transparency-one-aar/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Executive Presentations (of Exercise Results)</title>
		<link>http://www.amalficoreblog.com/2011/02/executive-presentations-of-exercise-results/</link>
		<comments>http://www.amalficoreblog.com/2011/02/executive-presentations-of-exercise-results/#comments</comments>
		<pubDate>Wed, 02 Feb 2011 01:32:17 +0000</pubDate>
		<dc:creator>blogadmin</dc:creator>
				<category><![CDATA[Business Continuity Management]]></category>
		<category><![CDATA[Training and Exercises]]></category>

		<guid isPermaLink="false">http://www.amalficoreblog.com/?p=445</guid>
		<description><![CDATA[[Good] Corporate executives have long had a reputation of wanting crisp answers to specific questions. They also appreciate a fine blend of strategic thinking mixed with data-driven recommendations. When we conduct a disaster exercise, we presumably already have the buy-in of the champions. However, not everyone who will sit in on the executive presentation of [...]]]></description>
			<content:encoded><![CDATA[<p>[Good] Corporate executives have long had a reputation of wanting crisp answers to specific questions. They also appreciate a fine blend of strategic thinking mixed with data-driven recommendations. When we conduct a disaster exercise, we presumably already have the buy-in of the champions. However, not everyone who will sit in on the executive presentation of findings is necessarily a supporter. Therefore, the exercise program manager must carefully craft an honest and meaningful presentation that clearly describes the key results. Those results should directly tie to corporate goals.</p>
<p>In a typical 15-minute executive presentation I&#8217;d keep it to about four or five slides (or pages, or whatever, depending on the media used to present). Here are the key points to cover in the disaster exercise after-action presentation:</p>
<p><strong>Slide One: Set the Tone</strong></p>
<ul>
<li>The team successfully exercised three key objectives</li>
<li>We found areas for improvement<br />
<em>(emphasize the great value in finding this out in practice and not during a real crisis)</em></li>
</ul>
<p><strong>Slide Two: Key Objectives</strong></p>
<ul>
<li>High-level overview focused on key objectives and outcomes</li>
<li>Provide fact-based comparison to benchmarking and industry standards</li>
</ul>
<p><em>(no editorials; use action-oriented verbs, like &#8220;describe, implement, conduct, assess,&#8221; etc.)</em></p>
<p><strong>Slide Three: Recommendations</strong></p>
<ul>
<li>Succinctly state the lessons learned focused on key objectives</li>
<li>List recommendations as actions and why</li>
</ul>
<p><em>(to company audit results, key company initiatives, etc., de-politicize, focus on improvements)</em></p>
<p><strong>Slide Four: Call to Action</strong></p>
<ul>
<li>Ask for next steps, authorization to do follow-up with functions</li>
<li>Plan for next exercise</li>
<li>Recommit by team to continue program with benefits to company</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.amalficoreblog.com/2011/02/executive-presentations-of-exercise-results/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Avoid Editorial Opinion in Your AAR</title>
		<link>http://www.amalficoreblog.com/2011/01/avoid-editorial-opinion-in-your-aar/</link>
		<comments>http://www.amalficoreblog.com/2011/01/avoid-editorial-opinion-in-your-aar/#comments</comments>
		<pubDate>Sat, 29 Jan 2011 21:46:08 +0000</pubDate>
		<dc:creator>blogadmin</dc:creator>
				<category><![CDATA[Business Continuity Management]]></category>
		<category><![CDATA[Tools, Templates, Software]]></category>
		<category><![CDATA[Training and Exercises]]></category>

		<guid isPermaLink="false">http://www.amalficoreblog.com/?p=443</guid>
		<description><![CDATA[When an After Action Report is developed it should be based on facts observed and discovered during the exercise. Sometimes, editorials and opinions make their way into the feedback and documented findings that are used to create the AAR. These reports should never be altered and should be retained as originally submitted. However, not every [...]]]></description>
			<content:encoded><![CDATA[<p>When an <a href="http://training.fema.gov/EMIWeb/edu/docs/TopOff4_afteraction_report2007.pdf" target="_blank">After Action Report</a> is developed it should be based on facts observed and discovered during the exercise. Sometimes, editorials and opinions make their way into the feedback and documented findings that are used to create the AAR. These reports should never be altered and should be retained as originally submitted. However, not every opinion needs to be nor should be included in the official AAR.</p>
<p>This is especially true when it is discovered that many issues raised are tied to a particular senior person in the organization. If these issues are brought out in the exercise injects, debrief, and written evaluations, then it is up to the facilitator who is developing the AAR to determine how best to manage this situation.</p>
<p>I have found that there are either very good reasons for the comments or that the comments are complete bunk, as in the case where the senior person is disliked or has taken a hard stand and individuals have used the exercise as an opportunity to &#8216;get back&#8217;.</p>
<p>In the former case, when there is some merit to the raised issues, I believe a one-on-one direct conversation with the senior person is appropriate. The discussion should be honest and the data should be shared. Oftentimes a seasoned professional will very aptly manage the feedback and may go public directly and ask for help in making things better. The opposite could also happen and that could be a &#8216;career limiting move&#8217; on the part of the exercise facilitator.</p>
<p>In the end, the person responsible for the AAR must present a fact-based set of lessons learned that are focused on the objectives and not any one individual. The collective organization owns the responsibility to make improvements and that should be the focus of the follow up.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.amalficoreblog.com/2011/01/avoid-editorial-opinion-in-your-aar/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Which BCP Standard for Your Company?</title>
		<link>http://www.amalficoreblog.com/2011/01/which-bcp-standard-for-your-company/</link>
		<comments>http://www.amalficoreblog.com/2011/01/which-bcp-standard-for-your-company/#comments</comments>
		<pubDate>Wed, 26 Jan 2011 01:43:07 +0000</pubDate>
		<dc:creator>blogadmin</dc:creator>
				<category><![CDATA[Business Continuity Management]]></category>

		<guid isPermaLink="false">http://www.amalficoreblog.com/?p=439</guid>
		<description><![CDATA[When considering which standard the BCP program at your company should be based on some look to these for consideration: ASIS SPC.1-2009, National Standard: Organizational Resilience Standard. DRII Professional Practices for Business Continuity Planners. NFPA 1600. Since BSI has not been offered for this discussion point, I believe that NFPA 1600 has the most viability [...]]]></description>
			<content:encoded><![CDATA[<p>When considering which standard your company&#8217;s BCP program should be based on, some look to these:</p>
<ol>
<li><em>ASIS SPC.1-2009, National Standard: Organizational Resilience Standard.</em></li>
<li><em>DRII Professional Practices for Business Continuity Planners.</em></li>
<li><em>NFPA 1600.</em></li>
</ol>
<p>Since BSI has not been offered for this discussion point, I believe that NFPA 1600 has the most viability for the municipal organization. This is not simply because of the nature of emergency management in the public sector, but also because NFPA 1600 offers the widest interpretation of guidelines while still ensuring that there is some strictness in implementation (opinion).</p>
<p>Annex C of the NFPA 1600 provides a very useful rubric which can be used immediately, simply, and at a high level to determine the current status of an organization. [1] This self-assessment for conformity can be used to identify key weaknesses and help begin a program management process that focuses on those areas in most need of improvement.</p>
<p>With the extremely tight budgets these days and a slow-to-recover economy, cities and counties are simply not able to implement the full array of guideline adherence typically found in the 10 professional practices of DRII.</p>
<p>While the ASIS standard does specify threats and hazards assessment and can be very helpful to the private sector, it focuses a great deal on topic areas not particularly useful to a public sector entity, particularly a small town under 100,000 population.</p>
<p>[1] NFPA (Dec 2009). &#8220;<em>NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs 2010 Edition. Annex C Self Assessment for Conformity with NFPA 1600, 2010 Edition</em>&#8221;. Retrieved 1-29-11: http://www.nfpa.org/assets/files/PDF/NFPA16002010.pdf</p>
]]></content:encoded>
			<wfw:commentRss>http://www.amalficoreblog.com/2011/01/which-bcp-standard-for-your-company/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Maintaining BC Plans</title>
		<link>http://www.amalficoreblog.com/2011/01/maintaining-bc-plans/</link>
		<comments>http://www.amalficoreblog.com/2011/01/maintaining-bc-plans/#comments</comments>
		<pubDate>Thu, 20 Jan 2011 22:38:58 +0000</pubDate>
		<dc:creator>blogadmin</dc:creator>
				<category><![CDATA[Business Continuity Management]]></category>
		<category><![CDATA[Training and Exercises]]></category>

		<guid isPermaLink="false">http://www.amalficoreblog.com/?p=436</guid>
		<description><![CDATA[The primary issue to consider regarding business continuity plan maintenance begins with early involvement of a team of representatives from each key department or function. Early on in the process, particularly for a Continuity of Operations Plan-COOP, public sector functions throughout the city need to understand that ongoing updates and maintenance are essential to the [...]]]></description>
			<content:encoded><![CDATA[<p>The primary issue to consider regarding business continuity plan maintenance begins with early involvement of a team of representatives from each key department or function. Early on in the process, particularly for a Continuity of Operations Plan-COOP, public sector functions throughout the city need to understand that ongoing updates and maintenance are essential to the viability of the COOP.</p>
<p>I&#8217;ve accomplished this mindset by introducing awareness concepts for maintenance before beginning the COOP program. I scheduled a maintenance event for immediately following completion of the first program. This essentially provided a practice for testing our system of data backup and retrieval and loading new data items such as staffing and changing responsibilities.</p>
<p>Once that initial mindset is in motion as described above, we turn our attention to three key issues for how to actually perform plan maintenance successfully.</p>
<p><strong>1. Central</strong></p>
<p>By using a software application, each department is responsible for keeping its own section of the COOP updated in real time. This common format is very useful for supporting consistency. If a BC program manager is assigned, then that person can manage a central review of the software program. This is the approach we took. However, for those companies who don&#8217;t use a software application, it may be necessary to collect hard copies or Word documents with updates. In this case, (unlike the lecture from Ms Phelps) I would require a similar format and have a central folder within a designated and protected directory which is backed up regularly. Thus, a paper (or electronic) trail is established that provides a means to validate that the plan is current.</p>
<p><strong>2. Consistent</strong></p>
<p>In order to ensure that the plan is consistent, the BC manager must set clear expectations. The goal is to ensure that the maintenance of the plan(s) is performed in a manner that makes it an accountable and repeatable requirement. It should be an easy-to-use tool and it should be easy to submit changes.</p>
<p><strong>3. Clearly Defined Responsibilities</strong></p>
<p>Identify the people in each function responsible for updating the plan and representing the teams during meetings, practices, and training.</p>
<p>The BC manager can publish a schedule, issue reminders to review updates, and institute a mandatory return receipt policy that acknowledges that those who needed to receive direction and provide input have in fact received such notice.</p>
<p>Maintaining and storing plans must occur according to a specific set of guidelines. Some of the pitfalls of maintaining plans are keeping them up to date, storing them, and backing up the data; and if there are multiple copies for redundancy, then updating all the copies can be tedious, time-consuming and costly.</p>
<p>To ensure successful plan maintenance:</p>
<ul>
<li>Identify roles and responsibilities</li>
<li>Identify which plans are to be maintained by whom and by when</li>
<li>Use an easy software application or method</li>
<li>Make remedies clear so improvements can be tracked readily</li>
</ul>
<p>Some hold the position that it&#8217;s best not to hire vendors or third parties to maintain a plan. However, in my experience, it can be helpful to have an independent external person assist the BC manager or designated person responsible for maintenance. Oddly, people may respond better sometimes to a third party than to their own colleagues.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.amalficoreblog.com/2011/01/maintaining-bc-plans/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Manage “Stonewalling” During an Exercise</title>
		<link>http://www.amalficoreblog.com/2011/01/manage-stonewalling-during-and-exercise/</link>
		<comments>http://www.amalficoreblog.com/2011/01/manage-stonewalling-during-and-exercise/#comments</comments>
		<pubDate>Sat, 15 Jan 2011 19:56:59 +0000</pubDate>
		<dc:creator>blogadmin</dc:creator>
				<category><![CDATA[Business Continuity Management]]></category>
		<category><![CDATA[Training and Exercises]]></category>

		<guid isPermaLink="false">http://www.amalficoreblog.com/?p=451</guid>
		<description><![CDATA[An actual disaster exercise can be quite dynamic. Just because the exercise design team planned the event down to the most finite detail does not mean that the event will go exactly as planned. People make judgments based on ever changing information and data in real life and will do the same during a disaster [...]]]></description>
			<content:encoded><![CDATA[<p>An actual disaster exercise can be quite dynamic. Just because the exercise design team planned the event down to the finest detail does not mean that the event will go exactly as planned.</p>
<p>People make judgments based on ever-changing information and data in real life and will do the same during a disaster exercise. Sometimes that can lead to participants taking shortcuts to solve problems. For example, they may stonewall and buy time, or respond to injects [1] with responses like “We’ve already fixed that”, “The situation wasn’t that bad”, or “We called the vendor and got what we needed”. If it&#8217;s clear that those responses are not possible, then it&#8217;s important for the exercise facilitator [2] to help get the exercise back on track.</p>
<p>In advance of the exercise, here are some ways to help prevent or reduce stonewalling:</p>
<ul>
<li>Pre-arrange with the Simulation team [3] to check in periodically to ensure things are going smoothly.</li>
<li>At the exercise briefing, remind participants of ground rules and expectations to reinforce how the injects should be handled.</li>
<li>Be clear that issues cannot be resolved by waving away the problem with words, but only by making that phone call and actually resolving the situation.</li>
<li>Make injects realistic, valid and believable to help improve the likelihood that participants follow through on tasks and don&#8217;t shortcut the actions.</li>
</ul>
<p>During the exercise, here are some ways to help prevent or reduce stonewalling:</p>
<ul>
<li>Instruct evaluators [4] and observers [5] to listen as they watch for how key injects are being handled. They can inform the facilitator if tasks are being ignored or glossed over.</li>
<li>The Simulation team can use status boards to keep track of how injects are moving along and make corrections proactively by sending out new information to get the teams back on track.</li>
<li>The facilitator should roam, listen and observe the activity, even for tabletop exercises. If the facilitator hears something that might throw the team off, or finds that the team has misconstrued a message, then the simulation team can be alerted with a suggested response to manage the course correction in the exercise flow.</li>
</ul>
<p>Remember that the ultimate exercise goal is LEARNING! We want the participants to act and make decisions in a way that meets the exercise objectives, builds personal and team confidence, and helps assess our readiness to handle the real disaster. Everyone involved should do what it takes to reach these goals.</p>
<p>[1] <strong>Inject</strong>: During the course of an exercise, an inject is data or information provided to participants that must be acted on or considered as new to the scenario.</p>
<p>[2] <strong>Facilitator</strong>: Conducts and directs the exercise event and is ultimately responsible for its success.</p>
<p>[3] <strong>Simulation Team</strong>: A person or group of people who help conduct an exercise and who act as the outside world, offer and confirm information and direct the participants through the exercise.</p>
<p>[4] <strong>Evaluators</strong>: Assess the key injects and actions taken relative to the stated exercise objectives.</p>
<p>[5] <strong>Observers</strong>: Watch and listen to follow the exercise progress in order to learn or provide general feedback to the facilitator and design team.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.amalficoreblog.com/2011/01/manage-stonewalling-during-and-exercise/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
