Post on 14-Mar-2018
transcript
1
Business Continuity and Crisis Management
Crisis Management, Crisis Management, Business Continuity and Business Continuity and The Incident Command SystemThe Incident Command System
Understanding Differences Understanding Differences and Putting it all together?and Putting it all together?
by Max Ckonjevic FBCI, CBCPby Max Ckonjevic FBCI, CBCP
2
ObjectivesObjectives
•• To challenge your ideas and To challenge your ideas and understanding of Crisis Management understanding of Crisis Management and Business Continuity Plansand Business Continuity Plans
•• To present recommended components To present recommended components in a Crisis Management Planin a Crisis Management Plan
•• To present an organizational structure To present an organizational structure that may tie it all together (ICS Model)that may tie it all together (ICS Model)
3
Who is in Attendance?Who is in Attendance?
Functional perspectiveFunctional perspective•• Emergency Management ProfessionalsEmergency Management Professionals•• Business Continuity ProfessionalsBusiness Continuity Professionals•• Security ProfessionalsSecurity Professionals•• ConsultantsConsultants
4
Who is in Attendance?Who is in Attendance?
Industry perspectiveIndustry perspective•• Manufacturing Manufacturing •• WholesaleWholesale•• ServicesServices•• RetailRetail
5
Preparedness Management
Managing threats and preparing for disasters is complex
Nomenclature for preparedness activities differs
6
Preparedness Management Components
PrePre-- IncidentIncidentActivities that attempt Activities that attempt prevent or lessen the effect prevent or lessen the effect of a threat or incidentof a threat or incident
PostPost--IncidentIncidentActivities that follow an Activities that follow an incident incident –– to minimize the to minimize the effects of the incidenteffects of the incident
7
Preparedness Management Components
PrePre-- IncidentIncident•• IntelligenceIntelligence•• Preventive MeasuresPreventive Measures•• Mitigation or Emergency Mitigation or Emergency
Response PlanningResponse Planning
8
Preparedness Management Components
Post Post -- IncidentIncident•• Emergency Emergency
ManagementManagement•• Incident Control or Crisis Incident Control or Crisis
ManagementManagement•• Business Continuity and Business Continuity and
Recovery Recovery
9
Plans, Plans, Plans…?
Emergency Action Plans Emergency Action Plans ------
Disaster Recovery Plans Disaster Recovery Plans ------
Business Continuity Plans Business Continuity Plans ------
Crisis Management Plans Crisis Management Plans
10
Plans, Plans, Plans…
Why so many different plans?Why so many different plans?
Are they really needed?Are they really needed?
What’s your opinion?What’s your opinion?
11
Differences need to be understood
•• To develop plans that will address the proper To develop plans that will address the proper situationsituation
•• To engage the proper plan for the To engage the proper plan for the corresponding eventcorresponding event
•• Not knowing the differences Not knowing the differences –– creates a false creates a false sense of security sense of security
•• Not having the proper plan could become the Not having the proper plan could become the negative turning point of an organization that negative turning point of an organization that will lead that organization to significant losses will lead that organization to significant losses and liberalitiesand liberalities
12
Loss RealityLoss Reality
Losses attributable to disasters - doubled in the past 5 years and will double again by 2010. (Gardner)
• 43% of companies experiencing a major disaster do not re-open. Another 29% close within 2 years. (NYC Port Authority)
• Regulatory and legal requirements are increasing for some form of continuation capability
• Stakeholders and governing bodies are increasingly holding a company’s management to their fiduciary responsibilities.
13
The Good News is…The Good News is…
An October An October 2005 Research Survey 2005 Research Survey completed completed by the Economist Intelligence by the Economist Intelligence
Unit and Lloyds titled:Unit and Lloyds titled:
Taking Risk On Board, How Global Taking Risk On Board, How Global Business Leaders View RiskBusiness Leaders View Risk
Board of Directors are taking “Risk” more Board of Directors are taking “Risk” more seriouslyseriously!!
14
and the Survey says why….and the Survey says why….
•• One in five companies suffered significant One in five companies suffered significant damage from a failure to manage risk damage from a failure to manage risk adequately last year*adequately last year*
•• Over ½ had at least one “near miss” *Over ½ had at least one “near miss” *
•• Lloyds Survey, Taking Risk On Board, completed in October 2005, Lloyds Survey, Taking Risk On Board, completed in October 2005, How Global How Global Business Leaders View Risk.Business Leaders View Risk.
15
BC’s Role and Risk Management
What is Business Continuity Planning from a Risk Management Perspective?
16
BC’s Role is Risk Management
Business Continuity Planning is a risk reduction technique designed to reduce a potential impact of an event or action to a manageable/acceptable level.
17
BC’s Role in Risk Management
BC Planning is designed to manage risk:• Reduces the impact of an event to an
acceptable level by;• Maintaining availability of critical products
and services in the marketplace,• Protecting corporate assets, • Ensuring timely and cost effective
recovery.
18
General Definition Business Continuity Planning
AA process to identify, prioritize, protect and restore critical business assets, processes and resources required to maintain an acceptable level of operations and services by the organization in the aftermath of an event or an interruption to the business.
19
Definition of a Crisis
20
General Definition of a Crisis
Extreme threats to important values, Extreme threats to important values, intense time pressures, high stress, and intense time pressures, high stress, and the need for rapid, but careful decision the need for rapid, but careful decision making.*making.*
* Billings, A Model Of Crisis Perception* Billings, A Model Of Crisis Perception
21
Organizational Crisis
A turning point in which a situation of A turning point in which a situation of impending danger to the organization runs the impending danger to the organization runs the risk of escalating in intensity, interfering with risk of escalating in intensity, interfering with normal business operations, jeopardizing the normal business operations, jeopardizing the organization’s public image, and damaging organization’s public image, and damaging the bottom line.*the bottom line.*
* * LebingerLebinger, Managing Corporate Crisis: Strategies , Managing Corporate Crisis: Strategies for Executivesfor Executives
22
My Favorite Definition…. Organizational Crisis
A extreme threat to an organization that is A extreme threat to an organization that is intensified by time and has the potential for intensified by time and has the potential for significant negative results to important significant negative results to important organizational values, functions and/or services. organizational values, functions and/or services. This threat could result in major damageThis threat could result in major damageto the organization, its employees, to the organization, its employees, products, services, financial products, services, financial condition and/or reputation.*condition and/or reputation.*
**M. CkonjevicM. Ckonjevic
23
Plan Reality Check
•• How many have BC Plans?How many have BC Plans?
•• How many have CM Plans?How many have CM Plans?
24
Crisis Plan Reality Check
•• Does your plan focus on the recovery Does your plan focus on the recovery of business functions and services?of business functions and services?
•• Is your Plan Designed around the “worst case Is your Plan Designed around the “worst case scenario” or “all hazards” approach?scenario” or “all hazards” approach?•• Facility Losses (no or limited access to a Facility Losses (no or limited access to a
facility)facility)•• Technology Losses (no access to systems, Technology Losses (no access to systems,
equipment, information/data or services)equipment, information/data or services)
25
Plan Reality Check
If you answer hand is still up ….If you answer hand is still up ….
Congratulations, those are BC Congratulations, those are BC plans….plans….
Not Crisis management plansNot Crisis management plans
26
Plan Reality Check
Does you BC Plan support …..Does you BC Plan support …..
27
Examples of Crisis Threats
•• White Collar CrimeWhite Collar Crime•• Fraud Fraud •• Workplace ViolenceWorkplace Violence•• Sexual HarassmentSexual Harassment•• Class Action Class Action
LawsuitsLawsuits•• MismanagementMismanagement•• Labor Disputes
•• Product Tampering, Product Tampering, Recalls, FailuresRecalls, Failures
•• Environmental Environmental AccidentsAccidents
•• Casualty AccidentsCasualty Accidents•• ExtortionExtortion•• Insider TradingInsider Trading•• CrashesCrashesLabor Disputes
28
Business Continuity Plan
What is the Primary Purpose of a What is the Primary Purpose of a Business Continuity Plan?Business Continuity Plan?
29
Business Continuity Plan Primary Purpose
To recover or continue the business!To recover or continue the business!
•• The recovery and continuation of The recovery and continuation of mission critical and time sensitive mission critical and time sensitive business functions and services after business functions and services after an incident!an incident!
30
Crisis Management Plan
What is the Primary What is the Primary Purpose of a Crisis Purpose of a Crisis Management Plan?Management Plan?
31
Crisis Management PlanPrimary Purpose
To manage a crisis!To manage a crisis!
•• To limit the intensity or impact of a To limit the intensity or impact of a negative threat or event to organization's negative threat or event to organization's employees, products, services, financial employees, products, services, financial condition and/or reputationcondition and/or reputation
32
Summary of Plan Differences
Business Continuity Business Continuity Plan (BCP)Plan (BCP)
•• To recover mission To recover mission critical business critical business services and/or services and/or processesprocesses
•• Limited scenariosLimited scenarios•• Focus on technology Focus on technology
facilities and/or datafacilities and/or data
Crisis Management Plan Crisis Management Plan (CMP)(CMP)
•• To limit, control and To limit, control and manage negative manage negative effects of an eventeffects of an event
•• Many scenariosMany scenarios•• Focus on people, Focus on people,
products, services and products, services and organization valuesorganization values
33
Summary of Plan Differences
You can have a crisis without a disasterYou can have a crisis without a disaster•• A Crisis can exist with NO physical damage to A Crisis can exist with NO physical damage to
facilities or technologies. facilities or technologies.
You can have a disaster without a crisis You can have a disaster without a crisis •• You can have a loss to physical facilities or You can have a loss to physical facilities or
technologies and NOT have a crisis.technologies and NOT have a crisis.
Both will escalate if not managedBoth will escalate if not managed
34
Summary of Plan Differences
If not effetely managedIf not effetely managed
A Crisis can become a Disaster A Crisis can become a Disaster
A Disaster can become a CrisisA Disaster can become a Crisis
35
10 Basic Components of a Crisis Management Plan
1. 1. Document IntroductionDocument Introduction2. Crisis Scenarios/Situations2. Crisis Scenarios/Situations3. Crisis Considerations3. Crisis Considerations4. Crisis Management Team 4. Crisis Management Team 5. Crisis Management 5. Crisis Management
FacilityFacility
36
10 Basic Components of a Crisis Management Plan
(not discussed)(not discussed)6. Notification Procedures6. Notification Procedures7. Action Procedures7. Action Procedures8. Post8. Post--Crisis AnalysisCrisis Analysis9. Plan Exercising9. Plan Exercising10. Appendix10. Appendix
37
2. Crisis Scenarios
•• Likely scenarios (8 to 12)Likely scenarios (8 to 12)
•• Risk Assessment Risk Assessment -- tool of choicetool of choice
38
3. Crisis Considerations3. Crisis Considerations
•• DocumentationDocumentation•• Proprietary InformationProprietary Information•• Financial and Legal ConsiderationsFinancial and Legal Considerations•• Media RelationsMedia Relations
39
3. Crisis Considerations
Documentation Section Documentation Section –– ((Crisis = Lawsuits)Crisis = Lawsuits)
•• Critical to document all eventsCritical to document all events•• Formal notesFormal notes•• Crisis team contact formsCrisis team contact forms•• Press contact formsPress contact forms
40
3. Crisis Considerations
Proprietary InformationProprietary Information•• Guidelines in dissemination of information Guidelines in dissemination of information
•• Confidential informationConfidential information•• State and Federal statutes State and Federal statutes
preclude certain datapreclude certain data
41
3. Crisis Considerations
Financial & Legal ConsiderationsFinancial & Legal Considerations•• Implementation guidelines Implementation guidelines
•• Suspending trading of firm’s stockSuspending trading of firm’s stock•• Acquiring stock in volumesAcquiring stock in volumes•• Communications with brokerage Communications with brokerage
firms, vested interest groups, firms, vested interest groups, consumers, employeesconsumers, employees
42
3. Crisis Considerations
Media RelationsMedia Relations•• Single point of contactSingle point of contact•• Log all press calls (Press Contact Form) Log all press calls (Press Contact Form) •• Media packages Media packages –– Dark websiteDark website•• Clipping ServiceClipping Service•• Example press releasesExample press releases•• Guidelines for information Guidelines for information
disseminationdissemination
43
4. Crisis Management Team
•• Senior Management, President, Senior Management, President, V.P., CEO, CFO, etc.V.P., CEO, CFO, etc.
•• Public RelationsPublic Relations•• CommunicationsCommunications•• Legal, HRLegal, HR
44
5. Crisis Management Facility
Command Center considerations Command Center considerations •• Presentation area Presentation area –– Media ControlMedia Control•• Additional media Additional media
support equipmentsupport equipment
45
10 Basic Components of a Crisis Management Plan
6. Notification Procedures6. Notification Procedures7. Action Procedures7. Action Procedures8. Post8. Post--Crisis AnalysisCrisis Analysis9. Plan Exercising9. Plan Exercising10. Appendix10. Appendix
46
ICS Model
An Incident Command System consist of two An Incident Command System consist of two primary structures:primary structures:
1.1. Damage Assessment Team Damage Assessment Team –– (First Responders)(First Responders)2.2. Incident Command System Incident Command System
•• Incident Commander Incident Commander •• Planning (“Tactical Action”)Planning (“Tactical Action”)•• Operations (“Business Operations”)Operations (“Business Operations”)•• Logistics (“Provide Support”)Logistics (“Provide Support”)•• Finance & Admin (“Account & Procure”)Finance & Admin (“Account & Procure”)
47
ICS Model
BRANCH
DIVISIONS & GROUPS
GROUP
GROUPSTRIKE TEAMS & TASK FORCES
RESOURCES
SITUATION UNIT
DEMOBILIZATION
DOCUMENTATION
TIME UNIT
PROCUREMENT UNIT
COMPENSATION
COST UNIT
SERVICE BRANCH
COMMUNICATIONS
MEDICAL
FOOD
SUPPORT BRANCH
SUPPLY
FACILITIES
GROUND SUPPORT
COMMAND
OPERATIONS LOGISTICS PLANNING FINANCE
INFORMATIONSAFETYLIAISON
RESOURCES
TECHICAL SPECIALIST
BRANCH
48
IM/CM Organization Model Private Companies
Taking the ICS structure supporting the uniform Taking the ICS structure supporting the uniform services and enhancing it to support the suits, services and enhancing it to support the suits, private industryprivate industryTheThe Incident Management Model consist of three Incident Management Model consist of three (3) teams:(3) teams:•• Damage/Crisis Assessment Team Damage/Crisis Assessment Team –– Private Private
Company’s First Responder Functions Company’s First Responder Functions •• Incident Management Team Incident Management Team –– (Same ICS Model)(Same ICS Model)•• Crisis Team Crisis Team –– newly added teamnewly added team
49
TITLE: Incident Management's Relationship to Other Emergency Management Elements
INCIDENTOCCURRENCE
INCIDENTMANAGEMENT
TEAM
* Damage Assessment * Crisis Assessment * Emergency Declaration * Primary/Secondary Notification * Repair & Resume
BC PLAN
BUSINESS CONTINUITY@ ALTERNATE SITE
BUSINESS RECOVERY@ PERMANENT SITE
Crisis Plans
EmergencyAction Plans
Max Ckonjevic2006
EXECUTIVEMGMT.
CRISIS TEAM
Damage/CrisisAssessment
Team
* Evacuation Plans * Shelter in Place * Emergency Power
* Incident Manager * PLANNING * OPERATIONS * LOGISTICS * FINANCIAL
50
Summary of Plan DifferencesSummary of Plan Differences
Business Continuity PlanBusiness Continuity Plan Crisis Management Plan Crisis Management Plan
•• To recover mission To recover mission critical business critical business services and services and processesprocesses
•• Limited scenariosLimited scenarios•• Focus on facilities Focus on facilities
and technologyand technology
•• To limit intensity, To limit intensity, manage and control manage and control negative results of negative results of an eventan event
•• Many scenariosMany scenarios•• Focus on people, Focus on people,
products, services products, services and/or reputation and/or reputation
51
Summary of Plan Differences
You can have a crisis without a disasterYou can have a crisis without a disaster•• A Crisis can exist with NO physical damage to A Crisis can exist with NO physical damage to
facilities or technologies. facilities or technologies.
You can have a disaster without a crisis You can have a disaster without a crisis •• You can have a loss to physical facilities or You can have a loss to physical facilities or
technologies and NOT have a crisis.technologies and NOT have a crisis.
Both will escalate if not managedBoth will escalate if not managed
52
SummarySummary
•• The focus of Crisis Management The focus of Crisis Management Planning is different then Business Planning is different then Business Recovery PlanningRecovery Planning
•• A Crisis Management Plan (CMP) and a A Crisis Management Plan (CMP) and a Business Continuity Plan (BCP) are Business Continuity Plan (BCP) are usually two different documents that can usually two different documents that can work together or separatelywork together or separately