Emergencies: Protecting Staff & Assets Presented By: Tom Heebner, CSP, ARM, ABCP AVP / Risk Consultant HUB International Limited

Emergencies: Protecting Staff & Assetsaaha.hubinternational.com/content/Emergencies Protecting Staff and... · IT-DRP . IT-DRP: IT Disaster Recovery Plan (Technology - Voice & Data

Agenda

• Why is Planning Important?
• Lessons Learned From Recent Events
• The Planning Process
• Where Should You Go From Here?
• Preparing Your Staff

WHY IS PLANNING IMPORTANT?

OSHA Emergency Action Plan Requirements

• Means of reporting fires or other emergencies
• Evacuation procedures and emergency escape route assignments
• Procedures to be followed by employees who remain to operate critical operations before they evacuate
• Procedures to account for all employees after an emergency evacuation has been completed
• Rescue and medical duties for those employees who are to perform them
• Names or job titles of persons who can be contacted for further information or explanation of duties under the plan

Events Impact…

• People
• Facilities & Assets
• Technology
• Operations
• Customer Trust
• Customer Confidence

Events Result In…

• Loss of Life and/or Loss of Property
• Other significant losses
  – Reduced Productivity
  – Financial
  – Interrupted Services
  – Damaged Reputation
  – Other Expenses

Benefits of Good Planning…

• Decreases notification time
• Improves coordination of resources
• Safeguard health and safety
• Minimize property damage and business interruption
• Restore critical functions quickly
• Maintain revenue stream / avoid loss of market share
• Increases an organization’s public image

[Diagram: Businesses & Governments; Plans, Training & Exercising; Response / Continuity Teams; Occupants and Visitors; Prepared Organization]

Statistics Show…

• Companies that aren’t able to resume operations within ten days are not likely to survive
  – 50% will be out of business within five years
• 75% of companies without business continuity plans fail within three years of a disaster
• Of those businesses that experience a disaster and have no plan
  – 43% never reopen
  – Of those that do reopen, only 29% are still operating two years later

LESSONS LEARNED FROM RECENT EVENTS

Lessons of September 11th, 2001

• All types of threats must be considered
• Plans must be updated and tested frequently
• Dependencies and interdependencies should be carefully analyzed
• Key personnel may be unavailable
• Telecommunications are essential
• Alternate sites for IT backup should not be situated close to the primary site
• Employee support (counseling) is important
• Copies of plans should be stored at a secure off-site location
• Sizable security perimeters can impede personnel

Lessons From Hurricane Sandy

• Just because you are not on the coastline when a storm strikes doesn’t mean you will not be heavily affected.
• It is important to identify and establish notification processes with your employees and to utilize multiple channels to communicate (ex. SMS, Twitter, landline, e-mail, etc.).
• Although it may take some time, having a relationship with a restoration contractor before an event is invaluable.
• Fuel was not easy to come by following Hurricane Sandy, and without fuel many could not operate the vehicles, chainsaws, generators and other equipment needed during the recovery.
• Although we routinely pay for items using credit cards or by quickly going to an ATM, these aren’t likely to work if there is a power outage.
• When you have a claim, it is important to call your insurance carriers and report it as soon as possible and not speculate as to the cause.

Lessons From a Practice Fire

• The fire started at another property
• The fire department had not visited the practice prior to the event
• The practice manager indicated the fireman had to consult with their technicians to assess the layout of the practice and to identify the locations of special hazards
• The practice worked very hard on keeping in contact with clients throughout the process (relied on social media and local chamber of commerce)
• The practice had business interruption coverage
• The practice moved the office to one house and set up a network
• The practice had a manual data backup process and was successful in backing up data before the event
• The Practice Manager wishes they had planned and had a better idea of what they would do to keep things moving after the incident

Potential Events

• Medical Emergencies
• Adjacent Facility Emergency
• Workplace Violence
• Fire/Explosion
• Bomb Threat
• Loss of Utilities (steam, electricity, natural gas)
• Hazardous Materials Release
• Technological Issues
• Transportation Accident
• Terrorist Attack - CBRNE
• Suspicious Package
• Civil Disorders
• Flooding, Tornado, Earthquake and other Natural Hazards
• Contamination of Food/Water
• Structural Collapse
• Emerging Diseases

What Else?

THE PLANNING PROCESS

“The Big Picture”

[Diagram. Phases, each followed by its items in the order shown on the slide:]

• Understand Your Business: Establish Planning Committee; Review Organizational Strategy; Business Impact Analysis; Risk Assessment
• Develop Risk Mitigation Strategies: Protection Systems; Hazard Elimination / Process Change; Duplication of Resources; Alternate Operating Strategies
• Develop BCM Strategies: Corporate Strategy; Process Level Strategy; Resource Recovery Strategy
• Develop BCM Documentation: Emergency Response Plan; Crisis Management Plan; Business Continuity/Recovery Plan
• BCM Implementation & Training: Assessing Awareness; Develop / Monitor Awareness, Skills, & Culture
• BCM Exercising, Maintenance & Auditing

[Diagram labels: Department; Business Functions; Business Process Steps; Support Components (People, IT Equip & Hardware, Voice & Data, Records, Suppliers & Vendors, Facilities); Emergency Response; Crisis Management; Business Continuation]

* Business Continuity Programs reduce risk through upfront mitigation and post disaster response, recovery and restoration

Lifecycle of an Event

[Figure: timeline from Detection to Recovery over Minutes, Hours, Weeks, showing Emergency Response, Crisis Management and Business Continuity]

Intensity Levels of Phases

[Figure: Intensity of each phase: Emergency Response, Crisis Management, Business Restoration, Normalization (Recovery)]

DISASTER MANAGEMENT

• CMP: Crisis Management Plan. Event Escalation Response (Corporate Impact). Non-physical or physical impacts. Examples: Exxon – Valdez Oil Spill, J&J – Tylenol Tampering, Hudson Foods – Meat Threat
• IT-DRP: IT Disaster Recovery Plan (Technology - Voice & Data Impact). Network Failure, Sabotage, Virus, Physical Loss of Systems, Etc.
• ERP: Emergency Response Plan. Event Driven Response (Site Impact). Contamination, Bomb-threat, Fire, Earthquake, Wind, Etc.
• BCP: Business Continuity Plan. Time Driven Response (Site and Business and Image Impact). Infrastructure Disruptions, Business Unit Disruptions, Department Disruptions (Failure to deliver product or service)

Depending on Event, the integration of all Plans is Possible.

WHERE SHOULD YOU GO FROM HERE?

What plans does a practice need?

• Crisis Management Plan
• Emergency Response Plan
• Business Continuity Plan
• IT Disaster Recovery Plan

Focus on Outcomes Not Causes

1. Loss of Technology – the technology you use is not available or doesn’t work (telephone, website, accounting systems, membership databases, etc.)

2. Loss of a Building – all or part of building is destroyed or out of action

3. Denial of Access to a building – your staff and/or tenants are not allowed into their place of work

Focus on Outcomes Not Causes cont.

Scenarios cont.

4. Loss of Staff – key staff are unable to attend work (chain of command, cross training needs, etc.)

5. Loss of a Supplier – a supplier or vendor is unable to provide critical services, products or resources (contractors, consultants, etc.)

Business Impact Analysis

• Identify the risks that threaten the operations
• Identify Critical Functions
• Analyze/Estimate impact on business operations
• Identify/Analyze Resources/Capabilities

Risk & Vulnerability Assessment

• Naturally Occurring
• Human-Caused
• Technological

[Diagram: Hazard Identification, Vulnerability Assessment, Impact Analysis]

• Hazards (Hazard Identification): Fire/Explosion; Natural Hazards; Terrorism; Workplace Violence; Pandemic Disease; Utility Outage
• Assets at Risk (Vulnerability Assessment): People; Buildings; Equipment; Information Technology; Business Operations; Cash/Financial Assets
• Impacts (Impact Analysis): Casualties; Property Damage; Business Interruption; Loss of Customers; Financial Loss; Fines/Penalties; Lawsuits

Disaster Declarations (Federal)

Critical Functions Assessment

• Identify all organization functions
• Identify critical processes/services
• Identify dependencies & interdependencies
• Identify priorities
• Recovery Time Objective (RTO)

• Staff
• Facility / Equipment
• Technology
• Files

*Critical Function - Function that must be delivered during a disruption, even if it is at a reduced level, for the business to survive (ex. payroll, online systems, accounts payable)

Resource Assessment

Internal
• Personnel
• Equipment
• Facilities
• Organizational capabilities

External
• Local emergency management office
• Fire / Police Departments
• Hazmat Response
• Emergency medical services
• Utilities
• Critical Contractors / Suppliers

Mitigation Strategies

• Mitigate risks that threaten the health and safety of people, company assets, operations, or the environment
• Hazard Elimination / Minimization
• Installation of Protection Systems
• Duplication of Critical Resources / Processes
• Relocation (personnel/patients)
• Qualification of Secondary Suppliers
• Outsourcing

Example Mitigation Strategies

• Substitution of Less Hazardous Components
• Fire Protection/Suppression Systems
• Security Systems/Controls
• Building Construction
• Vendor Readiness
• IT Backup Strategies / DR Sites

Business Continuity Strategies

• Corporate
• Process-Level
• Resource Recovery

• Workarounds
• Remote Working
• Mutual Agreements
• Third-Party Alternate Sites
• Outsourcing
• “Do nothing”

Crisis Management Plan Overview

• Provides for the safety of personnel
• Provides step by step action plan for facility and people-related issues
• Establishes a communication system for response/recovery team mobilization
• Establishes alternate operating and data processing facilities

Emergency Response Plan Overview

Management Elements
• Direction and control
• Communications
• Life safety
• Property protection
• Community outreach
• Recovery and restoration
• Administration and logistics

Response Elements
• Threat-specific procedures
• Protective Actions
• Training
• Resource Management
• Termination, Reporting, and Follow-up

Business Continuity Plan Overview

• Step-by-step procedures for operating critical business functions during recovery from an incident/disaster
• Establishes:
  – Pre-positioned contingencies to mitigate the downtime impact on critical business functions
• Principle: Critical business functions need to be recovered within 48 hours or your business is at risk of failing at recovery

IT Disaster Recovery Plan Overview

• Illustrates how IT supports the business
• Maps out step-by-step procedures to ensure the recovery of each critical component of the IT infrastructure
  – Hardware
  – Data (electronic and paper)
  – Applications
  – Telecommunications
  – Specialized Equipment
  – Supplies

Supporting Documentation

• Emergency Call Lists
• Resource lists
• Detailed Building / Site Maps
• Business Unit Procedures
• Alternate Sites
• Critical Vendor Lists (primary and secondary)

EDUCATING & PREPARING YOUR STAFF

Protective Action Planning

• Relocation
  – Used when an emergency is confined to a single floor/area
• Evacuation
  – Used when potential for massive fire or explosion or when practical
  – Long duration incidents
• Shelter In Place
  – Short to mid-duration incidents
  – It’s a greater hazard to attempt to move or impractical to evacuate

In a Disaster, Communication is King!

• Clear Procedures for Notifying Affected Parties
  – Where to report
  – Emergency Status
• Easy methods
  – Voicemail, Hotline, Call Trees, E-mail, Public News, Social Media, etc.

Training

• Teams should be organized to execute on plan elements
• Training should be provided to all team members
  – Orientation / Ongoing
• Create an awareness campaign for all staff
• Develop a “culture” of preparedness

General Employee Training

• Roles and responsibilities
• Information about threats, hazards and protective actions
• Notification, warning and communications procedures
• Emergency response procedures
• Location / use of common emergency equipment
• Emergency shutdown procedures
• BCP Procedures / Alternate Operating Strategies

Drills / Exercises

• Regularly Test/Exercise the Plan
  – Tabletop
  – Functional
  – Full-Scale
• Test Protective Actions
  – Relocation
  – Evacuation
  – Shelter-in-Place
• Test Continuity/Recovery Strategies
• Integrate Internal and External Responders

Sample Table Top Exercise

• 8:00AM
  – Plenty of discussion on the past weekend in the NFL
• 1:30PM
  – Fire reported in the kennel area
  – Attempts to extinguish fire were unsuccessful
  – 4 employees report smoke inhalation and are sent to hospital
• 2:30PM
  – Facilities Crisis Leader completes initial assessment
  – Report of severe damage to 25% of the building; remainder of facility with only smoke damage
  – 3 employees admitted into the hospital due to injuries/illnesses
  – Media representatives report to location for statement
• 9:30PM
  – Further assessment estimates practice downtime at 4-6 weeks

What actions should be taken at this point if it were your practice?

TAKEAWAYS

Your Action Items

• Gather a team
• Assess Risks and Vulnerabilities
• Develop Plans to Mitigate Hazards
• Develop Plans to Respond to Events
• Develop a Plan to Ensure Continuity of Your Business
• Train
• Update Plans
• Discuss and Practice Strategies

Resources

• www.ready.gov
• AVMA Emergency Preparedness and Response Guide (www.avma.org)
• http://www.nfpa.org/catalog/product.asp?pid=160013&icid=B484&cookie%5Ftest=1
• Insurance carrier resources
  – Written materials
  – Educational events

“It” can happen, so plan for “It” before “It” strikes

Questions?

Tom Heebner, CSP, ARM, ABCP AVP / Risk Consultant HUB International Risk Services Division P: 312.279.4957 E: [email protected]