Managing Business Continuity and Resiliency in 2015
Spring is here. And it could not have come soon enough, after a particularly difficult winter for most of the U.S. Record-setting snow falls, flooding, and extreme cold temperatures plagued businesses, homeowners and travelers from November through March. Businesses shut down, flights were grounded, and many people were forced to hunker down and stay home.
How is your business prepared for severe weather, to protect property and life? Because most businesses are unprepared, according to a poll of America’s workforce by FM Global.
Nearly one third of full-time American workers (32 percent) assign their employers a grade of C, D or F when it comes to preparedness for a major winter storm, the research finds. Furthermore, more than half of U.S. workers (52 percent) employed full time indicated they are dissatisfied with their employers’ preparedness, wanting their company to be better prepared for a winter storm.
“America’s feedback speaks to the need for businesses to be more proactive, and overall more resilient, when it comes to winter weather,” says Brion Callori, senior vice president, engineering and research for FM Global. “Insurance won’t bring back lost customers, market share or fix a damaged corporate reputation for unprepared businesses. A business continuity plan which has been well-tested and communicated to employees can address such risk and help companies avoid costly physical and financial losses.”
For Shane P. Berry, Vice President, Asset Protection for Abercrombie & Fitch (A&F), which is based in New Albany, Ohio, this past winter’s snow and extreme cold was managed well within the organization. In fact, he says, “Disruptions and potential disruptions in the supply chain are anticipated even in normal conditions. Product delays because of port strikes, because of theft or diversion, geo-political and labor unrest, are all typical fluctuations for which our internal partners have established protections and safeguards. That is probably the single biggest threat from a business standpoint: ensuring the product continues to flow.”
Berry, whose background is in State and Federal Law Enforcement, including a stint with the FBI, was a Supervisory Special Agent in the Bureau’s Intellectual Property Unit at Headquarters in Washington, DC. He’s been with A&F since 2005, overseeing Brand Protection programs, primarily focused on Anti-Counterfeiting efforts and Supply Chain Security/Vendor Integrity, and then responsibility for corporate Sustainability (Human Rights & Environmental). His current role includes everything of a corporate security team (except for Information Security, which is overseen by an Chief Information Officer and IT team), which includes employee/associate safety, store loss prevention, and campus security, as well as all of the initial responsibilities in Brand Protection.
He has Loss Prevention Group personnel in nearly every location where A&F operates stores, which is currently 20 countries. He also has Brand Protection team members in London, Shanghai and Hong Kong. There are Sustainability roles at the Home Office and in Hong Kong.
His challenges with managing A&F’s emergency response protocols begin with the global reach of the company’s operations. “We have a Global Security Operations Center that operates around the clock at our home office, but we have stores, offices and distribution centers scattered across every time zone. Staying connected and managing responses to emerging or catastrophic incidents requires 24/7 capabilities,” he explains. “This massive global footprint requires painstaking coordination during normal operations, even more so during natural or geo-political catastrophes, creating the challenge of managing communications. We have an incredible group of brilliant people who are constructively aggressive in running their businesses. Unfortunately, this command presence can result in communication silos that complicate coordination during an emergency. We spend a lot of energy simply educating and socializing our associates about ‘who to call’ when an incident occurs. This may seem like a simple issue, but in a big company, confusion and misunderstanding can set in,” he says.
“We want one consolidation point for all communication during an emergency – in from our associates and out. We work closely then with our executive group and press relations team to ensure we remain aligned enterprise-wide. Communication is the biggest challenge – up and down and across our global organization; between countries, languages and time zones; and from department to department.”
Berry’s team plays a role in the normal course of business to identify, investigate and where possible, remediate risks and issues within the company’s supply chain, he says. “Operationally, the biggest impact of the cold and weather has been to store operations (opening and closing) and travel disruption. Like most companies, our Asset Protection team monitors all corporate travel. We review who is where on an active basis, and we make contact when we believe there could be travel disruptions or safety risks. We work closely with our Travel Department to help redirect our associates in advance of weather or other issues, and we make direct contact with our associates prior to departure when there are concerns that arise along their itinerary. Our Security Operations Center functions as the primary communication point for our store management team when the weather may affect business operations. The majority of the time, those decisions are made by the mall where our stores are located, and we typically follow their local guidance. All store closings and openings that are affected by the weather are communicated to our team, and we periodically circulate that information to relevant business leaders so that business plans can be adjusted to accommodate. Our team does a great job of looking at weather or other disruptions from a total company perspective, for example, how does this specific incident/issue have the potential to affect our associates, our customers, and our business? The quicker we can identify those risks and convey appropriately to business leaders, the more likely that we can contribute to continuity or, in the severe cases, getting the business back on-line as soon as possible. Engagement with strategic partners across the business (PR, Facilities & Maintenance, Supply Chain, C-Suite) becomes the single most important weapon in our arsenal.”
His corporate travel partners and global medical service providers have a suite of resources for the company and associates to leverage in the event of a crisis, he says. “Like most companies, we use these partnerships to provide support to our employees globally for medical emergencies and, in extreme events, evacuation. We also participate in a significant number of public/private consortiums, which allows us to capitalize on synergies between relevant government entities and a broad range of public companies. One example of a local group that we are participating in is OP3, the Ohio Public Private Partnership. This group creates a consistent channel of communication between Ohio companies and the government sector enabling quicker response when catastrophic events occur. More efficient response means, of course, that our companies are all back to business as quickly as possible and local Ohioans are back to work sooner. This is just one example of a growing number of similar working groups around the country and across the globe, which are designed specifically to minimize or mitigate the impact of any emergency. We have a number of other established relationships with companies who we deploy to address localized emergencies as well, such as recovering from a store fire.”
Like Abercrombie & Fitch, Ryder System and its customers fared well on the East Coast this past winter, in part because they were so well prepared. “During Winter Storm Juno our storm and operations team showed customers how to keep their trucks running during the cold weather, in addition to letting them know about closed facilities and to help them manage their own customer expectations,” says Bill Dawson, VP of Operations for Ryder. During bad weather, Dawson’s main goal is to mitigate disruptions in the supply chain and to keep employees safe.
Before Juno struck, Dawson and his team not only sent email blasts to customers to help them prepare, but also had information distributed at point of sale and instructed sales teams to contact every customer by phone. An online winter preparedness website was established last fall that offers specific winter preparedness information, including safe driving tips.
Dawson emphasizes having key contacts and resources in place year long, as when a natural disaster strikes, “There’s a scarcity of resources, and everyone is battling to get every material they can get their hands on.”
“We are headquartered in south Florida, which is prone to hurricanes, so we have a comprehensive disaster and business continuity plan, which begins with the safety of our employees, then our facilities and our customers,” Dawson adds. “Many of our customers are food distributors, pharmacies and retailers, who need to get back up and running as soon as possible, and they need large generators that can’t be found without advance planning. If we are doing our job well, we are in the background, because we want our customers to get their freight to their clients. They expect us to have in-depth and well-thought plans so that they can continue to run their business.”
The 12-Week Cycle
In his nearly two decades of crisis management and response, Bob DiLossi has witnessed countless times the important role that people play during a disaster. DiLossi, who is Director of Crisis Management and Infrastructure Recovery Testing for Sungard Availability Services, provides companies best practices on how to better prepare their people for a disaster, including assessing telecommuting and work strategies, focusing on internal resource planning and ensuring that they have the appropriate workgroup space lined up should a disaster occur.
“I think preparing your people is the best way to create awareness,” he says. “People have to be prepared so they’re not blindsided or surprised.” DiLossi offers companies a 12-week test cycle of its disaster recovery procedures, which includes using the people who would be involved in a areal life disaster so as to best create a realistic test experience.
“You need an A team,” he says. “That’s your best people. And that’s all well and good, but there are going to be times – and it’s been proven through many different events – that the A team is not available. So you will want to create a B or C team, and put them in that hot seat, so to speak, for a test and afterwards, circle them out to make sure they’re aware what goes on.
“And also for preparation, an employee who is pulled into a disaster recovery situation, like Hurricane Sandy or Katrina; they have to be assured that their family is taken care of,” he says. “Keeping your employees safe is an extension of keeping your business safe.”
He says that the businesses that best recovered after a natural disaster are the ones who were “on point. They knew when to deploy their people. They knew they had a good plan of where to get people to that facility and how to get them there, and a backup team.”
So it’s really important to do two things, he says: “Test your plan with your people there, and then close those gaps when the test result is identified. I know Hurricane Katrina is a long time ago but it still resonates to me because some A teams couldn’t be deployed, and when the B team came in, they had no idea what to do. They were fish out of water.”
Sungard Availability Services’ mobile recovery units (MRUs) provide companies an office workspace in the event their existing space is impacted during or after a disaster. These “work away from work” centers, DiLossi says, assist companies to remain operational through the recovery stage. The trucks can house up to 50 people, and are equipped with PCs, DirectTV, VoIP and a diesel generator. “The MRU worked well for one of our customers during Hurricane Katrina,” DiLossi explains. “The customer declared a disaster just after an evacuation was ordered. The mobile truck was deployed to a field in Iowa, where they ran their trading without a hitch.”
Sidebar: The 10 Commandments of Workpalce Emergency Planning
By Bo Mitchell, President, 911 Consulting
Emergency plans for your workplace are required legally, operationally and morally. Every management has a duty of care to keep personnel safe in any emergency.
To experts in workplace safety and security, the 10 Commandments of Workplace Emergency Planning are self-evident truths. But, these experts also recognize that most senior managers in corporations, campuses and medical facilities are ignorant of even their core management responsibilities for personnel safety in the workplace. In fact, many employers’ inside and outside lawyers are ignorant of these responsibilities. Workplace and worker law is a specialty unknown to most. But, once through this door, the documentation regarding the Ten Commandments is voluminous. Accordingly, we lay out here the legal rationale that proves these Ten Commandments.
All U.S. employers without exception shall create Emergency Action and Fire Prevention Plans.
OSHA is not a town in Wisconsin. Yet there are legions of employers who believe they are exempt. These regulations apply to corporations, campuses, medical facilities, non-profits, employers of any size or business model, federal agencies and, in most cases, state and local agencies.
All Emergency Action and Fire Prevention Plans shall be about personnel, not about data.
Too many workplaces have emergency plans that are all about data. All agree that protecting data is critical. But, what about the personnel at your workplace? Most employers are not required by law to have emergency plans for data. Yet just about every employer has an emergency plan for stats but not for staff! Remember, data can’t sue you. But an injured person or dead loved one’s family will always sue you.
All U.S. employers shall create an emergency team manned by employees.
OSHA interpretations – and simple logic – demand that someone take charge of on-site personnel during an emergency to search to ensure safety, account for everyone, rescue personnel and perform medical duties. This is about command, control and communications. During any emergency, your workplace needs someone in command, a team to control response, and the ability to communicate orders, movements and the headcount. This is your emergency team manned by employees identified and organized in your EAP and FPP to take charge in any emergency.
Remember, police, fire and EMTs are not the First Responder... they are the official responders who will come to your workplace in four minutes or 14 minutes. Your employees are the First Responders…When you go down, the nearest employee is your First Responder. Your plan shall recognize this by organizing your emergency response team of employees.
Emergency Action and Fire Prevention Plans shall stand alone, separate from Disaster Recovery and Business Continuity Plans.
While EAPs and FPPs are required by law, DR and BC plans are not for the majority of employers. That said, DR and BC plans are smart best practices for any employer. Emergencies often require a long recovery period – from one day to many months – that could require employee counseling, facility repair, reconstruction and moving to a second site. This requires the DR and BC plans necessary to recover once the “hot” tactical trauma to personnel and facility are concluded.
Planning shall be for all hazards.
All-hazards planning has been mandated for decades by national law and standards. This is not your father’s Fire Plan. The standards mandate that planning for your workplace incorporate a long list of emergencies including all man- and nature-made crises. Any emergency that is a foreseeable circumstance shall be planned for your workplace. Since terrorists crashed planes into high-rise office buildings, there is no such thing as a workplace emergency that can’t be foreseen. Google any “what-if” scenario in your industry, and you will find that emergency has happened to a workplace like yours.
All emergency planning shall be site specific. No plagiarizing. No HQ plan for all sites.
No landlord plan can substitute for tenant’s responsibilities under law. That said, there are legions of employers that take other sites’ emergency plans and apply this paperwork to their site. This plagiarism may come from an employer’s headquarters, a multi-facility safety or security group, or a downloaded and plagiarized template. This “emergency planning by cut-and-paste” leads to planning that is generic, not site specific and thus illegal. Many employers have a wide variety of facilities from high rises to low rises, in cities with widely divergent regulations and procedures. Planning that might work in a low rise is silly – no, dangerous – for a NYC high rise. What works in a San Francisco high rise does not work for a Chicago high rise. And if the planning is plagiarized, then the planning is not site specific and thus illegal. And the landlord’s plan is not your plan. Any tenant that purports their landlord’s plan is their plan is negligent and in violation of federal law regarding planning of EAPs and FPPs.
Planning shall cover all personnel: employees, contractors, temps, part-timers, interns, volunteers, visitors, special needs personnel, etc.
They’re still employees under the regulations, whether paid or unpaid.
Plans shall be updated to be current.
A plan out of date is a plan that:
- Does not keep current with new threats, procedures and best practices;
- Does not recognize the addition of new equipment;
- Does not recognize the change in the design or layout of the facility because of renovation or restacking; and/or
- Does not recognize the change or introduction of new processes.
Plans shall include policies, procedures and protocols for training, drills and exercises.
OSHA requires every employer to train all employees annually, at hire, when the plan changes or when the people in the plan change or their responsibilities change. Training shall reflect the planning. Thus, training shall be for all hazards. Every state’s fire code requires drills of some sort for every workplace. At minimum, annual drills are always recommended. More is better for ensuring personnel respond properly. Fire drills should be augmented by drills for Shelter in Place, In-Building Relocation, Active Shooter and the long list of foreseeable emergencies. While not required by law in most states, exercises are an outstanding way to audit your planning, training and drilling. Exercises are simulated scenarios whether presented in a tabletop; or a live simulation with employees and actors walking through their response. Exercises measure whether your people understand the plans, have absorbed their training, and remember their drill experience. What gets measured gets done right. Exercises are management’s audit tool to ensure their duty of care has been actually implemented.
The CEO is the Responsible Party civilly, personally and criminally.
There is no surprise that the CEO is the responsible party civilly. The Supreme Court of the United States (SCOTUS) has gone further by making the CEO’s responsibility not only civil but also personal and criminal. In two cases, SCOTUS listened to all the excuses: “I’m busy.” “I’m not ‘personally concerned’ with these regulations.” “I have ‘dependable subordinates’ in whom I have ‘great confidence.’” “We’re too big and spread out for me to be responsible.” SCOTUS listened to all these arguments then ruled that the CEO has a “responsible relationship” to the application and implementation of federal regulations. The SCOTUS decisions don’t let all other senior managers and line supervisors off the hook. They too can be held responsible at court civilly and criminally. Like the captain of a ship, however, the CEO is the ultimate responsible party at your workplace.