b. The Marriott Corporation Practices Business Continuity Planning
c. The University of Washington’s Experience with the FEMA Disaster Resistant Universities Program
7. Suggested Out of Class Exercises
Introduction
All organizations from all sectors (public, private and not-for-profit) face the possibility of disruptive events that have impacts ranging from mere inconvenience and short-lived disruption of normal operations to the very destruction of the organization. Organizational functions supporting business¹ disruption prevention, preparedness, response and recovery, such as risk management, contingency planning, crisis management, emergency response, and business resumption and recovery, are thus established and resourced based upon the organization’s perception of its relevant environments and the risks within those environments.
Unlike public sector emergency management, which is a primary function at all levels of government, Business Crisis and Continuity Management (the term Business Crisis and Continuity Management [BCCM] will be defined in the next section) remains largely a supporting project or program that is discretionary except in highly regulated industries such as healthcare² and banking³, where BCCM-related requirements and standards have been established. The preparations for Y2K and the impacts of the 9/11 attacks have provided some impetus for the more widespread recognition and acceptance of BCCM as a strategic function and have resulted in the development of voluntary BCCM standards/guidelines across the private and not-for-profit sectors, such as the National Fire Protection Association (NFPA) 1600 Standard on Disaster/Emergency Management and Business Continuity Programs⁴ and the ASIS International Business Continuity Guideline.⁵
Despite these recent advances in BCCM, the resources required to develop an ongoing and robust program still compete with other organizational priorities, which may result in a less than optimal program with functional deficiencies, poor integration, and dispersed authority and responsibility. Witness the August 2005 study Disaster Planning in the Private Sector: A Look at the State of Business Continuity in the U.S., conducted by the International Association of Emergency Managers and AT&T.⁶ This study found that business continuity planning is not a high priority at four in ten companies surveyed and that almost one third of the companies have no business continuity plans. The reasons for this low priority may extend beyond resource considerations to a lack of understanding of what actually comprises a comprehensive BCCM program. A functional framework for BCCM, displaying the component functions and their relationships to one another, is provided in this chapter. It is intended to be simple enough to be understandable at all levels of the organization, yet complete enough to identify and support the need for the various functions and their integration. This functional BCCM framework should be considered in the context of the case studies presented in this chapter.
The Term Business Crisis and Continuity Management
The hybrid term business crisis and continuity has been introduced as a title for an enterprise-wide strategic program and process. It is necessary to include a brief discussion of the creation and choice of this term, since much of the current literature and business practice uses the individual terms crisis management or business continuity management separately and often interchangeably while recognizing that they work together to support overall business enterprise management. The Business Continuity Institute’s Business Continuity Management: Good Practices Guidelines (Smith, 2002) and the Standards Australia draft Business Continuity Handbook (Standards Australia 2003) use the term Business Continuity Management as a unifying process and the umbrella under which multiple supporting functions, including crisis management and business continuity, operate and integrate. United States based organizations such as Disaster Recovery Institute International (DRII 2004), ASIS International (ASIS 2004), and the Association of Contingency Planners (ACP 2004) also use the term Business Continuity Management or Business Continuity Planning as an umbrella with crisis management as an essential component. Noted experts such as Ian Mitroff (Mitroff and Pauchant 1992) and Stephen Fink (Fink 1986) use crisis management as their umbrella term with business continuity as one of many supporting functions.
Despite the difference in terminology, there is little debate in the business continuity and crisis management literature that crisis management, business continuity management, and their supporting functions need to be thoroughly integrated in support of overall business enterprise management. Business Continuity Management: Good Practices Guidelines explains the inconsistency in terminology by stating “Crisis Management and BCM (Business Continuity Management) are not seen as mutually exclusive albeit that they can of necessity stand alone based on the type of event. It is fully recognized that they are two elements in an overall business continuity process and frequently one is not found without the other.” (Smith 2002)
Thus, in an attempt to emphasize the interrelatedness and equal importance of crisis management and business continuity management, Business Crisis and Continuity Management has been chosen as the umbrella term for this proposed research study and is defined as:
Business Crisis and Continuity Management – “The business management practices that provide the focus and guidance for the decisions and actions necessary for a business to prevent, mitigate, prepare for, respond to, resume, recover, restore and transition from a disruptive (crisis) event in a manner consistent with its strategic objectives.” (Shaw and Harrald 2004)
Moving Ahead – The Future of BCCM
The reality of business is that increasing and dynamic natural, technological and human induced threats, business complexity, government regulation, corporate governance requirements, and media and public scrutiny demand a comprehensive and integrated approach to BCCM. Classic natural, technological and human induced events such as Hurricane Andrew (1992), the Northridge Earthquake (1994), the Exxon Valdez oil spill (1989), the Bhopal chemical release (1984), the World Trade Center attack of 1993, and the Tylenol poisoning case (1982) have provided lessons learned that emphasize each of these factors and the need for coordination and cooperation within and between organizations, and between all levels of government, the private and not-for-profit sectors. The tragic events of September 11th, 2001 and the implications for businesses directly and indirectly impacted by the physical events further reinforce the need for enterprise-wide recognition and coordination of the multiple functions supporting BCCM.
One of the barriers to more universal acceptance and implementation of comprehensive BCCM programs that support the strategic goals of individual businesses and business sectors is a lack of understanding of the necessary and sufficient components of such a program and their interrelations within and between organizations. Attempts to define such a program, as found in most literature prior to the 9/11 attacks, provide a list of business continuity planning steps/elements such as those set forth in Geoffrey Wold’s Disaster Recovery Journal (DRJ) article Disaster Recovery Planning Process⁷ (Figure 1) or the Disaster Recovery Institute International (DRII) Professional Practices for Business Continuity Professionals⁸ (Figure 2).
Developing Business Continuity Management Strategies
Emergency Response and Operations
Developing and Implementing Business Continuity Plans
Awareness and Training Programs
Exercising and Maintaining Business Continuity Plans
Coordination with External Agencies
There is no argument that these are necessary steps/elements; however, a mere listing falls short of emphasizing the interrelationships and temporal nature of the functions that comprise a comprehensive and ongoing program and the establishment of widely accepted standards. In the aftermath of 9/11, there have been several initiatives to define and communicate such standards.
The National Fire Protection Association Standard, NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs (2004)⁹, provides a “total program approach for disaster/emergency management and business continuity programs (NFPA 2004).” Similar to the DRJ and DRII steps/elements, NFPA 1600 does not provide a functional framework, but lists a set of program elements (Figure 3) that contain general descriptions and are referenced to the DRII Professional Practices.
NFPA 1600 2004 Edition Disaster/Emergency Management and Business Continuity Programs Elements
The NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs has been recommended as a national standard by the 9/11 Commission Report¹⁰ and the Intelligence Reform and Terrorism Prevention Act of 2004¹¹ and is evolving into the de facto standard for private sector continuity.
Complementing the NFPA Standard, ASIS International, a preeminent not-for-profit organization dedicated to increasing the effectiveness and productivity of security professionals, published its ‘all sector’ Business Continuity Guideline¹² document, which provides a generic planning guide applicable to any organization. The Guideline makes the following statement, which places the importance of the Business Continuity/Continuity of Operations process in the context of organizational survival and success:
“Recent world events have challenged us to prepare to manage previously unthinkable situations that may threaten the organization’s future. The new challenge goes beyond the mere emergency response plan or disaster management activities that we previously employed. Organizations must now engage in a comprehensive process best described generically as Business Continuity. … Today’s threats require the creation of an on-going, interactive process that serve to assure the continuation of an organization’s core activities before, during, and most importantly, after a major crisis event. Regardless of the organization – for profit, not for profit, faith-based, non-governmental—its leadership has a duty to stakeholders to plan for its survival (ASIS 2005).”
The ASIS Business Continuity Guideline does provide a functional framework (Figure 4) that offers a means of visualizing some BCCM functions, but it falls short of providing the level of detail necessary to capture and explain the totality of a comprehensive program.
A Functional Framework for BCCM
The intent of this chapter is not to be critical of any of the aforementioned lists of steps/elements and the ASIS framework, but to recommend areas of improvement. Each of them was the result of a consensus process representing multiple constituencies and presents a logical and necessary first step in the development of national standards written at a level of detail that can be used to define and measure compliance. As presented, they provide relatively broad descriptions of the program steps/elements with minimal detail and remain open to very liberal interpretations as to what actually comprises compliance at the function and program level. A listing of the program elements is useful, but a graphical presentation of the elements, their hierarchy and interdependency could assist in the understanding and marketing of a comprehensive program that truly integrates the component parts.
The functional framework presented below (Figure 5), which displays the hierarchy of the functions (from top to bottom) and the temporal nature of each (from left to right), accompanied by functional area and function definitions (provided following the functional diagram), provides such a graphical presentation. This framework reflects the following research process as documented in the Journal of Homeland Security and Emergency Management article The Core Competencies Required of Executive Level Business Crisis and Continuity Managers (2004).¹³
A literature search of existing frameworks.
Synthesis of existing frameworks into a proposed framework.
Expert review – Fourteen interviews with recognized ‘experts’ from the private, public and education sectors.
Revision of the proposed framework based upon the comments of the ‘experts’.
A final ‘expert’ review – Six interviews with recognized ‘experts’ from the private, public and education sectors.