Emergencies: Protecting Staff & Assets. Presented By: Tom Heebner, CSP, ARM, ABCP AVP / Risk Consultant HUB International Limited

Transcription

1 Emergencies: Protecting Staff & Assets Presented By: Tom Heebner, CSP, ARM, ABCP AVP / Risk Consultant HUB International Limited

2 Agenda Why is Planning Important? Lessons Learned From Recent Events The Planning Process Where Should You Go From Here? Preparing Your Staff

3 WHY IS PLANNING IMPORTANT?

4 OSHA Emergency Action Plan Requirements Means of reporting fires or other emergencies Evacuation procedures and emergency escape route assignments Procedures to be followed by employees who remain to operate critical operations before they evacuate Procedures to account for all employees after an emergency evacuation has been completed Rescue and medical duties for those employees who are to perform them Names or job titles of persons who can be contacted for further information or explanation of duties under the plan

5 Events Impact. People Facilities & Assets Technology Operations Customer Trust Customer Confidence

6 Events Result In Loss of Life and/or Loss of Property Other significant losses Reduced Productivity Financial Interrupted Services Damaged Reputation Other Expenses

7 Benefits of Good Planning. Decreases notification time Improves coordination of resources Safeguard health and safety Minimize property damage and business interruption Restore critical functions quickly Maintain revenue stream / avoid loss of market share Increases an organization s public image Businesses & Governments Response / Continuity Teams Prepared Organization Plans, Training & Exercising Occupants and Visitors

8 Statistics Show Companies that aren t able to resume operations within ten days are not likely to survive 50% will be out of business within five years 75% of companies without business continuity plans fail within three years of a disaster Of those businesses that experience a disaster and have no plan 43% never reopen Of those that do reopen, only 29% are still operating two years later

9 LESSONS LEARNED FROM RECENT EVENTS

10 Lessons of September 11th, 2001 All types of threats must be considered Plans must be updated and tested frequently Dependencies and interdependencies should be carefully analyzed Key personnel may be unavailable Telecommunications are essential Alternate sites for IT backup should not be situated close to the primary site Employee support (counseling) is important Copies of plans should be stored at a secure off-site location Sizable security perimeters can impede personnel

11 Lessons From Hurricane Sandy Just because you are not on the coastline when a storm strikes doesn t mean you will not be heavily affected. It is important to identify establish notification processes with your employees and to utilize multiple channels to communicate (ex. SMS, Twitter, landline, , etc.). Although it may take some time, having a relationship with a restoration contractor before an event is invaluable. Fuel was not easy to come by following Hurricane Sandy and without fuel many could not operate their vehicle, chainsaws, generators and other equipment that was needed to be used during the recovery. Although we routinely pay for items using credit cards or by quickly going to an ATM machine, these items aren t likely to work if there is a power outage. When you have a claim, it is important to call your insurance carriers and report it as soon as possible and not speculate as to the cause.

12 Lessons From a Practice Fire The fire started at another property The fire department had not visited the practice prior to the event The practice manager indicated the fireman had to consult with their technicians to assess the layout of the practice and to identify the locations of special hazards The practice worked very hard on keeping in contact with clients throughout the process (relied on social media and local chamber of commerce) The practice had business interruption coverage The practice moved the office to one house and set up a network The practice had a manual data backup process and was successful in backing up data before the event The Practice Manager wishes they had planned and had a better idea of what they would do to keep things moving after the incident

13 Medical Emergencies Adjacent Facility Emergency Workplace Violence Fire/Explosion Bomb Threat Loss of Utilities (steam, electricity, natural gas) Hazardous Materials Release Technological Issues Potential Events Transportation Accident Terrorist Attack - CBRNE Suspicious Package Civil Disorders Flooding, Tornado, Earthquake and other Natural Hazards Contamination of Food/Water Structural Collapse Emerging Diseases What Else?

14 THE PLANNING PROCESS

15 The Big Picture Understand Your Business Develop Risk Mitigation Strategies Develop BCM Strategies Establish Planning Committee Review Organizational Strategy Business Impact Analysis Risk Assessment Protection Systems Hazard Elimination / Process Change Duplication of Resources Alternate Operating Strategies Corporate Strategy Process Level Strategy Resource Recovery Strategy Department Business Functions Business Process Steps Emergency Response Crisis Management Development BCM Documentation Emergency Response Plan Crisis Management Plan Business Continuity/Recovery Plan People IT Support Components Records Voice & Data Equip & Hardware Suppliers & Vendors Facilities Business Continuation BCM Implementation & Training Assessing Awareness Develop / Monitor Awareness, Skills, & Culture * Business Continuity Programs reduce risk through upfront mitigation and post disaster response, recovery and restoration BCM Exercising, Maintenance & Auditing

16 Lifecycle of an Event Business Continuity Detection Crisis Management Recovery Emergency Response Minutes Hours Weeks

17 Intensity Levels of Phases Emergency Response Crisis Management Business Restoration Normalization (Recovery) Intensity

18 DISASTER MANAGEMENT ERP: Emergency Response Plan Event Driven Response (Site Impact) Contamination, Bomb-threat, Fire, Earthquake, Wind, Etc. ERP IT-DRP Depending on Event, The integration of all Plans is Possible. IT-DRP: IT Disaster Recovery Plan (Technology - Voice & Data Impact) Network Failure, Sabotage, Virus, Physical Loss of Systems Etc. BCP CMP: Crisis Management Plan Event Escalation Response (Corporate Impact) Non-physical or physical impacts, Examples: Exxon Valdez Oil Spill, J&J Tylenol Tampering Hudson Foods Meat Threat CMP BCP: Business Continuity Plan Time Driven Response (Site and Business and Image Impact) Infrastructure Disruptions, Business Unit Disruptions, Department Disruptions (Failure to deliver product or service)

19 WHERE SHOULD YOU GO FROM HERE?

20 What plans does a practice need? Crisis Management Plan Emergency Response Plan Business Continuity Plan IT Disaster Recovery Plan

21 Focus on Outcomes Not Causes 1. Loss of Technology the technology you use is not available or doesn t work (telephone, website, accounting systems, membership databases, etc.) 2. Loss of a Building all or part of building is destroyed or out of action 3. Denial of Access to a building your staff and/or tenants are not allowed into their place of work

22 Focus on Outcomes Not Causes cont. Scenarios cont. 4. Loss of Staff key staff are unable to attend work (chain of command, cross training needs, etc.) 5. Loss of a Supplier a supplier or vendor is unable to provide critical services, products or resources (contractors, consultants, etc.)

23 Business Impact Analysis Identify the risks that threaten the operations Identify Critical Functions Analyze/Estimate impact on business operations Indentify/Analyze Resources/Capabilities

24 Risk & Vulnerability Assessment Naturally Occurring Human-Caused Technological Hazards Fire/Explosion Natural Hazards Terrorism Workplace Violence Pandemic Disease Utility Outage Assets at Risk People Buildings Equipment Information Technology Business Operations Cash/Financial Assets Impacts Casualties Property Damage Business Interruption Loss of Customers Financial Loss Fines/Penalties Lawsuits Hazard Identification Vulnerability Assessment Impact Analysis

25 Disaster Declarations (Federal)

26 Critical Functions Assessment Identify all organization functions Identify critical processes/services Identify dependencies & interdependencies Identify priorities Recovery Time Objective (RTO) Staff Facility / Equipment Technology Files *Critical Function - Function that must be delivered during a disruption, even if it is at a reduced level, for the business to survive (ex. payroll, online systems, accounts payable)

27 Internal Personnel Equipment Facilities Organizational capabilities Resource Assessment External Local emergency management office Fire / Police Departments Hazmat Response Emergency medical services Utilities Critical Contractors / Suppliers

28 Mitigate risks that threaten the health and safety of people, company assets, operations, or the environment Mitigation Strategies Hazard Elimination / Minimization Installation of Protection Systems Duplication of Critical Resources / Processes Relocation (personnel/patients) Qualification of Secondary Suppliers Outsourcing

29 Example Mitigation Strategies Substitution of Less Hazardous Components Fire Protection/Suppression Systems Security Systems/Controls Building Construction Vendor Readiness IT Backup Strategies / DR Sites

30 Business Continuity Strategies Corporate Process-Level Resource Recovery Workarounds Remote Working Mutual Agreements Third-Party Alternate Sites Outsourcing Do nothing

31 Crisis Management Plan Overview Provides for the safety of personnel Provides step by step action plan for facility and people-related issues Establishes a communication system for response/recovery team mobilization Establishes alternate operating and data processing facilities

32 Emergency Response Plan Overview Management Elements Direction and control Communications Life safety Property protection Community outreach Recovery and restoration Administration and logistics Response Elements Threat-specific procedures Protective Actions Training Resource Management Termination, Reporting, and Follow-up

33 Business Continuity Plan Overview Step-by-step procedures for operating critical business functions during recovery from an incident/disaster Establishes: Pre-positioned contingencies to mitigate the downtime impact on critical business functions Principle: Critical business functions need to be recovered within 48 hours our your business is at risk of failing at recovery

34 IT Disaster Recovery Plan Overview Illustrates how IT supports the business Maps out step-by-step procedures to ensure the recovery of each critical component of the IT infrastructure Hardware Data (electronic and paper) Applications Telecommunications Specialized Equipment Supplies

35 Emergency Call Lists Resource lists Supporting Documentation Detailed Building / Site Maps Business Unit Procedures Alternate Sites Critical Vendor Lists (primary and secondary)

36 EDUCATING & PREPARING YOUR STAFF

37 Relocation Protective Action Planning Used when an emergency is confined to a single floor/area Evacuation Used when potential for massive fire or explosion or when practical Long duration incidents Shelter In Place Short to mid-duration incidents It s a greater hazard to attempt to move or impractical to evacuate

38 In a Disaster, Communication is King! Clear Procedures for Notifying Affected Parties Where to report Emergency Status Easy methods Voic , Hotline, Call Trees, , Public News, Social Media, etc.

39 Training Teams should be organized to execute on plan elements Training should be provided to all team members Orientation / Ongoing Create an awareness campaign for all staff Develop a culture of preparedness

40 General Employee Training Roles and responsibilities Information about threats, hazards and protective actions Notification, warning and communications procedures Emergency response procedures Location / use of common emergency equipment Emergency shutdown procedures BCP Procedures / Alternate Operating Strategies

41 Drills / Exercises Regularly Test/Exercise the Plan Tabletop Functional Full-Scale Test Protective Actions Relocation Evacuation Shelter-in-Place Test Continuity/Recovery Strategies Integrate Internal and External Responders

42 Sample Table Top Exercise 8:00AM Plenty of discussion on the past weekend in the NFL 1:30PM Fire Reported in the kennel area Attempts to extinguish fire were unsuccessful 4 employees report smoke inhalation and are sent to hospital 2:30PM Facilities Crisis Leader completes initial assessment Report of severe damage to 25% of the building; Remainder of facility with only smoke damage 3 employees admitted into the hospital due to injuries/illnesses Media representatives report to location for statement 9:30PM Further assessment estimates a practice downtime is 4-6 weeks What actions should be taken at this point if it were your practice?

43 TAKEAWAYS

44 Gather a team Your Action Items Assess Risks and Vulnerabilities Develop Plans to Mitigate Hazards Develop Plans to Respond to Events Develop a Plan to Ensure Continuity of Your Business Train Update Plans Discuss and Practice Strategies

45 Resources AVMA Emergency Preparedness and Response Guide ( pid=160013&icid=b484&cookie%5ftest=1 Insurance carrier resources Written materials Educational events

46 It can happen, so plan for It before It strikes

47 Questions? Tom Heebner, CSP, ARM, ABCP AVP / Risk Consultant HUB International Risk Services Division P: E: thomas.heebner@hubinternational.com