Business Continuity Plan Testing is technically noted as the 5th stage (nestled between plan development and plan maintenance) of the Business Continuity Planning Process. Its objective is to serve as the litmus test to determine the plan’s “adequacy, reliability and effectiveness”.[1] In so doing, it ensures that the analytical efforts engaged in the planning process forms a sound premise for the plan construct and, moreover, is consistent with the organization’s assessment of its needs to sustain itself through possible business interruptions.
A tall order indeed and perhaps the Decisive Point on the path to achieving organizational resiliency.
At the core of the “adequacy, reliability and effectiveness” testing triangle (equal lateral: all sides in equal “tension”) is the actual event that serves as the driver for the testing process. For purposes of the discussion, it matters not the type or nature of the event. What is of primary importance is that the testing event involves the business continuity team that will be implementing the plan at the moment of calling. Herein lies the “Center of Gravity” for organizational resiliency in responding to threats to business continuity.
The actual link between the testing event and the business continuity may be identified as Organizational Level of Knowledge on the actual business continuity plan (BCP). I would even go as far as saying that this knowledge, in order to embody the concept of resiliency, must encompass the plan in total and NOT the stove piped columns of knowledge that individual business continuity plan response teams generally are empowered with in order to execute their individual finite pieces (of the plan).
The link of Organizational Level of Knowledge is supported by several knowledge sub-components that support and foster resiliency.
The first, and most critical, is the premise that Knowledge, specifically of the business continuity plan in total AND the premise(s) on which it is founded, constructs an innate sense of resiliency within each response team member. It enables them not only understand/execute their respective part better, but, of greater significance, to seize initiatives when they appear and to make the right decisions and take the right actions as a dynamic situation dictates. This is de-facto empowerment.
Secondly, mastery of the Knowledge contained in the BCP mitigates the paralyzing affects of the “shock and awe” syndrome when initially confronted with a disaster or serious interruption to business continuity. Individuals will respond as the BCP dictates due to the fact that the knowledge imparted by effective training of the BCP overwhelms “uncertainty and mental gridlock,” both of which are known human phenomena to circumstances that stress normal thought processing patterns.
Third, and perhaps more subtle than the previous two points, is the fact that a thorough knowledge of the BCP by key participants will maximize training opportunities when scheduled. The maximization occurs not only in the organizational resiliency sense but also from a fiscal stand point as well. Training demands planning (time, staff resource allocation) and productive participation (time saved by addressing new material/issues and not constantly re-plowing old ground). All of this affects the bottom line and is a significant enough consideration that cannot be overlooked.
John Kunert CBRM, CBRA
Senior Planner
CIRCUMSPEX
[1]Sentryx , Advanced Business Continuity and IT Disaster Recovery Planning: Course Notes, 2008, Section 9, page2, 2008.
Business Continuity: Practical Solutions Pre-event!
After 30 years working with customers and clients as they deal with either a personal or business crisis, it is rewarding to have the opportunity to work with them in pre-loss conditions hoping they will never have to implement the response plan you are helping to create. However, odds are not in their favor nothing will ever happen! Small incidents like a frozen pipe, a faulty sprinkler head, while not a major event, can be quite costly! Knowing how you would or should “react” is critical to saving dollars and reducing the risks. I like to say it is a matter of being pro-active versus reactive!
In light of all the bad news that floods the media, people still remain complacent…“it will never happen to me!” Historically, an increased sense of urgency to plan for disasters is top of mind immediately after a regional or national weather event, but that sense urgency fades with each passing day or week as the event passes. True business continuity is a process that never ends. It is driven internally within a company by an individual or group of individuals that have the unenviable task of making it part of a company’s culture. Unfortunately, most of those that have written those 3 -4 inch binders are placed on the shelf as a completed project versus a tool that must be constantly updated and tested. For years, Business Continuity and Business Recovery Plans have been a priority within IT Departments. Facility personnel and property managers are not quite as focused on the “what if” testing that goes on in the IT world. They have day to day issues that usually cloud the inevitability of a real issue with serious financial impact threatening the viability of a company. If we recover the data but cannot produce what we are selling because of a fire, flood or environmental event, where are we? How patient will your customers be if you are a supply chain vendor and you are holding up production of the finished product?
What can go wrong? In the past 30 – 90 days, we have had forest fires out west, Hurricane Irene impacting the Atlantic and Northeast, Tropical Storm Lee impacting rivers and flooding whole communities and businesses and now intense Santa Ana winds impacting the Western US…and these are just the natural disasters. What about the fire that starts up in production line machine igniting the hydraulic fluids that surrounded it, the sprinkler head that was sheered by a carless fork lift operator etc…? Are you ready? What can be done? Who is in charge when an event occurs? What are the critical functions that must be brought up first? Pre-planning can help to prepare a company to withstand an event should one hit. Part of the planning process should be to test the plan. Will it work as designed? I remember doing a table top exercise for a Fortune 500 company 6 years ago. With those sitting around the table, it was clear that at least 3 people thought they were in charge if a fire impacted the corporate headquarters…a interesting problem to have that must get worked out pre-event. I just found out through one of our response vendors that they were doing a fire in the corporate facility…good thing they had a plan!
Working with CIRCUMSPEX, a facility centric web-based planning tool, we focus on building contingencies. Developed by a team of restoration, homeland security software developers, certified property managers with extensive restoration experience, the program benefited from “real life” scenarios in the developmental process. Un-like most disaster planning solutions on the market, it is inexpensive and user friendly. It is also more robust than other solutions on the market. While the program identifies several tabs where critical information is stored, like Risk assessment, Business Continuity, Critical Processes, Life Safety and a robust section that are focused on Building Specifications and Critical Equipment.
Written by: Jim Wills
The primary incentive for insurance fraud is personal gain. Whether it arises from a fire or storm claim, worker’s comp, or theft of valuables many share the same roots. The insurance market place provides many fertile opportunities for exploitation on either side of the table.
The most typical form of fraud involves inflating the total dollar value of a claim, directly or through agents of the owner.
Insurance fraud can generally be divided into two categories, hard and soft. Typically a hard fraud case exists when someone invents an incident to produce a loss such as an auto accident or arson. Generally soft fraud on the other hand is an opportunistic endeavor. This may be typified by policyholders filing exaggerated claims on property damages or improperly valuing of a lost item. It may also occur when an item is insured without an inspection so as to accurately represent its existing conditions.
More on this subject during December by Dave Mistick, twitter @disasterguru
Or are they mutually exclusive? Is the concept of “resiliency” the framework within which an effective business continuity plan is constructed? If not, it should be. If not, the Business Continuity Plan (BCP) isn’t worth the electrons that store it within the system.
RESILIENCE is defined by Merriman-Webster as follows:
“The capability of a strained body to recover its size and shape after deformation caused especially by compressive stress,”and “an ability to recover from or adjust EASILY to misfortune or change.”
Both definitions address the ability of the main body to adjust and adapt to external forces that are exerted in a non-complementary fashion. In other words, unannounced disruptions to the status quo. Moreover, the emphasis is on the ease by with that adaptation is realized.
Much has been said regarding “Organizational Resiliency” and the need for the Business Continuity Plan to achieve that end. One can almost hear the mantra chorused by senior management when the notion of “organizational resiliency” is challenged by vested stakeholders: “….of course we are resilient….We have a Plan!”
But are they? Upon further review…
It may be interpreted that true “resiliency”, in the context of responses to external stresses, has two distinct components:
1. The BCP
2. The Organization
The glue that hold these two key resiliency elements in the proper tension is the ability, capability and will of the people within the organization to seamlessly respond to external organizational stimuli that results in unanticipated “misfortune or change” to key processes, infrastructure or capabilities.
It is certainly one thing to “brace for shock” when a threat is anticipated and known. People prepare. Management focuses more tightly on risk mitigation. Redundancy, perhaps rarely (or never) relied upon, is “given the warning” to step into action on moment’s notice. The probability of an effective response with the associated positive outcome is certainly “Good.” With a little training in between those odds may go to “Excellent.” Great.
It is all together different when the “misfortune or change” is more akin to the “bolt from the blue.” In this scenario, it is a “come as you are party” and, hopefully, the party preparations included a heavy dosage of organizational socialization, training, and testing of the BCP. In the average organization, what are the odds of the perfect nexus of these elements? Add the “surprise” element and we have the recipe for, at best, a “failed response.” Not Good.
In both scenarios, both organizations could have made the rhetorical claim (or claims if extraordinarily confident) before the event that they were, in fact, “resilient.” In fact, neither would meet the true litmus test or resiliency: “ An ability to recover from or adjust EASILY to misfortune or change.” The “ramp up” in the “brace for shock” scenario comes at a cost both in terms of time and the illusion of preparation. In this case, any deviation from the set plan serves as the prologue to failure. In the “bolt from the blue scenario, the notion of “adjusting easily to misfortune or change” was doomed to failure at first contact.
As stated earlier, the factors that empower an organization’s true resiliency are the ability, capability and will of the people within the organization. The challenge for senior leadership (note the term “leadership” used vice “management”. “Will” cannot be managed in the clinical sense however leadership inspires individuals from within, hence “will” is re-enforced) is to allow the growth of ability, development of capability and engendering the sense of empowerment amongst all echelons of the organizational structure to ACT as leadership expects them to act in the absence of direct supervision. The early stages of an event that “causes misfortune or change” are the most critical. The right actions taken at the right time by the people who have the opportunity to do so can only happen if they are trained (ability and capability) and empowered. This, in the final analysis, is Resiliency.
A page from history exemplifies this last point quite clearly. During the Second Battle of Guadalcanal in 1942, the light cruiser USS San Francisco (CA 38) suffered over 32 major caliber hits during an intense night action with significantly superior Japanese forces. With senior leadership killed, a severely compromised propulsion plant, “next to nothing” for electrical generation and on the verge of sinking, the ship continued to put “rounds down range” to the enemy. They continued to “fight another day.” Under these extraordinary circumstances, the crew of that ship demonstrated extraordinary “Resiliency.” Inspired leadership instilled the will to perform and training, on the part of every crewmember, to the tenets of their “contingency plan”, empowered them to prevail. They were, in every sense of the definition, RESILIENT.
By: John Kunert, Senior Planner @ Circumspex LLC
Much has been said regarding personal identity theft. Even more has been written with respect to the devastating consequences that personal identity theft can have on one’s own livelihood and economic health; even mental health if one considers the fact that one’s own “digital persona” is now embodied in that of another. This “digital persona” has the potential, both literally and figuratively, to steal not only one’s financial resources (Bank Accounts, Credit Cards) but also one’s “identity” in the cyber-world that controls one’s access to health care (Medicare, Medicaid), earned benefits (Veteran’s Assistance and Programs, Social Security) and even employment opportunities (or loss of present employment).
What to do? What’s next? How do I respond? Moreover, how do I mitigate the risk from this ever happening to me in the first place?
Before I begin, allow me to quantify my remarks. I recently “lost” a piece of critical personal identification while proceeding through a routine TSA check point at a major regional airport. Unfortunately (for me), the ID contained my social security number as well as my birth date. The two most centric pieces of data to one’s personal identity. My initial response was not what I could call the most efficient or even “pre-planned.” It was sheet panic over the magnitude of the loss and the knowledge of what “could be.” It was my personal Armageddon. Upfront and personal. Fortunately, the four hour plane ride that followed allowed me to focus on my next step(s).
What to do if you find or even suspect that personal information has been compromised. First and foremost, assume the worst. Then act. Go on the offensive and take charge of your counter attack. The following are the “what next’s.” By acting you’ve already begun the initial response.
1. Notify ALL of your financial institutions IMMEDIATELY that you suspect that your personal information has been compromised. From your credit card companies to the banks where you maintain accounts. LET THEM KNOW specifically what information has been stolen or lost (e.g. SSN, Birth date, Account number(s), security codes). This should be done as soon as you can get a dial tone!
2. Call the Social Security Office at: 1-800-772-1213 or access their web site at http://www.socialsecurity.gov . Report your circumstance, particularly if your SSN has been compromised.
3. Visit the Federal Trade Commission website http://www.ftc.gov/bcp/edu/pubs/consumer/credit/cre34.shtm for information on how to post a fraud alert and, once reported, obtain a Fraud Alert Confirmation number.
4. Through the FTC and/or on your own, notify one of the three major credit monitoring agencies ( e.g. Equi Fax at 1800-525-6285)of a potential fraud. They will track any activity under you personal identity (Social Security number).
That all said (and beside the issue of losing your data in the first place), the following are steps to hedge and or mitigate the risk to personal identity compromise:
1. Have a plan in advance where all of your key contact data (banks, credit card companies, creditors etc) is both secure and readily accessible. A product such as CIRCUMSPEX ( https://www.circumspex.com ) is the ideal platform in which to launch and store a personal identity theft/compromise plan and all contact data.
2. Properly secure all data. Minimize the amount of personal “data” that is on your person day to day. Examine that data such that you are continually aware of what you have in your back pocket. Always ask the question: “what is my exposure should I lose and/or have my wallet/purse stolen/misplaced?” Carry one piece of personal identification and, preferably, one that doesn’t include your SSN and birth date. Keep in mind what is on your personal computer/laptop and keep them “clean” to minimize exposure should they become lost or stolen.
3. Destroy (SHRED) all correspondence that contains any information relative to account data (all accounts e.g. phone and utility bills, banking, credit cards) prior to disposing.
4. When presenting personal identification for official purposes (Transportation Safety Authority screenings, banks, store check cashing etc), maintain a deliberate mental focus on how/where/who has their hands on that ID. Be deliberate in its return to you and its SAFE STORAGE on your person. Never mind the impatient person behind you. They can wait. Your personal security AND, moreover, piece of mind, cannot!
Don’t let happen to you what happened to me. Be ready. Be prepared. Be prepared to take charge of a personal identity theft counter-attack should the worst occur!
Having come through another hurricane season it is worth reconsidering the importance of open and honest communications between the property management staff and the tenants. On a recent project we witnessed the owner and manager paralyzed by indecision concerning emergency mitigation services. As such the rain soaked interiors baked in the sun leading to interesting environmental conditions.
The owner at first did not want to address the conditions almost trying to "wish" the problems away. This behavior only brought about very unhappy tenants and a stream of folks leaving the development. Soaking interior finishes and wall cavities also seriously impacted the very young and those with certain chronic breathing problems. Suddenly when reporters and news crews started to appear in the neighborhood the owner and manager were "moved" to action.
Over several decades of managing mitigation and large scale multi-family repairs we know that true, honest, accurate information sharing with the tenants is vital. When a disaster or calamitous event arises that impacts an entire complex the owner or manager need to be proactive. Bring the tenants together in a single event lay out the facts as you know them and answeer questions honestly to the best of your ability. Certain managers quake in their shoes at the thought of bringing all the tenants together. They are often afriad that they will be put upon by the throng. They have a misconceived notion that only speaking to individual inquiries is more prudent than providing uniform information. Is there a delusion that the tenants will not speak to each other? Have they not experienced the social phenomenon that rumors grow to fill the voids created by intentionally limiting communication.
More to come....
This is very good primer on the components of critical process investigation. Analyzing the business organization and its entire operational footprint is instrumental to developing a proper continuity strategy.
This begins with identifying mission‐critical functions throughout the organizational landscape, including agency functions (interdependent services performed by agency processes and sub‐processes), enterprise functions (services dependent upon agency‐level functions) and processes (series of actions or operations that implement functions).Identifying mission‐critical functions can be a tedious task, and no two organizations will follow the sameprocess or end up with the same list.
When identifying mission‐critical functions, the following should be considered:
• Functions that support the organization’s primary mission statement
• Functions that support other agencies’ mission critical functions
• Functions that must be recovered immediately and quickly
• Functions that have a high‐dollar value
• Functions that have high client/customer impact
• Functions with political implications or ramifications
• Functions with legal requirements or liabilitiesAn executive Business Impact Analysis (BIA) tool can facilitate this process, helping planners and organizersunderstand the effects and impacts of interruption on the viability and vitality of operations and criticalbusiness functions, especially financial activities, including maintaining collections, processing payments,operating a supply chain, handling payroll and so forth.
BIA is the backbone of the BCM planning process but cannot stand alone without full approval, backing and support from the highest level managers.Risk analysis and Risk assessment are additional processes which support the BCM planning process. Risk analysis involves identifying probable threats and associated threat value to an organization and its assets and analyzing related vulnerability. Risk assessment evaluates existing environmental and physical controls and security, followed‐up by assessing their adequacy relative to potential threat.
Read more in paper written by Tittel & Koreic Understanding the need for Business Continuity Management and Disaster Recovery Planning
Environmental and Historic Preservation Review may occur for projects that involve repairing a structure to pre-disaster condition. Structures typically include:
Typical environmental and historic preservation laws and executive orders that may apply include the National Historic Preservation Act, Clean Air Act, and Floodplains Executive Order. Typical concerns may include historical impacts, air pollution, and redevelopment within a floodplain (if applicable).
Recently DHS delivered its long awaited document identifying the goals for national preparedness. DHS summarizes these high level objectives as follows:
Using the core capabilities, we achieve the National Preparedness Goal by:
Preventing, avoiding, or stopping a threatened or an actual act of terrorism.
Protecting our citizens, residents, visitors, and assets against the greatest threats and hazards in a manner that allows our interests, aspirations, and way of life to thrive.
Mitigating the loss of life and property by lessening the impact of future disasters.
Responding quickly to save lives, protect property and the environment, and meet basic human needs in the aftermath of a catastrophic incident.
Recovering through a focus on the timely restoration, strengthening, and revitalization of infrastructure, housing, and a sustainable economy, as well as the health, social, cultural, historic, and environmental fabric of communities affected by a catastrophic incident.
The core capabilities contained in the Goal are the distinct critical elements necessary for our success. They are highly interdependent and will require us to use existing preparedness networks and activities, improve training and exercise programs, promote innovation, and ensure that the administrative, finance, and logistics systems are in place to support these capabilities.
The capability targets—the performance threshold(s) for each core capability—will guide our allocation of resources in support of our national preparedness.Individual and community preparedness is fundamental to our success. By providing the necessary knowledge and skills, we seek to enable the whole community to contribute to and benefit from national preparedness. This includes children, individuals with disabilities and others with access and functional needs, diverse communities, and people with limited English proficiency. Their needs and contributions must be integrated into our efforts.
Each community contributes to the Goal and strengthens our national preparedness by preparing for the risks that are most relevant and urgent for them individually.We have made great progress in building and sustaining our national preparedness. The Goal builds on these achievements, but our aspirations must be even higher to match the greatest risks facing our Nation. As we prepare for these challenges, our core capabilities will evolve to meet those challenges.
To view the complete document click on the link below