emergencies: protecting staff & assetsaaha.hubinternational.com/content/emergencies protecting...

Post on 10-Aug-2020


Emergencies: Protecting Staff & Assets

Presented By: Tom Heebner, CSP, ARM, ABCP

AVP / Risk Consultant HUB International Limited

Agenda
• Why is Planning Important?
• Lessons Learned From Recent Events
• The Planning Process
• Where Should You Go From Here?
• Preparing Your Staff

WHY IS PLANNING IMPORTANT?

OSHA Emergency Action Plan Requirements

• Means of reporting fires or other emergencies
• Evacuation procedures and emergency escape route assignments
• Procedures to be followed by employees who remain to operate critical operations before they evacuate
• Procedures to account for all employees after an emergency evacuation has been completed
• Rescue and medical duties for those employees who are to perform them
• Names or job titles of persons who can be contacted for further information or explanation of duties under the plan

Events Impact….

• People
• Facilities & Assets
• Technology
• Operations
• Customer Trust
• Customer Confidence

Events Result In…

• Loss of Life and/or Loss of Property
• Other significant losses
– Reduced Productivity
– Financial
– Interrupted Services
– Damaged Reputation
– Other Expenses

Benefits of Good Planning…
• Decreases notification time
• Improves coordination of resources
• Safeguards health and safety
• Minimizes property damage and business interruption
• Restores critical functions quickly
• Maintains revenue stream / avoids loss of market share
• Increases an organization’s public image

[Figure: Prepared Organization. Labels: Businesses & Governments; Plans, Training & Exercising; Response / Continuity Teams; Occupants and Visitors]

Statistics Show…
• Companies that aren’t able to resume operations within ten days are not likely to survive
– 50% will be out of business within five years
• 75% of companies without business continuity plans fail within three years of a disaster
• Of those businesses that experience a disaster and have no plan
– 43% never reopen
– Of those that do reopen, only 29% are still operating two years later

LESSONS LEARNED FROM RECENT EVENTS

Lessons of September 11th, 2001
• All types of threats must be considered
• Plans must be updated and tested frequently
• Dependencies and interdependencies should be carefully analyzed
• Key personnel may be unavailable
• Telecommunications are essential
• Alternate sites for IT backup should not be situated close to the primary site
• Employee support (counseling) is important
• Copies of plans should be stored at a secure off-site location
• Sizable security perimeters can impede personnel

Lessons From Hurricane Sandy
• Just because you are not on the coastline when a storm strikes doesn’t mean you will not be heavily affected.
• It is important to identify and establish notification processes with your employees and to use multiple channels to communicate (ex. SMS, Twitter, landline, e-mail, etc.).
• Although it may take some time, having a relationship with a restoration contractor before an event is invaluable.
• Fuel was not easy to come by following Hurricane Sandy, and without fuel many could not operate the vehicles, chainsaws, generators and other equipment needed during the recovery.
• Although we routinely pay for items using credit cards or by quickly going to an ATM, these aren’t likely to work if there is a power outage.
• When you have a claim, it is important to call your insurance carriers and report it as soon as possible, and not to speculate as to the cause.

Lessons From a Practice Fire
• The fire started at another property
• The fire department had not visited the practice prior to the event
• The practice manager indicated the fireman had to consult with their technicians to assess the layout of the practice and to identify the locations of special hazards
• The practice worked very hard on keeping in contact with clients throughout the process (relied on social media and local chamber of commerce)
• The practice had business interruption coverage
• The practice moved the office to one house and set up a network
• The practice had a manual data backup process and was successful in backing up data before the event
• The Practice Manager wishes they had planned and had a better idea of what they would do to keep things moving after the incident

Potential Events
• Medical Emergencies
• Adjacent Facility Emergency
• Workplace Violence
• Fire/Explosion
• Bomb Threat
• Loss of Utilities (steam, electricity, natural gas)
• Hazardous Materials Release
• Technological Issues
• Transportation Accident
• Terrorist Attack - CBRNE
• Suspicious Package
• Civil Disorders
• Flooding, Tornado, Earthquake and other Natural Hazards
• Contamination of Food/Water
• Structural Collapse
• Emerging Diseases

What Else?

THE PLANNING PROCESS

“The Big Picture”

[Diagram: the BCM planning process. Labels, in the order they appear:]
• Phases: Understand Your Business; Develop Risk Mitigation Strategies; Develop BCM Strategies; Develop BCM Documentation; BCM Implementation & Training; BCM Exercising, Maintenance & Auditing
• Department; Business Functions; Business Process Steps; Support Components
• People; IT Equip & Hardware; Voice & Data; Records; Suppliers & Vendors; Facilities
• Emergency Response; Crisis Management; Business Continuation
• Establish Planning Committee; Review Organizational Strategy; Business Impact Analysis; Risk Assessment
• Protection Systems; Hazard Elimination / Process Change; Duplication of Resources; Alternate Operating Strategies
• Corporate Strategy; Process Level Strategy; Resource Recovery Strategy
• Emergency Response Plan; Crisis Management Plan; Business Continuity/Recovery Plan
• Assessing Awareness; Develop / Monitor Awareness, Skills, & Culture

* Business Continuity Programs reduce risk through upfront mitigation and post disaster response, recovery and restoration

[Figure: Lifecycle of an Event / Intensity Levels of Phases. Time scale: Minutes, Hours, Weeks (Detection to Recovery). Vertical scale: Intensity. Phases shown: Emergency Response; Crisis Management; Business Continuity; Business Restoration; Normalization (Recovery)]

Disaster Management
• CMP: Crisis Management Plan. Event Escalation Response (Corporate Impact). Non-physical or physical impacts. Examples: Exxon – Valdez Oil Spill; J&J – Tylenol Tampering; Hudson Foods – Meat Threat
• IT-DRP: IT Disaster Recovery Plan (Technology - Voice & Data Impact). Network Failure, Sabotage, Virus, Physical Loss of Systems, Etc.
• ERP: Emergency Response Plan. Event Driven Response (Site Impact). Contamination, Bomb-threat, Fire, Earthquake, Wind, Etc.
• BCP: Business Continuity Plan. Time Driven Response (Site and Business and Image Impact). Infrastructure Disruptions, Business Unit Disruptions, Department Disruptions (Failure to deliver product or service)

Depending on Event, The integration of all Plans is Possible.

WHERE SHOULD YOU GO FROM HERE?

What plans does a practice need?

• Crisis Management Plan
• Emergency Response Plan
• Business Continuity Plan
• IT Disaster Recovery Plan

Focus on Outcomes Not Causes

1. Loss of Technology – the technology you use is not available or doesn’t work (telephone, website, accounting systems, membership databases, etc.)

2. Loss of a Building – all or part of a building is destroyed or out of action

3. Denial of Access to a building – your staff and/or tenants are not allowed into their place of work

Focus on Outcomes Not Causes cont.

Scenarios cont.

4. Loss of Staff – key staff are unable to attend work (chain of command, cross training needs, etc.)

5. Loss of a Supplier – a supplier or vendor is unable to provide critical services, products or resources (contractors, consultants, etc.)

Business Impact Analysis

• Identify the risks that threaten the operations
• Identify Critical Functions
• Analyze/Estimate impact on business operations
• Identify/Analyze Resources/Capabilities

Risk & Vulnerability Assessment

• Naturally Occurring
• Human-Caused
• Technological

Hazards: Fire/Explosion; Natural Hazards; Terrorism; Workplace Violence; Pandemic Disease; Utility Outage

Assets at Risk: People; Buildings; Equipment; Information Technology; Business Operations; Cash/Financial Assets

Impacts: Casualties; Property Damage; Business Interruption; Loss of Customers; Financial Loss; Fines/Penalties; Lawsuits

Hazard Identification Vulnerability Assessment Impact Analysis

Disaster Declarations (Federal)

Critical Functions Assessment
• Identify all organization functions
• Identify critical processes/services
• Identify dependencies & interdependencies
• Identify priorities
• Recovery Time Objective (RTO)
• Staff
• Facility / Equipment
• Technology
• Files

*Critical Function - Function that must be delivered during a disruption, even if it is at a reduced level, for the business to survive (ex. payroll, online systems, accounts payable)

Resource Assessment

Internal
• Personnel
• Equipment
• Facilities
• Organizational capabilities

External
• Local emergency management office
• Fire / Police Departments
• Hazmat Response
• Emergency medical services
• Utilities
• Critical Contractors / Suppliers

Mitigation Strategies
• Mitigate risks that threaten the health and safety of people, company assets, operations, or the environment

• Hazard Elimination / Minimization

• Installation of Protection Systems

• Duplication of Critical Resources / Processes

• Relocation (personnel/patients)

• Qualification of Secondary Suppliers

• Outsourcing

Example Mitigation Strategies

• Substitution of Less Hazardous Components
• Fire Protection/Suppression Systems
• Security Systems/Controls
• Building Construction
• Vendor Readiness
• IT Backup Strategies / DR Sites

Business Continuity Strategies

• Corporate
• Process-Level
• Resource Recovery

• Workarounds
• Remote Working
• Mutual Agreements
• Third-Party Alternate Sites
• Outsourcing
• “Do nothing”

Crisis Management Plan Overview
• Provides for the safety of personnel
• Provides step by step action plan for facility and people-related issues
• Establishes a communication system for response/recovery team mobilization
• Establishes alternate operating and data processing facilities

Emergency Response Plan Overview

Management Elements
• Direction and control
• Communications
• Life safety
• Property protection
• Community outreach
• Recovery and restoration
• Administration and logistics

Response Elements
• Threat-specific procedures
• Protective Actions
• Training
• Resource Management
• Termination, Reporting, and Follow-up

Business Continuity Plan Overview
• Step-by-step procedures for operating critical business functions during recovery from an incident/disaster
• Establishes:
– Pre-positioned contingencies to mitigate the downtime impact on critical business functions
• Principle: Critical business functions need to be recovered within 48 hours or your business is at risk of failing at recovery

IT Disaster Recovery Plan Overview

• Illustrates how IT supports the business
• Maps out step-by-step procedures to ensure the recovery of each critical component of the IT infrastructure
– Hardware
– Data (electronic and paper)
– Applications
– Telecommunications
– Specialized Equipment
– Supplies

Supporting Documentation

• Emergency Call Lists
• Resource lists
• Detailed Building / Site Maps
• Business Unit Procedures
• Alternate Sites
• Critical Vendor Lists (primary and secondary)

EDUCATING & PREPARING YOUR STAFF

Protective Action Planning

• Relocation
– Used when an emergency is confined to a single floor/area
• Evacuation
– Used when potential for massive fire or explosion or when practical
– Long duration incidents
• Shelter In Place
– Short to mid-duration incidents
– It’s a greater hazard to attempt to move or impractical to evacuate

In a Disaster, Communication is King!

• Clear Procedures for Notifying Affected Parties
– Where to report
– Emergency Status
• Easy methods
– Voicemail, Hotline, Call Trees, E-mail, Public News, Social Media, etc.

Training

• Teams should be organized to execute on plan elements
• Training should be provided to all team members
– Orientation / Ongoing
• Create an awareness campaign for all staff
• Develop a “culture” of preparedness

General Employee Training
• Roles and responsibilities
• Information about threats, hazards and protective actions
• Notification, warning and communications procedures
• Emergency response procedures
• Location / use of common emergency equipment
• Emergency shutdown procedures
• BCP Procedures / Alternate Operating Strategies

Drills / Exercises
• Regularly Test/Exercise the Plan
– Tabletop
– Functional
– Full-Scale
• Test Protective Actions
– Relocation
– Evacuation
– Shelter-in-Place

• Test Continuity/Recovery Strategies

• Integrate Internal and External Responders

Sample Table Top Exercise
• 8:00AM
– Plenty of discussion on the past weekend in the NFL
• 1:30PM
– Fire Reported in the kennel area
– Attempts to extinguish fire were unsuccessful
– 4 employees report smoke inhalation and are sent to hospital
• 2:30PM
– Facilities Crisis Leader completes initial assessment
– Report of severe damage to 25% of the building; Remainder of facility with only smoke damage
– 3 employees admitted into the hospital due to injuries/illnesses
– Media representatives report to location for statement
• 9:30PM
– Further assessment estimates practice downtime of 4-6 weeks

What actions should be taken at this point if it were your practice?

TAKEAWAYS

Your Action Items
• Gather a team
• Assess Risks and Vulnerabilities
• Develop Plans to Mitigate Hazards
• Develop Plans to Respond to Events
• Develop a Plan to Ensure Continuity of Your Business
• Train
• Update Plans
• Discuss and Practice Strategies

Resources

• www.ready.gov
• AVMA Emergency Preparedness and Response Guide (www.avma.org)
• http://www.nfpa.org/catalog/product.asp?pid=160013&icid=B484&cookie%5Ftest=1
• Insurance carrier resources
– Written materials
– Educational events

“It” can happen, so plan for “It” before “It” strikes

Questions?

Tom Heebner, CSP, ARM, ABCP AVP / Risk Consultant HUB International Risk Services Division P: 312.279.4957 E: thomas.heebner@hubinternational.com
