Emergency notifications - many things to consider (Part 1)

Emergency notifications are an area that every organization needs to master before it is needed. Solutions basically fall into 3 groups:

• Call tree or cascade system
• A 1-800 hotline number for employees to call
• An automated Emergency Notification System (ENS)

Call trees, I've observed, are typically organized in one of two ways. Using a department of 30 people as an example, the call tree would usually be organized one of the following ways:

1. The department manager calls all 30 people, noting anyone they are unable to get in touch with.
2. The department manager calls employee #1, who calls employee #2, who calls employee #3, and so on until employee #30 is contacted, who then calls the department manager to confirm all notifications were made. If employee #1 is unable to reach employee #2, they are to call employee #3, and continue calling employees until the next person is reached. The is also called a cascade system, or "call stick" since it resembles a stick more than a tree.

Call tree procedures often lack the depth needed in the event of an actual incident. Even if procedures are sufficiently detailed, both methods have benefits and pitfalls, as illustrated in the two tables below.

With either of these options, notifications will take a long time. Both methods are open to human error. 

Both methods have the problem of keeping the call trees updated and distributed, which may be feasible for an organization with 20 people, but not for an organization with hundreds or thousands. Both methods have the issue of how you are generating the call trees and storing information: is this information being pulled from he human resources / payroll data, or are departments expected to maintain their own call trees?

I've talked with many defenders of call trees, who believe if the procedures are detailed enough, they will be successful when needed.

I have to disagree. Getting employees to keep their contact information current in human resources / payroll data is difficult, getting employees to maintain current contact information in two systems in nearly impossible. Someone has to enter new employees and take out employees no longer with the company. It is almost certain that at any given time, the information in the two systems will differ. 

As business continuity professionals, we have to take into consideration the opportunity (and great potential) for human error in the middle of an incident or disaster.

The time it takes to reach employees can be critical if, for example, your company is trying to verify no one was in the building at midnight when a disaster happened.

I've never encountered, in any company, someone in the legal department who would approve of giving out employee contact information past the management level. It's simply a breach of confidentiality, and something the company has no right to do without documented consent from employees.

So why are so many companies using call trees? I think it's often a case where the business continuity professional is given direction to use call trees as a notification strategy, often  by upper management. The business continuity professional distributes the call trees, and no one objects . . . until something goes wrong. Upper management sometimes just fails to realize that confidential information is being shared not only with management but other employees, possibly even the legal department doesn't realize what is happening, and no one considers the risks and implications of this strategy.

Some of the best Human Resources personnel I've known have refused to grant Business Continuity any access to employee contact information, because of the confidentiality involved and because of the risks in granting access to systems often used for payroll. Obviously, that is a problem that impacts call trees and other methods of employee notification.

I can't recommend call trees to any organization I work with other than small businesses, and then the confidentiality issue still has to be addressed. 

Business continuity professionals need to educate upper management about the risks and short-comings of call trees, and steer them in another direction.

I'll discuss other options for notification tomorrow. Thanks for reading.

The CEO's knowledge of business continuity

Check out this great article from Continuity Central:

CEO? Here are three key business continuity questions you need to ask

So often, the CEO believes they have an understanding of business continuity that is greater than their true understanding. 

Business continuity professionals need to regularly communicate with the CEO to assure they understand the risk level the company was willing to take (as identified in the last Risk Analysis), what business functions were identified as critical to the survival of the company (and what business functions weren't deemed critical), and the resources required to either maintain critical functions without interruption, or recover critical functions in the in the Recovery Time Objective (RTO) as documented in the last Business Impact Analysis - including systems, data, sites, personnel, hardware including workstations

A CEO that understood these things 2 years ago when a Risk Analysis and Business Impact Analysis were completed may not recall everything, if they aren't involved in Business Continuity on a very regular basis (such as weekly, not yearly).

Can your CEO explain what is recoverable and in what time frame? Can they explain how many people would be working from home (if able) or waiting for facilities to secure a new site that can accommodate all employees and functions? 

Check out Continuity Central's article, and I'd love to know what you think.

And keep in mind that Business Continuity Awareness week is coming up in March and could be a great time to work on awareness with your CEO and upper management.

A common theme you may notice in my blogs is that I campaign hard against the idea that disaster recovery is dead (long live business resilience). Unless your RTOs for every function are zero downtime, and you have a perfect mirroring of all systems (which doesn't mean you're immune to disaster), you have work-space recovery for 100% of employees, disaster recovery is still relevant. Even if you have all of those things, you still have to deal with Crisis Communication, Emergency Response and Emergency Management, and Disaster Recovery. 

There is no getting around it. Business Continuity and Business Resilience plans enhance the Disaster Recovery plan, not replace. You can't disaster-proof your business. If you could, well, a lot of us would be out of a job!

Check out my Toolbox page for some resources you may want to incorporate for Business Continuity Awareness week.

More Dynamic Tabletop Exercises for Emergency Response and Crisis Management

One of the challenges of tabletop exercises is that they don't become a predictable reading of the plan. Tabletop exercises are very cost effective, but they aren't known for being creative or exciting  (in general).

One of the benefits of tabletop exercises is that they're very cost effective. And they are a great tool to use with upper management since travel can be minimized. But in order to keep upper management in your organization interested in tabletop exercises, you've got to lead dynamic tabletop exercises that stay fresh and non-repetitive.

FEMA has developed tabletop scripts for organizations to use for three scenarios: a critical power failure to multiple communities, a chemical accident, and an impending hurricane. The chemical accident and hurricane scenarios both have "video inject scripts" that you can use as the exercise progresses:

Emergency Planning Exercises (FEMA)

If you've never presented a tabletop exercise, or would like some new ideas to incorporate, check out the FEMA site and put this in your toolbox!

Ready.gov - Testing & Exercises

Ready.gov Testing and Exercises

Ready.gov has put together a list of the benefits of testing. They also did a fantastic job of discussing the use of the term 'exercising' vs. 'testing':

Testing the Plan

When you hear the word “testing,” you probably think about a pass/fail evaluation. You may find that there are parts of your preparedness program that will not work in practice. Consider a recovery strategy that requires relocating to another facility and configuring equipment at that facility. Can equipment at the alternate facility be configured in time to meet the planned recovery time objective? Can alarm systems be heard and understood throughout the building to warn all employees to take protective action? Can members of emergency response or business continuity teams be alerted to respond in the middle of the night? Testing is necessary to determine whether or not the various parts of the preparedness program will work.

Exercises

When you think about exercises, physical fitness to improve strength, flexibility and overall health comes to mind. Exercising the preparedness program helps to improve the overall strength of the preparedness program and the ability of team members to perform their roles and to carry out their responsibilities. There are several different types of exercises that can help you to evaluate your program and its capability to protect your employees, facilities, business operations, and the environment

I know some people have become adverse to the word 'testing', feeling that if the test isn't 100% successful, it reflects poorly, like a failure. Personally, I use the words interchangeably. I think one key to a successful exercise program is setting the expectation with management that it is designed to find the areas that need improvement, and there will always be areas that need improvement.

In my opinion, if an organization is testing year after year and they're finding no weaknesses in the continuity plan, then they need to look at changing the testing scenario. Recovering the IT environment isn't proof of business continuity, it's one component. Some  organizations may over-focus on IT recovery/resilience, at the expense of other plan components such as:

• Command and control procedures
• Communications with employees, shareholders and the media (employees may have been told not to speak to the media if an event occurs, but have you updated that direction to include not posting to any social media or taking unauthorized pictures during a recovery?)
• Alternate facility for employees to work in, both locally and farther away in the case of a large incident
• Staffing, cross-training and the need for alternate staff
• Managing customer communications and expectations

Testing is such an important component to the business continuity program. Once it's become an integrated part of the program, it's important to continuously reevaluate the scope and scenario of your exercises.

Notification Wallet Card Template and Awareness Training

Business Continuity Contact Card (Wallet Card) Template

This PowerPoint presentation was shared on www.slideshare.net: Best Practices in Business Planning for Pandemic Influenza, by Jim Goble, CBCP, at National City Corporation. It's from 2006 but a lot of it is still relevant, including the Wallet Card template on slide 12. 

If you've never created a Wallet Card for your organization, they're very useful. Team members may have a lot of that information on their phones, but it could be outdated. By developing and distributing a Wallet Card, they can refer to it and updates contact information in their phones. This is Crisis Communication, something a team would access during the Notification Phase of an event as well as the Assessment Phase.

Make sure you date your Wallet Cards, so employees can easily tell if they're looking at the most recent version. I recommend updating the card quarterly, or more often if important information changes.

If your organization isn't used to the idea of a Wallet Card, this can be something you introduce during Business Continuity Awareness Week, March 16 - 20, 2015.

http://bcaw.groupsite.com/main/summary

BCAW also has a lot of information you may want to add to your toolbox. You can also sign up for the group so that you'll get reminders about Business Continuity Awareness Week. 

If you know that Business Continuity Awareness is an area your organization needs to work on, make this the year that you introduce Business Continuity Awareness Week!