Business Continuity Blog By Reid Renicker
Source: Reid Renicker, CEM, CBCP, MBCI
Normally the CMT expects to be in control of the organizational response to a critical incident that directly affects the business continuity of the company and the business continuity plan should identify the most appropriate personnel to form that CMT response dependant on the skill set required to address the critical issues. For example, if the company has been affected by a cyber attack, then one would expect that the CMT response and the personnel with the required IT skills set to address the issue would be reasonably clear. However, if the incident is a terror event that involves a multi-agency response that directly involves the organization’s physical or personnel assets, or the business activities are contained within the geographical response cordon, then the CMT response may not be as clear.
Some considerations may include;
- Has the organization/CMT undertaken any multi-agency training with the emergency services in response to a terror event?
- Terror event emergency response, recovery and investigation timeframes can extend over days, weeks or months – does the CMT have the personnel and skillset ‘resilience’ to provide continued response and support to the multi-agency response? Emergency responders can rotate personnel over extended periods of response, does this apply to the CMT?
- Like every profession the emergency services have their own language full of acronyms – if a CMT member attends a multi-agency briefing session, would they fully understand the content?
- If attending such briefings what information should the CMT request and provide to the emergency responders, and who will be responsible for liaising with them?
- Which elements of your organization’s response will be managed by the CMT and what elements can be discharged to staff outside the CMT response?
- Who is responsible for the management of the business as usual (BAU) activities not directly affected by the incident?
- Emergency responders may request access to company resources, such as personnel, physical resources, technical information relating to building systems, and their construction, architectural plans et al. Who will control the allocation of company resources and provide the requested information? Is this considered a BAU or CMT role?
- The dynamics of a terror incident are ever changing, has the CMT communications plan considered the information ‘feedback’ loop between the business CMT emergency room and that of the multi-agency tactical, operational and strategic response management arrangements and how this will be managed?
These are just some of the issues the organizations CMT will have to consider and action, during the emergency response phase, there are many others that cannot be considered fully within this article, suffice to say, preparation, planning and training is key. So, let’s move on to the recovery phase.
Some risk managers may argue that the recovery phase, can be undertaken as a ‘business as usual’ activity, if the ‘crisis’ element is considered to be over, without completely understanding the demands that may be placed on the business from external sources in the aftermath of a terrorist attack
Would a BAU response be able to support and deliver on the expectations of the multi-agency recovery response? For example, depending on the numbers of injured or killed, a Disaster Victim Identification (DVI) response protocol may be required, that directly affects the business physical assets and dependant on the organizations business may involve DVI international coordination. Or closer to home, does the CMT have guidance within the business continuity plan on how to coordinate the response to employee’s being injured or killed during the terror event, particularly if they are not party to complete information on the status of any employees caught up in the incident in the early stages?
From an infrastructure and physical asset perspective, does the CMT appreciate the complexities of the reinstatement of premises that may have been structurally damaged by an IED or the bio-hazard contamination within the premises due to the injuries sustained by the victims? The recovery phase timeframe will be difficult for the CMT to establish as this will be partly determined by the complexity of the investigation required, potentially preventing access to business premises over an extended period with which they have no control.
Although this element is third in my considerations, the investigation into the circumstances prior to, during and after the event, begins as soon as the attack happens. Therefore, as I have previously argued the business continuity plan should consider and react to changes in the country’s terror threat levels as a response ‘baseline’.
Additionally, the organization should ensure that all CMT members have been trained to undertake their expected role in response to a terror attack that directly affects the business, as the organizational response from the CMT may form a part of any external/internal investigation or enquiry. Some of the questions the CMT may consider asking themselves regarding their ability to take charge of their organizations response specifically to a terror attack are;
- What will be your role within the CMT?
- Are you relevantly trained to carry it out?
- Do you have a clear plan and procedure to follow within the business continuity response plan?
- Will you be able to obtain all the support and resources you may require, or may be requested of your organization?
- Do you fully understand your role?
- Is the role of the other CMT members clear?
- Do you understand the key interoperability issues between your organization and the multi-agency response?
- What preparation, planning and risk mitigation has been undertaken by the organization prior to the event?
The last bullet point above will be key, in terms of identifying the protective security arrangements that were in place within the organization, to try and prevent or mitigate the effects of a terror attack, some examples are: does the company train staff in recognising ‘hostile reconnaissance’ activities of their premises; what physical barriers are in place, such as x-ray scanners in mail rooms, hostile vehicle mitigation strategies etc. Business premises will have a fire evacuation plan to ensure staff can safely exit from the building; do they have a separate and distinct terror attack evacuation plan and does the organization, and more importantly the staff understand the key factors as to why they must be different?
And the list goes on! Finally let’s consider the business return to normality.
Return to normality
At some point the CMT must decide when it is appropriate to ‘stand down’ and hand over their remaining identified tasks to business as usual activities.
In doing so, they should consider the ongoing impact the terror event may have on the organization, from an investigation, enquiry and audit and review perspective with guidance being available within the closing sections of the business continuity response to achieve the most appropriate transition. These processes will therefore impact on the return to normality, which in the case of a terror attack, the organization will have to accept, may take years!
As with all terror events, the preparation and response from all involved will be subject to ongoing scrutiny from an internal and external perspective, this can take many forms, from external police and security investigations, public enquiries, inquests et al, to the organizations internal audit and review processes.
The organization should have clear guidance within the business continuity plan on how to manage the information gathering, response and communication of the overall response within its normal audit and review processes, as part of the BAU activities, in support of the return to normality, however additional measures may be required dependant on the extent to which the business was involved and/or affected.
In addition, I would advise that the CMT should prepare for any scrutiny of their own performance during their response, from a personal and organizational perspective. A key point will be to ensure that any decisions made are recorded within a ‘decision log’, preferably by a trained ‘loggist’. The log should be a diary of events and decisions to show how a decision was arrived at, given the information available at the time.
They should also consider;
- What they decided-was it an instruction or advised?
- Why they made the decision
- When they made the decision-time stamped
- How they made the decision-depth and breadth of consultation
- Was the decision unanimous or made by consensus
- Where all decisions implemented and/or achieved-what was the follow-up process?
- What audit and review process were undertaken?
Organizations may consider that the points I have raised are commonplace and addressed within their business continuity planning processes, and their CMT members are suitably qualified to deal with any critical incident the organization may face, I would for the most part agree. However, I believe the challenge they will have is ensuring that when their business is directly affected by a terror event that the business continuity process has assessed and considered the impact that a terror event will have, and the CMT have access to previously prepared tactical, operational and strategic response options to guide them through a critical event, that they have never faced before and therefore will not have the required experiential learning or training to support and enhance their decision making processes. That lack of experiential learning or training presents a ‘risk’ to the organization that should be addressed through the introduction of a bespoke business continuity planning, preparation and training package for all staff, and in particular the CMT, specifically tailored to ensure a robust organizational response to a terrorist event that affects the business, in relation to the protection of assets and personnel, not forgetting customers, clients or members of the public resorting within the business premises.
Richard Duncan, Dip NEBOSH, Tech IOSH, Dip Mgt(Open)
Richard currently runs his own business continuity and risk management consultancy firm, Richard Duncan Consultancy. He previously served for 27 years with Strathclyde Fire and Rescue and latterly with the Scottish Fire and Rescue Service (SFRS), gaining five promotions, retiring at the rank of Group Commander (Personnel, Training and Contingency Planning) in the role of Deputy Area Commander for East Renfrewshire, Renfrewshire and Inverclyde local council areas.
Richard has extensive experience in all aspects of business continuity and health and safety management.
Contact Richard at email@example.com
By Gary Cox Your company depends on technology to power everything from building security to payroll. While you see excellent productivity gains from a technology-forward infrastructure, you are vulnerable to any situation that takes out your systems. A rogue ex-employee could delete essential databases, a flood could knock out electricity to your data centre and […]
Risk is more often than not the driving force behind uncertainty in any business. After all, businesses face all kinds of challenges. From cyber threats, right down to natural phenomenons. That is why it is so important to have an adaptable continuity plan as a business. After all, things happen. Certain projects may fall through. […]
The recent spate of natural disasters (hurricanes, earthquakes) have shown once again the need for readiness and resiliency for operational and business continuity.
It’s essential to plan thoroughly to protect yourself from the impact of potential crises – from fire, flood or theft to IT system failure, restricted access to premises or illness of key staff.
This planning is very important for small businesses since they often lack the resources to cope easily in a crisis.
Failure to plan could be disastrous. At best you risk losing customers while you’re getting your business back on its feet. At worst your business may never recover and may ultimately cease trading.
As part of the planning process you should:
- identify potential crises that might affect you
- determine how you intend to minimise the risks of these disasters occurring
- set out how you’ll react if a disaster occurs in a business continuity plan
- test the plan regularly
For example, if you’re reliant on computer information, you should put a back-up system in place so you have a copy of key data in the event of a system failure.
Benefits of a business continuity plan
A carefully thought-out business continuity plan will make coping in a crisis easier and enable you to minimise disruption to the business and its customers.
It will also prove to customers, insurers and investors that your business is robust enough to cope with anything that might be thrown at you – possibly giving you the edge over your competitors.
Depending on your business’ specific circumstances, there are many possible events that might constitute a crisis:
- Natural disasters – for example, flooding caused by burst water pipes or heavy rain, or wind damage following storms.
- Theft or vandalism – theft of computer equipment, for instance, could prove devastating. Similarly, vandalism of machinery or vehicles could not only be costly but also pose health and safety risks.
- Fire – few other situations have such potential to physically destroy a business.
- Power cut – loss of power could have serious consequences. What would you do if you couldn’t use IT or telecoms systems or operate other key machinery or equipment?
- IT system failure – computer viruses, attacks by hackers or system failures could affect employees’ ability to work effectively.
- Restricted access to premises – how would your business function if you couldn’t access your workplace – for example, due to a gas leak?
- Loss or illness of key staff – if any of your staff is central to the running of your business, consider how you would cope if they were to leave or be incapacitated by illness.
- Outbreak of disease or infection – depending on your type of business an outbreak of an infectious disease among your staff, in your premises or among livestock could present serious health and safety risks.
- Terrorist attack – consider the risks to your employees and your business operations if there is a terrorist strike, either where your business is based or in locations to which you and your employees travel. Also consider whether an attack may have a longer-term effect on your particular market or sector.
- Crises affecting suppliers – how would you source alternative supplies?
- Crises affecting customers – will insurance or customer guarantees offset a client’s inability to take your goods or services?
- Crises affecting your business’ reputation – how would you cope, for example, in the event of a product recall?
Though some of these scenarios may seem unlikely, it’s prudent to give them consideration.