However, we did see a major change directly related to 9/11 on the federal, state and local government side. The formation of the U.S. Department of Homeland Security in 2002 started the ball rolling. DHS/FEMA has done a very good job in maturing the readiness of federal, state, local and tribal nation emergency operations, but it has taken years for DHS/FEMA to have an impact on private sector BCM programs. The focus on improved public/private sector communications through multi-state and national-level exercises (especially for the healthcare, financial services and public utilities sectors), the introduction of Ready.gov, and the Voluntary Private Sector Preparedness Accreditation and Certification Program (PS-Prep) are three influential changes for private enterprises.

Even though 9/11 did not have an immediate impact on BCM maturity, it did set up the framework for preparedness, response and recovery improvements since for both the public and private sectors. The majority of these improvements have been a result of the confluence of three areas:

1. Increasing natural and man-made disaster events such as SARS, Hurricane Katrina, the bird and swine flu threats, the London and Mumbai bombings, the Iceland volcanic ash event, earthquakes in Haiti, Chile, New Zealand and Japan, oil spills, the global financial crisis of 2008, major ice and snow storms and so forth;
2. Technology innovations such as Internet broadband in the home, the real-time infrastructure, virtualization, hosting/outsourcing, smartphones and tablets, social media and cloud computing; and
3. Business operating practices such as regulatory changes in response to financial fraud, telework initiatives and outsourcing non-core competencies.

Without these changes to business and IT practices, many of the improvements we see today in BCM maturity would not be possible.

We have come a long way in BCM since 9/11 and we have a longer way to go for organizations of all sizes and operating models to be prepared from even the smallest, localized threat. Gartner is committed to your success in preparedness, response and recovery activities and continues to offer clients foundational and timely research in BCM and IT-DRM through our BCM key initiative for business and IT leaders. Take our maturity self-assessment called ITScore for Business Continuity Management to jump start your journey.

Business Continuity Management Governance Defined, 2010

Without a governance framework in place, BCM programs will not progress as needed in the desired time frame. Use Gartner’s BCM governance framework to establish governance oversight according to your organization’s business model and availability needs.

Toolkit: BCM Governance and Implementation Responsibility Decision Matrix, 2010

Without a governance structure in place, business continuity management programs will not progress or succeed in the time frame desired. Use the BCM Governance and Implementation Responsibility Decision Matrix to document the governance oversight according to your organization’s business model.

Toolkit: Business Continuity Management Charter Best Practices and Template

A BCM charter is one of the most-effective tools for establishing and communicating effective preparedness, recovery and resiliency practices. Make the Gartner best-practice-based charter the foundation of an enterprisewide BCM program.

Toolkit: Business Continuity Management Policy Template

A business continuity management policy is an important component of the operational model for BCM governance. Combined with a BCM charter, BCM governance responsibility and implementation matrix, and the BCM activity cycle, it completes the Gartner BCM governance framework.

1.      We started the workshop by viewing the video “Business Not As Usual: Preparing for Pandemic Flu” from Seattle-King county.  Use it internally to educate your workforce (and senior executives) on the value of being prepared. You can request a free copy (you must pay for shipping) from NACCHO.

2.      Most of the workforce absences are expected to be a result of school closures.

3.      You must have a pandemic management process (or infrastructure) in place to handle the event as it occurs because plans are a necessary thing, but they don’t often reflect the reality of the specific situation. Policies decided upon on Monday may not apply to the facts of Tuesday’s situation.

4.      Some firms are talking to public health officials about hosting vaccine programs in their work facilities, or at least trying to secure the vaccine for their critical workers, e.g. electricity generation operators. However, some are concerned about the legal liability issues if they haven’t engaged in this type of public health activity in the past.

5.      On the point of electricity generation operators – If these folks get the flu, and the generation facility is on the small side, they could shut it down because they don’t have enough staff to operate.  That shutdown means blackouts – or “rotating feeder outages”.  We could see more power outages as a result of H1N1 – a connection that most folks aren’t making, but for pandemic planning would be covered under the traditional BCM plan.

6.      Organizations are struggling with human resource policies regarding how to compensate workers if they do have the flu, especially if the worker has already used their allotted personal time off days or sick days. Some are offering extended time off options, but not everyone.

7.      Work-at-home solutions are at a high risk of failure if the work-at-home population in any given area reaches anywhere close to the 40% absentee rate. Internet bandwidth supply is not adequate to meet the demand. (Gartner is publishing a research note on this topic specifically.)

8.      Similar to the results of my June/2009 survey, many firms are not including IT vendors or IT service providers in their efforts. See my note: A Perilous Practice: Not Planning for IT and Data Center Operations Support During a Pandemic, G00169949. (You may have to be a Gartner client to view it.)

9.      Most firms expect to implement workforce travel restrictions once a pandemic strikes.

10. Most firms are trying to balance their protective mask usage policy between protecting the workforce and not offending customers. The firms who have direct and frequent contact with the public (for example retail operations) request that workers wear a mask when escorting a sick person out of the building only. Those firms that don’t have direct public contact public allow their workers to wear masks based upon their personal comfort level.

11. Those firms that have public congregation areas plan to close off those areas once a pandemic strikes. For example, bank branch lobbies will be closed and only the drive-up window will be open.

12. Firms with workers who must make home visits have equipped those workers with protective gear such as masks, sanitizer fluid for the hands and steering wheels of their cars/trucks, disposable gloves and so forth.

13. You can’t build your preparedness plans using workers’ personal information that has been gathered through the normal social networking in the work environment.

14. Some firms are concerned about law suits as a result of family members getting the flu from the firm’s employee.

15. You can’t expect to get resources from your local neighbors, partners and so forth because everyone will be in the same situation when the pandemic strikes.

16. Your plans and handling process must include actions that will assist you to return to normal operations once the pandemic is over.

17. You must include cultural differences in your plan activities. For example, blood transfusions may be refused if they are not from a person with the same national origin as the intended recipient.