Roberta Witty

I am doing some research regarding when an organization should invoke their pandemic preparedness plan(s) from a business operations perspective. I’m not talking about the personal hygiene/medical aspects, but the business operations impact view. Tell me how your firm is handling the issues expressed in the questions below.

1. How do you determine when to invoke pandemic preparedness plans such as workforce isolation and social distancing? Is it by absenteeism rate? Some other data point? If absenteeism rate, are you monitoring the change between the normal rate of say 5-7% and the pandemic influenced rate?

2. How are you invoking your plans – by enterprise, by location, by department? Are you conferring with your pandemic crisis management team in doing so?

3. How do you determine when you will issue a stand down order?

Getting management attention and investment commitment for BCM can be hard. Linking key performance indicators to key risk indicators for resilience is an effective approach for communicating to business management the value of business continuity and resilience management, so that business management takes ownership of these programs and commits to the needed investments year over year.

You need a management champion, and that’s where key business performance indicators come into the picture. If you translate availability/resilience risk to on-time delivery, supply chain performance, R&D success, customer retention and so forth – leading indicators of future business performance, then management can understand the impact to the business of a risk being exploited. It’s an educational and iterative process – few get it out of the gate unless perhaps they have been personally involved in a prior event.

BCM has to move from a FUD operation to a business enablement operation – tying risk to performance is the way to get there.

Read my latest research note “A New Approach: Obtain Business Ownership and Investment Commitment for Business Continuity and Resilience Management Through Key Performance and Risk Indicator Mapping” – free to clients or for a fee to non-clients: http://tinyurl.com/yjfcmpz .

The need for supply chain resilience could push still-unready organizations to attain business continuity management program certifications. Monitor the PS-Prep program and associated standards to ensure you are prepared.  

On 15 October 2009, the U.S. Department of Homeland Security (DHS) announced three proposed standards that would be used by the Voluntary Private Sector Preparedness Accreditation and Certification Program (PS-Prep) program, which enables private-sector businesses, nonprofit organizations and universities to receive emergency preparedness certification. The public can submit comments on the standards and the program at www.regulations.gov in Docket ID FEMA-2008-0017 by 15 November 2009.

Improving recovery capabilities will benefit all businesses and humankind globally. But certification is not a guarantee that an organization can recover from a disaster. Organizations should go slowly when starting down the path toward organization certification.

Read the rest of my First Take at: http://tinyurl.com/yjhwz3u.

Today, DHS Secretary Janet Napolitano held a press conference to commemorate the end of “National Preparedness Month” in the U.S. Her key message was that readiness and resilience is a shared responsibility starting at the personal level and extending to government agencies, communities and the workplace.

According to Secretary Napolitano, readiness and resilience are related activities – readiness meaning being prepared with needed plans and resources before an emergency occurs so that one can adapt in the moment and emerge stronger after the crisis – a demonstration of resilience.

In order to be prepared, we must change our attitude that someone will be there when something bad happens to us. To highlight this point, Secretary Napolitano stated that readiness and resilience is not just the job of the government. Disasters (from power outages, natural disasters to terrorist attacks) can happen to each of us – not just others, and therefore, we each need to be personally prepared.

To achieve that end, Secretary Napolitano stated that the heart of resilience is individual family readiness. Every family needs to take very basic steps so that we act with control and not fear during a very chaotic and disorienting time such as a crisis. We need to know the events that are likely to impact our particular location, have an emergency kit and family reunification plan (see my research note: “Personal Preparedness enhances Corporate Recovery” as well advice from www.Ready.gov)

Secretary Napolitano also encourages everyone to get involved and work as a part of a community. She said that America is not just a nation of individuals and families; rather, we are a nation of groups of all kinds – groups being the fiber of our society and we need to keep the fiber strong so that we are more effective to respond when something bad happens.  She encourages everyone who is already part of a group to go one step further and raise their hand in the group to which they belong and ask the question: “What’s our plan?” Organizations, social groups and efforts like Citizen Corps –a grassroots effort from FEMA to bring together government and community leaders to involve citizens in all-hazards emergency preparedness and resilience all help to prepare communities for any kind of emergency

DHS has made $3 billion in grants available to communities to bolster the preparedness of the local and state government agency network.  At the federal level, Secretary Napolitano stated that DHS will start to hold “no-notice” disaster exercises to ensure everyone at the federal level knows how to respond in a moment’s notice. This is a very different practice from past exercises which were scripted well in advance.

DHS has also launched a series of public service announcements as well as a weekly email message that will directed at family preparedness.

DHS is also expanding to other communities the secure communities network (SCN) which today provides emergency preparedness training and rapid communication services during a crisis the Jewish community.

Finally, DHS will be starting a national award program that awards people and organizations that bring innovation and excellence to national preparedness and resilience.

The following questions were asked at the end of her speech.

1. Will states take on the no-notice drills? Secretary Napolitano responded that DHS can encourage states to do so, but cannot mandate it. They plan to lead by example.
2. What can business do to help with readiness and resilience? Secretary Napolitano responded that citizens should work with your employees to put in place workplace preparedness programs.
3. Is there any support to include a donation, for example $2, on the annual IRS tax return? Secretary Napolitano responded that it is not planned, but DHS is happy to take those donations.
4. Does resilience include building code guidelines and so forth? Secretary Napolitano responded that resilience does extend to such practices.
5. What is the assessment of the country’s readiness for H1N1? Secretary Napolitano responded that the U.S. is ready and prepared, having worked throughout the spring and summer of 2009 with such activities as reaching out to the private sector to ensure they have plans, working with school districts for response plans and school closures, and states in preparation for the H1N1 vaccine program rollout.

A replay can be found at: www.Ready.gov

At this week’s Midsize Enterprise Summit, not one hand went up when I asked the audience if they knew what PS-Prep was.  That was the main reason I wanted this session at the conference – organization certification for business continuity management is coming and few organizations – large, midsize and small in fact – know what it is all about.  It’s biggest business value is in supply chain risk management – organizations wanting to ensure that their supply chain partners – business as well as IT product/service providers – are able to recover from a disaster so that the delivery of goods in not impeded.  However, there is a cost associated with it. 

At today’s general session, DHS, Cisco, Radian Compliance and I spoke about what PS-Prep and BCM organization certification are and what they aren’t, the value of it, how in the long-term it will likely be a mandatory requirement to do business – through market pressure rather than the voluntary program put forth through US Public Service law 110-53, and what organizations should be doing now to prepare for the time when your larger customers and partners will start assessing your ability to recover.

What is your organization doing to prepare for it? Have you already been approached by your customers and partners to show some level of maturity around business continuity management before they sign a contract with you, or when renewing a contract?

Information on the PS-Prep Program can be found at the FEMA web site.

The denial of service attack on Twitter should remind organizations that are automating their emergency call trees and crisis communications that a single end point isn’t good enough. Given the growth in social networking, more and more organizations are starting to think about leveraging these sites for emergency/crisis communications. But if it becomes your only end point, you risk not getting your message out when it is most needed – during a disaster.  In addition, no national telcom network has been tested for a regional disaster, so your phone messages might not get delivered either. Hence, build for emergency notification around multiple channels for best coverage. What is your organization doing to support best coverage?

Last week, I attended the IntraPoint User Forum in Norway, and I came away with a real education about the extreme measures some enterprises in the oil and gas and transportation industries take to provide the safest possible environments for their workers and their customers. Just a couple of examples: tracking every single ship traveling near North Sea oil platforms to prevent collisions, and using radio frequency identification (RFID) tags to muster the workforce for platform evacuation. The demands of protecting life and ensuring safety have new meaning for me when I think about what it takes to operate in such hazardous environmental conditions.

Linda Tavlin of Tavlin Training a crisis communications firm based in Paris (you can see the fruits of her work by watching how the Air France Flight 447 disaster is being managed in the press), asked the attendees a thought-provoking question: “Are you a commercial firm selling safety to your stakeholders, or are you a safety firm selling a commercial product/service?” Depending on your answer, your approach to crisis communications will be vastly different — and the impact on your brand and reputation will be damaged, preserved or enhanced as a result. Those that seeing themselves as safety firms have a crisis communications program focused on addressing the intangibles of a crisis — the emotional and the investigation/fact-based side of the incident. I didn’t have to think too hard to understand Linda’s basic point: that an enterprise that says, “We’re sorry this happened” immediately after a crisis is addressing the emotional needs of everyone involved, including employees and their families, customers, business partners and the community at large. (I admit I do struggle with the idea that saying you’re sorry about something means implying that you’re at fault. Maybe that’s a female trait?)

Linda made another important point: that a crisis communications program should focus more on investigating and remediating a crisis than on public relations. Lawyers, executives and other key stakeholders will inevitably want to put the firm in the best possible light following a crisis, but their efforts to do that may run counter to what really needs to be done from a formal and perhaps regulatory perspective. Misleading or insensitive statements can put your firm in a precarious position, so the inevitable media questions should be referred to authorized investigators. (Remember, every country, region and jurisdiction has its own approach to these issues, so make sure you have the necessary legal and regulatory knowledge before moving ahead.) Taking this approach achieves several key goals: It lets everyone know that there are many parties involved in the crisis, its impact and its investigation, and it diverts some of the media attention away from the firm to other parties. Perhaps most important, it focuses attention on fact-finding activities that can determine conclusively why the crisis occurred and lead to the implementation of mitigation controls to prevent it happening again.

One more thing: Pay keen attention to your executives and their ability to act as spokespersons for the firm. Their interpersonal skills may not be the type you need during the initial crisis and its aftermath. (You may need to shift spokespersons over the course of the investigation, based on their skill sets and your communication needs.) Empathy and respect for all involved — especially members of the community, the jurisdictional investigators and political leaders — will serve you better than bravado and posturing.

The recent outbreaks of the swine flu are highlighting the need for organizations to have pandemic plans that address workforce absenteeism rates of 40% or higher. There are 20 laboratory-confirmed human cases in California, Texas, Ohio, Kansas and New York. In fact, we’re in Chicago for the Gartner Business Continuity Management Summit and we’ve already been notified that at least one company planning to attend cannot because they have already initiated their crisis management plan to monitor the swine flu outbreak in their area. With luck, this will be a very minor event as according to the WHO “laboratory testing has found the swine influenza A (H1N1) virus susceptible to the prescription antiviral drugs oseltamivir and zanamivir.”

Immediate steps for organizations to take include:

• Go to www.pandemicflu.gov to find out the actions the US government recommends to ensure workforce safety and continuous business operations.

• Download and examine the FFIEC’s “Pandemic Flu Exercise of 2007 After Action Report” immediately, and disseminate their findings across your organization. To the best of our knowledge, this is the only large-scale testing of business pandemic plans ever conducted.

• Download Rick DeLotto’s research note “New U.S. Guidance on IT in Pandemics” dated March 3, 2008.

• Emphasize the urgency of performing personal hygiene disciplines that will inhibit the spread of the virus.

• Identify existing and projected critical skills shortages; and initiate staff cross-training, testing and certification. Make sure that cross-trained personnel are also given the appropriate access rights in your applications. This is the longest lead-time and most disruptive of the improvements.

• Determine which business operations are sustainable, at what level, and likely durations of downtime for normal business operations with staff absentee rates of 40%. Test for various combinations of leaders and skilled staff.

• Testing should start immediately to isolate and remediate problem areas. Testing should be rigorous, inventive, ongoing and documented.

Gartner has many research notes related to pandemic planning and we will continue to update you as to the severity of events and actions you should take as the situation evolves. Please visit our business continuity blog for more information.

Rick DeLotto and Roberta Witty

Sometimes the best things in life are still free, and good news can come from surprising sources.

On Tuesday, Rick DeLotto and I were briefed by the Sahana Project, an award winning, free and open source, web-based disaster relief management system designed to “Help alleviate human suffering and help save lives through the efficient use of IT during a disaster”. It was first developed by the open source community, and is maintained by volunteers, with support from IBM, Google, NSF and Sida. You should run right over to Sahana and get a look at it, tell your friends, and spread the word. It might be just what your home town needs to keep YOU safe.

So far Sahana has quite a track record since its introduction in 2005; it has helped manage disaster outcomes in Sri Lanka, The Philippines, Indonesia Peru and Myanmar. It has been selected for use by the City of New York, Pakistan’s National Database and Registration Authority, The Disaster Management Bureau of Bangladesh, the Disaster Management Center of Sri Lanka and Indonesia’s NDCC and by various agencies across the EU, South America, Australia and China. It is available in 30 languages, has very limited infrastructure requirements, and can be run effectively on systems ranging from a simple laptop (with data exchange by USB drives) to satellite-linked client server.

As shown to us it has 4 main modules:

* Organization Registry, which helps maintain data (contact data, services offered, region, etc) of organizations, groups and volunteers working in the disaster
* Missing Persons / Disaster Victim Registry, which helps the authorities track and find missing, deceased, injured and displaced people and families
* Shelter Registry, a central repository for data on all temporary shelters setup following the disaster, and
* Request Management System, which tracks all requests and helps match pledges for support, aid and supplies to fulfillment.

Other modules include inventory management, volunteer coordination and situational awareness for incident managers, with more in the pipeline.

This is a non-profit, volunteer organization—and you or one of your professional organizations might have some skills, resources or spare time to help.

Many enterprises have successful (up-to-date and exercised) recovery plans in place for technology outages, or for a disaster that strikes the data center.  But they aren’t as prepared to handle the public communications, community/government coordiation and workforce continuity aspects of a crisis.  Recognizing that gap in their overall business resilience, a growing number of organizations are implementing crisis management teams to handle a variety of crises, not just the “big ones”.

Want to find out how prepared you are? At the Gartner Business Continuity Management Summit - April 27-29, 2009 in Chicago, IL, you will have an opportunity to participate in a special 2 1/2-hour “Mock Disaster” crisis management exercise. Led by Eagle Rock Alliance, the workshop will test your mettle and your ability to make quick, viable decisions as the senior manager of a fictitious company. Are you up to the task?