Disaster Preparedness I Lessons Learned

1
Disaster Preparedness ILessons Learned
Expect the Unexpected Are We Clearly Prepared?

• Don Hall
• Thomson Prometric

Council on Licensure, Enforcement and Regulation
2006 Annual Conference
Alexandria, Virginia
2
Thomson Prometric

• Thomson Prometric is the leading global provider
  of comprehensive testing and assessment services.
  We deliver standardized tests for 600 client
  programs, in 26 languages, over the Web or
  through a global network of 3,200 testing centers
  in 135 countries.

3
Continuity Management at Prometric

• Thomson Prometric has defined a comprehensive
  Business Continuity Management (BCM) program that
  provides for contingency operations that will
  ensure the continuity of services provided to our
  clients, candidates, and channel testing partners
  using established best practices to safeguard
  the interest of our clients, reputation, brand,
  and revenue.

4
Best Practices

• Disaster Recovery Institute Intl (DRII)
• Business Continuity Institute (BCI)
• Promote a common knowledge and standards for BCM
• Certify individuals in the discipline
• As such, in 1997, DRII, together with BCI,
  published the Professional Practices for Business
  Continuity Planners as the industry's
  international standard.

5
Professional Practices

• Pre-Planning
• Project Initiation and Management
• Risk Evaluation and Control
• Business Impact Analysis
• Planning
• Developing Business Continuity Strategies
• Emergency Response Operations
• Develop and Implement Business Continuity Plans
• Post-Planning
• Awareness and Training Programs
• Maintenance and Exercising Business Continuity
  Plans
• Public Relations and Crises Communications
• Coordination with Public Authorities

6
Professional Practices

• Pre-planning
• Project Initiation and Management
• Risk Evaluation and Control
• Business Impact Analysis

7
Project Initiation and Management

• Define Scope, Objectives, Policies and Critical
  Success Factors
• Establish the need for BCP
• Communicate the need for BCP
• Involve Executive Management
• Establish a Steering Committee or Task Force
• Develop the Budget
• Identify Planning Team(s) and Responsibilities
• Develop and Coordinate Action Plans
• Develop Ongoing management and documentation
  requirements for BCM
• Report to Senior Management Team

8
Risk Evaluation and Control

• Identify the threats
• Eliminate threats, if possible
• Estimate probability of threats
• Perform Risk Analysis
• Identify costs to reduce risks
• Spend resources on risks most likely to occur
  80/20 Rule (1897, Vilfredo Pareto)
• Implement controls to reduce risks
• Exercise, evaluate, and make changes as needed to
  reduce the impact of risks

9
Business Impact Analysis (BIA)

• Establish the value of each organizational
  resource as they relate to the function of the
  whole
• Provide the basis for identifying the critical
  resources required to develop your business
  recovery strategy
• Establish order of priority for restoration

10
Professional Practices

• Planning
• Developing Business Continuity Strategies
• Emergency Response Operations
• Develop and Implement Business Continuity Plans
  (BCP/COOP)

11
Develop Business Continuity Strategy

• Identify the Enterprise Requirements
• Identify strategies, costs, advantages, and
  disadvantages for each
• Compare internal and external
• Identify strategies for functional areas
• Assess strategies using BIA results
• Perform Costs/Benefits Analysis
• Consolidate Continuity and Recovery Strategies
  Across the Enterprise
• Consolidate workspace recovery sites
• Enterprise-level plans for media and
  communications

12
Emergency Response and Operations

• Identify Types of Emergencies and the Response
• Fire, Flood, HAZMAT, etc
• Identify Components of Emergency Response
• Reporting procedures (internal/external)
• Pre-incident preparation
• Emergency Actions (evacuation, firefighting,
  notifications, etc)
• Facility Stabilization
• Damage mitigation
• Testing procedures and responsibilities
• Develop Detailed Emergency Response Procedures
• Protection of Personnel
• Containment of the Incident
• Assessment of effect
• Decide optimum actions

13
Emergency Response and Operations

• Identify Command and Control Requirements
• Design and equip the Emergency Operations Center
  (EOC)
• Define Command and Decision Authority roles
• Communications vehicles (radio, e-mail,
  messengers, etc)
• Logging and documentation methods
• Develop Command and Control Procedures
• Opening the EOC
• Security for the EOC
• Scheduling the EOC teams (24 hour operations)
• Management of the EOC
• Closing the EOC
• Emergency Response and Triage
• Salvage and Restoration

14
Develop Business Continuity Plans

• Advanced planning that is necessary to ensure the
  continuity of critical functions for an
  organization
• Putting in place supporting infrastructure and
  resources to respond to a disaster event
• Implement procedures to reduce the risk of
  identifiable threats
• Develop plans that cover all events that result
  in the total or partial destruction of a
  facility, or create an inability to perform
  essential functions
• Create plans that include procedures, equipment,
  and personnel for both automated and manual
  procedures.

15
Professional Practices

• Post-Planning
• Awareness and Training Programs
• Maintenance and Exercising Business Continuity
  Plans
• Public Relations and Crises Communications
• Coordination with Public Authorities

16
Awareness and Training

• Components of the COOP/BCP
• Why is BCP important to them!
• Who is the Business Continuity Coordinator
• Where to find more information
• When is it exercised
• How is the COOP activated

17
Maintenance and Exercising BCP

• Maintenance
• Monthly
• Call-trees
• Personnel data
• Quarterly
• Plan review
• As needed
• Organizational Change
• Process Change
• Technology Change
• Exercise
• Before (exercise preparation/plan review)
• After (lessons learned)
• Annually
• BIA
• Corporate Strategic Direction

18
Maintenance and Exercising BCP

• Exercise
• Validate your plans
• Familiarity with BCP procedures
• Reduce decisions, confusion, and recovery time
• Reduced costs at time of recovery!
• Exercise Types
• Walk-through (paper-based)
• Simulation
• Operational
• Exercise Guidance
• Start small
• Detailed procedures should be followed closely
• Should include backup data (restores) and
  call-trees
• Conduct surprise tests (very risky, only a few)
• Use actual but not live data

19
Crises Communications

• Escalation
• Disaster declaration criteria
• Problem Identification and Escalation
• when is it a disaster
• Contact Lists
• Initial Response Items
• Primary Notifications
• BC Coordinator, SMT, CMT/IMT
• BC Teams
• Damage Assessment Teams
• Secondary Notifications
• Other employees
• Customers
• Public
• Suppliers

20
Crises Communications

• Public Relations
• Issue initial Press Release
• canned response
• Establish a schedule for Press Conferences
• Communicate the name of official spokesperson
• Be prepared for all audiences (internal,
  external, media, agencies)

21
Coordination with External Agencies

• Identify applicable laws and regulations and
  determine impact
• Identify statutory industry requirements
• Ensure your plans meet all statutory and
  regulatory requirements
• work with statutory agencies as appropriate
• Identify and coordinate with agencies supporting
  BCP aims
• Identify and develop procedures with external
  agencies providing disaster assistance (financial
  and resources)
• Develop exercises with external agencies
• Establish exercise objectives
• Coordinate and execute exercises
• Debrief and report on exercises to include action
  plans

22
Speaker Contact Information

• Don Hall, Director Business Continuity
• Thomson Prometric
• 1000 Lancaster Street,
• Baltimore, MD 21202
• Phone 443-923-8000
• E-mail don.hall_at_thomson.com
• Website www.prometric.com