In the News: From Survivor to Survivor – Managing the stress after a disaster

(The views expressed in the CNN story do not necessarily represent the official views of the United States, the Department of Homeland Security, or the Federal Emergency Management Agency. FEMA does not endorse any non-government organizations, entities, or services.)

With the great amount of devastation Sandy has brought upon states along the East Coast, I wanted to take a moment to share an article on CNN.com from Hurricane Katrina and Joplin survivors who felt the way many disaster survivors may feel at this point in time. Three days after Sandy’s landfall, millions of people remain without power and their homes and lives as they knew it, have completely changed.

Here’s an excerpt from storm survivors sharing their experiences and giving advice on how to move forward after experiencing a disaster:

Devastation is devastation, whether a hurricane rips up your home or a tornado takes the person you love most in the world. It’s loss, shock and confusion. It’s anger and sadness and resentment. It’s being flustered like you’ve never been flustered before.

But it’s going to be OK: Take it from the people who survived Hurricane Katrina and the Missourians from Joplin whose town was leveled by the worst tornado in U.S. history.

They want Sandy survivors to know a few things:

You’re probably on autopilot right now. You’re moving through it. Stand in the ruins of the life you had before the disaster. Understand that was before. The after is when you’re good and ready.

Hours will still go by though. Days will happen. You might not remember to eat because you’re filling out paperwork and talking to insurance operators. You will get put on hold.

Your life will feel forever on hold.

At some point, when you think you’re handling it, you will stumble on something that reminds you of that old life, maybe it’s a thing or it’s a memory. Maybe this will happen when you finally get the sleep you’ve gone without since the disaster. You’re going to feel really, really awful again for awhile.

Eileen Romero, Hurricane Katrina Survivor, “Understand that the life you had before something like this isn’t coming back, and that’s not always a bad thing. Discover and make yourself anew.”

Read the rest of the story from CNN.

As we continue to deal with the aftermath of Hurricane Sandy, we remain committed to bringing the resources of the federal family together to support disaster survivors. We are and will continue to work side by side in close coordination with state, local and tribal emergency management officials, voluntary and faith-based communities, and private sector to support response and recovery efforts in affected states.

Hurricane Sandy Update

Well, in theory the worst of Hurricane Sandy is now over. But for hundreds of thousands of people, the destruction left behind is a large barrier to getting over the storm’s destruction. With some people trying to get back to normal – battling traffic to get into Manhattan there are many many other people who are facing lost homes, missing belongings, the loss of businesses and many unanswered questions.

The East Coast is in the early days of realizing how much Sandy has really impacted folks. While some will be wringing their hands suggesting that people, government, and business should have been better prepared – there really are no clear cut answers. In coming days we will learn of communities, businesses, people and institutions that were prepared for such a disaster and we’ll hear and read stories of those that weren’t. Now is not a time for placing blame and pointing fingers – but rather a time to come together and support those that we can.

As we did earlier in the week, we’ve pulled together some links about Hurricane Sandy:

  • Status of services and transportation in New York City
  • Google’s crisis map
  • Gas shortages and traffic jams
  • A report on communities that were and weren’t prepared
  • Medical research losses mounting
  • Disaster relief funding
  • The New York City marathon will go on
  • Prepared but not prepared enough
The thoughts of everyone here at DRJ are with those who have been impacted by Hurricane Sandy. 

In the News: From Survivor to Survivor – Managing the anxiety after a Disaster

Posted by: Lars, Anderson, Director, Public Affairs

(The views expressed in the CNN story do not necessarily represent the official views of the United States, the Department of Homeland Security, or the Federal Emergency Management Agency. FEMA does not endorse any non-government organizations, entities, or services.)

With the great amount of devastation Sandy has brought upon states along the East Coast, I wanted to take a moment to share an article on CNN.com from Hurricane Katrina and Joplin survivors who felt the way many disaster survivors may feel at this point in time. Three days after Sandy’s landfall, millions of people remain without power and their homes and lives as they knew it, have completely changed.

Here’s an excerpt from storm survivors sharing their experiences and giving advice on how to move forward after experiencing a disaster:

Devastation is devastation, whether a hurricane rips up your home or a tornado takes the person you love most in the world. It’s loss, shock and confusion. It’s anger and sadness and resentment. It’s being flustered like you’ve never been flustered before.
But it’s going to be OK: Take it from the people who survived Hurricane Katrina and the Missourians from Joplin whose town was leveled by the worst tornado in U.S. history.

            They want Sandy survivors to know a few things:

You’re probably on autopilot right now. You’re moving through it. Stand in the ruins of the life you had before the disaster. Understand that was before. The after is when you’re good and ready.
Hours will still go by though. Days will happen. You might not remember to eat because you’re filling out paperwork and talking to insurance operators. You will get put on hold.

            Your life will feel forever on hold.

At some point, when you think you’re handling it, you will stumble on something that reminds you of that old life, maybe it’s a thing or it’s a memory. Maybe this will happen when you finally get the sleep you’ve gone without since the disaster. You’re going to feel really, really awful again for awhile.
Eileen Romero, Hurricane Katrina Survivor, “Understand that the life you had before something like this isn’t coming back, and that’s not always a bad thing. Discover and make yourself anew.”

Read the rest of the story from CNN.

As we continue to deal with the aftermath of Hurricane Sandy, we remain committed to bringing the resources of the federal family together to support disaster survivors. We are and will continue to work side by side in close coordination with state, local and tribal emergency management officials, voluntary and faith-based communities, and private sector to support response and recovery efforts in affected states.

Using Toolkits to Make Company Continuity Less complicated

By Greg Marbais, Avalution Consulting
Article originally posted on Avalution Consulting’s Blog

Many business continuity professionals face shrinking budgets and, because of an expanding business continuity program scope and aggressive recovery objectives, lack the time necessary to “touch” all areas of the organization and optimally prepare for disruptive events. As a result, practitioners need a way to create repeatable processes to execute recurring planning activities in a decentralized manner while making efficient use of the organization’s personnel to comply with management’s expectations. One approach we often find useful in rolling out a standardized, thorough, efficient and repeatable process for business continuity activities is the creation of a business continuity program toolkit. A business continuity toolkit typically contains a set of instructional narratives, as well as templates, tools and examples to help dispersed personnel appropriately execute business continuity planning activities consistent with organizational standards.

The development of business continuity toolkit is an approach growing in popularity, with the end goal of implementing and executing repeatable, effective business continuity activities across larger, dispersed organizations in order to meet management’s performance objectives. Business continuity toolkits often include instructions that are easy for those charged with planning – especially those planning on a part-time basis – to follow and understand. This approach makes the most out of centralized business continuity professionals and provides part-time planners with the proper information to be effective in their planning role.

Preparing to develop and implement a business continuity toolkit should begin with a clear set of objectives, outcomes and how success will be measured, obtaining approval from management (as required by the organization) and establishing a timeline with key milestones.

What’s in a Business Continuity Toolkit?
The contents of a toolkit are necessarily unique to each organization; however, most contain the following:

  • Governance materials that establish the expectations of the organization for business continuity planning. 
  • Written instructions and guidance to prepare for, execute and conclude each core business continuity activity, together with recommendations regarding how to select and engage the most appropriate resources. 
  • Templates that address common program elements. 

Documents commonly included in a toolkit are shown in the following diagram:

Example Toolkit

The materials and application of the toolkit will vary from organization to organization; however, it’s important to ensure that the toolkit is written and designed at a high enough level so that every organizational element can utilize the content and apply it effectively. Instructions should include task detail, links to templates and examples, and the method to maintain and continually improve the outcome. Further, the instructions included in the toolkit should provide users with a structured process to execute a business continuity activity in alignment with organizational policy and program requirements.

As noted above, an effective toolkit will include templates and examples that help those charged with planning to perform the required activities and tasks listed in the instructions, all leading to an appropriate level of preparedness for disruptive events. Templates and examples included in most toolkits include interested party communications, meeting and planning session agendas, report structures and presentation files. Each template should be referenced in the instructions as to when it should be used. Templates often included in a toolkit are:

  • Communications templates provide a structured method to convey expectations for all planning participants. An example email template used for a business impact analysis (BIA) kickoff meeting would explain that the department is implementing or reviewing a BIA, that the recipient has been identified as a person that should be involved in the process and what the recipient will be expected to do during the data gathering effort and throughout the BIA process. 
  • Agenda templates provide a basic structure to help planners carry out meetings designed to plan for or perform business continuity planning activities. An example agenda template used for a BIA kickoff meeting often includes an introduction to the BIA, a discussion of the scope of the BIA, a review of roles and responsibilities for all participants, an overview of the BIA process, and next steps in order to prepare for the BIA. 
  • Report templates provide a structure that enables planners to document the information necessary to enable preparedness for disruptive events. For example, a template used for summarizing BIA information would include a high-level summary of the information necessary to justify recovery objectives, a structure for reporting the detailed findings, and next steps. 
  • Presentation templates provide the basic structure and content used to convey findings, recommendations and enable management decision-making. For example, a BIA summary presentation would convey recommended recovery objectives, justification and perhaps even gaps between recommendations and current-state capabilities. 

Before Building a Toolkit
A business continuity toolkit is only valuable when the basic process for conducting a business continuity activity is defined and expectations agreed upon. When developing a toolkit, it is important to first create the structure for the business continuity program and reflect this structure in a policy statement and standard operating procedures (SOP). The toolkit essentially translates the program into actionable activities and tasks for those required to perform business continuity activities. Since the toolkit is meant to make performing business continuity activities easier and the outcomes better, it may not be valuable early in a program’s maturity when frequent changes to the toolkit are likely needed. In addition, it may be helpful to “beta test” the toolkit prior to rolling it out throughout the organization.

Another important consideration is the effect of culture on the use toolkits. Large organizations with independent business units spread across multiple geographies could have significantly different corporate cultures. Different cultures could lead to differing approaches to executing business continuity activities, such as a BIA. The toolkit needs to be adapted to the local culture – and diverse regulatory requirements and customer expectations – which is more than translating it into the local language. In addition, the process described in the toolkit may need to be adapted. For example, an organization that uses workshops to elicit business continuity strategy options in the United States may run into difficulty using the same process in China. In China, a similar process would often generate few strategy ideas, especially if the workgroup includes personnel at multiple levels of the organization. There is a cultural factor in China that prevents employees from providing feedback which may harm the reputation of another member of the group. This cultural factor means that conducting a BIA or trying to obtain strategy options requires changing the approach to get valid information. Ultimately, culture plays a substantial role in the effectiveness of a business continuity program, so it’s important that the program is adapted to the culture.

Conclusions
A business continuity toolkit enables the execution of a decentralized program and the implementation of standardized, consistent and compliant business continuity activities in an efficient manner. Bottom-line, the benefits a toolkit provides to the business continuity professional and the organization as a whole are that it:

  1. Clarifies expectations for those performing planning activities and provides examples to illustrate expectations; 
  2. Reduces the risk of non-compliance with regulatory requirements or other obligations; and 
  3. Enables the business continuity professional’s transition from an advisor on all preparedness tasks to a consultant to the most important and complex tasks. 

In the end, a business continuity toolkit helps optimize limited resources and appropriately engage personnel throughout the organization, thus mitigating risk and enabling effective recovery from disruptive events.

If you’re considering using a toolkit to roll out business continuity across your organization, please contact us to discuss how we can quickly establish a toolkit for your organization and aid you in deploying it.

—————————

Greg Marbais, Consultant
Avalution Consulting: Business Continuity Consulting

Our consulting team regularly publishes perspectives (shorter, independent articles) that touch on the trends currently affecting our profession and the strategic issues facing our clients. This is one of our most recent posts, but the full catalog of our perspectives – over 100 published since 2005 – can be accessed via our blog.

Planning for Disaster

Nothing can sink your small business faster than an unexpected disaster, so you need to be prepared. And disaster recovery preparation is easier than you think.

Planning For DisasterHurricanes, tornadoes, earthquakes, sprinkler malfunctions, burst pipes, electrical fires, power outages, a failed hard drive – big or small, a disaster could knock your company offline long enough to put you out of business. But it doesn’t take much preparation to make sure you can get back online quickly.

John Motazedi, CEO of SNC Squared – a business that was saved after a tornado thanks to its disaster recovery plan – recommends starting with a few things that would make it difficult to run your business if they were suddenly gone. Once you’ve figured out where you’re vulnerable, it should be pretty clear what you need to do to protect those assets and processes.

Planning for Disaster Records

Keep detailed records of all your business contacts so you can reach them in event of emergency. You may need backup office space, an emergency credit line, a cloud backup copy of your critical data – it might not take much to keep you going.

So take the time to think about what you absolutely need for your business to survive. It should tell you valuable things about your business regardless of whether you ever need that disaster recovery plan.

Adapted from How a Disaster Recovery Plan Can Save Your Business at Small Business Computing.

Read more on Planning for Disasterhttp://business.time.com/2012/10/22/planning-for-disaster/#ixzz2A99YeXMW

5 Tips for Keeping Your Information Secure in the Cloud

Sometimes after you migrate your business data and applications to the cloud via cloud servers, it is easy to forget that data security is something that should be consistently monitored.  There are a few things to consider after your company’s migration to the cloud to ensure your data stays safe at all times. 

 

  1. Credentials:  Your username and password should be complex and unique for every service or site you use credentials for.  This way, if the credentials for one account get compromised, the rest of your accounts remain safe.  If you are worried that login information will be lost or forgotten, there are apps and software available to help with password management.  
  2. Be careful where you login:  Often times, users login from devices that are not their own, which could be saving login information through the web browser and therefore, jeopardizing the data’s security.
  3. Security Questions:  Avoid implementing security questions for your accounts that can be answered by simply conducting an online search.  For example, if the answer to your security question can easily be found on your Facebook, Twitter, or LinkedIn profile, choose a different question.
  4. Encryption:  Encryption software scrambles and codes your credentials so that they are harder to procure, which helps your data remain uncompromised.
  5. Anti-Virus and Anti-Spy Software:  All access to the cloud comes from your local system first.  Therefore, if your system is at risk, so is your data in the cloud.  Anti-virus/anti-spy software is important to keep out trespassers and to block unsafe sources that can download software and steal personal information from your computer. 

 

Atlantic.Net provides secure cloud hosting solutions where data can be stored in an encrypted format using Public Key Encryption (PKE).  Atlantic.Net is constantly monitoring and upgrading their systems to ensure that their client’s data is as safe as possible. 

A Closer Appear At: ISO 22301

I just downloaded the updated Rules and Regulations spreadsheet… To say there is a lot of great content and information in this spreadsheet would be an understatement. This Rules and Regulations spreadsheet was compiled by a team of industry experts (all members of the DRJ EAB). 

The most recent update to this resource was in August 2012, and I thought it would be a good idea to write about different rules and regulations that you might not know about, have been recently amended or added or you might not fully understand. (Yes, this is me urging you to post comments about which rules and regulations you would like me to investigate and write about for you!) 

For the first look at the rules and regulations that impact everyone in the BC space, this post focuses on ISO 22301. 

 ISO 22301 

Here is the short summary of ISO 22301 from the bsigroup.com website: 

ISO 22301 is the new international standard for business continuity management. It has been created in response to strong international interest in the original British Standard BS 25999-2 and other regional standards. And if you meet the requirements to gain certification, your organization will be recognized globally. 

ISO 22301 identifies the fundamentals of a business continuity management system, establishing the process, principles and terminology of business continuity management. 

It provides a basis for understanding, developing and implementing business continuity within your organization and gives you confidence in business-to-business and business-to customer dealings. Use it to assure key stakeholders that your business is fully prepared and you can meet internal, regulatory and customer requirements. 

The standard provides organizations with a framework to ensure that they can continue operating during the most challenging and unexpected circumstances – protecting their staff, preserving their reputation and providing the ability to continue to operate and trade. 

What does this really mean? 

Essentially, this standard gives your organization the basis for identifying the threats facing your organization and how to withstand and be prepared for these threats. With ISO 22301 you have the tools to react proactively and be prepared for these threats. 

With this level of preparation and framework, your investors, colleagues, partners and brand have the confidence that your organization is prepared and ready to face threats and disaster head-on. 

ISO 22301 provides a formal business continuity framework and will help you to develop a business continuity plan that will keep your business running during and following a disruption. It will also minimize the impact so you can resume normal service quickly, ensuring key services and products are still delivered. 

How does it impact your business? 

We’ve written before in this space about how critical it is to be prepared for every level of threat – this includes natural disasters as well as normal day-to-day disruptions such as employee illness or loss of supply chain continuity. All of these can have a big impact on the success of your business and its ability to remain profitable. 

With ISO 22301 you have undergone the certification that proves, you are aware of and have identified these threats. The impact to your business being that your business is ready and prepared to react to threats and limit disruption. 

What do you need to tell your colleagues? 

A visit to the bsigroup.com website details a long list of benefits – so we’ll highlight a few here that stand out: 

Cost savings : You’ll have the opportunity to reduce the burden of internal and external BCM audits, improve financial performance and reduce business disruption insurance premiums.

Business improvement: 
Certification requires a clear understanding of your entire organization which can identify opportunities for improvement. 

Continuous improvement : The certification process involves regular audits that ensure your management system is up to date. 

Maximize quality and efficiency : ISO 22301 provides a framework based on international best practice based around the ‘Plan, Do’ Check, ‘Act’ concept. 

As you know there is a very long list of reasons why your business needs to adhere to rules and regulations – and each rule and regulation has its own benefits. 

What is interesting with ISO 22301 is the impact it has on BS 25999-2: 

  • BS 25999-2 has been superseded by ISO 22301. 
  • BS 25999-2 should be withdrawn on November 1, 2012. 
  • Businesses can make a transition from BS 25999-2 to ISO 22301. 
  • BS 25999-2 certification remains valid during the transition to ISO 22301. 
  • Certifications and renewals for BS 25999-2 will end after May 2014. 

Next steps? 

Now that you have the basics of this new standard, it is time to sit down and really review the website, watch the webinars, and send your questions to [email protected]

Make sure you review the recently updated DR Rules and Regulations spreadsheet – you can use this spreadsheet to quickly compare these rules and regulations and easily access more information. (And don’t forget to respond to this post and let us know about the rules and regulations you’d like us to take a closer look at.)

DR and Crisis Management

Recently, DR/BCP professionals have sent me inquiries about how to handle crisis management or crisis communication, especially during a DR event.  DR/BCP professionals may be highly involved in managing a data or system recovery and unable to devote attention to managing the entire crisis that may result. They need crisis management professionals on their team.  It wouldn’t be practical to have a crisis management professional on each DR/BCP team, but it w0uld be an excellent time to partner with the corporate or organizational crisis management/crisis communication professional.

I’ve done Incident Management Team training for private sector organizations, sometimes at several of their critical facilities across the nation.  The Incident Command System (ICS) model provides a framework for integrating crisis management, crisis communication and DR/BCP operations when disaster strikes.  Most private sector organizations have found ICS to be extremely helpful and affordable if it has be tailored to their business and presented by consultants who understand both the private and public sector uses of ICS.  Private sector CEOs also see the benefit in being compatible with public emergency response organizations.

Crisis management is NOT DR/BCP.  It is a necessary subset.  In my experience, ICS can be taught from the bottom up, rather than the traditional top-down, command and control orientation.  I teach private sector Incident Management Teams that the key figure in response is the Operations Section Chief (the DR/BCP CIO or designee in the case of an IT emergency). This is the person and section that can “fix the problem,” as Ed Devlin would say. All other ICS positions are there to support the Operations Section. I like the Incident Commander (ICS term) to be thought of as an “Incident Manager.”

How are you prepared to manage a crisis and to communicate critical information to stakeholders? Do you have crisis management expertise to support you DR/BCP resiliency team?

South Carolina’s Faults due for a ShakeOut

Posted By: Derrec Becker, S.C. Emergency Management Division (@SCEMD)

The earthquake threat that exists in South Carolina typically doesn’t get much attention as say, a hurricane, a tornado or even an ice storm potential.  Many living in the Palmetto State aren’t aware that the epicenter of the largest earthquake ever recorded on the eastern seaboard was near Charleston, S.C. on August 31, 1886.  This magnitude 7.3 earthquake resulted in 60 deaths, 90 percent of all buildings in the Charleston area were destroyed and property damage was estimated at $ 5-$ 6 million in the period’s currency.

The 1886 quake was felt over 2.5 million square miles from Chicago to Cuba.  The South Carolina Emergency Management Division estimates an earthquake of similar magnitude occurring today would result in hundreds of fatalities; the damage to infrastructure and the economy would be spread over many states for many years afterwards.

It’s important for communities that may not be as susceptible to frequent earthquakes to be aware that it’s still a risk they should prepare for.  Even though South Carolina hasn’t experienced an earthquake of such severity since the 1886 Charleston event, we experience 10-30 measurable tremors a year, with 5-6 on average physically felt.  That’s why as part of the South Carolina’s annual Earthquake Awareness Week, more than 213,000 people from the state are participating in the Great Southeast ShakeOut.  For example, an elementary school will be visiting the South Carolina State Museum on Thursday, visiting an exhibit on the 1886 earthquake and also participating in the drill at 10:18 a.m. Additionally, South Carolina Emergency Management Division is holding an earthquake preparedness table top earthquake exercise with several county emergency management agencies near the South Carolina-Georgia border.

Planning for this drill has given state emergency management communities an opportunity to have a little fun while conducting a disaster preparedness campaign.  Through the development of Public Service Announcements, promoting social media pages, hosting chats and getting out in the communities, public information teams from the Nation’s Capital to Savannah and everywhere in between have been creative and enthusiastic about the Great Southeast ShakeOut- a testament to how dedicated our emergency management community is to making sure the people we serve have the information they need to make decisions about their personal safety.

We’ve been able to discuss the differences between the Richter and Mercali scales, to explain why some companies don’t offer earthquake insurance and to encourage people to take this opportunity to understand the types of emergencies their communities are most vulnerable to and take steps to prepare for them; all through multiple platforms, traditional and new.  Plus, in states where college football reigns supreme, it’s been a friendly competition to see which state gets the most participants to practice “Drop, Cover and Hold On” at 10:18, on 10/18. I hope you’ll sign up to participate, too.

Derrec Becker is a Public Information Officer with the South Carolina Emergency Management Division and can be reached at [email protected] and via social media @SCEMD.

The GAP in DR/BCP/EM Technologies

The GAP in DR/BCP/EM Technology

Recently I attended a concert at my grandchildren’s school
in a small, rural community in Upstate New York.  A small child in the row behind me was using
what appeared to me to be a tablet computer. Amazed by the use of technology, even
by very young children, I had thoughts of how widespread the use of
sophisticated technology had become, even in remote areas.  There have been times when I felt government
agencies and some businesses assumed the presence and use of technologies to be
far greater than actual.  I challenged a
DHS employee on the use of GIS and various mapping capabilities, stating that
rural communities lacked such capabilities. He replied that his information was
just the opposite, that the use of GIS and other mapping functions was very
popular and widespread.

From my experience in rural counties, computing capacity is
not as great as reported by the DHS. 
This raises the question of capabilities of small and medium-sized
businesses to use sophisticated systems often displayed in the DRJ exhibit hall
and in articles about systems including rapid notification, GIS, and
applications for emergency and business continuity planning and response.  Is preparedness as well equipped as we often
assume?

I suspect small businesses are underprepared with business
continuity technologies.  Some larger
businesses may have the means to acquire such applications, but are not supporting
their use and maintenance.  Larger
government agencies seem to have the technology, but local governments,
especially rural municipalities, have less. Awareness is lacking in some
cases.  I met with an IT systems person
at a rural county who had ESRI and the tools to do mapping and global
positioning of such items as fire hydrants, but had no awareness of HAZUS-MH,
the free natural hazard tool from FEMA for mitigation planning.

What I am suggesting is that there is a gap between those
who are knowledgeable about new technologies for disaster recovery,
preparedness, and business continuity and those who are less aware or unable to
afford such technologies.  The danger is
for the “haves” to assume that the “have nots” can keep up with preparedness,
response and recovery efforts when disaster strikes.  The greatest gap is in public
information.  We assume the public can
receive a critical message, but many cannot. As we progress with technology,
and we should, we cannot forget those who don’t have it.

And, by the way, the child sitting in the row behind me at
the concert was playing with an Etch-a-Sketch.