Ask the EAB - January/February 2011
Mon, 01/10/2011 - 7:00pm
Last year was filled with a variety of significant challenges, opportunities and misses. My pick for the most significant industry event was the BP oil spill in the Gulf of Mexico. This catastrophic event reminded us of the consequences of: underestimating operational risks; ineffective management oversight; and untested business contingency plans. An unexpected, but important, lesson of the BP oil spill is the need to ensure that communication plans are comprehensive, flexible and familiar to everyone who is responsible for managing the crisis. The biggest advancement for 2010 was the “flu that never was.” A lot of planning went into the preparation for the A/H1N1 influenza pandemic that most organizations didn’t have to fully implement. Fortunately, the planning process forced us to develop human capital resiliency plans to reduce key people dependencies and effectively manage unusually high rates of absenteeism for an extended period of time. This effort improved our ability to respond to the unthinkable – mass casualty or large scale people events.
Looking to the future, I predict the following for BCP in 2011:
We will have to devote more time to planning for “threats from within.” This includes man-made threats such as terrorism and intentional (or even unintentional) acts by trusted employees. Unfortunately, we are only “the next significant event” away from having to catch up on mitigating this vulnerability.
Clients, business partners and vendors will experience greater scrutiny for demonstrating the business resiliency of their organizations. Trends towards establishing stronger industry standards, like PS-Prep, are driving these expectations.
Public/private partnerships will grow and become a more significant part of planning for regional events. The economy and limited resources will encourage greater engagement, sharing of resources and cooperation between the public and private sectors.
There will be increased use of technology for business continuity planning, testing, maintenance and reporting. I predict faster movement towards integrated response and recovery systems. These systems will combine physical devices such as cameras, sensors and alarms with emergency communication and response procedures. This will provide a more automated framework for virtual simulation and testing for training, and faster response times to real events.
In 2010, I witnessed more and more organizations talk about the performance of their business continuity strategies (solutions) and far less about the planning approach. Related to this, I also heard a significant number of business continuity professionals discuss how they intended to measure preparedness in ways acceptable to their program sponsors. In 2011 and beyond, business continuity professionals will spend more time consulting with their business customers to pragmatically prepare them to meet obligations and less time focusing “almost exclusively” on administering the planning process.
Significant events of 2010 should be closely tied to what’s moving ahead in 2011 — here is a summary of some of what I observed:
1. There will be greater human incident focus: security and travel concerns in the U.S. and abroad. Those who work at creating trouble/incidents and wreaking havoc will likely be even more focused in the coming year.
2. Cyber security is a major issue for all organizations, whether they are aware of this or not. The amount of effort that is being put into stealing intellectual property, private and confidential information, and so on, is unbelievable. By taking human element type actions, a great deal of the risks that are out there can be avoided, and we must all continue to focus on that.
3. A greater effort on not only our own internal business continuity planning, but that of critical partners (suppliers, customers, etc.) is necessary. We must be willing to share general information and make our partners stronger, so we all benefit. Do you put requirements into agreements, review others’ planning, and offer suggestions to help them?
4. What will happen with PL 110-53? Regardless of how it navigates its way through the system, we should all select a standard to follow, get engaged and build the process in your organization. Implement a process like NFPA 1600 and DRI International’s Professional Practices because it benefits your entire organization, not because you are being asked to voluntarily comply with regulations.
5. Business Continuity “maturity models” – internal benchmarking and an audit process to validate it are very important. You must define what you have, where you want to be, and how you will get there – and then track progress to it effectively.
6. Crisis communications is critical – how well-prepared you are and how you deliver a message can have significant impact on your survival. Every year, we see hundreds of examples of how this was done well and it really stands out when it was done poorly. Just look at your local paper, media website or news broadcast, and you will see examples of what not to do.
7. Financial incidents and risks must start to be rolled in with operational and facility risks to have a true risk register. This has been on everyone’s agenda and those who figured it out are doing well.
8. The ability to work remotely is critical. Will you work from home, go to another location, have you tested your team’s plans, do you have the right bandwidth, is IT security in place, are all your assumptions validated, etc.?
9. Implementing lessons learned from actual incidents is critical. Do you repeat the same mistakes over and over, or have you learned from them and improved your process?
10. Final one – make every attempt to attend the CI Conference Apr. 11-13 in Atlanta to hear the dynamic speakers, listen to how theory has been put to practice, and network with experienced professionals to improve your process – this should be in everyone’s goal for 2011!
2010 was a very challenging year for business and individuals. There are many significant industry events that took place this year and it would be nearly impossible to address all of them. I chose to take a look at three events that had a significant impact on both business and individuals.
1. The spring 2010 eruption of the Eyjafjallajökull volcano in Iceland caused a major issue for businesses across the globe. Millions of passengers were stranded all over the world after flights were cancelled in most of Europe’s major airports. These airports serve as hubs, and as many have come to know, hubs can be the Achilles heel in air transportation. The financial impact of the eruption has not been fully calculated. Early estimations have approached multiples of billions of dollars. Executives, vacationers, overnight packages and critical cargo were grounded. This sleeping giant of a volcano had a very big impact on global commerce.
2. The 2007-2010 global financial crisis continues and looks like it will not release its tight grip any time soon. Businesses have been forced to close, downsize, shutter product lines or otherwise cut back. Spending in most cases was brought to a halt, and we found ourselves becoming creative in how we conducted business in the “new normal.” Many continuity programs suffered as corporations looked to our areas for additional savings.
3. Record unemployment in the United States is closely tied to the global financial crisis; however, it deserves its own mention. Many of us know of individuals, some highly talented and skilled, who are seeking work or are working but seeking work in which they can fully utilize their skills.
I am optimistic that 2011 will be a better year. In my opinion, we will still be contending with the global financial crisis, record unemployment and natural events such as the Eyjafjallajökull volcano eruption. We are a resilient people, and we take the opportunity to learn from our past. We know how to “do more with less” and we will be developing plans for when things improve. In the meantime, keep your chin up and a smile on your face. Happy New Year!
As an emergency manager who also delves into the business continuity world, my answer will irritate some, amuse others, scare a few, and be scoffed at by most. In the past 18 months, I have seen emergency management and business continuity drawing closer together. Delving deep into my crystal ball (Caithness crystal from the Highlands of Scotland, not that cheap mainland European stuff!), I see this trend continuing. Before you toss this magazine in the corner cursing my existence and wondering how you can get Buffy or Bob to fire me, hear me out. Emergency management is concerned with keeping government operating during or just after a disaster (which includes facilities), business continuity professionals are concerned with keeping a business operating during or just after a disaster (including facilities). EMs and BCPs both use an all-hazards approach realizing that the threats not considered are the ones that bite you in the … well, this is a family magazine … but to continue, many professionals in each field are certified in both approaches. Emergency management types write for Continuity Insights magazine and business continuity types write for EM publications like the International Association of Emergency Managers Bulletin. Many of each discipline attend each conference (by the way, this emergency manager looks forward to seeing you all in Atlanta for the Continuity Insights Conference in April). I think that these diverse disciplines will continue to develop closer relationships. I think friends will be made, contacts established, and growth of both will flourish because of the acceptance of our similarities versus our promotion of differences.