CEMP Plan Components Check Valve Flood Proofing Prevention Prevent or Reduce Impact Mitigation Use Manual Process New Equip. New Bldg. Dry Out & Restart Hot Site Recovery Solution Loss of Application Building Fire Laboratory Flood Mainframe or server failure Example Event Make Do Return to Normal Process Recovery Data Recovery Focus Process Workaround Process Restoration Critical Business Processes Critical Computer Apps Objective Contingency Planning Business Resumption Business Continuity Disaster Recovery CEMP
Assess - identify and triage all threats (BIA)
Evaluate - assess likelihood and impact of each threat
Mitigate - identify actions that may eliminate risks in advance
Prepare – plan for contingent operations
Respond – take actions necessary to minimize the impact of risks that materialize
Recover – return to normal as soon as possible
Building a CEMP Plan
Business Impact Assessment
Identify critical systems, processes and functions;
Establish an estimate of the maximum tolerable downtime (MTD) for each business process;
Assess the impact of incidents that result in a denial of access to systems, services or processes; and,
Determine the priorities and processes for recovery of critical business processes.
BIA Review Factors
All Hazards Analysis
Likelihood of Occurrence
Impact of Outage on Operations
Personnel and Liability Risks
Risk Analysis Matrix Probability of Likelihood Severity of Consequence High Medium Low Low Medium High Area of Major Concern
Review External Dependencies Infrastructure Dependence (power, telecom, etc.) System Up Time (computing, data,networks, etc.)
How bad will the “big one” be?
Loss of Lifelines?
Supply Chain Disruptions?
Develop various scenarios and pick which ones to plan for.
Understand alternatives and their advantages, disadvantages, and cost ranges, including mitigation and mutual aid as recovery strategies.
Identify viable recovery strategies with business functional areas.
Identify off-site storage requirements and alternative facilities.
Develop business unit consensus.
Present strategies to management to obtain commitment.
Contingency Planning Process Phases
Assessment - organizing the team, defining the scope, prioritizing the risks, developing failure scenarios
Planning - building contingency plans, identifying trigger events, testing plans, and training staff
Plan Execution - based on a trigger event, implementing the plan (either preemptively or reactively)
Recovery - disengaging from contingent operations mode and restarting primary processes of normal operations by moving from contingency operations to a permanent solution as soon as possible.
It’s Not Enough Just to Plan
Use focus groups and brainstorming
Seek “what can go wrong”
Find alternate plans & manual work arounds
Find innovative solutions to risks
Plans must be exercised
Hold table top exercises for disasters
Conduct “fire drills” of plans
Train staff for action during emergencies
Work with local and regional disaster agencies and business associations
Assess special problems with disasters
Loss of lifelines
Review and revise existing disaster plans
Look for new areas for disaster plans
Include Disaster Recovery Planning
Emergency Support Functions
1 Laws And Authorities 2 Hazard Identification And Risk Assessment 3 Hazard Management 4 Resource Management 5 Planning 6 Direction, Control And Coordination 7 Communications And Warning 8 Operations And Procedures 9 Logistics And Facilities 10 Training 11 Exercises 12 Public Education And Information 13 Finance And Administration
Capabilities Assessment for Readiness Benefits
Identify existing strengths and weaknesses
Evaluate the current state of readiness
Develop strategic plans to improve identified weaknesses for terrorism and other threats
Justify existing program staffing and budget
Demonstrate need for additional program development resources, e.g. staff, budget, support from other community agencies, etc
Support professional development and accreditation programs
Using the Incident Command Structure
The Incident Command System in use today is an outgrowth of California’s FIRESCOPE program developed in the 1970s to improve management of large wildfires.
It was designed to provide a commonly accepted management structure that would result in better decisions and more effective use of available resources.
It was specifically designed for incidents that involve many local, state, and federal agencies and multiple political jurisdictions.
Incident Action Plan
Span Of Control
Unity of Command
Common ICS Terminology
Operations, Intelligence, Logistics, and Finance.
Functions pre-designated and named for the ICS.
Refers to the combination of personnel and equipment used in response and recovery.
Common identifiers used for those facilities in and around the incident area which will be used during the course of the incident. These facilities include the command center, staging areas, etc.
ICS's organizational structure is modular.
As the need arises, functional areas may be developed.
Several branches may be established.
Structure based upon the needs of the incident.
One individual can simultaneously manage all major functional areas in some cases.
If more areas require independent management, someone must be responsible for that area.
Typical EOC Organization Emergency Response and Recovery Teams
Cisco’s EOC Based on the Incident Command System
In Charge At The Incident
Assigned By Responsible Jurisdiction Or Agency
May Have One Or More Deputy Incident Commanders
May Assign Personnel For Command Staff & General Staff
Manages the EOC - not the incident
Makes sure everything is working
Maintains a safe environment
Facilitates and coordinates
EOC Staff Members
Check-in with the EOC Manager.
Review the situation report (sit reps) and incident logs.
Make sure that your name is listed on the current EOC organization chart.
Review the staff Operating Guide (SOG) and set up your work station.
Start an incident log which details your actions (chronologically.)
Ready to Roll?
Keys to Success
Vulnerabilities Clearly Identified
Comprehensive Plan in Place
Plan Understood, Communicated and Updated
Lead a top-notch team
Update risk/threat assessments
Assess all hazards and risks
Complete and test contingency plans
Design a robust Command Center
Drill the Command Center
Implement a system for command, control, communication, and intelligence
The Challenge of Coordination
Event Information Tracking
1. Stakeholder notices possible disruption
2. Alert message sent to the Command Center
3. Alert message evaluated by response managers
4. Incident Log opened to track each event
5. SOPs implemented using checklists
6. Tasks assigned according to plan
7. Resource allocation tracked in log
8. Task performance tracked in log
9. Status briefings and updates to stakeholders
External Your Organization Command Center Organization Emergency Response Teams Post to Operations Log Task Assigned Executive Briefing Incident Response Mgm’t Plan Response Tasking Task Tracking Stake-holders Public Public Relations Executive Group Contingency Plan Activated SOP Checklist Activated Procedures Implemented Teams Deployed Personnel Resources Assigned Resources Performance Tracked Incident Established Emergency Input Command Center Information Flow Employee Customer Contractor Call Center ERT State/Fed Govt. Local Govt. Supplier Other Businesses Vendor
The Ideal Information System
Easy to use and robust information and decision management system
Central command and control
Early alert communications function
Event tracking and logging
SOP and automated check lists
Documentation of response actions for due diligence