Preparing for scenarios such as an active shooter, power outage, or fire that causes extensive damage to facilities requires continuously exercising and refining disaster preparedness and recovery programs. Regular drills will serve to both train employees and reveal weaknesses in existing plans. And in any event, changing business operations will demand evolving plans.
These were some of the top takeaways from experts who participated in AgilQuest’s “Don’t get stuck in the snow! Digging into business continuity and COOP” webinar on March 18.
Defining business continuity and disaster recovery
Carol DeLatte, continuity of operations specialist at Virtual Computing Environment Company, said that business continuity and disaster preparedness are about planning ahead to avoid and mitigate damage and disruption.
“We are firefighters — we do mostly prevention and preparation in getting ready for the big storm,” she said.
DeLatte distinguished between business continuity, which focuses on people and processes, and disaster recovery, which refers to data centres and IT.
Contingency planning is about coming up with a “Plan B” for long-term disruptions, she said. If, for example, employees can’t come to the office due to an ice storm, it may be acceptable to have employees work from home for the day. Beyond short-term scenarios, though, a different solution may be required.
Disaster recovery considers how much time is needed for IT to get back up and running, DeLatte said. If an organization needs to minimize downtime, it may consider spending the money to maintain a redundant data centre.
Developing and implementing programs
Shane Hebert is a facilities operations specialist and program manager of physical security and emergency preparedness with the National Cancer Institute. In August 2011, Hebert was in a building shaken by a 5.8-magnitude earthquake with multiple aftershocks. Earthquakes are uncommon on the east coast, so no one really knew what to do, he said.
Afterward, management asked his office some key questions: did everyone get out of the building safely? When would it be safe for everyone to re-enter the buildings? What would the organization do next if its buildings had sustained structural damage?
“As an office, we didn’t have good answers to these questions,” he said, “so we took a look internally about how we could do better, and we came up with some immediate solutions and some more long-term solutions.”
Rather than using a pencil and clipboard to account for employees, they adopted a hand-held device with which they can scan 2,000 employees out by their badges in just 20 to 25 minutes.
Other improvements included developing a better tree structure of communication to get information from off-campus facilities to on-campus facilities, and urging employees to subscribe to an emergency notification system provided by a third party.
By implementing National Fire Protection Association 2010 standards at new facilities, the organization is now able to use life-safety speakers in its buildings to deliver emergency communication, such as orders to evacuate or shelter in place.
Finally, when disruption does occur, a computerized facility management system helps to identify unaffected buildings to transplant employees to available spaces, and a mobile workforce program allows for telework arrangements.
Testing and improving programs
Kathleen Lucey, president of Montague Risk Management, said that before ISO 22301 was introduced, many countries and regions had standards that largely said the same thing: “Get a plan, exercise it, review changes in your organization, go back.”
“All of these standard methodologies are circular,” Lucey said. “It starts out with: what do we have, what do we need to fill, so you do a business impact analysis.”
A business impact analysis examines what the organization does, when it needs to do it and how critical it is to the organization, she said. The recovery time objective (RTO) sets out how long the organization has before losses will begin to threaten its existence. The recovery point objective (RPO) refers to the frequency with which an organization backs up its data.
“If you back up your data once a day, then you have to be willing to lose a day to a day-and-a-half’s worth of data,” Lucey said. “If you need to have greater currency of data than that, you need to have a solution which replicates the data more in real time.”
Depending on the size of the organization, business continuity programming may produce a single, unified plan or thousands of interconnected plans, she said.
“Testing makes up the majority of time and effort during the lifetime of the project,” Lucey said.
The objective, she said, is to train employees, test different aspects of the plan and correct problems as they are identified.
Lucey recommended conducting a variety of drills throughout the year to ensure that employees aren’t relearning programs anew. Ideally, she said, drills should be conducted quarterly.
Michelle Ervin is the editor of Canadian Facility Management & Design.