
Introduction to Business Continuity Planning

An Introduction to the Business Continuity Planning Process Including Developing your Process and the Plans to Support Recovery

©Green Oak Solutions, L.L.C.
Brighton, MI

Goals for the Process

The primary goals of BCP are to ensure Staff Safety and delivery of goods and services to external and internal customers in spite of adverse conditions.

Process Drivers
• Just in Time Operations - JIT, Lean Manufacturing
• Limited Redundancy in Operations
• Reliance Upon Technology to Accomplish Job
• Low Maximum Acceptable Downtime
• Single Points of Failure in Operations
• Supply Chain Network Risks
• Financial, Reputation, Legal, Market Risks
• Post 9/11 Concerns - People and Operations

Business Continuity Planning involves:

• Emergency Response Planning
• Crisis Management and Communication
• Business Resumption Planning

Business Continuity Planning

Maximum Acceptable Downtime


The period the operation or business functions can be shut
down without there being a significant impact on the
company’s revenue stream, public credibility, regulatory
compliance, etc.
Business Continuity Planning

Disaster

Any event that causes disruption to company operations or business functions for a period beyond the Maximum Acceptable Downtime.

Following a Crisis, Insurance Won’t:

• Retain customer confidence and market share
• Address Customer Migration
• Restore damage to company image
• Develop and bring new products into the marketplace
• Replace valuable employees or improve employee morale

Ultimate Goals
I. Integrate Operational and Business Risk Reduction with
Business Continuity.

II. Create a Risk Reduction/Disaster Resistance Mentality

III. Cover all aspects of the Response/Recovery process from Emergency Response through Business Recovery

IV. Integrate all key aspects of planning - Security, Crisis Management, Crisis Communications, Damage Assessment and Restoration, Business Resumption

Critical Success Factors

1. Provide management support and direction - Process Owner and Process Sponsorship

2. Recognize scope and magnitude of effort

3. Commit sufficient financial and personnel resources to Process - Project Manager

4. BCP is a Process not a Project


A Risk Based View of Planning

• Planning involves the reduction of risks
• In order to determine the priorities for planning, a Needs Assessment/Business Impact Analysis is conducted
• The BIA forms the Pre Incident operations risk assessment
• Risks are Identified and Quantified
• Mitigation Priorities are Established - see Flowchart that follows

Business Continuity Planning

Pre Incident Planning and Post Incident Response

The Pre Incident Planning Process identifies the key risks to the
organization, quantifies them and suggests ways to mitigate them

The Post Incident Response Plans are designed to provide the full range of
response to incidents beginning with the initial stages of an event through
to its resolution, and resumption of operations
Business Continuity Planning and Recovery Process

Pre-Incident Planning Process

Step 1: Risk Identification
Step 2: Risk Quantification
Step 3: Risk Mitigation

INCIDENT

Post-Incident Response Planning Process

Step 4: Emergency Response
Step 5: Crisis Management
Step 6: Business Resumption


Key Factors for Process
• Each step in process can be defined and measured
• Several key factors for each step are summarized in slides that follow
• Can form measurement grid for process
• Provide an indication of the issues to be addressed at each step in the process

Risk Identification - Typical Risk Generators

> Physical risks identified

> Operational risks identified

> Critical single source suppliers identified

> Revenue impact potential identified

> Contractual/Regulatory exposures identified

> Process flow mapped


Risk Quantification - Typical Measurement Methods

> Physical risk controls identified and evaluated for effectiveness

> Operational risk controls identified and evaluated for effectiveness

> Residual risk identified and translated to outage and impact potential

> Outage potential translated to revenue impact, regulatory impact, long term migration potential, etc.

> Risk and impact quantification used to develop mitigation priorities


Risk Mitigation - Typical Risk Reduction

> Future mitigation priorities supported by risk ID, and quantification

> Physical and Operational risk reduction from mitigation quantified

> Mitigation issues assigned time frame and responsibility

> Review process addresses mitigation issue resolution


Emergency Response – Typical Initial Response

> Emergency Response Team is in place and trained

> All potential hazard scenarios are considered

> Evacuation and Take Cover procedures are in place and tested

> Employee gathering spots are defined

> Plan addresses notification and direction of police, fire, EMS, and Utilities

> Restoration and Reconstruction contractors identified and engaged

> Damage Assessment Team and Plan is developed


Crisis Management – Typical Incident Management Controls

> Facility Crisis Management Team identified and complete

> Roles and Responsibilities are detailed

> Crisis Communications Plan is in place for all affected/interested parties

> Damage Assessment reporting is linked with CMT operations

> Disaster Declaration criteria/decision points are defined

> CMT directs both Restoration and Resumption

> CMT is the focal point for local recovery and Corporate liaison
Business Resumption – Typical Longer Range Actions

> Recovery teams are identified with detailed Roles and Responsibilities

> Mitigation of customer impact is captured in the plan

> Restoration of productive capacity and capability with timeframes

> Restoration of Host Site is addressed

> Alternative Production operations are defined in detail

> Manufacturing Contingency Plans are in place

> Mega Application of sound Manufacturing Engineering principles

> IT and Telecommunications recovery plan is identified


Operation of The Business Continuity Plan
• Flowchart that follows depicts a typical recovery sequence
• Can be modeled to any operation
• Identifies the Key Escalation points, and Plans that are activated
• Every Operation is Different…
• The Response Process is Similar…
• The Solution is Customization of the Plan Elements

Key Elements of Response
• Emergency Response Plan
• Crisis Management Plan
• Damage Assessment and Facility Restoration
• Crisis Communications and Human Resources

These plans Respond to the Incident, Mitigate its effects, and Manage the Process of Restoring Full Operations

Key Elements of Response
Emergency Operations Centers

Crisis Management Team

Crisis Communications Team

Damage Assessment Team


Key Elements of Response
Full Business Resumption Plans

These plans are developed at the operations level to address recovery from incidents ranging from moderate to severe in nature - All operating areas should develop a plan

[Flowchart: Incident Response Flow and Plan Activation]

Timeline stages:

> Initial Activation of Crisis Management Plan-Damage Assessment Plan: 2-4 Hours Into Incident
> Crisis Management Plan Fully Activated: 4 to 8 Hours Into Incident
> Crisis Management Sub Plans Activated: 4 hours to 48 Hours after Incident
> Evaluation of Potential for Exceeding Maximum Acceptable Downtime: 2 to 3 days after Incident

Flowchart boxes:

> ERP Activated and Initial Response is Conducted. Employee Evacuation and Safeguarding, etc.
> Initial Assessment of Damage by First Responders
> Damage Assessment Plan Activated by CM Team Leader. DAT Leadership Deploys to Site
> Crisis Management Plan Activated. CMT Activated and Deploys to the EOC
> Incident Contained by First Responders: Limited Damage, No Crisis Management Plan Activation
> Damage Assessment Restoration Repair and Reconstruction Plan Activated
> EOC Plan Activated For CMT Operations
> Crisis Management and Crisis Communications Plan Activated
> Decision: Is Maximum Acceptable Downtime going to be Exceeded?
> MAD Not Exceeded: Repairs Expedited and Restoration to Full Production Within MAD
> MAD Exceeded: Activate Full Recovery and Contingency Efforts Including: Rapid Reconstruction, Expanded Crisis Communications, Production Contingency Plan, Supply Chain Network Response Plan

Copyright 2005 Green Oak Solutions, L.L.C.


Key Elements of Response
Teams
• Emergency Response Team - Safety, Security, Medical, Line Management, Environmental
• Crisis Management Team - Senior leadership, Operations Management
• Damage Assessment Team - Facility and Utilities Engineering, Process Maintenance, Purchasing, Logistics, Security
• Crisis Communications - HR and Communications Specialists
• Business Resumption - Line Management and Staff

The Value of Emergency Response
• 1991-2000 Business Interruption Losses
• 2,281 Losses Examined
• Emergency Response Plan Activated
• Properly Planned and Implemented - $920,000
• Not well planned or implemented - $4,100,000
• 4.45:1 Loss Ratio
• Conclusion - Emergency Response Planning Critical

Courtesy of FM Global
www.fmglobal.com
The Value of Continuity Planning
• 100 Losses Examined
• 54 Determined to have Continuity Planning in Some Form
• Average Business Interruption Loss - $7.1 Million
• With Contingency Planning Considered Adequate - $4.0 MM
• With Contingency Planning Considered Poor - $7.9 MM
• Approximately 50% Reduction in BI with Good Contingency
• No Statistics on Remaining 46%
• Contingency Planning Further Reduces Deep Losses in Time Element

Courtesy of FM Global
www.fmglobal.com
Green Oak Solutions
• Business Continuity Program Development and Planning
• Crisis Management Planning
• Executive Level Needs Assessments
• Business Impact Analysis
• Physical and Operational Risk Assessments
• Damage Assessment and Facility Restoration Planning
• Training and Education in Emergency Management

Green Oak Solutions, L.L.C.


Craig Holmes, PE - Managing Director
cholmesgos@charter.net
1-810-813-8396
