B C P

Transcription

B C P
BUSINESS CONTINUITY
PLANNING GUIDE
ACKNOWLEDGEMENTS
Disaster Ready Chippewa Valley (DRCV) Steering Committee
The DRCV Steering Committee directed the development of this planning guide and the DRCV
Business Continuity Plan Template. As of October 2009, the DRCV Steering Committee
members were:
Tom Gillett, President, Indianhead Foodservice Distributor (co-chair)
Hal Swanstom, Director, Eau Claire County Emergency Management (co-chair)
John Baltes, Director of Loss Prevention & Safety, UW-Eau Claire
Randy Beck, Executive V.P./Risk & Facility Management, Royal Credit Union
Richard Kelly, Manager, Safety & Loss Control, Eau Claire Energy Cooperative
Gerald Leff, Dunn County ARES/RACES
Jenny Legaspi, Emergency Services Director, American Red Cross
Dan Liddell, Safety Engineer, Hutchinson Technology
Derrick Longdo, President, IRIS Technology, LLC
Marge McFarlane, Superior Performance, LLC
Colleen Schian, Risk Manager, City of Eau Claire
Funding Support
The compilation of this guide and the DRCV template were supported with grant
assistance from the State of Wisconsin Office of Justice Assistance to Eau Claire
County Emergency Management. This support enabled West Central Wisconsin
Regional Planning Commission to develop this guide under the direction of
DRCV.
Other Resources
Elements of the following business continuity models and materials in particular were adapted
for this planning guide and the DRCV template:
Ready Your Business: 12 Point Program for Success to Business Continuity Planning. PrivatePublic Partnership of Dane County. (www.countyofdane.com/ems)
Business Continuity Guideline. ASIS International. (www.asisonline.org)
Sample Business Continuity and Disaster Preparedness Plan. FEMA.
(www.ready.gov/business)
Florida Business Continuity Plan Template (www.fldisasterkit.com). Various Partners.
Various assessment and planning forms. School of Criminal Justice, Michigan State University
– Critical Incident Protocol Program (www.cip.msu.edu)
I. INTRODUCTION
a.
What is a Business Continuity Plan?
Business continuity planning is the processes of identifying actions so that your
organization can manage and survive a crisis. In order to identify actions, the
organization must assess its hazard risks
Business Continuity Plan
and threats.
Depending on the
organization, these risks may be natural
An ongoing process supported by senior
hazards,
man-made,
technological, management and funded to ensure that the
economic, or regulatory.
necessary steps are taken to indentify the
impact of potential losses, maintain viable
recovery strategies and plans, and ensure
the continuity of operations through
personnel training, plan testing, and
maintenance. – ASIS International
Since mitigating the impacts of crisis
situation or disaster event is an important
factor in your business’s survival, your
business continuity plan may refer to and
encompass other emergency plans for
your organization.
Within this guide, the terms “business” and “organization” are used interchangeably. The
approach is reasonably generalized so that the example template can be adapted for use
by private sector businesses, non-profit organizations, and public sector agencies.
b.
Why Plan?
Using a formal planning process requires an organization to consider existing conditions
and risks, then identify strategies to address these risks based on available resources and
circumstances specific to the business. Without such a process, an organization is not
fully prepared to meet changing conditions, protect its critical business functions, and
secure its assets (e.g., facility, equipment, data, personnel).
Consider the following statistics:
•
25+% of businesses do not reopen following a major disaster1
•
75% of companies without a business continuity plan fail within 3 years of a
disaster2
•
43% of businesses experiencing catastrophic data loss never reopen3
Also keep in mind that you are an important part of the community and your success is
important to the Chippewa Valley. And many organizations may be called upon to
provide resources during or after a disaster event in the area. For example, following
Hurricanes Katrina and Rita, the private sector often was far more nimble at providing
manpower, materials, and logistics than many parts of the federal government.
1
The Institute for Business & Home Safety
Crisis Management International
3
University of Texas – Center for Research on Information Systems
2
1
II. DEVELOPING YOUR PLAN
a.
Getting Started
The following is a suggested approach to getting started on a business continuity plan for
your organization:
1) Obtain a commitment from management (see Section III.a.)
2) Identify your planning team and team leader.
3) Review the DRCV Business Continuity Plan Template. Modify and add
additional sections if necessary. Use the template as a starting point.
4) Collect copies of existing emergency plans, procedures, etc.
5) Collect copies of organizational charts, business plans, system processes, etc.
6) Collect information on past hazard risks or disaster events which have impacted
your organization or business.
7) Establish a schedule for completion of the plan. Management should assign
accountability.
8) Obtain planning assistance if needed. As you review the plan template and begin
collecting information, it may become apparent that the assistance of a consultant
is needed for portions or all of your plan. For many organizations, planning for
computer data protection, storage, and recovery is sufficiently complex that
specialized expertise is needed and a stand-alone plan on this topic warranted.
What is most important is that you begin planning for your organization. Don’t let the
potential scope of the project deter you from starting. Complete those portions of the
plan that time and resources allow. You can continue to amend your plan and provide
greater details in the future.
b.
Identifying Your Planning Team
Create the planning team which best suits your organization. While one or two key
persons may sufficiently plan for smaller organizations and businesses, larger
organizations may require a larger planning team representing different aspects of the
business such as management, finance, security, information management, human
resources and safety. A planning team leader should be identified, along with who will
be responsible for compiling the business continuity plan document.
You may also need to contact additional resources during the development of your plan,
such as those list below and in the next sub-section:
key suppliers, clients, or contracted
firms
• public sector planning or emergency
personnel
your insurance agent and accountant
utilities and communications providers
trade associations and other area
businesses
• property management, if applicable
•
•
•
•
2
c.
Helpful Resources
Local Resources – Public Sector
Chippewa County Emergency Management:
http://www.co.chippewa.wi.us/emergency_management/
Dunn County Emergency Management: http://dunncountywi.govoffice2.com/
Eau Claire County Emergency Management: http://www.co.eauclaire.wi.us/CountyDepartments/planning_and_development/emergency_management.htm
Chippewa Valley Technical College – Emergency Service Education Center:
http://www.cvtc.edu/pages/556.asp
Chippewa Valley Technical College – Business & Industry Services:
http://www.pwebcluster1.cvtc.edu/pages/366.asp
UW-Eau Claire – Safety Reference Guides: http://www.uwec.edu/LPS/references/index.htm
City of Eau Claire Emergency Preparedness Information & Guides:
http://www.eauclaire.wi.gov/government/emergency-preparedess
Local Resources – Public Health
Western Region Partnership for Public Health Preparedness: http://www.wrpphp.org
Chippewa County Department of Public Health: http://www.co.chippewa.wi.us/CCDPH
Dunn County Public Health: http://dunncountywi.govoffice2.com/
Eau Claire City-County Health Department: http://www.ci.eau-claire.wi.us/health-departmenthome
Local Resources – Nonprofit
Disaster Ready Chippewa Valley: http://www.disasterreadychippewavalley.org
American Red Cross – Chippewa Valley Chapter: http://www.redcrossww.org
SCORE (general business counseling): http://www.score-eauclaire.org
Other Nonprofit and Professional Associations:
Institute for Business & Home Safety: http://www.ibhs.org
National Emergency Management Association: http://www.nemaweb.org
National Fire Protection Association: http://firewise.org
Public Entity Risk Institute: http://www.riskinstitute.org
U.S. Chamber of Commerce: http://www.uschamber.com
Other Government Resources:
U.S. Department of Homeland Security Emergency Preparedness: http://www.ready.gov
OSHA Emergency Preparedness: http://www.osha.gov/SLTC/emergencypreparedness/index.html
Small Business Administration Disaster Assistance:
http://www.sba.gov/services/disasterassistance/index.html
Wisconsin Emergency Management: http://emergencymanagement.wi.gov/
3
Business Continuity Planning Organizations:
Business Continuity Planners Association: http://www.bcpa.org
Disaster Recovery Institute International: http://www.drii.org
The Business Continuity Institute: http://www.thebci.org
Business Continuity Planning Publications and Materials:
Contingency Planning & Management: http://www.contingencyplanning.com
Disaster Recovery Journal: http://www.drj.com
Disaster Resource Guide: http://www.disaster-resource.com
On-line Business Continuity Planning Course: http://nonprofitrisk.org/tools/buinsesscontinuity/intro/1-htm
Glossary of Business Continuity Terms: http://en.bcmpedia.org/wiki/Main_Page
Private-Public Partnership of Dane County: http://www.countyofdane.com/ems
ASIS International Business Continuity Guideline. http://www.asisonline.org
FEMA. Sample Business Continuity and Disaster Preparedness Plan.
http://www.ready.gov/business
Florida “Partnership” Business Continuity Plan Template http://www.fldisasterkit.com
Michigan State University – Critical Incident Protocol Program http://www.cip.msu.edu
Cyber Security Sites:
Department of Homeland Security National Cyber Alert System:www.us-cert.gov
National Cyber Security Partnership: Small Business Cyber Security Guidebook:
http://www.cyberpartnership.org/CommonSenseGuideBus.pdf
National Cyber Security Alliance: Stay Safe Online: http://www.staysafeonline.info/
Pandemic/Avian Flu Preparedness:
City of Eau Claire Emergency Preparedness Information & Guides:
http://www.eauclaire.wi.gov/government/emergency-preparedess
Western Region Partnership for Public Health Preparedness: http://www.wrpphp.org
Wisconsin Pandemic Flu Resource: http://pandemic.wisconsin.gov
Centers for Disease Control: http://cdc.gov
U.S. Government Pandemic Flu: http://pandemicflu.gov
Critical Infrastructure: Pandemic Planning
http://pandemicflu.gov/plan/pdf/CIKRpandemicInfluenzaGuide.pdf
Also contact your county health department.
Emergency Evacuation Preparedness:
Guide for People with Disabilities and Other Activity Limitations: http://www.cdihp.org/training
American Red Cross http://www.prepare.org/disabilities
Family Preparedness
City of Eau Claire Emergency Preparedness Information & Guides:
http://www.eauclaire.wi.gov/government/emergency-preparedess
4
d.
Overview of Hazard Risks in the Chippewa Valley
Natural Hazards
Natural hazards have a long history in the Chippewa Valley and surrounding area:
•
Recent area tornado history includes 1958 Colfax, 1994 Foster, 2001 Siren, and 2002
Ladysmith.
•
Since 1983, approximately $10 million in property damage has been due to lightningcreated fires in Eau Clare County. High straight-line winds and/or hail can cause
significant damage to windows, outside inventory, and storage structures.
•
Expect 3 to 4 winter storms each year. Temperatures dipped to -45ºF in January
1951. Serious ice storms or freezing rain events every 2.4 years.
•
A serious flooding event occurs every
two to three years on average, with
growing stormwater flooding concerns
in the area. The 1993 floods caused
over $10 million in damage, including
damages to more than 50 businesses,
in Eau Claire County alone. In 2000,
about 8” of rain fell within 24 hours
causing stormwater flooding damage
in the area. Many structures not within
a 100-year floodplain do not have
flood insurance.
Eau Claire Flooding, 1905
Swine Flu (H1N1) has raised awareness of potential pandemic threats with new cases
continuing to be reported. To date, Avian Flu (H5N1) has not been confirmed in the
U.S., though it has a much higher death rate than the Swine Flu.
•
Technological Disasters
Chemical spills and infrastructure failure (power outages, bridge collapse, dam failure)
are types of technological disaster, which may be induced by a natural hazard event.
Some example threats:
•
In 1996, the City of Weyauwega was evacuated for 16 days to due to a hazardous
materials spill related to a train derailment; this same rail line runs through our area.
•
In the Winter of 1998, over 4 million persons in the Montreal area were without
power (some for over 3 weeks) due to an ice storm.
•
Large portions of the cities of Chippewa Falls and Eau Claire lie within a dam
shadow.
“Designer” Disasters
“Designer” disasters include acts of domestic or international terrorism, including bioterrorism, cyber-terrorism, eco-terrorism, bomb threats, sabotage, and other purposely
induced natural or technological hazards. Such acts have been uncommon and largely
limited in the Chippewa Valley to pipe bombs, arson, or vandalism.
5
Organizational Hazards
Some organizations may be drastically impacted by the loss of a key employee, a piece of
critical equipment, a key supplier, or a large customer. Product recalls, certain regulatory
changes, or labor relations can also impact certain businesses. Not all business continuity
plans encompass such threats which are often specific to an organization, though such
hazards can be as devastating to operations as a natural disaster event. Each organization
should individually assess the need to encompass organizational hazards within their
plan’s scope.
Weyauwega Train
Derailment, 1996
Siren Tornado,
2001
WRR Environmental
Services
Fire, Eau Claire, 2007
e.
DRCV Business Continuity Plan Template
Disaster Ready Chippewa Valley developed a companion document to this guide—the
DRCV Business Continuity Plan Template. The template was compiled from a review of
a numerous different planning models, offering local businesses and organizations an
easy to understand “fill-in-the-blank” style template.
The DRCV template includes ten sections encompassing existing conditions (business
information, key responsibilities, critical resources), assessment, and recommendations
(action plan, human resources, sheltering/evacuation, vital records).
The DRCV template should be considered a starting point. You may need to modify and
amend the document to best address the circumstance of your organization. For some
businesses, certain sections of the plan template may already be complete and can be
referenced or attached (e.g., emergency contact information, data management plan).
6
f.
Action Plan Ideas
The action plan is an important part of your business continuity plan (see Section 6 of the
DRCV Business Continuity Plan Template). The following is a list of action plan ideas
taken from the Private-Public Partnership of Dane County’s “Ready Your Business: 12
Point Program for Success to Business Continuity Planning”.
No Cost
Identify two or three contractors or supply sources for emergency items.
Pre-qualify with alternate suppliers/vendors for emergency accounts
Calculate the cost of business interruptions for one week, one month and six months.
Ask your insurance company or agent about policy coverage and costs.
Write a short checklist of recovery action items for your firm.
Maintain a current emergency contact list for employees and emergency services,
such as police, fire and utilities.
Contact your city or county building department to determine the Base Flood
Elevation (BFE) and the Design in Flood Elevation
(DFE) at your location and your building’s susceptibility to flooding.
Keep your building’s flood vents clear of debris or other blockage.
Conduct a fire drill and check with your local fire department to determine FIRE risk
at your location.
Talk to your people about the company’s disaster plans. Two-way communication
before, during and after a disaster.
Set up a telephone call tree – and alternate employee communication procedures.
Keep some cash and an ATM card or credit card on hand.
Identify an alternate location if your building becomes unusable
Talk to utility service providers about potential alternatives and identify back-up
options.
Promote family and individual preparedness among your co-workers; include
emergency preparedness information during staff
meetings, in newsletters, in company intranet, in periodic employee e-mails, and
other internal communications tools.
Request no-cost publications from FEMA (800) 480-2520 for individual, family and
workplace preparedness
Under $100
Purchase a First Aid Kit.
Purchase and store bottled water for emergency use (two days minimum).
Stock a supply of non-perishable foods, paper plates, napkins and plastic utensils.
Purchase a NOAA Weather Alert Radio with S.A.M.E. technology to program for
your specific area.
Buy a stock of flashlights, batteries, pens, paper, paper towels, packing tape, etc. for
disaster supply kit.
Keep supplies of items such as duct tape, waterproof plastic, shut-off wrench for
water and gas, whistle, compass, plastic bucket with
tight lid, work gloves, pliers, hammer, plastic garbage bags and ties.
Purchase/maintain camera and film.
7
Purchase an AM/FM radio, battery operated, or hand crank radio.
Restrain/secure desktop computers, compressed gas cylinders and other small items
from earthquake shaking.
Elevate valuable contents on shelves above base flood level.
Apply asphalt cement under tabs of loose shingles.
Caulk/insulate around openings in outside walls, roof and attic.
Purchase fire extinguishers and smoke alarms
Attend annual Ready Your Business Conferences (Utah Division of Homeland
Security)
$100 - $499
Provide C.E.R.T./ First Aid and CPR training for employees.
Purchase all items from the workplace supply list.
Purchase a small back-up generator and maintain fuel.
Purchase and maintain fuel for a sump pump.
Brace major appliances, such as water heaters, and furnaces to the floor or wall.
More than $500
Purchase and install a multi-KV generator, pre-wired to the building’s essential
electrical circuits.
Purchase removable shutters/ install permanent shutters for wind-borne debris
protection.
Re-roof with an impact resistant roof covering.
Install high wind connectors in roof systems.
Re-roof with Class A fire resistant roof covering in wildfire prone areas.
Hire an engineer to evaluate the building’s wind or seismic resistance.
Conduct a one-hour drill simulating the occurrence of a flood, earthquake or other
hazard.
Send the key safety/emergency response employee to several days training or
conference.
Purchase additional insurance (business interruptions, loss of income, extra expense,
flood, earthquake).
Store duplicate records off site at a secure facility.
Purchase a removable computer storage device, store data off-site.
Establish a voice communications system to meet your emergency needs – e.g. voicemail conference call capability, Private Branch
Exchange (PBX), Automatic Call Distribution (ACD) system.
Install a monitored smoke alarm system.
Install lightning protection system.
Given current concerns with pandemics due to the H1N1 (Swine Flu) virus,
information on small business planning for pandemics has been included as an
attachment at the end of this guide.
8
III. PUTTING YOUR PLAN INTO ACTION
a.
Management Commitment
Business continuity planning should not just be an exercise. It takes a commitment of
time to fully develop a plan and a completed plan may include recommended actions
which change policies or require an investment to protect critical business functions.
“Top down” leadership is vital to ensuring accountability in plan development,
implementation, and maintenance. The senior leadership of your organization should be
committed to undertaking a business continuity planning effort from the start and, if
possible, have an active role as part of the planning team. Once the plan is completed,
management approval is also needed, as well as a commitment to periodically review and
update the plan. The roles of management will vary by organization.
b.
General Implementation
The action plan section of the DRCV Business Continuity Plan Template prompts the
planning team to identify needed resources and a key responsible party for each strategy.
When possible, add a completion date for each strategy and ensure that the key
responsible parties are aware of management expectations. Communicate your plan
recommendations and emergency procedures to employees and supervisors.
Go that extra step. Some business continuity models suggest detailed forms be
completed for each employee, key supplier/vendor, key clients, essential equipment, and
each vital record. One such source for such forms is the Institute for Business & Home
Safety.4 Though the DRCV template does not include such detailed forms, we encourage
you to take your plan “to the next level” and incorporate such documents.
c.
Testing and Training
Exercises, drills, and training are important parts of plan implementation. Sections 7 and
8 of the DRCV template prompt you to identify a training approach. It may be helpful to
attach a calendar or list of key dates for testing and training.
d.
Plan Evaluation and Updates
Your business continuity plan is a living document, and should reflect the dynamic world
in which we live. It is recommended that you evaluate and update your plan at least
annually. As part of your evaluation, also review progress on the implementation of your
action plan and other plan recommendations. Consider scheduling your plan evaluation
and update to immediately following testing and training; strengthen your plan based on
the lessons learned during your training exercises. Changing conditions or a new risk
may require a plan update between your normally scheduled evaluation dates. Section 10
of the DRCV Business Continuity Plan Template addresses plan evaluation and updates.
4
Open for Business: A Disaster Planning Toolkit for the Small to Mid-Sized Business Owner.
www.ibhs.org/business_protection. Also includes a property protection checklist.
9
Special Addendum: Small Business
Planning for Pandemics
The following information was taken from the Private-Public Partnership of Dane
County’s “Ready Your Business: 12 Point Program for Success to Business Continuity
Planning”.
The CDC checklist, www.pandemicflu.gov/plan/businesschecklist.html is a great
resource for large companies, but may be difficult to read or follow for small businesses.
We have collected information that may be useful for small businesses that are trying to
prepare for a pandemic. This document may be changed as new information becomes
available, so check back for updated versions.
All businesses, even small ones, need to prepare for a pandemic. Small businesses have
fewer workers and less capital, and are more likely to have difficulty operating under
trying times. Spend some time planning now to save your business later.
First thing to do:
•
Find your important documents (such as business licenses, accounts, etc.) and be
sure you have backup copies. Make paper copies of essential documents. If your
power goes out for a long period, what papers would you need to continue running
your business?
•
Providing food (grocery, farmers), water (public utilities), commerce (banks),
energy (electricity, gas), transportation (mass transit, repair, cargo transport),
healthcare (doctors, nurses, hospitals), public safety (police, fire, EMS,), and
communications (phone service) are examples of critical or essential services. Do
you sell essential products or provide any essential services?
Communicate with your workers:
•
•
•
•
•
Talk to your workers NOW and work together to plan for an emergency. If your
workers are part of a union or labor group, involve them as well.
Keep a current list of phone numbers for your employees so that you can contact
them during an emergency.
Encourage workers to get an annual influenza vaccination (“flu shot”).
Help your workers prepare emergency kits for themselves and their families.
Educate Workers on the importance of:
o Hand washing
o Respiratory etiquette (cover coughs and sneezes, using disposable tissues
when possible)
o Healthy diet
o Exercise
10
o How to recognize the difference between influenza (“flu”) and a cold
(influenza is much more severe, it hits you very suddenly, you have fever and
aches)
o The difference between “seasonal flu” and “pandemic flu” (seasonal flu
comes every year, pandemic flu is when the flu strain changes and people may
become much sicker than usual, and some may die).
Reduced number of workers:
You may only have half of your workers during a pandemic. Some will be sick, and some
may stay home to take care of sick family members or care for children. Here are some
ideas on how you can keep your business open during a pandemic or other emergency.
•
Limit some of your services. At a minimum, try to provide essential services during
a pandemic or emergency situation.
•
Reduce the hours you are open for business.
•
Cross-train your employees. Make sure that you don’t have only one or two
workers that know how to do a critical part of your work. If they become ill, you
would have difficulty keeping your business open.
•
Recall and retrain retired workers. Keep home numbers and addresses of workers
who have retired. You may need to ask them to help during a pandemic or other
emergency.
•
Plan on selling, servicing, and making products with fewer workers.
•
If you are out sick, will your business continue to operate? Identify workers who
can make key decisions in the absence of owners/managers.
Social distancing:
If a pandemic occurs, you may be asked to have your business participate in social
distancing. This means that people should stay at least 3 feet apart from each other. Here
are some ideas that can help:
• Encourage frequent hand washing.
• Limit face-to-face contact.
o Try to reduce people standing in lines or crowds.
o Ask customers to stand further away from workers and each other.
o Install plexiglass panels between workers and customers.
o Use telephones to communicate with customers or internal staff.
o Stop hand shaking
o Spread out seating in meetings, or meet via teleconference.
o Stop sharing of workstations.
o Avoid unnecessary meetings.
o Limit the number of people on elevators, and encourage people to use the
stairs.
11
o Have your business work additional shifts or stagger shifts, with fewer
workers per shift, to increase the distance between employees.
o Have your employees work from home.
Plan ahead:
Keeping your workers healthy is one of your biggest priorities. Sick workers much not
come to work, or stay at work, because they can infect your other healthy workers.
• Review your sick leave policies. During a public health emergency, sick workers
must not come to work, even if you are short-staffed. Do not allow sick employees
to stay at work. You must not punish employees if they are sick during an
emergency. Establish clear policies and guidelines not that will help employees
understand options and expectations for when they are ill.
• What will your business do if a worker becomes ill while at work?
• Provide soap and hot water or alcohol-based hand sanitizers to your employees.
Provide disposable tissues.
• Mass transit (such as crowded buses) may be suspended during a pandemic.
Gasoline may become very expensive and/or difficult to get. How will your
employees get to work?
• Develop infection control practices, such as decontaminating office surfaces, such
as phones, keyboards, etc. daily.
Other things to consider:
•
Long distance travel may be temporarily stopped. Try to avoid travel (especially to
affected areas) by using teleconferencing or video conferencing. See if there are
local suppliers available to your business.
•
Do you have employees with special needs, such as disabled workers or those
unable to read/write, etc? How will they be cared for?
•
If a pandemic occurs, your suppliers may be cut off. Can you increase your
inventory of raw materials?
•
How will you communicate with your customers, suppliers, and general public
during an emergency? Do you have a website? Use password-protected websites to
communicate sensitive information with employees.
•
Make sure that you can access TV, radio, and/or the internet at work to follow
developments as they occur.
•
How will your business be affected by a pandemic? For example, if mass gatherings
are cancelled, would your business be affected? Some businesses may be very busy
during a pandemic, such as gas stations, grocery stores, etc.
12
13
14