The Advancing Process of Business Continuity Planning in North America

Disaster recovery, emergency management, and continuity planning professionals in both the public and private sectors worldwide face many challenges as they strive to do their jobs in a rapidly changing business and service environment. These include downsizing, re-engineering, outsourcing, changes in technology, lack of uniform standards, globalization, worldwide demand for disaster-resistant communities and constant requirements for ongoing dialogue and cooperation between public and private sectors.

Recognition of the increasing danger of long term business and service interruption due to natural, manmade, and technological disasters has forced corporations and institutions to extend their recovery planning efforts beyond the life safety, emergency response and data center recovery issues alone. Although our business and government organizations today are more and more dependent upon information that allows mission critical data to move quickly from one system to another, protection of these systems in this distributive architecture alone does not ensure a successful recovery. Y2K issues are now regarded as part of overall contingency planning concerns and must be addressed with remediation and continuity planning efforts.

Business continuity planning and management today includes addressing the identification and continuity of time-sensitive business and service functions and processes and all of their complex internal and external interdependencies as well. Experience has taught us that in our technology-entwined global marketplace, an earthquake in Asia, for example, can seriously interrupt business in the United States. A loss affecting an entity anywhere in our supply chain can have a direct affect upon our ability to continue our operations and get our finished goods to market or negate our ability to continue providing critical services to our customers.

Many organizations today are demanding that their first and in some cases, second tier suppliers have documented disaster recovery and continuity of operations plans in place. This criterion is increasingly being required across all industries. Our customers have become more sophisticated and their expectations are higher. Cyberspace has allowed customers to have virtual access to more products and services than ever before and “zero tolerance” is becoming the ‘norm’ when it comes to downtime in a disaster. Today, for example, we have ‘mission critical’ facilities wherein zero is the tolerance level for downtime. In searching for the ‘competitive edge’, crisis management has become ‘reputation management’.

As our businesses and government face more and more scrutiny of how they manage risks and protect assets, executive management is presented with the challenge of providing ‘value added’ services to their clients. It is an accepted fact today that no service is more important than the ability to deliver what was promised and in a timely manner, disasters not withstanding.Chief executive and operating officers, including the President of the United States expect there to be a plan to accomplish this.

Regulations concerning the maintenance of the critical infrastructure of the United States (PDD 67) and class action suits addressing potential lack of “duty of trust” and “due diligence” increasingly appear on the scene in the United States. Responsible chief executives, within small to large companies and institutions seek to conduct their own review as to the current state of disaster preparedness within their organizations and among their critical suppliers and mandate planning for recovery and continuity of operations at all critical levels.

Over the past several years, with more and more risk managers operating at a strategic managerial level, ‘continuity of operations’ planning has become an integral part of their job. We are seeing risk managers integrating their work with the financial decisions of their organization and bringing ‘continuity of operations’ planning issues to their executive management.

Whereas in previous years, contingency planning resided in the realm of a contingency planner with heavy information systems or information technology background, today we are seeing the mandate for this planning being handed down from a chief executive officer or chief operation officer, through the chief financial officer to the risk manager. The risk manager looks for assistance from a business continuity planner or coordinator who has the experience to take this effort organization-wide.

The establishing of a position known as Corporate Risk Officer in mid to large corporations exemplifies this. In some cases, risk management personnel are the champion of this cause, establishing and participating in the steering committee, helping to define the scope of the project and ensuring that the necessary senior management commitment and resources are provided to accomplish the goals and objectives of the planning effort. There is increasing communication between the risk manager of an organization and their business continuity coordinator regarding the business continuity planning effort.

Risk mapping through hazard and risk analysis is a process that has historically been used by organizations to accomplish the identification of a business’s internal and external physical exposures. Today, a Business Impact Analysis (BIA), long used by the business sector to determine the financial and operational impacts of a disruption upon the business, has also recently become a useful underwriting tool within the insurance industry. They have recognized that this analysis process can help to better determine the true state of disaster preparedness of an organization and its suppliers.

Utilization of the business impact analysis process and a specific automated business impact analysis product has most recently been exemplified by the Reliance National offering of Enterprise Earnings Protection Insurance (EEPI). EEPI is the first insurance policy specifically designed to protect publicly held companies against earnings disruptions, volatility and adverse results. EEPI combines property and casualty insurance with coverage for many financial, operational and business risks that traditionally have not been insured.

Knowledge of today’s automated planning technology is becoming a pre-requisite for responding to business continuity planning RFPs (Request For Proposals), especially those issued by the United States government. In today’s extremely competitive business continuity planning industry, there is much demand for experienced business continuity planners and consultants who can expedite the impact analysis and continuity planning process through the use of automated planning tools.

The required credentials, responsibilities, pay scale and image of the business continuity planner/coordinator have risen greatly over the last few years. Today, we see increased job descriptions requiring business continuity planning industry certifications, e.g. CBCP, (Certified Business Continuity Professional), FBCI (Fellow of the Business Continuity Institute), as well as a requirement for the knowledge and ability to expand existing recovery plans to encompass continuity of operations planning organization-wide.

The ever-increasing natural disasters with their tragic loss of life and long term economic impact within communities worldwide have greatly raised the need for cooperative mitigation efforts between the public and private sectors. On Wednesday June 3rd, 1998, the Federal Emergency Management Agency (FEMA) Director James L. Witt nationally launched the agency’s initiative, Project Impact: Building a Disaster Resistant Community. In addition to the original seven pilot communities created at the end of 1997, Director Witt invited 50 localities to become the initiative’s first disaster resistant communities.

The Project Impact initiative challenges communities across the nation to build local partnerships, to assess vulnerabilities to natural hazards and to implement actions that protect families, businesses and communities by preparing for and reducing the damaging effects of natural disasters.

The first round of communities will form a peer-to-peer network of American communities building partnerships and taking actions to better prepare for natural disasters. In each community, a local partnership of government leaders, representatives of the business sector and individuals will provide funding, in-kind services, technical support and labor to undertake disaster-resistant activities. In addition, FEMA will provide technical support and funds to states to provide administrative support to the initiative.

Cooperative discussions are taking place between business executives, organization and industry leaders and government agencies all throughout the country with local emergency management personnel playing a major role in this effort. In addition to Disaster Recovery Business Alliances (DRBA) – a nationwide initiative to unite public and private sectors one municipality at a time – there are also more than 50 contingency planning organizations throughout the United States and Canada which have representation from both the public and private sectors. The majority of these are independent groups consisting of small to large organizations working very closely with local and state emergency managers on joint mitigation, disaster recovery and continuity planning efforts. For example, New York State sponsors the Joint Loss Reduction Partnership Project under the leadership of the State Emergency Management Office and with the support of the Contingency Planning Exchange (CPE) which meets quarterly in New York City. The partnership comprises a cross section of the state’s business leadership, along with key federal, state and local government officials. The Federal Emergency Management Agency is funding the project, which will leverage the expertise of many companies based in New York concerning actions necessary to make the state’s businesses “disaster resistant”. CPE serves as the awareness and educational arm of the Partnership Project and progress reports are made at CPE meetings and on their web site throughout the year.

Public and private sector members of contingency planning groups also participate actively in disaster mitigation and continuity of operations education and training within their communities, separate from their association conferences. Many of these are held in conjunction with Disaster Preparedness Day or Fire Safety Week programs.

Many of the private sector contingency planning groups have made, or are pursuing, arrangements for representation in, or a liaison to, the official community Emergency Operations Center. This is tremendously important in enabling the private sector to have better communications with the public sector responders and make them aware of their needs. It also enables the public sector to be aware of and utilize, private sector resources in mitigating community disasters.

Industry organizations are also addressing disaster recovery and business or service continuity of operations mandates and requirements. IAEM (International Association of Emergency Managers), for example, actively pursues partnerships that advance coordination and support between public and private organizations and constituencies and has a Public/Private Partnership Committee as part of its organization.

Progress is also being made in moving towards establishing uniform recovery industry standards. Industry organizations are also addressing disaster recovery and business or service continuity of operations mandates and requirements. For example, working in conjunction with the national disaster resistant community effort, is the State’s Capabilities Assessment for Readiness (CAR) objective, which helps the individual states to identify their strengths, as well as vulnerabilities, in disaster situations. Stan McKinney, past-President of NEMA (National Emergency Management Association) believes “ that this can help to establish recommended practices and ultimately national standards for state and local emergency management capabilities."

Many organizations, including IAEM, NEMA and the American Red Cross, are signing Memorandums of Understanding (MOUs) with the business community to ensure more cooperative and efficient mitigation and recovery. IAEM for example, actively pursues partnerships that advance coordination and support between public and private organizations and constituencies.

The Disaster Recovery Institute International (DRII), the Canadian Centre for Emergency Preparedness (CCEP), the Business Continuity Institute (BCI), the Institute for Home and Business Safety (IHBS), formerly known as the Insurance Institute for Property and Loss Reduction ( IIPLR ), the National Fire Protection Association (NFPA) and the Joint Commission on Accredited Healthcare Organizations (JCAHO) are working hard to try and establish uniform recovery industry standards by endorsing and supporting each other’s efforts. Examples of this are as follows:

• The April 1997 agreement between the Disaster Recovery Institute International (DRII) and the Business Continuity Institute (BCI).

This agreement produced the document known as the “Professional Practices for Business Continuity Planners which defines the boundaries of the business continuity planning profession and knowledge that must be considered for DRI International’s designation as an Associate Business Continuity Planner (ABCP), Certified Business Continuity Professional (CBCP), and Master Business Continuity Professional (MBCP). BCI also uses this document as the basis for their examination procedures for Membership of the Business Continuity Institute (MBCI) and the Fellowship of the Business Continuity Institute (FBCI).

• The National Fire Protection Association (NFPA) Disaster Management Committee has just finished reviewing public comments on their final draft of NFPA 1600 - Standard On Disaster/Emergency Management and Business Continuity Programs which will be presented to their membership for approval at the NFPA Fall meeting in New Orleans, La. November 15 – 18,1999.

“This standard establishes a common set of criteria for disaster management, emergency management and business continuity programs herein after referred to as “the program”. The purpose of this standard is to provide those with the responsibility for disaster/emergency management and business continuity the criteria to assess current programs or to develop, implement and maintain a program to mitigate, prepare for, respond to and recover from disasters and emergencies.” FEMA, NEMA and IAEM are seriously considering endorsement of this standard.

• The Institute for Home and Business Safety (IHBS), Headquartered in Boston, Mass. USA has a very aggressive mitigation program in place to help build disaster resistant communities as well. Their strategic plan, which was adopted by their Board of Directors in October 1996, had a vision to incorporate structural and nonstructural loss reduction initiatives into the building environment, enabling the public and business communities to live and work in an atmosphere of personal safety, financial security and social stability. Their mission is to reduce injuries, deaths, property damage, economic losses and human suffering caused by natural disasters.

Individuals within both the public and private sectors are seeking knowledge and certification within each other’s fields. Certified Emergency Managers (CEM) for example, are taking DRII and BCI courses for additional certifications.  Accredited industry organizations and educational institutions are expanding their requirements and curriculums to include merging the emergency management, life safety and business and service continuity issues. Examples of this include: The Joint Commission on Accredited Healthcare Organizations (JCAHO) has expanded its accreditation requirements beyond the life safety and patient care areas to include “continuity of operations” capabilities in their “environment of care.”

Many institutions in the last few years have added business and government recovery and continuity planning courses to their emergency management curriculum. These include the following:

• The Institute for Crisis and Disaster Management at George Washington University, Washington, DC
• St. Petersburg Jr. College, St. Petersburg, Florida
• School of Continuing Studies at the University of Richmond, Richmond, Virginia
• University of California at Berkeley, CA.
• The Emergency Management Institute, Emmitsburg, Md.
• The Emergency Management Division of The Justice Institute of British Columbia in New Westminster, BC
• The Canadian College of Emergency Preparedness in Arnprior, Ontario.

There is tremendous progress taking place in Canada, as well, with regard to emergency preparedness, emergency management and business continuity planning. Emergency Preparedness Canada, a Federal Government organization, under the Department of National Defense, whose main purpose is to provide emergency preparedness training, education and awareness programs on a Federal basis, established a partnership program known as the Safeguard Program in 1995. This partnership program is now managed by Emergency Preparedness Partners, which is a not for profit organization and involves the residential and business communities across Canada. The focus of the program includes all aspects of emergency management such as mitigation, preparedness, response and recovery.

The Canadian Centre for Emergency Preparedness (CCEP) is a private, self-funded, not for profit organization, which exists for the purpose of providing training and shared expertise and emergency management resources to both the public and private sectors. For example, CCEP provides emergency planning personnel to a number of communities on an ongoing basis and maintains a pool of experienced emergency management personnel who are contracted out to municipalities to meet individual or project specific needs. This support was most recently evident during the January 1998 ice storm that inundated Quebec and Eastern Ontario. CCEP provided, voluntarily, the assistance of their emergency management professionals to this area. CCEP also hosts the annual World Conference on Disaster Management, held in Hamilton, Ontario in June of each year.

In addition, independent contingency planning and business continuity professional organizations have expanded greatly in Canada since 1985 when the first Disaster Recovery Information Exchange (DRIE) group was formed with six people in Toronto. In 1998, these associations of business continuity professionals are now formalized groups such as DRIE Toronto; DRIE Ottawa, DRIE Southwest Ontario, DRIE Montreal and DRIE West, which includes Calgary, Edmonton and Vancouver. DRIE Manitoba, including Winnipeg is now being formed.

The United States / Canadian border is practically non-existent in this disaster recovery and business continuity industry. There is DRI Canada, which is the first international, federally incorporated, affiliate of the Disaster Recovery Institute International headquartered in the United States, and NCCEM Canada, the first international affiliate of NCCEM, also headquartered in the United States.

This brief overview of North America’s advancements in contingency planning hopefully shows that presenting continuity of planning concepts and programs is no longer as ‘hard a sell’ as it was seventeen years ago when this author first started out in this field. However, we still have a long way to go to raise the position and responsibility of the business continuity planner or coordinator to the ‘board room’ and/or ‘officer’ levels where this author knows it needs to reside.

This article may not be reprinted, reproduced or distributed in part, or in total, in any medium, without the express written consent of the author. Copyright © Strohl Systems 1999 - All Rights Reserved