
Post on 28-Sep-2020


DEPARTMENT OF BUSINESS & PROFESSIONAL REGULATION
Office of Inspector General

Ken Lawson, Secretary
Lynne T. Winston, Inspector General


BEST PRACTICES FOR CONTINUITY OF OPERATIONS (COOP) PLANS

Project Number C-1516BPR-005

INTRODUCTION

Section 252.365, Florida Statutes, requires each state agency to establish a disaster-preparedness plan that:

1. Outlines a comprehensive and effective program to ensure continuity of essential state functions under all circumstances

2. Identifies a baseline of preparedness for a full range of potential emergencies to establish a viable capability to perform essential functions during any emergency or other situation that disrupts normal operations

This “all-hazards” approach to Continuity of Operations (COOP) planning ensures that state agencies can continue to perform mission essential functions during emergencies or other situations that disrupt normal operations whether natural, manmade, or technological. Accordingly, agency COOP plans should be capable of activation in response to events ranging from a building fire to the threat or occurrence of a terrorist attack—in short, any event that makes it impossible for employees to continue work in their regular facility. The section further specifies that, at a minimum, agency COOP plans must include the following elements:

- Identification of essential functions, programs, and personnel
- Procedures to implement the plan and personnel notification and accountability
- Delegations of authority and lines of succession
- Identification of alternative facilities and related infrastructure, including those for communications
- Identification and protection of vital records and databases
- Schedules and procedures for periodic tests, training, and exercises

BEST PRACTICES

COOP plans should provide for:

- The capability to implement the COOP plan, both with and without warning
- Operation of mission critical functions within 12 hours of plan activation
- The capability to maintain sustained operations for up to 30 days


The state’s requirements for agency COOP plans are consistent with and mirror best practices for COOP plan development and maintenance. Our review of federal and state guidance and of literature on continuity of operations indicates that well-maintained COOP plans generally incorporate the following 10 overarching elements:

1. Essential Functions
2. Orders of Succession
3. Delegations of Authority
4. Continuity Facilities
5. Interoperable Communications
6. Vital Records Management
7. Human Resources
8. Tests, Training, and Exercises
9. Devolution of Control and Direction
10. Reconstitution

Related best practices are discussed in the following sections.

1. Essential Functions

Not every agency service or function must be performed in an emergency. The COOP plan should therefore focus on those mission critical activities the department must continue to perform with no or minimal disruption.

BEST PRACTICES

- Identify the functions the department must continue in all circumstances (functions that cannot be interrupted for more than 12 hours)
- List the department’s essential functions in priority order
- Identify the staffing and resources required to perform each essential function

In identifying essential functions, the department should refer to statutory requirements, functions established by the Secretary, and functions that provide vital support to other state agencies. Functions that are not deemed essential to immediate department or customer needs should be identified and noted as being deferred until additional personnel and resources become available.

2. Orders of Succession

Orders of succession provide for an orderly and predefined transition of leadership. An established order of succession for the Secretary ensures a designated official is available to serve as acting agency head until that official is appointed by the appropriate authority, replaced by the Secretary, or otherwise relieved. Orders of succession should also be established for other key leadership positions, including deputy secretaries, division directors, and bureau chiefs. Lines of succession should be sufficient to ensure the department can perform essential functions and remain viable through any emergency.

BEST PRACTICES

- Recommended minimal depth = 3 successors
- Geographic dispersion with at least one successor located off-site
- Successors identified by position/title (not by name)


Orders of succession should include:

- The conditions under which succession will take place
- The method of notification
- Limitations on delegations of authority by successors

The department’s General Counsel should review all orders of succession for legal sufficiency. The orders should be maintained with the department’s vital records and successors to leadership positions should receive annual training on the duties and responsibilities of the position to which they may succeed.

3. Delegations of Authority

Delegations of authority are required to ensure continued operation of essential functions and rapid response to any situation requiring COOP activation. Delegations of authority document the legal authority for officials—including those below the Secretary—to make key policy decisions during a continuity event.

BEST PRACTICES

- Delegations of authority should be made before an emergency
- Delegations of authority should state:
  - The authority that is being delegated
  - Any limitations or exceptions to the delegated authority
  - To whom the authority is being delegated (by position/title, not name)
  - The circumstances under which delegated authority becomes effective and when such authority terminates
  - The delegate’s authority to re-delegate authority

Pre-determined delegations of authority generally take effect whenever normal channels of direction are disrupted and terminate when these channels are reestablished. A copy of all delegations of authority should be maintained with the department’s vital records for access during an event.

4. Continuity Facilities

The COOP plan must identify a location, other than the primary facility, where the department can carry out essential functions during a continuity event. The plan should also identify a devolution site should the alternate facility become inoperable.

BEST PRACTICES

Alternate Site Requirements:

- Operational no later than 12 hours after COOP activation
- Accommodate sustained operations for up to 30 days
- Accommodate all necessary personnel and communications equipment
- Is located in a threat-free environment
- Has immediate access to food, water, fuel, and medical and government services
- Has appropriate physical security and access controls.


The COOP plan should identify which of its essential functions must be conducted at the alternate facility and which functions can be performed via telecommuting/work from home. In the event the department does not own or lease the alternate site, the department should execute a Memorandum of Understanding/Agreement with the facility owner that specifies the department’s space and service needs, the owner’s notification requirements, and the length of time it will take before the facility will be available for COOP purposes. COOP planners should also evaluate transportation resource requirements for the relocation facility, as well as the availability of housing for emergency staff. A documented review of the alternate site should be conducted annually to evaluate the facility’s continued suitability for continuity operations.

5. Interoperable Communications

Interoperable communications provide the means to communicate internally and externally via radio and other communications systems during a continuity event, and to exchange voice and/or data on demand and in real time. Interoperable communications must be available within 12 hours of COOP activation and be sustainable for 30 days. The department should identify and acquire effective communications systems that support full connectivity under all conditions among department leadership and staff, other agencies, critical customers, and the public. The COOP plan should address protective measures for critical communications systems and provide for backup systems. The department should acquire communication capabilities that support the organization’s senior leadership while they are in transit to continuity facilities. Communications capabilities must be compatible with existing equipment and should be updated as appropriate to make use of emerging technologies.

6. Vital Records Management

Vital records management includes the identification, protection, and ready availability of electronic and hard copy documents, references, records, information systems, data management software, and equipment needed to support essential functions during a continuity event.[1] Vital records may be physically protected through duplicate copies, dispersal, and placement in safe and secure storage facilities.

BEST PRACTICES

- Identify all vital files, records, and databases needed to support individual mission critical functions during a COOP event

[1] COOP plans are distinct from Information System Contingency Planning, which refers to a coordinated strategy involving plans, procedures, and technical measures for the recovery of information systems, operations, and data after a disruption. Contingency planning generally includes approaches such as restoring information systems using alternate equipment; performing some processes using alternate (manual) processing means for short-term disruptions; recovering information system operations at an alternate location; and implementing appropriate contingency planning controls based on the information system’s security impact level. COOP functions may be supported by information systems, and COOP applies to mission essential functions, whereas Information System Contingency Planning applies to all information systems.


- To the extent possible, vital records and databases should be available at the alternate facility

- Provide for the protection of confidential or sensitive data and information.

Vital records management should ensure that emergency operating records such as emergency plans and directives, orders of succession, delegations of authority, staffing assignments, and related policies and procedures are available to staff during an emergency. The COOP plan should include a complete inventory of essential records, identify their location, and provide instructions for accessing the records. Copies of essential records should be maintained at a back-up/off-site location to ensure continuity if the primary operating facility is damaged or unavailable.

Organizations should assess the risk of loss of essential records and databases, the means available to maintain or reestablish access to these resources during a continuity event, and the difficulty of reconstituting records if destroyed. The COOP plan’s list of essential records and databases should be reviewed annually with the dates of review documented. All COOP training should include a component on vital records management. Management of essential records and databases should be evaluated during COOP tests and exercises.

7. Human Resources

COOP plans should specify the procedures employees must follow during plan activation. A process should exist to contact and account for all staff in the event of an emergency, and all staff should know their responsibility for accountability reporting. COOP planning should include processes to identify, document, and prepare staff that are able to relocate to alternate sites or to perform essential functions via telework. The plan should clearly define the expectations, roles, and responsibilities of essential staff members during an event and employees should be kept informed of their roles and responsibilities, in writing.

The COOP plan should include a roster of the employees designated to perform each essential function. The roster should be updated periodically and include the employee’s name and detailed contact information. The COOP plan should also include information employees will need during a continuity event regarding telework/work-from-home, work hours, pay, use of leave time, etc. Many COOP plans include information on the content and maintenance of drive-away kits for emergency personnel, as well as information for employees and their families on advance planning for emergencies.

8. Tests, Training, and Exercises

The COOP plan should include measures to ensure the plan will support the execution of essential functions throughout the duration of a continuity event. Accordingly, the COOP plan must undergo periodic testing. Mock drills and tabletop exercises validate the plan and ensure that agency personnel are thoroughly trained in alert, notification, and deployment procedures in advance of an incident. COOP training should include the deliberate and preplanned movement of personnel to the designated alternate site, at least annually.


BEST PRACTICES

- Use real-time emergency simulations in training drills
- Test COOP activation procedures annually
- Test emergency alert and notification procedures quarterly
- Use inter-agency exercises to promote preparedness, improve coordination, and enhance response capabilities both internally and across entities

COOP training and exercises should assess whether the records and data needed to support essential functions at the alternate facility were sufficient, complete, and current, and whether staff were able to access vital records, as planned. Training and exercises should also assess whether interoperable communications equipment is functioning as intended. The agency should document the date of each test or training event, those participating in the event, and event results. An after-action report should identify any issues and recommend steps to correct deficiencies and/or improve plan execution.

9. Devolution of Control and Direction

Devolution of control and direction defines the capability to transfer statutory authority and responsibility for essential functions from the agency’s primary operating staff and facilities to another agency’s employees and facilities. Devolution of control and direction thus provides the means to sustain operational capability for an extended period should the responsible agency become inoperable. This plan element should address how the agency will transfer its essential functions in the aftermath of a catastrophic event in which the primary operating facility, alternate site, and essential staff are no longer available. The COOP plan should identify the circumstances under which the agency must devolve and specify procedures for the transfer of each essential function to the devolution site.

10. Reconstitution

Reconstitution is the process by which the agency resumes normal operations. The COOP plan should thus include procedures for the orderly transition of essential functions from the alternate location back to the primary facility. As part of the reconstitution plan, the agency must first assess the status of affected personnel, assets, and facilities. The plan should then specify procedures for deploying personnel, records, and equipment back to the primary facility. The plan should also detail how the agency will notify personnel of COOP termination and return to normal operations.

CONCLUSION

COOP plans provide a roadmap for ensuring the continuity of mission critical functions when an emergency or other event disrupts normal operations. The plans are living documents. They require ongoing maintenance to retain currency and must undergo periodic testing to ensure their viability. Agency staff must receive training in COOP procedures prior to an incident and they rely on these plans for information and guidance during a continuity event.


Governments must continue to perform essential functions despite the occurrence of natural and manmade disasters. COOP plans provide the framework to preserve and maintain basic governmental functions. COOP plans thus promote public confidence in the government’s ability to maintain order, minimize loss, and save lives during such times.

To promote accountability, integrity, and efficiency in government, the Office of Inspector General conducts audits and reviews of Department of Business and Professional Regulation programs, activities, and functions. This project was conducted pursuant to Section 20.055, Florida Statutes, and in conformance with applicable Principles and Standards for Offices of Inspectors General as published by the Association of Inspectors General and applicable standards of the International Standards for the Professional Practice of Internal Auditing as published by the Institute of Internal Auditors, Inc.

Other reports prepared by the Office of Inspector General of the Department of Business and Professional Regulation can be obtained by telephone (850-414-6700) or by mail (1940 North Monroe Street, Tallahassee, FL 32399-1018).