Planning Now for When:

Strategies for Disaster Planning and Recovery

Santa Barbara HR Association

Kathryn McKee, SPHR; SHRM-SCP

Co-Author, “Leading People Through Disasters”

December 2017

© Kathryn McKee

Table of Contents

Leading People

Self-Assessment Questionnaire

Business Continuity Planning Steps

Step 1: Making the Business Case

Step 2: Establish a Planning Team.

Step 3: Analyze Capabilities

Business Impact Analysis

Business Vulnerability Analysis

Step 4: Writing the plan

Step 5: Implement the plan

Emergency Management and Recovery Planning

Critical Thought Questions: Crisis Management and Response Teams

Human Resources

Communications

Creating a Contingency Communications Plan

Scenario Planning

Major Types of Crises

Scenario Planning Model

Writing the Scenario

Some Cost Ideas for Planning

Vulnerability Analysis Chart

Key Contacts

Organization Training Plan

Sample Department Business Impact Questionnaire

Developing your Business Continuity Plan

The first look at a Business Continuity Planning Outline is daunting, confusing, and can be overwhelming. The purpose of this workbook and the presentation that accompanies it is to assist you in understanding how to begin a complicated process. As we go through the materials, you’ll see a series of Critical Thought Questions. These will aid you back in the office as you progress through the development of your plans. They are excerpted from the “ASIS International Business Continuity Guidelines” which have been endorsed by the American Standards Institute. Here is the first set of these questions:

Critical Thought Questions: Overview

  1. If a major disaster occurred today, has your organization planned for survival?
  2. Does your organization have a Business Continuity Plan (BCP), and is it up to date?
  3. Has senior management approved the BCP?
  4. Does senior management support the BCP?
  5. Has the cost of the BCP been determined, including development and maintenance?
  6. Have the internal audit, security, insurance and Human Resources departments reviewed the BCP?
  7. Has the BCP been tested, including a surprise test?

Answering these questions is the first step in either beginning the development of or updating your organization’s Business Continuity Plan.

Business Continuity Planning is a complex and demanding effort. What we will do today is educate you about the things to think about, discuss and try out some of the processes involved, and provide you with a list of questions to take back and gather information preparatory to developing a detailed plan involving the subject matter and resource experts in your organization.

Leading People

What does it take to lead a Planning effort, then lead people through a disaster, recovery and back to running a viable business? Do you have it? Let’s look first at Behavioral Attributes: those qualities within yourself that impact your behavior. As we discuss the Competencies shown on the slides, complete the questionnaire that follows to do a mini self-assessment.

Self-Assessment Questionnaire

Competency / How satisfied am I with my strengths in this area? / What can I do about it?
Initiative - ready to act and seize opportunities
Relationship management - inspirational leadership; influence; change catalyst; conflict management; networking; teamwork and collaboration
Self-awareness – aware of your emotions and their impact; knowing your strengths and weaknesses; sense of self-confidence
Self-control – ability to control emotions; maintain objectivity; be empathetic; have a degree of dispassion
Innovation – creativity, tangential or peripheral thinking

Now let’s examine the skills, knowledge and abilities that are learned:

Competency / How satisfied am I with my strengths in this area? / What can I do about it?
Strategic planning – creating a vision; mission and key strategies to move the business forward.
Tactical planning and organizing – developing action plans, structure and staffing so the strategies can come to life
Communication and interpersonal skills – getting your message across to others; building relationships with others; open to others’ input
Project management – leading others in the execution of a short-term project; understanding of PERT and Gantt charting; task and staff scheduling; critical path

Putting a Plan Together

What are Disaster Preparedness, Recovery and Business Continuity Planning?

You become prepared for a disaster and for recovering from it by developing a business continuity plan. For example, an ammonia spill in the Men’s room is a small emergency in the area where it occurs. Fumes can seep out and make people nearby nauseous, so they may need to leave the area. It’s cleaned up, and you’re back to business in an hour or so.

But, an ammonia spill on equipment in the manufacturing area can turn into a much larger emergency: the spill shorts out the assembly line, assemblers become ill and some faint, the line is shut down, employees sent home, and the plant is inoperable for a week.

Or a train wreck occurs ½ mile from the plant, and cars carrying ammonia overturn. It spills, and the entire neighborhood must be evacuated because the chemical mixes with another, creating a toxic cloud. In this example, we’ve moved from an emergency to a disaster.

Business Continuity Planning Steps

Step 1: Making the Business Case

In many organizations, there is a reluctance or resistance to investing time and money to prepare a Business Continuity Plan. Psychologists suggest this is denial of an inevitable situation. To overcome this obstacle, here are some ideas to aid in building the business case for planning. It all has to do with financial success…the “Bottom Line”. On page 15 of this Field book you’ll find lists of items to consider in making your business case that range in cost from no out-of-pocket expenses to over $500.

Step 2: Establish the Planning Team.

Critical Thought Questions: Accountability

  1. Does your organization's policy include a definition of crisis?
  2. Has the person responsible for critical systems and business processes been identified?
  3. Has a BCP Team been appointed, and does it include senior business function leaders?
  4. Has the BCP been communicated throughout the organization?
  5. Has a person been assigned with the responsibility to update the BCP?

Form the Core Team. Who will serve? The CEO should NOT be on this team; rather, the CEO should appoint a Core Planning Team of senior leaders responsible for the critical aspects of your business. Who are they in your organization? List below the Title and Name of your people in critical management roles who should serve on this team.

Title / Employee Name / Title / Employee Name

Establish authority. The CEO should delegate decision-making powers to the Core Team, and the Core Team in turn will advise the CEO of decisions that have been made or make recommendations that may need Board approval.

Incident Commander. The CEO should appoint the executive who will be the Incident Commander should an emergency or disaster occur. The CEO delegates complete authority for managing the Incident to this individual. HR should play a role in selecting the Incident Commander. Ideal candidates are those who understand the intricacies of your business operations, including IT.

The Incident Commander runs the Incident – the CEO does not. Who do you recommend be the Incident Commander for your organization? Write his/her name in the box below:

Create and issue a plan mission statement. This statement should be succinct and to the point.

The Core Team should create it and ensure it demonstrates the organization’s commitment to emergency management, defines the purpose of the plan, indicates it will involve the entire organization, and defines the authority and structure of the planning group.

The CEO should issue it.

Establish a schedule and budget. The Core Team puts together its work schedule, project deadlines, who does what, and by when. It also develops a project budget for items such as research consultation, printing, educational seminars, and the like.

From this point on, we will focus on establishing a Business Continuity Plan for YOUR organization. It will model the way for the development of an organization-wide plan, but working on your own will give you the basics of what will happen in the larger context. Pick one of YOUR functions to use today for planning purposes.

Step 3: Analyze Capabilities

Critical Thought Questions: Risk Assessment

  1. Has your organization conducted a Risk Assessment?
  2. Have the types of risks that may impact your organization been identified and analyzed?
  3. Has the likelihood for each type of risk been rated?

Review internal plans and policies. Do you have any or all of the following? Check all the ones you have.

Item / Yes / No / Who owns this?
Evacuation Plan
Fire protection plan
Safety & Health Program
Security Procedures
Insurance programs
Finance & Purchasing procedures
Plant closing Policy
Employee Manual
Hazardous materials plan
Risk Management Plan
Mutual aid agreements

Meet with outside groups. You may want to meet with or contact outside organizations to ask about their view on potential disasters, and obtain any emergency planning information they may have. This is a step to do back on the job.

Item / Have we met? / Who will do?
Community emergency management office
Any local emergency planning committees.
(Check with the local Red Cross Chapter for these)
Your City and or County Office of Emergency Services (OES).
You may also want to check with the State OES
City, County Public Works
Fire and Police Departments. What will they do for you? What special procedures do they want you to follow?
Public utilities and local phone companies, including cellular, local cable and satellite television distributors
Neighboring businesses

Business Impact Analysis

Which of your business functions are critical to your survival? Here are some key questions to help you decide what they are:

What are our most critical and time sensitive business functions?

Have the business processes been ranked (low, medium, high)?

How much down time can we tolerate for each of our business functions?

Have the maximum allowable outage and recovery time objectives been determined?

Have the resources required for resumption and recovery been identified?

Which of our business functions are necessary to fulfill our legal and financial obligations and maintain any cash flow related to our business functions?

Which business functions are essential to maintain our market share and stakeholder reputation, or to strategically adjust to changed circumstances?

If a crisis were to happen, has the impact, in terms of human and financial costs, been assessed?

We will use the Sample Business Impact Questionnaire on page 21 for discussion now.

Business Vulnerability Analysis

Conduct a Vulnerability Analysis. What is the vulnerability of the facility in which you work? Below are explanations of what goes in each section of the Chart:

Type of Emergency / Probability / Human Impact / Property Impact / Business Impact / Internal Resources / External Resources / Total Points
Scale / Probability: High 5 to 1 Low / Human, Property and Business Impact: High Impact 5 to 1 Low Impact / Internal and External Resources: Weak 5 to 1 Strong

Potential emergencies. List all the emergencies that could affect your facility. Be sure to include those that the local emergency management office has identified. Consider both the types that could occur IN your facility as well as those that could occur in your community. We will go through each of these categories now:

Historical. What types of emergencies have occurred in your facility, or could occur in your facility?

Fires / Severe Weather / Earthquakes / Employee Health emergency / High Wind event / Terrorism
Floods / Transportation accidents / Hazardous materials spills / Utility outages / Employee violence / Active shooter

Geographic. What could happen as a result of the facility’s proximity to:

Flood plains / Seismic faults / Dams
Major transportation routes and airports / Nuclear power plants / Companies that produce, store, use or transport hazardous materials

Technological. What could result from:

Fire, explosion, hazardous materials incident / Safety system failure / Telecommunications failure
Computer system failure / Power Failures / HVAC system failure
Emergency notification system failure

Human Error. What emergencies could staff create as a result of:

Poor training / Poor maintenance / Carelessness / Misconduct / Substance Abuse / Fatigue

Physical. What emergencies could occur due to the design/construction of your facility? Consider:

The physical construction of the facility / Hazardous processes or by-products / Facilities for storing combustibles / Layout of equipment / Lighting / Evacuation routes and exits
Proximity of shelter areas

Regulatory. What emergencies or hazards are you regulated to deal with?

Environmental. After identifying each potential emergency, the next step is to analyze each one from the beginning of the event to its end. What could happen as a result of each of the following?

Prohibited access to the building / Loss of electric power / Communication lines down
Ruptured gas mains / Water damage / Smoke damage
Structural damage / Air or water contamination / Explosion
Building collapse / Trapped persons / Chemical release

Estimate Probability. What is the likelihood of each emergency’s occurrence? Use the scale 5 to 1 with 5 as the highest probability and 1 as the lowest.

Assess the potential Human Impact. What is the potential human impact of each emergency, i.e., the possibility of death or injury? Use the 5-1 Rating Scale.

Assess the potential property impact. Consider the potential for property losses and damages. Use the 5-1 Rating Scale and consider:

Cost to replace

Cost to set up temporary replacement

Cost to repair

Assess the potential business impact. Consider the potential loss of market share. Using the 5-1 Scale assess the impact of:

Business interruption / Employees unable to report to work / Customers unable to reach facility
Company in violation of contractual agreements / Imposition of fines and penalties or legal costs / Interruption of critical supplies
Interruption of product distribution

Assess internal and external resources. Assess your resources and ability to respond. Using the 5-1 scale, ask these questions for each emergency:

Do we have the needed resources/capabilities to respond?

Will external resources be able to respond quickly as we need them?

If answers are yes, move on to calculate the Total score.

If answers are no, identify what can be done to correct them. You may need to:

Develop additional emergency procedures / Conduct additional training / Acquire additional equipment
Establish mutual aid agreements / Establish agreement with specialized contractors

Now, complete the Analysis for the facility where your business function is located. Pick one Emergency to work on today.

Type of Emergency / Probability / Human Impact / Property Impact / Business Impact / Internal Resources / External Resources / Total Points
Scale / Probability: High 5 to 1 Low / Human, Property and Business Impact: High Impact 5 to 1 Low Impact / Internal and External Resources: Weak 5 to 1 Strong

[On page 16 of this Field book is a Vulnerability Analysis Chart that you can use back at work.]

Step 4: Writing the plan

See separate handout for outline

Step 5: Implement the plan

  • Integrate the plan into company operations
  • Conduct training of employees
      - Determine the planning considerations
      - Evaluate training activities and results of employee training
  • Evaluate and modify the plan

Emergency Management and Recovery Planning

This section provides an outline of subjects to use for the Emergency Management section of your plan: Who will do what? What will you need? Who goes where? Most of this should be completed back on the job.

Critical Thought Questions: Crisis Management and Response Teams

  1. Does the Crisis Management Team include members from Human Resources?
  2. Have Response Teams to support the Crisis Management Team been organized?
  3. Have response plans to address the various aspects of the crisis been developed and incorporated into the organization's overall BCP?
  4. Do the response plans address damage assessment, site restoration, payroll, human resources, information technology, and administrative support?
  5. Has contact information been included in the plan for the Crisis Management and the Response Teams?

Emergency Management Team “Joint Chiefs of Staff”

  • EOC Director
  • Incident Commander
  • Reps from Key business functions
  • HR
  • Communications

Incident Command System – pure Command and Control

Coordinated response

Clear Chain of Command – buck stops HERE

Incident Commander: The “General” in charge

Assumes Command – CEO follows IC’s Command / Assesses the situation
Implements the emergency plan / Determines response strategies
Activates resources / Orders evacuation
Oversees ALL incident response activities / Declares the incident is “over”

Critical Thought Questions: Logistics

  1. Has a designated Crisis Management Center been identified, and does it have necessary life support functions, including uninterruptible power supply and communications equipment?
  2. Have alternate worksites for business resumption and recovery been identified?
  3. Have critical and vital records been stored at an offsite storage facility?
  4. How long can each business function operate effectively without normal data input storage processes?
  5. What must be done to restore data to the same previous point in time within the recovery time objective?
  6. Can any alternate data storage processes be used, after the initial data recovery, to speed recovery?

  • EOC: Emergency Operations Center

Centralized Command Post for Incident