Introduction to Business Introduction to Business Continuity PlanningContinuity Planning

An Introduction to the Business An Introduction to the Business Continuity Planning Process Including Continuity Planning Process Including

Developing your Process and the Developing your Process and the Plans to Support RecoveryPlans to Support Recovery

©Green Oak Solutions, L.L.C.

Brighton, MI

The primary goals of BCP are to The primary goals of BCP are to ensure Staff Safety and delivery of ensure Staff Safety and delivery of goods and services to external and goods and services to external and

internal customers in spite of internal customers in spite of adverse conditionsadverse conditions

Goals for the Process

Process DriversProcess Drivers

Just in Time Operations- JIT, Lean ManufacturingJust in Time Operations- JIT, Lean Manufacturing Limited Redundancy in OperationsLimited Redundancy in Operations Reliance Upon Technology to Accomplish JobReliance Upon Technology to Accomplish Job Low Maximum Acceptable DowntimeLow Maximum Acceptable Downtime Single Points of Failure in OperationsSingle Points of Failure in Operations Supply Chain Network RisksSupply Chain Network Risks Financial, Reputation, Legal, Market RisksFinancial, Reputation, Legal, Market Risks Post 9/11 Concerns- People and OperationsPost 9/11 Concerns- People and Operations

Business Continuity Business Continuity Planning involves:Planning involves:

Emergency Response PlanningEmergency Response Planning

Crisis Management and Crisis Management and CommunicationCommunication

Business Resumption PlanningBusiness Resumption Planning

Business Continuity Planning

Maximum Acceptable Downtime

The period the operation or business functions can be shut down without there being a significant impact on the company’s revenue stream, public credibility, regulatory compliance, etc.

Business Continuity Planning

Disaster

Any event that causes disruption to company operations or business functions for a period beyond the Maximum Acceptable Downtime.

Following a Crisis, Insurance Following a Crisis, Insurance Won’t:Won’t:

Retain customer confidence and market Retain customer confidence and market shareshare

Address Customer MigrationAddress Customer Migration Restore damage to company imageRestore damage to company image Develop and bring new products into the Develop and bring new products into the

marketplacemarketplace Replace valuable employees or improve Replace valuable employees or improve

employee moraleemployee morale

Ultimate GoalsI. Integrate Operational and Business Risk

Reduction with Business Continuity.

II. Create a Risk Reduction/Disaster Resistance Mentality

III. Cover all aspects of the Response/Recovery process from Emergency Response through Business Recovery

IV. Integrate all key aspects of planning- Security, Crisis Management, Crisis Communications, Damage Assessment and Restoration, Business Resumption

Critical Success Factors

1. Provide management support and direction- Process Owner and Process Sponsorship

2. Recognize scope and magnitude of effort

3. Commit sufficient financial and personnel resources to Process- Project Manager

4. BCP is a Process not a Project

A Risk Based View of PlanningA Risk Based View of Planning

Planning involves the reduction of risksPlanning involves the reduction of risks In order to determine the priorities for In order to determine the priorities for

planning a Needs Assessment/ Business planning a Needs Assessment/ Business Impact Analysis is conductedImpact Analysis is conducted

The BIA forms the The BIA forms the Pre IncidentPre Incident operations risk assessmentoperations risk assessment

Risks are Identified, and Quantified Risks are Identified, and Quantified Mitigation Priorities are Established-see Mitigation Priorities are Established-see

Flowchart that followsFlowchart that follows

Business Continuity Planning

Pre Incident Planning and Post Incident Response

The Pre Incident Planning Process identifies the key risks to the organization, quantifies them and suggests ways to mitigate them

The Post Incident Response Plans are designed to provide the full range of response to incidents beginning with the initial stages of an event through to its resolution, and resumption of operations

Business Continuity Planning and Recovery Process

Pre-Incident Planning Process

EMERGENCYRESPONSE

CRISIS MANAGEMENT

STEP 1

Post-Incident Response Planning Process

INCIDENT

RISKIDENTIFICATION

RISK QUANTIFICATION

RISK MITIGATION

STEP 2 STEP 3

STEP 4 STEP 5 STEP 6

BusinessResumption

Key Factors for ProcessKey Factors for Process

Each step in process can be defined and Each step in process can be defined and measuredmeasured

Several key factors for each step are summarized Several key factors for each step are summarized in slides that followin slides that follow

Can form measurement grid for processCan form measurement grid for process Provide an indication of the issues to be Provide an indication of the issues to be

addressed at each step in the processaddressed at each step in the process

Risk Identification - Typical Risk Generators

> Physical risks identified

> Operational risks identified

> Critical single source suppliers identified

> Revenue impact potential identified

> Contractual/Regulatory exposures identified

> Process flow mapped

Risk Quantification - Typical Measurement Methods

> Physical risk controls identified and evaluated for effectiveness

> Operational risk controls identified and evaluated for effectiveness

> Residual risk identified and translated to outage and impact potential

> Outage potential translated to revenue impact, regulatory impact, long term migration potential, etc.

> Risk and impact quantification used to develop mitigation priorities

Risk Mitigation - Typical Risk Reduction

> Future mitigation priorities supported by risk ID, and quantification

> Physical and Operational risk reduction from mitigation quantified

> Mitigation issues assigned time frame and responsibility

> Review process addresses mitigation issue resolution

Emergency Response – Typical Initial Emergency Response – Typical Initial ResponseResponse

>> Emergency Response Team is in place and trainedEmergency Response Team is in place and trained

> All potential hazard scenarios are considered> All potential hazard scenarios are considered

> Evacuation and Take Cover procedures are in place and > Evacuation and Take Cover procedures are in place and testedtested

> Employee gathering spots are defined> Employee gathering spots are defined

> Plan addresses notification and direction of police, fire, EMS, > Plan addresses notification and direction of police, fire, EMS, and Utilitiesand Utilities

> Restoration and Reconstruction contractors identified and > Restoration and Reconstruction contractors identified and engagedengaged

> Damage Assessment Team and Plan is developed> Damage Assessment Team and Plan is developed

Crisis Management – Typical Incident Crisis Management – Typical Incident Management ControlsManagement Controls

>> Facility Crisis Management Team identified and completeFacility Crisis Management Team identified and complete

> Roles and Responsibilities are detailed> Roles and Responsibilities are detailed

> Crisis Communications Plan is in place for all effected/interested > Crisis Communications Plan is in place for all effected/interested partiesparties

> Damage Assessment reporting is linked with CMT operations> Damage Assessment reporting is linked with CMT operations

> Disaster Declaration criteria/decision points are defined> Disaster Declaration criteria/decision points are defined

> CMT directs both Restoration and Resumption> CMT directs both Restoration and Resumption

> CMT is the focal point for local recovery and Corporate liaison> CMT is the focal point for local recovery and Corporate liaison

Business Resumption – Typical Longer Business Resumption – Typical Longer Range ActionsRange Actions

>> Recovery teams are identified with detailed Roles and Recovery teams are identified with detailed Roles and ResponsibilitiesResponsibilities

> Mitigation of customer impact is captured in the plan> Mitigation of customer impact is captured in the plan

> Restoration of productive capacity and capability with timeframes> Restoration of productive capacity and capability with timeframes

> Restoration of Host Site is addressed> Restoration of Host Site is addressed

> Alternative Production operations are defined in detail> Alternative Production operations are defined in detail

> Manufacturing Contingency Plans are in place> Manufacturing Contingency Plans are in place

> Mega Application of sound Manufacturing Engineering principles> Mega Application of sound Manufacturing Engineering principles

> IT and Telecommunications recovery plan is identified> IT and Telecommunications recovery plan is identified

Operation of The Operation of The Business Continuity PlanBusiness Continuity Plan

Flowchart that follows depicts a typical Flowchart that follows depicts a typical recovery sequencerecovery sequence

Can be modeled to any operationCan be modeled to any operation Identifies the Key Escalation points, and Identifies the Key Escalation points, and

Plans that are activatedPlans that are activated Every Operation is Different…Every Operation is Different… The Response Process is Similar…The Response Process is Similar… The Solution is Customization of the Plan The Solution is Customization of the Plan

ElementsElements

Key Elements of ResponseKey Elements of Response

Emergency Response PlanEmergency Response Plan Crisis Management PlanCrisis Management PlanDamage Assessment and Facility Damage Assessment and Facility

RestorationRestorationCrisis Communications and Human Crisis Communications and Human

ResourcesResourcesThese plans Respond to the Incident, Mitigate These plans Respond to the Incident, Mitigate

its effects, and Manage the Process of its effects, and Manage the Process of Restoring Full OperationsRestoring Full Operations

Key Elements of ResponseKey Elements of Response

Emergency Operations CentersEmergency Operations Centers

Crisis Management TeamCrisis Management Team

Crisis Communications TeamCrisis Communications Team

Damage Assessment TeamDamage Assessment Team

Key Elements of ResponseKey Elements of Response

Full Business Resumption PlansFull Business Resumption Plans

These plans are developed at the These plans are developed at the operations level to address recovery operations level to address recovery from incidents ranging from from incidents ranging from moderate to severe in nature- All moderate to severe in nature- All operating areas should develop a operating areas should develop a planplan

ERP Activated and Initial

Response is Conducted.Employee

Evacuation and Safeguarding, etc.

Initial Assessment of

Damage by First

Responders

Incident Contained by First

Responders>Limited Damage

>No Crisis Management Plan

Activation

Damage Assessment Plan Activated by CM

Team LeaderDAT Leadership Deploys to Site

Crisis Management Plan

Activated

CMT Activated and Deploys to the EOC

EOC Plan ActivatedFor CMT

Operations

Damage AssessmentRestorationRepair and

Reconstruction Plan Activated

Crisis Management and

Crisis Communications Plan Activated

Is Maximum Acceptable

Downtime going to be Exceeded?

MAD Not Exceeded

Repairs Expedited and Restoration to Full

Production Within MAD

MAD Exceeded

Activate Full Recovery and Contingency Efforts Including:

> Rapid Reconstruction

> Expanded Crisis Communications

> Production Contingency Plan

> Supply Chain Network Response Plan

2-4 Hours Into IncidentInitial Activation of Crisis Management Plan-Damage

Assessment PlanCrisis Management Plan Fully Activated

4 to 8 Hours Into Incident

Crisis Management Sub Plans Activated 4 hours to 48 Hours after Incident

Evaluation of Potential for ExceedingMaximum Acceptable Downtime

2 to 3 days after Incident

Crisis Management

Plan

Incident Response Flow And

Plan Activation

Copyright 2005 Green Oak Sol utions, L.L.C.

Key Elements of ResponseKey Elements of Response

TeamsTeams Emergency Response Team-Emergency Response Team- Safety, Security, Safety, Security,

Medical, Line Management, EnvironmentalMedical, Line Management, Environmental Crisis Management Team-Crisis Management Team- Senior leadership, Senior leadership,

Operations ManagementOperations Management Damage Assessment Team-Damage Assessment Team- Facility and Utilities Facility and Utilities

Engineering, Process Maintenance, Purchasing, Engineering, Process Maintenance, Purchasing, Logistics, SecurityLogistics, Security

Crisis Communications-Crisis Communications- HR and Communications HR and Communications SpecialistsSpecialists

Business Resumption-Business Resumption- Line Management and Staff Line Management and Staff

TheThe Value of Emergency ResponseValue of Emergency Response

1991-2000 Business Interruption Losses1991-2000 Business Interruption Losses 2,281 Losses Examined2,281 Losses Examined Emergency Response Plan ActivatedEmergency Response Plan Activated Properly Planned and Implemented - $920,000Properly Planned and Implemented - $920,000 Not well planned or implemented - $4,100,000Not well planned or implemented - $4,100,000 4.45:1 Loss Ratio4.45:1 Loss Ratio Conclusion- Emergency Response Planning Conclusion- Emergency Response Planning

CriticalCritical

Courtesy of FM Global

www.fmglobal.com

The Value of Continuity The Value of Continuity PlanningPlanning

100 Losses Examined100 Losses Examined 54 Determined to have Continuity Planning in Some 54 Determined to have Continuity Planning in Some

FormForm Average Business Interruption Loss - $7.1 MillionAverage Business Interruption Loss - $7.1 Million With Contingency Planning Considered Adequate - With Contingency Planning Considered Adequate -

$4.0 MM$4.0 MM With Contingency Planning Considered Poor - $7.9 With Contingency Planning Considered Poor - $7.9

MMMM Approximately 50% Reduction in BI with Good Approximately 50% Reduction in BI with Good

ContingencyContingency No Statistics on Remaining 46%No Statistics on Remaining 46% Contingency Planning Further Reduces Deep Losses Contingency Planning Further Reduces Deep Losses

in Time Elementin Time Element Courtesy of FM Global

www.fmglobal.com

Green Oak SolutionsGreen Oak Solutions

Business Continuity Program Development and PlanningBusiness Continuity Program Development and Planning Crisis Management PlanningCrisis Management Planning Executive Level Needs AssessmentsExecutive Level Needs Assessments Business Impact AnalysisBusiness Impact Analysis Physical and Operational Risk AssessmentsPhysical and Operational Risk Assessments Damage Assessment and Facility Restoration PlanningDamage Assessment and Facility Restoration Planning Training and Education in Emergency ManagementTraining and Education in Emergency Management

Green Oak Solutions, L.L.C.

Craig Holmes, PE-Managing Director

cholmesgos@charter.net

1-810-813-8396