Emergency Preparedness FMJ Article

Business continuity planning: a strategic facility management function

Pat Moore

Increasing industry and government regulations addressing protection of an organization’s assets and continuity of operations have increased the need for facility, security, environmental health and safety, and loss control professionals to ensure that their organizations have well-designed and practiced business/service continuity plans in place.

Over the past several years, with more and more professional facility management personnel operating at a strategic managerial level, “continuity of operations” planning has become an integral part of their jobs. Whereas in previous years, disaster recovery or contingency planning resided in the realm of a contingency planner with heavy information systems or information technology background, the mandate for this planning is now being handed down from a CEO, COO, CFO or risk manager to the director of facilities.

As you leverage the critical recovery information you developed in your Y2K plans and review the programs that protect your organization’s assets, you should also research additional methods of mitigating potential losses. With the challenge of natural, man-made and technological disasters, it is important that the appropriate recovery strategies and procedures be in place to ensure not only recovery of the facility itself, but also to ensure continuity of the core revenue or service-generating business or operations within those mission critical facilities.

For example, in a manufacturing or distribution environment, business continuity issues go well beyond just getting the plant or warehouse back in operation after a disaster. They include: continuing to get product to market; producing excess capacity versus just-in-time inventory; buying replacement product externally for resale; the possibility of shifting product from other markets to protect your best market; adhering to regulatory compliance schedules; and meeting contract deadlines.

Successful contingency planning includes planning for the identification and continuity of time-sensitive business and service functions and processes and all of their complex internal and external interdependencies as well. Experience has taught us that in our technology-entwined global marketplace, an earthquake in Asia, for example, can seriously interrupt business in the United States. A loss affecting an entity anywhere in our internal or external supply chain can affect our continued operations and delivery of finished goods to market or negate our ability to provide critical services to our customers—no matter how large or small the size of the organization.

As we look at what is actually involved in expanding disaster recovery beyond emergency response, life safety issues, recovering computerized critical applications at an alternate site, or cleanup of the facility itself, it is important to understand what we mean by business continuity planning. Just as there are many ways of performing risk and hazard analysis for a facility, there are also alternate methodologies for defining and accomplishing business or service continuity planning.

The description often used for business or service continuity planning is “the process that defines the procedures employed to ensure timely and orderly resumption of an organization’s business cycle through its ability to execute plans with minimal or no interruption to time-sensitive business or service operations.”

How well your organization is prepared to survive a business/service disruption with minimum interruption to its daily routine will depend on the elements identified, and the provisions made for review, implementation, maintenance, quality assurance and accuracy of your business/service continuity plans.

The business or service continuity plan itself is defined as “the documentation of the strategies, procedures, resources, organizational structure, and information database utilized by an organization to respond to, recover from, resume and continue operations in the event of a substantial disruptive incident.”

When addressing issues such as continuity of operations in revenue- or service-generating business units, zero-tolerance for downtime in mission-critical facilities, supply-chain management; enterprise resource planning; just-in-time inventory, getting product to market, and defining and addressing internal and external interdependencies, organization-wide business continuity planning can seem overwhelming. In truth, it does not need to be.

Findings indicate that, within most organizations, some levels of recovery planning exist. The safety, security, vital records and facilities department may have plans in place to recover their own operations. In most organizations, the information systems or information technology department will have a documented contingency plan for their systems and technology functions—many of which were recently reviewed and tested to address the Y2K issue. However, the key to a successful recovery operation and reduced business interruption is the integration of these independent plans so that all critical and interdependent components (both internal and external) are in place to ensure a successful recovery and continuity of operations no matter what incident occurs.

Since we cannot expect to recover everything, and since each department, business unit or facility’s needs cannot be considered the number one priority, current information must be available to prioritize planning efforts. Additionally, to establish cost-effective recovery and continuity strategies, we must first understand where our exposures and vulnerabilities are.

Risk-mapping through hazard and risk analysis is a process that has historically been used by organizations to accomplish the identification of a business’s internal and external physical exposures. Today, a business impact analysis (BIA) is effectively used by organizations, in both the private and public sector, to determine the financial and operational impacts of a disruption upon their business or service operation. In addition to identifying the financial and operational impacts of a disruption upon the business or service organization and the suppliers, a business impact analysis effectively determines, at a minimum, the following:

• extraordinary recovery expenses;
• technology recovery requirements;
• special recovery resource requirements;
• critical disaster-specific information systems support;
• internal and external dependencies;
• existing and required work-around procedures; and
• insight into the organization’s current state of preparedness.

A business impact analysis is also being used effectively to determine impacts of an incident upon continuity of operation issues such as:

• loss of key staff;
• loss of vital records;
• global issues, such as change in political climate;
• difficulty of operational integration across borders;
• disruption of importing and exporting functions;
• critical labor relationships;
• new revenue streams;
• supplier disruptions; and
• regulatory controls.

Today, the time-consuming data-gathering function of performing a business impact analysis has been greatly expedited through the use of automation. Utilizing software to perform the majority of the BIA not only reduces the “people hours” involved, but provides for the objective, automated analyzing of the data, as well as the reporting of the data through professional charts and graphs within the software. With specific internal and external interdependencies and vulnerabilities factually identified, this business impact analysis process has proven to be of great assistance to senior management in making educated decisions about:

• which business units, operations and processes are essential to the survival of the organization;
• how quickly essential business units or processes have to be back in operation before the impacts are catastrophic;
• what are the most plausible recovery alternatives to meet the recovery windows;
• what resources are needed to resume operations at a survival level for the essential parts of the business;
• what elements must be pre-positioned in order to meet the recovery windows;
• what will be reused and recovered and to what capacity levels over what period of time;
• what changes, if any, need to be implemented in the supply chain, inventory and distribution management programs;
• how to address the organization’s internal and external interdependencies; and
• what recovery and continuity policies and procedures must be in place to address both a short-term disaster such as a brief systems failure or a long-term major property loss.

As business and service organizations expand their contingency planning umbrella to ensure continuity of operations, there are specific systemic or operational issues that must be considered. These include potential loss of competitive advantage or market-share; negative public image; product recall; inability to meet projected earnings; loss of specialized workforce; civil or labor disturbances, increasing workplace violence; and potential loss of the critical infrastructure of the United States through terrorism.

The objectives of a successful plan must include (at a minimum):

• ensuring health and life safety protection;
• minimizing interruptions to business/service operations;
• resuming critical operations within a specified time after a disaster;
• minimizing financial loss;
• assuring clients, customers, community, suppliers, employees and share holders and stakeholders that their interests are protected; and
• maintaining a positive public image of the organization.

The following guidelines should always be addressed when developing business/service continuity plans for any organization:

(This particular checklist encompasses only a small portion of the business/service continuity planning effort and is generic in nature.)

• Write your plans so that you can recover equally well in a singular, community-wide, or hazardous material disaster.
• Establish an organization liaison to the municipal authorities and develop a coordinated recovery plan with them that addresses good communications during an incident, including early insight as to how bad the damage is and when you might have access to the facility.
• Ensure that your crisis management plans are expanded to address “continuity of operations” planning beyond the incident management, emergency response and business resumption and recovery phases.
• Ensure that your pre-qualified, critical suppliers of services and supplies will be available to you when you need them. Your vendors must have their own disaster recovery and business continuity plans, and responding to your needs must be a part of their plans. Ask to see documentation of this response commitment.
• Have, at minimum, two or three sources for your critical materials or services. If one is local, an alternate should be elsewhere in the state, region or nation.
• Establish a list that identifies who needs to be notified in the event of a disaster at any of your locations(including clients) and who will do the notifying. This capability should exist whether or not there is telephone service at the site.
• Pre-identify critical resources (communications equipment, supplies, hardware, specialized workforce, etc.) and determine the timeframes needed not only to mobilize them, but fulfill delivery commitments.
• Establish telecommunications recovery procedures for voice and data, including switching capabilities and backup networks.
• Address the possibility of denied access to your facility due to assessment of structural integrity, forensic investigations, and/or toxic contamination. (Plan for at least a 24- to 72-hour delay in getting back into your facility—even for site/damage assessment. If it is necessary to test for hazardous materials, your access can be delayed several weeks or longer.)
• Determine when you will implement your crisis management plan.
• Determine the parameters for declaring a disaster and moving off-site to your hot-site, cold-site or internal warm-site. Establish who goes where, for how long, and what their needs are.
• Identify both temporary and potentially permanent relocation sites for your strategic revenue-generating and administrative staff support functions and personnel. Determine what special needs these departments and personnel have. These sites should not have the same hazard exposures as your existing site(s).
• Determine who authorizes this move and other emergency acquisitions, and what special accounting procedures need to be established for tracking these disaster-specific costs.
• Determine the location of your command center(s), its requirements and what special security/access control procedures you need to establish in advance. Consider utilizing your Y2K command center as a permanent emergency operations center.
• Ensure that the pre-identified locations will be available in both a community-wide and singular disaster. Research what real estate transactions need to be completed prior to a move.
• Determine how you will resume your production and distribution capabilities and get your finished goods to market.
• Determine how you will recover your print and mail functions and services.
• Determine how your crisis communications plan will address the continuity of positive communications to your clients, employees and the public regarding your recovery progress.
• Determine what issues you must address to be sensitive to global, cultural and philosophical differences.
• Review insurance issues with your risk manager or insurance coordinator.
• Identify your recovery teams and their tasks.
• Identify who will implement and maintain the plan.
• The litmus test for any business/service continuity plan is that it works when executed. To ensure your plans work, exercise them. Make certain that the logistics, procedures and tactical strategies you developed are sound.

Plans must be exercised to determine whether:

• Your organization and its critical vendors are prepared to cope with a business/service interruption or disastrous event anywhere in the world you have operations.
• Backed-up data and documentation stored off-site are adequate to support resumption, recovery, continuity and restoration operations.
• Inventories, tasks and procedures are adequate to support resumption and recovery and continuity operations.
• Plans have been properly maintained and updated to reflect actual resumption, recovery and continuity needs—in particular, any changes to the organization.

The information contained in a business/service continuity plan must be kept alive. Organizations are constantly changing. Businesses are acquired, merged and divested; new operations and processes begin, some cease; people leave, are hired and promoted; customer commitments and supplier relationships change; locations change; responsibilities change; and priorities change. You cannot rely on outdated information.

In today’s constantly changing environment, where people are often asked to do more with less, it’s a challenge to maintain a living plan. Although you may maintain the text portion of your plans such as corporate policy in a word processing document if, a disaster occurs, you don’t want to have to be searching through a manual looking for action lists, notification procedures, critical vendor information, etc. Automated planning systems are invaluable in developing and maintaining your continuity plans and helping you quickly access the information you need in the event of a disaster. Cutting-edge technology provides for easy integration and expansion of existing plans, as well as customization within these planning tools to address organization or industry-specific terminology and needs. The challenge of organization-wide planning can be more easily met through the utilization and implementation of the above recovery and continuity planning methodology.

This article may not be reprinted, reproduced or distributed, in part or in total, in any medium, without the express written consent of the author. © Strohl Systems 2000 All rights reserved.

FMJ
About the author: Pat Moore, CBCP (Certified Business Continuity Professional), FBCI (Fellow of the Business Continuity Institute), CP&M 1999 Hall of Fame inductee, and winner of FEMA’s 1999 “Outstanding National Business Person” award is vice-president of business continuity education for King of Prussia, Pa.-based Strohl Systems. She is known internationally for her experience and expertise in disaster recovery, business continuity planning, physical property restoration and loss mitigation. She lectures and is published worldwide on these subjects. Among her numerous professional affiliations are chairperson of the public/private partnership committee of the International Association of Emergency Managers, the National Fire Protection Association’s disaster management committee and the 1995-1998 chairperson of the Disaster Recovery Institute International Education and Standards Council. Strohl Systems is a global leader in business continuity planning software, consulting and educational services. For more information, call 1-800-634-2016, extension 145, or 1-610-768-4120. Fax 1-610-768-4135. E-mail: This e-mail address is being protected from spambots. You need JavaScript enabled to view it .