The Scenario: The Can-Do organization is a heavy construction equipment leasing headquartered in Madison, CT and with additional operating facilities in Virginia and Nevada. Their data centers are located in Madison, CT and Richmond, VA. To support the leasing business, they also have a credit company that has evolved into a full-service bank and insurance underwriter and broker located in the firm’s 600 retail centers. Banking applications were housed in the Richmond, VA data center.

The Plan: The plan we were given was called the “Emergency Response Plan” dated July 15, 1998 and prepared by the VP of Training, Cafeteria Services and Vehicle Maintenance. HA-HA.

Recovery teams included Operations, HR, Finance, IT and physical security. I was on the IT recovery team.

Although the plan stated that Can-Do ascribes to the U.S.’s National Incident Management System (NIMS), no one knew who was in charge of the incident nor how to communicate with the incident management team. It was even questioned as to why a command center was stood up on the first day of the hurricane warning; that foresight proved to be fortuitous as it turned out. The first thing we all needed to do was elect an incident commander (assigned to the Operations recovery team) and one for each recovery team. All recovery teams also assigned coordinating responsibilities to their sister recovery teams. The IT recovery team was smart (wink wink) and assigned a supply chain/vendor management coordinator and a scribe – guess who took that role (me).

We started the exercise by getting a hurricane warning for Madison, CT along with a warning that a mild flu pandemic was possible. The first step that the IT team performed was topping off the fuel tanks for the CT data center generators. We then sent out a message to the IT staff instructing them to test their work-at-home capability. We also checked with the VPN service provider our ability to add additional bandwidth if needed – 60% of the workforce was able to work from home, but looking into the future, we wanted to ensure that if we needed more bandwidth for additional staff we would have it available to us.

The scenario intensified throughout the exercise and we received additional information including:

• flu shot availability in the cafeteria (a red herring);
• a cat 4 Hurricane Mary was off the coast of Bermuda – Important!;
• a fuel tanker accident at the Richmond, VA data center which closed down the facility – major crisis and also on the evening news in VA;
• the CT data center lost all power because a security guard had an adverse reaction to some over-the-counter flu medication, passed out and hit his head on the emergency power shutoff button. Physical security was automatically notified and the police were called to secure the disabled data center,
• Richmond, VA schools were closing at 1 pm due to the hurricane warning.

The IT recovery team notified the Richmond, VA data center recovery service provider that recovery was required; the turnkey arrangement ensured that the data center was up and running within a few hours. The Madison, CT data center had an active-active arrangement with a data center service provider (which the 1998 plan did not identify), so operations were automatically cut over to it once the power went out due to the untimely power shutoff. Prior to the power going out at the CT facility, the Incident commander asked IT to update the employee and franchisee crisis portal with information about how to communicate with Can-Do if the hurricanes hit either location. This activity was not completed because of the power outage in CT.

The power outage resulted in an IT recovery ETA of two days. That information was based on the very old emergency response plan which did not contain the current IT configuration at either data center nor recovery procedures for the current configurations. In reality, there was no loss of IT – even through the power outage due to the prior arrangements made with the DR service providers.

Finance issued a communication requesting that they be notified of any needed hotel and travel arrangements and that all expenses incurred needed to be justified correctly as storm-related or fuel spill-related. Due to the escalating conditions, they subsequently upped the credit limits on all corporate credit cards.

An interesting twist to the exercise was that somehow the FDIC got into the facility and was snooping around asking about Can-Do’s recovery ability. The FDIC person faked her identity to the IT recovery team as it turns out. Though they were smart enough to ask who she was, the team was a bit disjointed and she was given the information she asked for.

Multiple emergency messages were being sent to employees from the various recovery teams throughout the exercise but not everyone was getting the messages. As it turned out, some cell phone towers were down in Richmond, VA due to Hurricane Mary hitting land.

Finally, staff in CT were sent home at 7 pm that day in preparation for the hurricanes hitting.

Hopefully you can sense the problems that arose during this exercise. Some observations:

• The plan needed to be updated ASAP! An old plan is worthless and you waste a lot of time trying to figure out what the current practices are for production processing and recovery of those practices.
• Some exercise participants weren’t aware that they needed to DO something – they sat at the team table and just talked about what they would do in an actual recovery rather than going over to the table of the team with whom they needed to communicate.
• The exercise showed that internal recovery team roles need to be defined in advance so that when an incident occurs, everyone knows their role.
• Communications between the teams was strained at first – no one knew who the coordinators were. Although Can-Do ascribed to NIMS, no crisis command procedures nor crisis communication procedures were part of the plan.
• It was not clear that there was an emergency/mass notification tool available. It took a good 30 minutes for the tool to start being used consistently. AND the first time recovery teams wanted to send a message, they were informed that they needed to have that message approved by the incident command center – also not in the recovery plan and obviously not tested. And rather much a thorn in the side of IT because we thought we should be able to send out our own IT messages – WAKE UP CALL that external communications must be reviewed by the right people internally AND that certain kinds of messages should be set up in advance so that when the interruption occurs, you have much of the messaging in place and approved.
• Releasing recovery status information to someone who turned out to be from the FDIC presented a loophole in the crisis communications process.
• Command center check-in calls with all team coordinators need to be scheduled on a regular basis.
• There was no conference bridge capability for the incident command center to use so everyone had to physically be present at the command center.
• An activity log of actions and tasks and their status needs to be created and updated throughout the incident.
• Finally, a best practice for recovery exercising is to bring in outside observers to identify things during the exercise that you can’t see for yourself.

We had a great event and we all learned a lot about how important it is to have a current plan, clear recovery role assignment, how we personally respond in a crisis and how communications is KEY to recovery success.

However, we did see a major change directly related to 9/11 on the federal, state and local government side. The formation of the U.S. Department of Homeland Security in 2002 started the ball rolling. DHS/FEMA has done a very good job in maturing the readiness of federal, state, local and tribal nation emergency operations, but it has taken years for DHS/FEMA to have an impact on private sector BCM programs. The focus on improved public/private sector communications through multi-state and national-level exercises (especially for the healthcare, financial services and public utilities sectors), the introduction of Ready.gov, and the Voluntary Private Sector Preparedness Accreditation and Certification Program (PS-Prep) are three influential changes for private enterprises.

Even though 9/11 did not have an immediate impact on BCM maturity, it did set up the framework for preparedness, response and recovery improvements since for both the public and private sectors. The majority of these improvements have been a result of the confluence of three areas:

1. Increasing natural and man-made disaster events such as SARS, Hurricane Katrina, the bird and swine flu threats, the London and Mumbai bombings, the Iceland volcanic ash event, earthquakes in Haiti, Chile, New Zealand and Japan, oil spills, the global financial crisis of 2008, major ice and snow storms and so forth;
2. Technology innovations such as Internet broadband in the home, the real-time infrastructure, virtualization, hosting/outsourcing, smartphones and tablets, social media and cloud computing; and
3. Business operating practices such as regulatory changes in response to financial fraud, telework initiatives and outsourcing non-core competencies.

Without these changes to business and IT practices, many of the improvements we see today in BCM maturity would not be possible.

We have come a long way in BCM since 9/11 and we have a longer way to go for organizations of all sizes and operating models to be prepared from even the smallest, localized threat. Gartner is committed to your success in preparedness, response and recovery activities and continues to offer clients foundational and timely research in BCM and IT-DRM through our BCM key initiative for business and IT leaders. Take our maturity self-assessment called ITScore for Business Continuity Management to jump start your journey.

According to FEMA  “this new resource educates individuals and families about how using modern-day technology can help them prepare, adapt and recover from disruptions brought on by emergencies or disasters. Get Tech Ready provides Americans with tips on how to use technological resources before, during and after a crisis to communicate with loved ones and manage your financial affairs. Preparedness tips on the website include:

• Learn how to send updates via text and internet from your mobile phone to your contacts and social channels in case voice communications are not available;
• Store your important documents such as personal and financial records in the cloud or on a secure and remote area or flash or jump drive that you can keep readily available so they can be accessed from anywhere; and
• Create an Emergency Information Document using the Ready.gov Family Emergency Plan template in Google Docs or by downloading the Ready Family Emergency Plan to record your emergency plans.”

Check it out and let us know what you think.

The findings in this research are based on a joint Gartner and Business Continuity Institute (BCI) survey of business continuity management (BCM) consulting firms conducted during the first quarter of 2011. The survey objective was to better understand the breadth and depth of BCM service offerings. It was sent by BCI to its self-identified consultant membership and by Gartner to members on its BCM consultancy list that opted to participate. The survey closed on 4 March 2011.

Key Findings

• Many firms say they cover many BCM disciplines, but terminology varies across industries and countries, and so, misunderstandings are common.
• There is an increased need for consultants with specific skill sets:
  • Strategic program development
  • Tactical program improvements
  • Pragmatic, situation-based expertise
• A strong BCM program cannot be run by consultants alone. Therefore, BCM expertise must be brought in-house to ensure its continuing success.
• Due to the 2008 global financial crisis (GFC), consultant ranks have risen due to the layoffs of BCM professionals, and many of these people have taken jobs as consultants while waiting for a full-time BCM practitioner position.
• Fifty percent of BCM consultancies are small, with one to four full-time consultants onboard.
• Organization certification support is low — 13% of firms surveyed have BS 25999 Lead Auditor certification — in alignment with the existing low level of organizations that have such certification.
• Ninety-two percent of BCM consulting engagements are for planning services.
• Only one-quarter (24%) of BCM consulting firms offer a guarantee for services rendered.

Read the full report here: BCM Consultancy Survey, 2011. You may need to be a Gartner client to access the report.

Business Continuity Management Governance Defined, 2010

Without a governance framework in place, BCM programs will not progress as needed in the desired time frame. Use Gartner’s BCM governance framework to establish governance oversight according to your organization’s business model and availability needs.

Toolkit: BCM Governance and Implementation Responsibility Decision Matrix, 2010

Without a governance structure in place, business continuity management programs will not progress or succeed in the time frame desired. Use the BCM Governance and Implementation Responsibility Decision Matrix to document the governance oversight according to your organization’s business model.

Toolkit: Business Continuity Management Charter Best Practices and Template

A BCM charter is one of the most-effective tools for establishing and communicating effective preparedness, recovery and resiliency practices. Make the Gartner best-practice-based charter the foundation of an enterprisewide BCM program.

Toolkit: Business Continuity Management Policy Template

A business continuity management policy is an important component of the operational model for BCM governance. Combined with a BCM charter, BCM governance responsibility and implementation matrix, and the BCM activity cycle, it completes the Gartner BCM governance framework.

Not only is it National Preparedness Month, it’s prime time hurricane season in the northern hemisphere.  Watch for alerts about the status of storms at NOAH’s National Hurricane Center.

The American Red Cross has excellent advice about preparing your home and family for a disaster.

Ready.gov – a FEMA sponsored web site – is another great resource for family disaster preparedness.

Gartner has a cornucopia of research and advice including templates, vendor analysis, best practices, sample RFPs and more for organizations that are developing, maintaining and maturing their BCM programs. Read our note:  Research Roundup: Business Continuity Management and IT Disaster Recovery Management, 2Q10 to see the breadth and depth of our coverage on all things BCM.

And watch for a new BCM tool coming from Gartner in the coming weeks. Can’t say too much about it now, but organizations are so primed for it!

So take this time to promote, assess, enhance and EXERCISE your recovery plans and procedures. If you don’t, you are missing an opportunity to get management’s attention and commitment in protecting its workforce, customers and partners from disaster events.

I’m going to check and update my Go Bag today. I found a great First Aid kit through www.melaleuca.com. I’ve already used it once at a local retail outlet.  Who knew it would come in handy so quickly after purchase!

One last thing: have you given a friend or family member a list of your user IDs and passwords for personal web sites such as healthcare, insurance, online banking, investments, email, social media applications and so forth – just in case – well you know why.

The issue of how BCM will survive as a profession is one that is on the minds of many in the profession. Management is starting to see that BCM is another component of enterprise risk management, and it is expected that some mature BCM programs will become integrated into these efforts, and ultimately become centers of business operations strategy – the reason being is that BCM is the only place in the organization where all activities related to the day-to-day operations of the business are documented.

BCM professionals have a unique opportunity to transform their programs into this new position, but only if they transform themselves and their skills first. The skill sets needed to make this transition a successful one include: general management, project management, supply chain management, crisis/emergency management, business operations, workforce management, EH&S, business process management, sustainability management and risk management.

How do you see yourself managing your career in BCM? Do you expect that you will move u pin the organization? If so, how? To what position?

1.      We started the workshop by viewing the video “Business Not As Usual: Preparing for Pandemic Flu” from Seattle-King county.  Use it internally to educate your workforce (and senior executives) on the value of being prepared. You can request a free copy (you must pay for shipping) from NACCHO.

2.      Most of the workforce absences are expected to be a result of school closures.

3.      You must have a pandemic management process (or infrastructure) in place to handle the event as it occurs because plans are a necessary thing, but they don’t often reflect the reality of the specific situation. Policies decided upon on Monday may not apply to the facts of Tuesday’s situation.

4.      Some firms are talking to public health officials about hosting vaccine programs in their work facilities, or at least trying to secure the vaccine for their critical workers, e.g. electricity generation operators. However, some are concerned about the legal liability issues if they haven’t engaged in this type of public health activity in the past.

5.      On the point of electricity generation operators – If these folks get the flu, and the generation facility is on the small side, they could shut it down because they don’t have enough staff to operate.  That shutdown means blackouts – or “rotating feeder outages”.  We could see more power outages as a result of H1N1 – a connection that most folks aren’t making, but for pandemic planning would be covered under the traditional BCM plan.

6.      Organizations are struggling with human resource policies regarding how to compensate workers if they do have the flu, especially if the worker has already used their allotted personal time off days or sick days. Some are offering extended time off options, but not everyone.

7.      Work-at-home solutions are at a high risk of failure if the work-at-home population in any given area reaches anywhere close to the 40% absentee rate. Internet bandwidth supply is not adequate to meet the demand. (Gartner is publishing a research note on this topic specifically.)

8.      Similar to the results of my June/2009 survey, many firms are not including IT vendors or IT service providers in their efforts. See my note: A Perilous Practice: Not Planning for IT and Data Center Operations Support During a Pandemic, G00169949. (You may have to be a Gartner client to view it.)

9.      Most firms expect to implement workforce travel restrictions once a pandemic strikes.

10. Most firms are trying to balance their protective mask usage policy between protecting the workforce and not offending customers. The firms who have direct and frequent contact with the public (for example retail operations) request that workers wear a mask when escorting a sick person out of the building only. Those firms that don’t have direct public contact public allow their workers to wear masks based upon their personal comfort level.

11. Those firms that have public congregation areas plan to close off those areas once a pandemic strikes. For example, bank branch lobbies will be closed and only the drive-up window will be open.

12. Firms with workers who must make home visits have equipped those workers with protective gear such as masks, sanitizer fluid for the hands and steering wheels of their cars/trucks, disposable gloves and so forth.

13. You can’t build your preparedness plans using workers’ personal information that has been gathered through the normal social networking in the work environment.

14. Some firms are concerned about law suits as a result of family members getting the flu from the firm’s employee.

15. You can’t expect to get resources from your local neighbors, partners and so forth because everyone will be in the same situation when the pandemic strikes.

16. Your plans and handling process must include actions that will assist you to return to normal operations once the pandemic is over.

17. You must include cultural differences in your plan activities. For example, blood transfusions may be refused if they are not from a person with the same national origin as the intended recipient.

Gartner always advises businesses to review their pandemic preparedness planning from the perspective of 40% absenteeism – some of which is going to be workers staying home in order to care for children who are home due to school closures.  This particular point was considered in the June/2009  Harvard survey and the results are:

• 51% of US workers would be likely to stay home and miss work in order to care for children,
• 43% would be likely to lose pay or income and have money problems as a result, and
• 26% would be likely to lose their job or business as a result of staying home to care for children.

These survey results are something that businesses should take notice of and respond to in order to provide the workforce with as much information as possible regarding their approach to compensation and HR practices during a pandemic.   Not every business can afford to pay workers for time off during a pandemic – but providing the information to the workforce ahead of time means that they can plan for the event, and potentially have some of their fears allayed.

There are many areas where HR policies come under review for pandemic preparedness planning:

1. Paid time off;
2. Facility closures and quarantines;
3. Bereavement time;
4. Short-term and long-term disability;
5. Flexible work options; and
6. Sick workforce handling procedures.

There are no standard answers to these issues because HR laws are different by jurisdiction, and HR policies vary by organization and worker type (exempt and non-exempt).  Every organization must review its policies with internal and possibly external HR and compensation experts to find the right approach that is based on their business practices and their culture.

Finally, pay attention to privacy issues when developing sick workforce handling procedures.  Never disclose the name of a sick worker to the rest of the organization.  That said, most people in their work group already know who they are.  Therefore, regularly educate the workforce about their own need to maintain the privacy of their colleagues.