Disaster Drill As an industry our ideas about business continuity have been transformed if not expanded in the wake of the recent hurricanes. New lessons and insights have been gained about the role of business travel in mobilizing employees for recovery efforts and restoration of business assets in affected areas. Bruce McIndoe will share with the audience his company's experience and observations in getting businesses restarted and planning for the next disaster. Presenter: 11:45 a.m. - 12:30 p.m. (45 min) Bruce McIndoe, CEO, iJET Intelligent Risk Systems
One key fact regarding emergency management was borne out during the recent events around the gulf coast, the longer it takes you to respond the higher the chance for loss of life and the more it costs the organization.
The only way to reduce response time is to invest in preparedness before the incident. Preparedness is not just planning. It includes on-going risk identification and mitigation. Maybe more importantly, on-going communication and training with both employees and the management team.
Most organizations have some level of Enterprise Risk Management (ERM) program. This is a holistic program looking at all types of risk such as financial risk, market risk, reputational risk, etc. Travel falls primarily in the area of operational risk and we should apply risk management principles to travel.
Within Operational Risk Management, organizations will talk about Emergency Management. In short, the program to prepare for, respond to and recover from an emergency.
An emergency can escalate into a crisis or the potential to become a crisis. Again, most organizations have a crisis management plan (CMP) that addresses this situation and how to deal with it.
Organizations that have been working this issue for some time tend to integrate all of these activities into a business continuity or business resilience program. The business continuity program becomes all encompassing covering anything that may impact the business.
Business continuity principles, such as this 9-Step Readiness Process, can be applied at any level of the organization. From a single business process or department to the entire global enterprise. Today, we will look at this planning cycle in terms of travel as a business activity (booking trips) as well as travel as an operational element (department).
Travel Manager’s have a huge challenge even ever increasing frequency and impact of world events. Managers are looking for and employees are expecting a higher level of care – especially for international travel. Preparedness is on everyone's tongues - most organizations are reviewing and updating their business continuity plans. As such, Travel is having to look at or develop their plans while spending time interfacing with the overall organization’s effort. All of this effort is on top of the need to be a full member of the organization’s incident or crisis management team. Oh by the way, the CFO is asking for you to reduce T&E expenses by 10% next year!
Let’s look at travel risk management within the context of an overall operational risk management program. The key is to apply a consistent risk management methodology to each trip. This methodology will ensure that each trip is evaluated for risk and that the company has standard processes depending on the level of risk. By taking a consistent approach, everyone benefits – the employee feels that the company is looking out for him/her, the company will lower the number of incidents, and if something does happen the overall liability for the company will be significantly reduced.
Travel Risk Management needs to be a comprehensive and 24X7 program PLANNING Crisis Management Plan - Corporate and Remote Facilities Travel Risk Management Plan Evacuation Plan - For Each Operations Area TRAINING General Travel Safety Training High Risk Environment Training Surveillance Training Crisis Simulation Training 24X7 MONITORING Continuous evaluation of Threats Real-time, Proactive Advisories Scoring & Risk Assessment of Trip Risk Mitigation Plan Traveler Hotline - Before, During & After Corporate/Family Communications
The Travel Risk Management Plan is just like the other plans we talked about. You need to go through this process and make sure it is integrated with the overall Corporate Crisis Management Plan. What are the “threats to travelers”? How can we mitigate these threats? How can we be notified if the threat environment changes? What if something happens? Do we have the resources to respond quickly?
To have a successful program, you need to have constantly updated information. This requires formal processes and depending on the size of the organization some level of automation. Employee Locator – answers “What is my potential exposure?” Employee Emergency Profile – basic census data on the employee in an emergency Key Contact Information - how do I contact the employee or “next of kin”? CMT – Who do I escalate a significant issue to within the organization? Safe Haven Locations – Where do I send the employee for protection?
The Travel Manager can’t do it alone. A comprehensive TRM program is a multidisciplinary effort. The key participants should be Security (Risk Management), HR/Legal, and Medical (in-house or outsourced).
Let’s talk specifically about lessons learned from the recent hurricane events. These lessons learned were gathered from interactions with clients dealing with these incidents. They are not scientific, just observations.
Any time you have a big disaster, it generates multiple issues that all have to be dealt with at one time. This is a huge drain on resources and you get “lots of cooks in the kitchen”. Communications between departments can break down when everyone is just dealing with their own local issues. This can ripple through the entire company while key managers are distracted from the day-to-day operation of the business.
Most business continuity plans rely on local incident support. When this local support is not functioning or not available, the plan tends to break down. The HQ staff step in to take on that role, but it takes them time to get the local perspective and access to detailed information. Due to ramp-up time and lack of information, decision making is slow and fragmented. This delays response efforts and increases overall recover cost and unfortunately loss of life.
A total failure in the communications structure compounded the problems. You would think that organizations would have learned from our experiences with the blackout in the northeast. Organizations need backup communications plans. This should include multiple technologies – land line, satellite, even radio. Every major metro area where the company operates should have at least one “hardened” facility. This would include power backup, backup data and voice communications, and shelter in place resources to keep the staff for 3 to 5 days.
Virtually every company had to deal with delays in getting access to critical information. Information systems were designed for business not emergency management. Fundamental information such as what facilities do we have in the impacted area or a list of employees by facility were slow in coming. The HR database did not have up-to-date or in many case any emergency contact information. There was trouble just finding out who should be in charge at each location.
Access to travel data was not a big issue for the impacted areas. Virtually all travelers had moved out of the area by the time the storm hit. However, as the impact grew regionally and Rita heated up, the lack of domestic travel data hampered decision making and employee communications.
The fact that this was a US domestic incident generated an unusual event for most travel managers. They found themselves working both ends of the incident. Evacuating impacted employees, but also working as the transportation and logistics “officer” to get response and recovery teams into the area. Most travel departments did not have resources in place to accomplish this task. This delayed getting people on the road and in the local area to help.
Unfortunately, some travel departments may have had a local travel office that was impacted. This added to the emotional toll and pressure of the incident. The travel department staff could see first hand the frustration and difficulties encountered by the colleagues and friends. The staff was frustrated in that there was little that they could do for days.
With all of this going on here at home, organizations still needed to operate around the globe. Unfortunately, we saw the travel manager do involved in the organizations efforts or their own incident management that they were completely distracted from running the business of travel. Given the level of outsourcing in the market, organizations had little depth to delegate tasks and handle 24x7 operations. Some travel managers were literally working 24 hours a day trying to get it all done. Fatigue will set in quickly and decision making is severely impacted.
The key takeaways are few – Travel cannot make it happen alone – you need to reach out and work with your counterparts. Learn and apply basic risk management methods – this will help you systematically reduce the likelihood of incidents and focus your energy and resources in the right places. Training for your staff and travelers is critical to the overall success of your program. Having access to reliable and accurate information is key in making good decisions and helping to avoid problems. Planning ahead reduces the time and effort to respond to an incident – how quickly you respond can save lives.
To travel managers specifically: Learn the language used by security and business continuity professionals Take on the full-scope of being the transportation officer for the company. Take ownership of the TRM program, but get broad support. Think about evacuation planning and how you would handle this in the future. You need to be proactive and collaborate with like-minded functional managers. If you think and act strategically, it will enhance your value to the organization and when called upon you will be prepared.
ACTE Executive Forum Disaster Drill
ACTE Executive Forum Disaster Drill Bruce McIndoe, CEO iJET Intelligent Risk Systems November 15, 2005
Response Time Impacts Level of Loss Response Time Cost $
Preparedness Impacts Response Time Response Time Cost $ Preparedness Planning Mitigation Communication Exercises/Drills
Operational Risk Management <ul><li>Risk of disruption to a company’s ability to conduct business - a result of inadequate or failed </li></ul><ul><ul><li>Internal Processes </li></ul></ul><ul><ul><li>People & Systems </li></ul></ul><ul><ul><li>Or External Events </li></ul></ul><ul><li>Travel Issues are Operational Risk Issues </li></ul>
Emergency Management <ul><li>“ Emergency Management” when an event affects a specific product, location, or line of business </li></ul>
Crisis Management <ul><li>“ Crisis Management” when an event affects the entire business or brand reputation, driving significant loss in shareholder value </li></ul>
Business Continuity Planning <ul><li>“ BCP” </li></ul><ul><li>An all-encompassing activity covering both disaster recovery planning and business resumption planning </li></ul><ul><li>Tends to be heavy IT focus </li></ul><ul><li>Should cover all aspects of the business </li></ul>
9-Step Readiness Process 1 Establish Response Organization 2 Conduct Risk Assessment 3 Identify Response Resources 4 Develop Protective Action Plan 5 Develop Crisis Communication Plan 6 Provide For Well-Being Of All Involved 7 Prepare Recovery Plan 8 Train Personnel & Exercise Plan 9 Maintain & Update Plan Planning Cycle
Travel Manager’s Challenge Today <ul><li>1. Higher level of care expected for “customers” </li></ul><ul><li>2. Hands-on preparedness for your organization </li></ul><ul><li>3. Integrating these efforts into the organization’s BCP program </li></ul><ul><li>4. Responding to and recovering from incidents </li></ul>“ Reduce T&E by 10%”, Your CFO
What is Travel Risk Management? <ul><li>A well defined process to identify risks, prepare travelers pre-trip, monitor threats, and respond to incidents as they arise. </li></ul><ul><li>Benefits include: </li></ul><ul><ul><li>More productive and prepared employees </li></ul></ul><ul><ul><li>Reduced number of costly “incidents” </li></ul></ul><ul><ul><li>Lower cost of response </li></ul></ul><ul><ul><li>Reduced corporate liability </li></ul></ul><ul><ul><li>Higher “Duty of Care” for all personnel </li></ul></ul>
Basic Program Building Blocks Planning Training 24X7 Monitoring Incident Response Feedback Proactive Reactive
Travel Risk Management Plan <ul><li>Travel Safety & Security Policy </li></ul><ul><li>Country/City Risk Rating & Travel Alerts </li></ul><ul><li>Travel Risk Assessment & Process </li></ul><ul><li>Pre-Travel Responsibilities & Process </li></ul><ul><li>Communication Plan </li></ul><ul><li>Evacuation Plan & Procedures </li></ul><ul><li>Emergency Contacts, Safe Havens, etc. </li></ul>
Data Requirements <ul><li>Employee Locator </li></ul><ul><ul><li>Traveler, Expat, Business Locations </li></ul></ul><ul><li>Employee Emergency Profile </li></ul><ul><ul><li>Nationality, Gender, Passport, Blood Type, etc. </li></ul></ul><ul><li>Key Contact Information </li></ul><ul><ul><li>Department/Location, Office #, 24 Hr #, etc. </li></ul></ul><ul><li>Crisis Management Team (CMT) </li></ul><ul><ul><li>Role, Name, Location, 24 Hr Numbers, etc. </li></ul></ul><ul><li>Safe Haven Locations </li></ul>
Multidisciplinary Process <ul><li>Security </li></ul><ul><li>Risk Assessment </li></ul><ul><li>Crisis & Evacuation Plans </li></ul><ul><li>Emergency contact info </li></ul><ul><li>Up to date itinerary </li></ul><ul><li>HR/Legal </li></ul><ul><li>Focus on expats </li></ul><ul><li>Responsible for employees </li></ul><ul><li>Policy & procedures </li></ul><ul><li>Corp. insurance programs </li></ul><ul><li>Medical </li></ul><ul><li>Pre-trip health planning </li></ul><ul><li>Immunizations </li></ul><ul><li>Medical assistance and evacuation for international travelers </li></ul><ul><li>Travel </li></ul><ul><li>Advisor and Knowledge Base </li></ul><ul><li>Books Trip & Handles Travel Issues </li></ul><ul><li>Provides Reporting </li></ul>Employee
Lessons Learned form Katrina/Rita <ul><li>Big disasters cause big problems </li></ul><ul><li>Local decision making failed or was incapacitated </li></ul><ul><li>Communications broke down </li></ul><ul><li>Information systems not designed for Emergency Management </li></ul><ul><li>“ Domestic” travel was not monitored </li></ul><ul><li>Travel involved both in getting people out and getting people in </li></ul><ul><li>Dealing with own recovery effort </li></ul><ul><li>Needed to maintain on-going operations </li></ul>
Big Disasters – Big Problems <ul><li>Multiple issues at one time </li></ul><ul><li>Little depth in organization to delegate </li></ul><ul><li>Resources redirected to “crisis support” </li></ul><ul><li>On-going business processes suffer </li></ul>
Local Decision Making <ul><li>Both Government and Organizations defer to local incident management team </li></ul><ul><li>Fail to consider when this team is not functioning </li></ul><ul><li>“Corporate” takes on responsibility </li></ul><ul><li>May not have local perspective or good information </li></ul><ul><li>Decision making becomes slow and fragmented </li></ul>
Communications FAILED <ul><li>Major contributor to response and recovery failures </li></ul><ul><li>Organizations need backup communications plans </li></ul><ul><li>Need multi-media – terrestrial, satellite and radio </li></ul><ul><li>Should be “hardened” location in each major metro area </li></ul><ul><ul><li>Power Generator with Fuel Supply </li></ul></ul><ul><ul><li>Backup Internet (Satellite) & Comms </li></ul></ul><ul><ul><li>Shelter in place resources </li></ul></ul>
Where is the data I need? <ul><li>Information systems not designed to support EM </li></ul><ul><li>Needed information on facilities in effected area </li></ul><ul><li>Needed information on employees in facilities, expatriates, travelers, etc. </li></ul><ul><li>Did not have updated Emergency Contact Information </li></ul><ul><li>Did not have responsible manager information </li></ul>
Lack of Travel Data <ul><li>Highlighted gaps in travel program policy and data consolidation </li></ul><ul><li>Conscious decision to not “track” domestic travel </li></ul><ul><li>Impacted both preparedness and response </li></ul><ul><li>More important in dealing with regional impacts </li></ul>
Travel Busy on Both Ends <ul><li>Pressure from management to move people from area - Evacuation </li></ul><ul><li>Pressure from management to move people into the area – Response & Recovery </li></ul><ul><li>Lacked response resources in advance </li></ul><ul><li>Competed with other organizations for scarce resources </li></ul><ul><li>Lack of good information for decision support </li></ul>
Travel Department Recovery <ul><li>Local travel office may have been impacted </li></ul><ul><li>Strong emotional ties </li></ul><ul><li>More pressure on department </li></ul><ul><li>First hand experience faced by employees impacted </li></ul>
Business as Usual <ul><li>Major issue for US domestic operations </li></ul><ul><li>Rest of world still “operating as normal” </li></ul><ul><li>Travel manager becomes incident manager or key member of CMT </li></ul><ul><li>Distracted from “running the business” </li></ul><ul><li>Lack of depth – 24x7 job fatigue </li></ul>
Summary <ul><li>Protection of human assets is a multidisciplinary effort </li></ul><ul><li>Best approach is a risk management framework </li></ul><ul><li>Training is critical to overall success </li></ul><ul><li>Prevention and decision support through real-time intelligence & communication </li></ul><ul><li>Planning for response minimizes impact </li></ul>
Enhancing Your Role <ul><li>Learn the Language </li></ul><ul><li>Be the “Transportation Officer” </li></ul><ul><li>Own the Travel Risk Management Plan </li></ul><ul><li>Get Involved in Evacuation Planning </li></ul><ul><li>Be Proactive and Collaborate </li></ul><ul><li>Think and Act Strategically </li></ul>When you are called upon - Be Prepared
Questions & Discussion “ There are no dumb questions”
Key Messages <ul><li>Consolidation/Integration of asset information </li></ul><ul><li>Notification of threat/exposure assessment </li></ul><ul><li>Response integration across providers </li></ul><ul><li>Company “owned” (branded) program </li></ul><ul><li>Automated compliance monitoring </li></ul><ul><li>Consistent initial and on-going corporate communication </li></ul><ul><li>Robust telecom infrastructure </li></ul><ul><li>Global backup repository for key information </li></ul>
A particular slide catching your eye?
Clipping is a handy way to collect important slides you want to go back to later.