Inside Business Continuity
Apr 1, 2004 12:00 PM, By Mark Pickett
Few business functions are as capable and prepared to react to emergency and crisis situations as are the physical security department and its officers. However, many companies' corporate security departments do not address the function of business continuity — although common sense dictates there is no better place for that responsibility to reside.
A recent study by the Conference Board, “Managing Corporate Security: Patterns of Organization” found that most major companies manage their security responsibilities in a decentralized way, usually through three distinct silos consisting of physical security, IT security and risk management. Given this structure, business continuity initiatives requiring well-coordinated planning and training are difficult — if not impossible — to achieve.
Business continuity relates specifically to the continuation and survival of the core function of the enterprise. It is important that the continuity plan should be a way of doing the business, not just an adjunct to the business. IT departments illustrate the best example of this approach — they cannot lose or have electronic information inaccessible, so they integrate continuity practices as part of their normal business functions.
An integrated approach to business continuity requires organizations to merge the many standalone efforts into a cohesive process that blends together strategy, competitive intelligence and event- or response-driven management. This approach can then facilitate the typical “pro-active” planning principles of detection and deterrence. It can also enhance education and awareness programs, and training and response capabilities.
A truly integrated continuity plan provides value by reducing multiple plans down to a single format plan that is readily manageable. It provides a consistent framework for operations, whereas separate plans for disaster recovery, emergency response and crisis management can create confusion, duplication of effort, depletion of resources and possibly cause inaction.
An integrated plan provides a consistent response process and framework for operations, combining strategy and competitive intelligence into business continuity processes. It will enhance security safeguards against errors and omissions and provide a basis for ensuring operational resilience through prepared responses. Most importantly, an integrated business continuity plan should enhance clear communications between the continuity facilitation team and external business partners because these partners will become vital to the organization during the recovery process.
Ten Action Steps
Reviewing and then implementing the following ten action steps developed by Geary W. Sikich, a principal of Logistical Management Corp. and a strategic alliance partner of The Wackenhut Corp., into one's own situation can produce positive results for an organization.
- Make the enterprise an unattractive target
Although it may be contrary to the golden rule of advertising, make your place of business as inconspicuous as you can. Additionally, present an immediate or sudden image of security and protection. Identify appropriate psychological barriers and deterrents.
- Revise employee screening processes
If your company does not provide an in-depth background search on new-hires, then management is placing employees and assets at great risk. Basic due diligence principles validate that you need to know whom you are hiring. At a minimum you should conduct a background check that includes the following:
Social Security number confirmation trace;
Credit report for employment purposes;
Verification of activity for last seven years, to include prior employment, education and unemployment of 60 days or more;
Criminal record history including nationwide wants and warrants, residential addresses for last seven years and statewide searches (where available);
State driving record history; and
Specially designated nationals and block persons lists.
- Validate business, community and government contracts
Know whom your company is doing business with. Conducting investigations with suppliers, vendors and customers will help reduce issues of fraud and work stoppage. It will also help prevent liability issues through third party criminal activity.
- Assess business continuity plans
If your company already has a business continuity plan then consider the following:
Does the plan present an integrated approach by incorporating recovery, emergency response and crisis management issues?
Is the plan current?
Has the facilitation team exercised the plan within the last 12 months?
When was the plan last revised or updated?
- Train and educate the workforce
Practitioners know and understand that the best of plans never work unless the employee base has been properly trained and know how to respond appropriately. Continuing to educate employees, key managers and plan facilitators will make or break the recovery process. Key players in a response or recovery program cannot perform if they don't understand their role. Train, exercise, train and exercise again.
- Equip the workforce
Make sure the workforce has the necessary tools to fulfill their role in an emergency recovery situation. Do key facilitators understand the plan objectives and have they been equipped with the authority, means and tools to accomplish their role?
- Review leases and contracts for risk exposure
Current lease agreements and contracts for operating centers, sales offices, administrative offices and contingency backup locations should be reviewed to identify potential risk exposure. Are lease arrangements for potential relocation sites current? Considerations should include whether or not contracts may have clauses that provide for business asset losses or security protection provisions. Is, for example, the landlord responsible for providing a certain level of security, and can he be held liable if property loss occurs? Is it stated or implied that the lessee is responsible for rent or payment of utilities if the property is uninhabitable? How do the insurance provisions provide for the gap caused by lease or contract shortfalls?
- Assess value-chain exposure to supply disruptions
Critical to all organizations is their value chain. The value chain includes all internal and external “touchpoints” to suppliers, customers, outsourcing, strategic partners and other entities that ensure an organization's continued success. As with the critical infrastructure assessments, the organization needs to assess the potential effects of a disruption of its value chain to supply disruptions. In conducting the assessment, a variety of scenarios need to be developed to assess the short-term, intermediate-term, and long-term effects of a disruption.
- Review insurance policies and conduct cost/benefit analysis
As a result of the events that occurred on Sept. 11, 2001, and subsequent events taking place now, a review of insurance policies with respect to coverage, exclusions and exceptions needs to be accomplished. Insurance companies have been and will be impacted by the events of Sept. 11 and events yet to occur. Many organizations will find that a cost-benefit analysis will offer an effective aid to decision-making processes, strategy planning and the development of risk reduction solutions.
- Communicate commitment
Executive management must demonstrate their commitment by being involved in the plan exercise implementation process. Key facilitators and other employees must also know of and understand the importance of this commitment level. Additionally, executive management should clearly understand that plan implementation protects them as well as the company.
FOR THE RECORD
About the author
Mark Pickett, CPP is the vice president of consulting services for The Wackenhut Corp. He has over 20 years of experience in the security consulting industry.
BUSINESS STUDY
| PHASE | TASK |
|---|---|
| Assessment and Business Impact Analysis | • Perform Risk Assessment • Assess Existing Mitigation Programs • Determine Mission Critical Processes • Determine Potential Impacts • Develop Response Recovery Procedures |
| PHASE | TASK |
| Strategy Evaluation and Selection | • Define Event Response Strategies • Compare Response Strategies to Timeframes and Resources • Perform Cost Benefit Analysis • Establish Preferred Strategy • Document Selection Rationale |
| PHASE | TASK |
| Business Continuity Plan Development and Documentation | • Analyze Existing Plans and Operating Procedures • Prepare Draft Continuity Plan • Prepare Standard Operating Procedures • Finalize Continuity Plan and Supporting Materials • Identify Plan Commitments and Establish Tracking System |
| PHASE | TASK |
| Testing Maintenance | • Design Training Program • Design Testing Protocols • Develop and Facilitate Simulation Exercise • Develop Maintenance Procedures • Establish Audit Plan |
Want to use this article? Click here for options!
© 2008 Penton Media Inc.
Today's New Product
|
B.I.G. Parking Control/Guard BoothManufactured for Louisiana State University, The Estate parking control/guard booth from B.I.G. Enterprises was built to strict hurricane codes due to Hurricane Katrina. The booth features a copper standing seam roof, gutters and downspouts. It comes factory-prepared for on-site installation of architectural brick and has extensive electrical, high-output HVAC, data and communication lines, shelves and cabinets. |
advertisement
This month in Access Control
- Opening Up About Door Closers
- An Enterprise Approach
- The Framework For Open Systems
- On A Higher Plane
- More from April's issue
advertisement
