B C P
Transcription
B C P
BUSINESS CONTINUITY PLANNING GUIDE ACKNOWLEDGEMENTS Disaster Ready Chippewa Valley (DRCV) Steering Committee The DRCV Steering Committee directed the development of this planning guide and the DRCV Business Continuity Plan Template. As of October 2009, the DRCV Steering Committee members were: Tom Gillett, President, Indianhead Foodservice Distributor (co-chair) Hal Swanstom, Director, Eau Claire County Emergency Management (co-chair) John Baltes, Director of Loss Prevention & Safety, UW-Eau Claire Randy Beck, Executive V.P./Risk & Facility Management, Royal Credit Union Richard Kelly, Manager, Safety & Loss Control, Eau Claire Energy Cooperative Gerald Leff, Dunn County ARES/RACES Jenny Legaspi, Emergency Services Director, American Red Cross Dan Liddell, Safety Engineer, Hutchinson Technology Derrick Longdo, President, IRIS Technology, LLC Marge McFarlane, Superior Performance, LLC Colleen Schian, Risk Manager, City of Eau Claire Funding Support The compilation of this guide and the DRCV template were supported with grant assistance from the State of Wisconsin Office of Justice Assistance to Eau Claire County Emergency Management. This support enabled West Central Wisconsin Regional Planning Commission to develop this guide under the direction of DRCV. Other Resources Elements of the following business continuity models and materials in particular were adapted for this planning guide and the DRCV template: Ready Your Business: 12 Point Program for Success to Business Continuity Planning. PrivatePublic Partnership of Dane County. (www.countyofdane.com/ems) Business Continuity Guideline. ASIS International. (www.asisonline.org) Sample Business Continuity and Disaster Preparedness Plan. FEMA. (www.ready.gov/business) Florida Business Continuity Plan Template (www.fldisasterkit.com). Various Partners. Various assessment and planning forms. School of Criminal Justice, Michigan State University – Critical Incident Protocol Program (www.cip.msu.edu) I. INTRODUCTION a. What is a Business Continuity Plan? Business continuity planning is the processes of identifying actions so that your organization can manage and survive a crisis. In order to identify actions, the organization must assess its hazard risks Business Continuity Plan and threats. Depending on the organization, these risks may be natural An ongoing process supported by senior hazards, man-made, technological, management and funded to ensure that the economic, or regulatory. necessary steps are taken to indentify the impact of potential losses, maintain viable recovery strategies and plans, and ensure the continuity of operations through personnel training, plan testing, and maintenance. – ASIS International Since mitigating the impacts of crisis situation or disaster event is an important factor in your business’s survival, your business continuity plan may refer to and encompass other emergency plans for your organization. Within this guide, the terms “business” and “organization” are used interchangeably. The approach is reasonably generalized so that the example template can be adapted for use by private sector businesses, non-profit organizations, and public sector agencies. b. Why Plan? Using a formal planning process requires an organization to consider existing conditions and risks, then identify strategies to address these risks based on available resources and circumstances specific to the business. Without such a process, an organization is not fully prepared to meet changing conditions, protect its critical business functions, and secure its assets (e.g., facility, equipment, data, personnel). Consider the following statistics: • 25+% of businesses do not reopen following a major disaster1 • 75% of companies without a business continuity plan fail within 3 years of a disaster2 • 43% of businesses experiencing catastrophic data loss never reopen3 Also keep in mind that you are an important part of the community and your success is important to the Chippewa Valley. And many organizations may be called upon to provide resources during or after a disaster event in the area. For example, following Hurricanes Katrina and Rita, the private sector often was far more nimble at providing manpower, materials, and logistics than many parts of the federal government. 1 The Institute for Business & Home Safety Crisis Management International 3 University of Texas – Center for Research on Information Systems 2 1 II. DEVELOPING YOUR PLAN a. Getting Started The following is a suggested approach to getting started on a business continuity plan for your organization: 1) Obtain a commitment from management (see Section III.a.) 2) Identify your planning team and team leader. 3) Review the DRCV Business Continuity Plan Template. Modify and add additional sections if necessary. Use the template as a starting point. 4) Collect copies of existing emergency plans, procedures, etc. 5) Collect copies of organizational charts, business plans, system processes, etc. 6) Collect information on past hazard risks or disaster events which have impacted your organization or business. 7) Establish a schedule for completion of the plan. Management should assign accountability. 8) Obtain planning assistance if needed. As you review the plan template and begin collecting information, it may become apparent that the assistance of a consultant is needed for portions or all of your plan. For many organizations, planning for computer data protection, storage, and recovery is sufficiently complex that specialized expertise is needed and a stand-alone plan on this topic warranted. What is most important is that you begin planning for your organization. Don’t let the potential scope of the project deter you from starting. Complete those portions of the plan that time and resources allow. You can continue to amend your plan and provide greater details in the future. b. Identifying Your Planning Team Create the planning team which best suits your organization. While one or two key persons may sufficiently plan for smaller organizations and businesses, larger organizations may require a larger planning team representing different aspects of the business such as management, finance, security, information management, human resources and safety. A planning team leader should be identified, along with who will be responsible for compiling the business continuity plan document. You may also need to contact additional resources during the development of your plan, such as those list below and in the next sub-section: key suppliers, clients, or contracted firms • public sector planning or emergency personnel your insurance agent and accountant utilities and communications providers trade associations and other area businesses • property management, if applicable • • • • 2 c. Helpful Resources Local Resources – Public Sector Chippewa County Emergency Management: http://www.co.chippewa.wi.us/emergency_management/ Dunn County Emergency Management: http://dunncountywi.govoffice2.com/ Eau Claire County Emergency Management: http://www.co.eauclaire.wi.us/CountyDepartments/planning_and_development/emergency_management.htm Chippewa Valley Technical College – Emergency Service Education Center: http://www.cvtc.edu/pages/556.asp Chippewa Valley Technical College – Business & Industry Services: http://www.pwebcluster1.cvtc.edu/pages/366.asp UW-Eau Claire – Safety Reference Guides: http://www.uwec.edu/LPS/references/index.htm City of Eau Claire Emergency Preparedness Information & Guides: http://www.eauclaire.wi.gov/government/emergency-preparedess Local Resources – Public Health Western Region Partnership for Public Health Preparedness: http://www.wrpphp.org Chippewa County Department of Public Health: http://www.co.chippewa.wi.us/CCDPH Dunn County Public Health: http://dunncountywi.govoffice2.com/ Eau Claire City-County Health Department: http://www.ci.eau-claire.wi.us/health-departmenthome Local Resources – Nonprofit Disaster Ready Chippewa Valley: http://www.disasterreadychippewavalley.org American Red Cross – Chippewa Valley Chapter: http://www.redcrossww.org SCORE (general business counseling): http://www.score-eauclaire.org Other Nonprofit and Professional Associations: Institute for Business & Home Safety: http://www.ibhs.org National Emergency Management Association: http://www.nemaweb.org National Fire Protection Association: http://firewise.org Public Entity Risk Institute: http://www.riskinstitute.org U.S. Chamber of Commerce: http://www.uschamber.com Other Government Resources: U.S. Department of Homeland Security Emergency Preparedness: http://www.ready.gov OSHA Emergency Preparedness: http://www.osha.gov/SLTC/emergencypreparedness/index.html Small Business Administration Disaster Assistance: http://www.sba.gov/services/disasterassistance/index.html Wisconsin Emergency Management: http://emergencymanagement.wi.gov/ 3 Business Continuity Planning Organizations: Business Continuity Planners Association: http://www.bcpa.org Disaster Recovery Institute International: http://www.drii.org The Business Continuity Institute: http://www.thebci.org Business Continuity Planning Publications and Materials: Contingency Planning & Management: http://www.contingencyplanning.com Disaster Recovery Journal: http://www.drj.com Disaster Resource Guide: http://www.disaster-resource.com On-line Business Continuity Planning Course: http://nonprofitrisk.org/tools/buinsesscontinuity/intro/1-htm Glossary of Business Continuity Terms: http://en.bcmpedia.org/wiki/Main_Page Private-Public Partnership of Dane County: http://www.countyofdane.com/ems ASIS International Business Continuity Guideline. http://www.asisonline.org FEMA. Sample Business Continuity and Disaster Preparedness Plan. http://www.ready.gov/business Florida “Partnership” Business Continuity Plan Template http://www.fldisasterkit.com Michigan State University – Critical Incident Protocol Program http://www.cip.msu.edu Cyber Security Sites: Department of Homeland Security National Cyber Alert System:www.us-cert.gov National Cyber Security Partnership: Small Business Cyber Security Guidebook: http://www.cyberpartnership.org/CommonSenseGuideBus.pdf National Cyber Security Alliance: Stay Safe Online: http://www.staysafeonline.info/ Pandemic/Avian Flu Preparedness: City of Eau Claire Emergency Preparedness Information & Guides: http://www.eauclaire.wi.gov/government/emergency-preparedess Western Region Partnership for Public Health Preparedness: http://www.wrpphp.org Wisconsin Pandemic Flu Resource: http://pandemic.wisconsin.gov Centers for Disease Control: http://cdc.gov U.S. Government Pandemic Flu: http://pandemicflu.gov Critical Infrastructure: Pandemic Planning http://pandemicflu.gov/plan/pdf/CIKRpandemicInfluenzaGuide.pdf Also contact your county health department. Emergency Evacuation Preparedness: Guide for People with Disabilities and Other Activity Limitations: http://www.cdihp.org/training American Red Cross http://www.prepare.org/disabilities Family Preparedness City of Eau Claire Emergency Preparedness Information & Guides: http://www.eauclaire.wi.gov/government/emergency-preparedess 4 d. Overview of Hazard Risks in the Chippewa Valley Natural Hazards Natural hazards have a long history in the Chippewa Valley and surrounding area: • Recent area tornado history includes 1958 Colfax, 1994 Foster, 2001 Siren, and 2002 Ladysmith. • Since 1983, approximately $10 million in property damage has been due to lightningcreated fires in Eau Clare County. High straight-line winds and/or hail can cause significant damage to windows, outside inventory, and storage structures. • Expect 3 to 4 winter storms each year. Temperatures dipped to -45ºF in January 1951. Serious ice storms or freezing rain events every 2.4 years. • A serious flooding event occurs every two to three years on average, with growing stormwater flooding concerns in the area. The 1993 floods caused over $10 million in damage, including damages to more than 50 businesses, in Eau Claire County alone. In 2000, about 8” of rain fell within 24 hours causing stormwater flooding damage in the area. Many structures not within a 100-year floodplain do not have flood insurance. Eau Claire Flooding, 1905 Swine Flu (H1N1) has raised awareness of potential pandemic threats with new cases continuing to be reported. To date, Avian Flu (H5N1) has not been confirmed in the U.S., though it has a much higher death rate than the Swine Flu. • Technological Disasters Chemical spills and infrastructure failure (power outages, bridge collapse, dam failure) are types of technological disaster, which may be induced by a natural hazard event. Some example threats: • In 1996, the City of Weyauwega was evacuated for 16 days to due to a hazardous materials spill related to a train derailment; this same rail line runs through our area. • In the Winter of 1998, over 4 million persons in the Montreal area were without power (some for over 3 weeks) due to an ice storm. • Large portions of the cities of Chippewa Falls and Eau Claire lie within a dam shadow. “Designer” Disasters “Designer” disasters include acts of domestic or international terrorism, including bioterrorism, cyber-terrorism, eco-terrorism, bomb threats, sabotage, and other purposely induced natural or technological hazards. Such acts have been uncommon and largely limited in the Chippewa Valley to pipe bombs, arson, or vandalism. 5 Organizational Hazards Some organizations may be drastically impacted by the loss of a key employee, a piece of critical equipment, a key supplier, or a large customer. Product recalls, certain regulatory changes, or labor relations can also impact certain businesses. Not all business continuity plans encompass such threats which are often specific to an organization, though such hazards can be as devastating to operations as a natural disaster event. Each organization should individually assess the need to encompass organizational hazards within their plan’s scope. Weyauwega Train Derailment, 1996 Siren Tornado, 2001 WRR Environmental Services Fire, Eau Claire, 2007 e. DRCV Business Continuity Plan Template Disaster Ready Chippewa Valley developed a companion document to this guide—the DRCV Business Continuity Plan Template. The template was compiled from a review of a numerous different planning models, offering local businesses and organizations an easy to understand “fill-in-the-blank” style template. The DRCV template includes ten sections encompassing existing conditions (business information, key responsibilities, critical resources), assessment, and recommendations (action plan, human resources, sheltering/evacuation, vital records). The DRCV template should be considered a starting point. You may need to modify and amend the document to best address the circumstance of your organization. For some businesses, certain sections of the plan template may already be complete and can be referenced or attached (e.g., emergency contact information, data management plan). 6 f. Action Plan Ideas The action plan is an important part of your business continuity plan (see Section 6 of the DRCV Business Continuity Plan Template). The following is a list of action plan ideas taken from the Private-Public Partnership of Dane County’s “Ready Your Business: 12 Point Program for Success to Business Continuity Planning”. No Cost Identify two or three contractors or supply sources for emergency items. Pre-qualify with alternate suppliers/vendors for emergency accounts Calculate the cost of business interruptions for one week, one month and six months. Ask your insurance company or agent about policy coverage and costs. Write a short checklist of recovery action items for your firm. Maintain a current emergency contact list for employees and emergency services, such as police, fire and utilities. Contact your city or county building department to determine the Base Flood Elevation (BFE) and the Design in Flood Elevation (DFE) at your location and your building’s susceptibility to flooding. Keep your building’s flood vents clear of debris or other blockage. Conduct a fire drill and check with your local fire department to determine FIRE risk at your location. Talk to your people about the company’s disaster plans. Two-way communication before, during and after a disaster. Set up a telephone call tree – and alternate employee communication procedures. Keep some cash and an ATM card or credit card on hand. Identify an alternate location if your building becomes unusable Talk to utility service providers about potential alternatives and identify back-up options. Promote family and individual preparedness among your co-workers; include emergency preparedness information during staff meetings, in newsletters, in company intranet, in periodic employee e-mails, and other internal communications tools. Request no-cost publications from FEMA (800) 480-2520 for individual, family and workplace preparedness Under $100 Purchase a First Aid Kit. Purchase and store bottled water for emergency use (two days minimum). Stock a supply of non-perishable foods, paper plates, napkins and plastic utensils. Purchase a NOAA Weather Alert Radio with S.A.M.E. technology to program for your specific area. Buy a stock of flashlights, batteries, pens, paper, paper towels, packing tape, etc. for disaster supply kit. Keep supplies of items such as duct tape, waterproof plastic, shut-off wrench for water and gas, whistle, compass, plastic bucket with tight lid, work gloves, pliers, hammer, plastic garbage bags and ties. Purchase/maintain camera and film. 7 Purchase an AM/FM radio, battery operated, or hand crank radio. Restrain/secure desktop computers, compressed gas cylinders and other small items from earthquake shaking. Elevate valuable contents on shelves above base flood level. Apply asphalt cement under tabs of loose shingles. Caulk/insulate around openings in outside walls, roof and attic. Purchase fire extinguishers and smoke alarms Attend annual Ready Your Business Conferences (Utah Division of Homeland Security) $100 - $499 Provide C.E.R.T./ First Aid and CPR training for employees. Purchase all items from the workplace supply list. Purchase a small back-up generator and maintain fuel. Purchase and maintain fuel for a sump pump. Brace major appliances, such as water heaters, and furnaces to the floor or wall. More than $500 Purchase and install a multi-KV generator, pre-wired to the building’s essential electrical circuits. Purchase removable shutters/ install permanent shutters for wind-borne debris protection. Re-roof with an impact resistant roof covering. Install high wind connectors in roof systems. Re-roof with Class A fire resistant roof covering in wildfire prone areas. Hire an engineer to evaluate the building’s wind or seismic resistance. Conduct a one-hour drill simulating the occurrence of a flood, earthquake or other hazard. Send the key safety/emergency response employee to several days training or conference. Purchase additional insurance (business interruptions, loss of income, extra expense, flood, earthquake). Store duplicate records off site at a secure facility. Purchase a removable computer storage device, store data off-site. Establish a voice communications system to meet your emergency needs – e.g. voicemail conference call capability, Private Branch Exchange (PBX), Automatic Call Distribution (ACD) system. Install a monitored smoke alarm system. Install lightning protection system. Given current concerns with pandemics due to the H1N1 (Swine Flu) virus, information on small business planning for pandemics has been included as an attachment at the end of this guide. 8 III. PUTTING YOUR PLAN INTO ACTION a. Management Commitment Business continuity planning should not just be an exercise. It takes a commitment of time to fully develop a plan and a completed plan may include recommended actions which change policies or require an investment to protect critical business functions. “Top down” leadership is vital to ensuring accountability in plan development, implementation, and maintenance. The senior leadership of your organization should be committed to undertaking a business continuity planning effort from the start and, if possible, have an active role as part of the planning team. Once the plan is completed, management approval is also needed, as well as a commitment to periodically review and update the plan. The roles of management will vary by organization. b. General Implementation The action plan section of the DRCV Business Continuity Plan Template prompts the planning team to identify needed resources and a key responsible party for each strategy. When possible, add a completion date for each strategy and ensure that the key responsible parties are aware of management expectations. Communicate your plan recommendations and emergency procedures to employees and supervisors. Go that extra step. Some business continuity models suggest detailed forms be completed for each employee, key supplier/vendor, key clients, essential equipment, and each vital record. One such source for such forms is the Institute for Business & Home Safety.4 Though the DRCV template does not include such detailed forms, we encourage you to take your plan “to the next level” and incorporate such documents. c. Testing and Training Exercises, drills, and training are important parts of plan implementation. Sections 7 and 8 of the DRCV template prompt you to identify a training approach. It may be helpful to attach a calendar or list of key dates for testing and training. d. Plan Evaluation and Updates Your business continuity plan is a living document, and should reflect the dynamic world in which we live. It is recommended that you evaluate and update your plan at least annually. As part of your evaluation, also review progress on the implementation of your action plan and other plan recommendations. Consider scheduling your plan evaluation and update to immediately following testing and training; strengthen your plan based on the lessons learned during your training exercises. Changing conditions or a new risk may require a plan update between your normally scheduled evaluation dates. Section 10 of the DRCV Business Continuity Plan Template addresses plan evaluation and updates. 4 Open for Business: A Disaster Planning Toolkit for the Small to Mid-Sized Business Owner. www.ibhs.org/business_protection. Also includes a property protection checklist. 9 Special Addendum: Small Business Planning for Pandemics The following information was taken from the Private-Public Partnership of Dane County’s “Ready Your Business: 12 Point Program for Success to Business Continuity Planning”. The CDC checklist, www.pandemicflu.gov/plan/businesschecklist.html is a great resource for large companies, but may be difficult to read or follow for small businesses. We have collected information that may be useful for small businesses that are trying to prepare for a pandemic. This document may be changed as new information becomes available, so check back for updated versions. All businesses, even small ones, need to prepare for a pandemic. Small businesses have fewer workers and less capital, and are more likely to have difficulty operating under trying times. Spend some time planning now to save your business later. First thing to do: • Find your important documents (such as business licenses, accounts, etc.) and be sure you have backup copies. Make paper copies of essential documents. If your power goes out for a long period, what papers would you need to continue running your business? • Providing food (grocery, farmers), water (public utilities), commerce (banks), energy (electricity, gas), transportation (mass transit, repair, cargo transport), healthcare (doctors, nurses, hospitals), public safety (police, fire, EMS,), and communications (phone service) are examples of critical or essential services. Do you sell essential products or provide any essential services? Communicate with your workers: • • • • • Talk to your workers NOW and work together to plan for an emergency. If your workers are part of a union or labor group, involve them as well. Keep a current list of phone numbers for your employees so that you can contact them during an emergency. Encourage workers to get an annual influenza vaccination (“flu shot”). Help your workers prepare emergency kits for themselves and their families. Educate Workers on the importance of: o Hand washing o Respiratory etiquette (cover coughs and sneezes, using disposable tissues when possible) o Healthy diet o Exercise 10 o How to recognize the difference between influenza (“flu”) and a cold (influenza is much more severe, it hits you very suddenly, you have fever and aches) o The difference between “seasonal flu” and “pandemic flu” (seasonal flu comes every year, pandemic flu is when the flu strain changes and people may become much sicker than usual, and some may die). Reduced number of workers: You may only have half of your workers during a pandemic. Some will be sick, and some may stay home to take care of sick family members or care for children. Here are some ideas on how you can keep your business open during a pandemic or other emergency. • Limit some of your services. At a minimum, try to provide essential services during a pandemic or emergency situation. • Reduce the hours you are open for business. • Cross-train your employees. Make sure that you don’t have only one or two workers that know how to do a critical part of your work. If they become ill, you would have difficulty keeping your business open. • Recall and retrain retired workers. Keep home numbers and addresses of workers who have retired. You may need to ask them to help during a pandemic or other emergency. • Plan on selling, servicing, and making products with fewer workers. • If you are out sick, will your business continue to operate? Identify workers who can make key decisions in the absence of owners/managers. Social distancing: If a pandemic occurs, you may be asked to have your business participate in social distancing. This means that people should stay at least 3 feet apart from each other. Here are some ideas that can help: • Encourage frequent hand washing. • Limit face-to-face contact. o Try to reduce people standing in lines or crowds. o Ask customers to stand further away from workers and each other. o Install plexiglass panels between workers and customers. o Use telephones to communicate with customers or internal staff. o Stop hand shaking o Spread out seating in meetings, or meet via teleconference. o Stop sharing of workstations. o Avoid unnecessary meetings. o Limit the number of people on elevators, and encourage people to use the stairs. 11 o Have your business work additional shifts or stagger shifts, with fewer workers per shift, to increase the distance between employees. o Have your employees work from home. Plan ahead: Keeping your workers healthy is one of your biggest priorities. Sick workers much not come to work, or stay at work, because they can infect your other healthy workers. • Review your sick leave policies. During a public health emergency, sick workers must not come to work, even if you are short-staffed. Do not allow sick employees to stay at work. You must not punish employees if they are sick during an emergency. Establish clear policies and guidelines not that will help employees understand options and expectations for when they are ill. • What will your business do if a worker becomes ill while at work? • Provide soap and hot water or alcohol-based hand sanitizers to your employees. Provide disposable tissues. • Mass transit (such as crowded buses) may be suspended during a pandemic. Gasoline may become very expensive and/or difficult to get. How will your employees get to work? • Develop infection control practices, such as decontaminating office surfaces, such as phones, keyboards, etc. daily. Other things to consider: • Long distance travel may be temporarily stopped. Try to avoid travel (especially to affected areas) by using teleconferencing or video conferencing. See if there are local suppliers available to your business. • Do you have employees with special needs, such as disabled workers or those unable to read/write, etc? How will they be cared for? • If a pandemic occurs, your suppliers may be cut off. Can you increase your inventory of raw materials? • How will you communicate with your customers, suppliers, and general public during an emergency? Do you have a website? Use password-protected websites to communicate sensitive information with employees. • Make sure that you can access TV, radio, and/or the internet at work to follow developments as they occur. • How will your business be affected by a pandemic? For example, if mass gatherings are cancelled, would your business be affected? Some businesses may be very busy during a pandemic, such as gas stations, grocery stores, etc. 12 13 14