Directory of business continuity planning and
|Directory of Software & Services for Risk Analysis and Disaster Recovery|
1. Ostrich Syndrome
Out of Sight, Out of Mind
The ostrich is alleged to hide its head in the ground when a threat is suspected on the theory that if the threat can't be observed, it isn't there.
Whether the "ostrich" is an airline security expert or a Business Continuity "client," the bottom line is the same: a disaster waiting to happen.
I always am amazed when someone hires a Subject Matter Expert and then ignores the expert's advice. Yes, I now know there are "experts" and there are "experts."
Just as dangerous is to accept advice and even implement corrective measures but only for a short period.
The commercial airline industry provides an excellent example here, too.
Immediately after September 11, 2001, security at America's airports was drastically increased. No more curbside check-in, no more drop-offs and pick-ups, no, no, and more no.
The other day I took The Spouse to the local flying field for an interstate flight.
I stopped the car in front of the building and unloaded The Spouse's carry on and to-be-checked cases.
She checked the luggage with the guy outside the building while I parked the car. He matched the name on a driver's license with her e-ticket.
The wife went directly to her plane's gate - standard procedure. The only difference was that I was prevented from going past the security check point. Her checked bag supposedly went to the airline where it was checked by - who, what?
Her comment to me was "You know, that guy who took my suitcase could put anything inside and no one ever would know."
I responded by telling her all checked luggage was being inspected before being loaded.
Now I know better. She, as she is quick to point out, was "right again."
The bottom line is that in the space of four months, our security awareness already has dropped to an abysmal level.
U.S. military personnel still search Afghanistan for terrorists and the U.S. State Department is making noises about eliminating safe havens for terrorists, yet at home we already are letting down our guard.
If a threat is not imminent we can bury our heads and ignore the possibility. Worst case, the "experts" will protect us.
A new security system recently was installed at the company where I currently hang my hat.
The system includes a closed-circuit television system (CCTV) with a camera aimed at the main entrance and a "swipe card" for employees to pass through a series of doors.
A similar system is used by a major insurance company.
The difference between the insurance company and my current employer is that the insurance company has a strictly enforced "no tailgating" policy that basically states: if two employees enter the building on one employee's swipe card, the person who tailgated is fired and the person who allowed the tailgater may be fired.
Justice or not, the action is swift.
While the insurance company is not "perfect," its swipe card rule is something that other organizations should consider.
Granted, it can be an inconvenience, especially in inclement weather.
Granted, it is an inconvenience for everyone to swipe a card - it is time consuming and can create temporary back-ups at some doors.
But it works.
Locally, tailgating is permitted since, admittedly, the company has a much smaller local population that the insurer and it would be "inconvenient" to each individual swipe his or her card.
There also is the politeness factor; the current employer is located in a very polite society where courtesy for a co-worker is a way of life. That's delightful and I fully appreciate it, but it comes at the cost of security.
More Than Security
Until now, this article has focused on security. First airline security and then building security.
The only reason for this focus is because the lack of security is so obvious; it is easy to make the point that if the threat isn't hanging heavy over our heads, we'll ignore it even in the face of relatively recent disasters.
Security, however, is not the only issue people elect to ignore.
A former client moved to a new location.
Beautiful multi-story building.
The client showcased its product in a glass-enclosed "war room" on the building's first floor.
Security, while an issue here, is not the focus.
It turns out that the beautiful new structure was built in a flood plain.
That, in itself, is bad enough (unless you build on "stilts"). The real problem is that the business' critical business function is located on the first floor - the floor that will be flooded in a severe storm.
Every planner, especially consultants who have worked with a wide variety of clients, can tell similar stories.
Granted, part of the Business Continuity process is to evaluate risks; drag out the faithful X-Y chart and graph the probability of the risk occurring versus the impact of the risk if it occurs.
But when the obvious is ignored . . .
We, Business Continuity planners, are paid to identify all the risks, to put names to the "ubiquitous others" that always populate my check lists.
Long before 9-11, I was warning clients that they needed to consider aircraft accidents.
Admittedly, I cautioned some clients - those with facilities under a local airport's take-off and landing patterns - more than those distant from airports, but the plan did consider the risk.
Before 9-11, many clients considered the risk to be "minimal."
Immediately after 9-11 many of those same clients were reconsidering.
Now, with 9-11 little more than an entry in a future history book, the risk is once again rated as "minimal."
This is not to say that risk probabilities don't change; they do and that is one of many reasons to maintain a Business Continuity plan by both "calendar" and a "trigger."
I'm not certain if we - Business Continuity planners - need to take the responsibility for pulling ostrich heads into the real world of risks. I am certain we must not become ostriches.
I also am convinced that some "experts" are, in fact, ostriches that, for whatever reason, don't want to see what the rest of us clearly see. (I never said the sky was falling; only that some planes were falling from the sky.)
2. Crisis Management
Crisis Management, like business continuation, has for too long been ignored or relegated to a post-event PR function in typical Business Continuity plans.
When we were "disaster recovery" planners, we created plans to restore the organization to "business as usual" in the most efficient manner possible.
When we became "business continuity" planners, we looked for ways to avoid or mitigate risks and to discover work-arounds when a risk turned into an event; we now were concerned not only with avoiding and mitigating risks and restoring "business as usual" but making certain a minimum level of service was maintained while the business was restored.
We made certain selected personnel were trained to perform assigned tasks even under the pressures of the moment.
Our plans included notification of Emergency Management personnel (usually something like "Call 911") and "have the telephone operator tell everyone to evacuate the area." Good, albeit incomplete, planning for most events.
Some of us, given the opportunity, even promoted "all hands" awareness of threats.
But most of us - this scrivener included - gave little thought to crisis management beyond disaster recovery and business continuation team responses and perhaps what to tell the public - the press, the stockholders, and - hopefully - the personnel and their families..
That has to change and planners need to think in terms of global populations - all hands - rather than only selected team players.
Defining a crisis
Webster's describes "crisis" as, among other things, "paroxysmal attack of pain, distress, or disordered function." I am not about to argue with Mirriam-Webster, but my definition includes panic which I think is in line with Webster's "disordered function."
Webster also defines "crisis" as "the decisive moment."
For my purposes, "crisis" is the time when all personnel must evacuate a facility or area to avoid injury or death. This can be a fire, an accident, terrorist threat or action . . . any number of things that cause an evacuation.
The crisis - at least for me - is not the event triggering the evacuation, but the panic that often accompanies an evacuation. By the time we get around to evacuating after an event, that crisis' "decisive moment" is past.
Planners need only look at the identified risks to understand the need for crisis management and "all hands" involvement.
Any event that could cause an evacuation - from a single room to an entire campus - is an event that justifies crisis management.
When we were kids at school we usually were happy to hear the fire alarm sound - a break from the books. Those of us who spent time in the military know it had training exercises for just about everything. If you sailed on a cruise ship, you know about lifeboat drills, and if you work in a hazardous environment, you know about accident response and probably some advanced first aid.
This is the essence of "crisis management."
It makes no difference what caused the crisis, the only thing that matters is our response to the crisis.
Just who is involved
Crisis management, in my "all hands" scenario, starts and ends with training.
Initial training is "awareness" training, making everyone - all hands - aware of their surroundings and what is "normal."
When we take our children to the doctor for annual checks - let's be honest, how many of us go for annual check ups? - the medics record the patient's normal vital signs; pulse, temperature, breaths-per-minute, etc. when the vital signs are not influenced by illness. Later, when we return with a sick child, the medics can compare the "normal" to the current and act accordingly.
We need to do the same with our work environment, the office, the building, the streets outside.
Fire fighters will tell us that the sooner a fire is detected and action taken to extinguish it, the easier it is to extinguish and the less damage will be incurred. (If you feel like saying "duh!" feel free.)
When someone becomes aware that something is "out of place" or "just not right," they are expected to act on the awareness. In the case of a fire, activate the fire alarm to alert the fire department and evacuate the building. Depending on the size of the fire, the person may - emphasis on "may" - attempt to extinguish the blaze after - and only after - sounding the alarm.
The primary objective is to alert the right people, in this case "the world," that something is amiss.
Awareness is not limited to sniffing the air for fires. Unfortunately, awareness must extend to the streets and parking lots around the facility. Events in Oklahoma City, New York City, in Saudi Arabia and elsewhere force us to pay attention to what is outside as well as what - and who - is inside.
Unlike the fire scenario, knowing who to tell - and that person's knowing how to respond - is something only a formal crisis management structure and training can accomplish.
Hall monitors rule
Remember again the fire drills in elementary school - or the bomb drills in high school - and faculty directing students from the building to assigned assembly areas where a teacher attempted to do a head count of his or her charges.
Nothing changed as we move into the organizational environment.
Hall monitors are now fellow employees with additional duties and training; they, not teachers, tell us which exit to use and they make certain that everyone - from C*O to janitor - evacuates the building.
Since we are adults and since our organization does have evacuation drills - it does if such drills are in our plans - the "hall monitor" can be anyone who doesn't panic and who volunteered for both additional responsibility and training.
The remark, "they tell us which exit to use," begs the question "how will hall monitors know which exit to use?" and the answer is simple: "two-way radios; walkie-talkies."
Two-way radios are relatively inexpensive (but make certain to test them in the environments in which they will be used before they are needed) and provide means for hall monitors to know which exits are available.
Unlike school days when teachers "took roll" at the beginning of every class, the business environment demands use of another childhood scheme - the buddy system.
The grown-up version of the buddy system puts people into groups of not less than four and not more than 10. Four people is enough so that if one or two people are out of the building, there still are two "buddies" to account for each other. More than 10 people and individuals can too easily be overlooked.
As a facility is evacuated, personnel must assemble in assigned areas - either the primary area or an alternate. All assembly areas need to be far enough away from the facility to protect the evacuees and to allow Emergency Management personnel access.
The evacuees are expected to take a nose count of their own buddies and to report anyone missing to assembly point monitors. These monitors can contact the hall monitors to make certain no one is left inside. If the hall monitor, for his or her own protection, already exited the facility, a radio search can be conducted with other assembly areas.
The nose count serves two purposes: it accounts for all personnel by eliminating those absent before the event and it lets emergency personnel know if they need to risk their lives looking for someone who may remain in danger.
In addition to hall monitors, at least two people (as with all things in business continuity, a primary and alternate) need to be assigned as "Emergency Management liaison."
These people are charged with, and known to Emergency Management leaders, letting the rescuers know if anyone is inside the facility, what caused the evacuation and what was done in the interim to mitigate the event.
Knowing what is - and is not - inside a building makes emergency responders' lives both safer and easier.
Training, training, and more training
The key to crisis management, at least in this scrivener's opinion, is training.
It worked when we were in elementary school.
It worked when we were in the service and when we were on the cruise.
It works with the disaster recovery and business continuity teams.
Crisis management training has two components: special training for hall monitors, and "all-hands" training for everyone.
Hall monitors must first be selected based on their ability to maintain self control in a pressure situation. They also must have a personality to deal with all manner of people who may panic or be reluctant to evacuate.
Everyone, "all hands," must be trained to be aware of their surroundings and must understand the importance of the "school yard" exercises.
Management must understand that while evacuation drills are costly in terms of lost production, they are worthwhile in the potential to save lives in a real event; this translates into financial savings and good PR for the organization.
Finally, Emergency Management must be included in the training exercises so the drills will be as lifelike as possible. (Just make certain someone coordinates the drill with the Emergency Management folks so they know it is not the "real thing.")
We've come a long way since we filed out of our first grade classrooms in response to the fire alarm, but the lesson of that day must remain the lesson of this day.
Training develops confidence, and confidence is a key ingredient to crisis management.
At least in this planner's book.
For comments and questions on these papers please write to: JGlennCRP@yahoo.com
Return To Previous Page
HOME ~ WEBLINKS ~ CONTACTS
Copyright © 1993-2002