Learn from Southern Company’s Corporate Business Assurance Program
Learn from Southern Company’s Corporate Business Assurance ProgramInterview with Michele Guido, CBCP, MBCI, Business Assurance Principal atSouthern CompanyWhile electric and gas utility companies havedeveloped business continuity and disaster recoveryplans in the past, the challenging economicenvironment of recent years has caused utilities toboth accelerate new plan development and strengthenexisting plans. With increasing threats such aspandemic, natural disasters and physical and cybersecurity attacks, the changing landscape created bythese drivers highlights the need to revisit businesscontinuity management.Michele Guido answered a series of questions posed bymarcus evans before the forthcoming BusinessContinuity & Organizational Resilience Conference, July16-18, 2013, in Atlanta, GA. Michele shares how toeffectively utilize the incident command system.How was the business assurance program with Southern Companyoriginally initiated and implemented? How long did it take to get whereyou are today, and what were some of your challenges along the way?Michele Guido: Business Assurance is defined as “the confidence in our ability tomaintain business-critical operations during an unexpected disruption.”Preparedness is institutionalized across Southern Company and its operatingcompanies. Over the past 10 years, we have transformed from project to programto culture.The Business Assurance program supports this transformation through three keyelements: Protect, Prepare, Respond. The elements focus on minimizing oreliminating the impact of events that have the potential to disrupt critical businessoperations, functions or services. There are many owners and vehicles to supportthe program from evacuation, safety, storm operations, business continuity, riskmanagement, crisis communication and compliance. Many of these programs havebeen established and operationalized across Southern Company over many years.This represents our culture.An opportunity presented itself to place “all” of what we do under one umbrellacalled the Business Assurance program. Another was to develop supporting policiesto ensure compliance. Ongoing executive support was another critical path toimplementation. The Business Assurance program reports to an executive council
that sets prioritization of work, ranging from policy to engagement. The councilmeets on a quarterly basis. Advisory and working committees meet on a regularbasis to support policy implementation during steady state and as needed during anincident. Our Business Assurance department is the enabling arm of the program.However, ownership is across the company from executives, business unitmanagers, information technology, enterprise risk, legal, compliance, facilities andsecurity.With all of Southern Company’s subsidiaries and vast operations, how doyou ensure each group, department, etc. stays up to speed with theirindividual business assurance plans?MG: Southern Company is focused on providing our customers clean, safe, reliableand affordable electricity. In the context of reliability, being part of our nation’scritical infrastructure emphasizes the need for the prioritization for critical functionsand services. Our program is a business issue. It’s managing risk across theenterprise along with stakeholder expectations.At a high level, Southern Company has adopted and institutionalized the concept ofall-hazard planning for both electric and corporate operations. This approach toplanning ensures understanding of critical process, associated businessinfrastructure (technology, personnel, data, facilities, etc) and interdependencies;both internal and external. Needs may be unique for a group but the approachprovides viability, sustainability and consistency. Policy and procedures haveensured this across the enterprise. An example is the annual exercises that must beconducted at many levels to stay in compliance with the policy.What types of exercises, drills, or dry runs do you perform for themultitude of potential disasters that could affect Southern Company’soperations?MG: Plans are developed, maintained and exercised on all levels throughout theenterprise. Plans include continuity of operations, incident response, crisismanagement, storm response, emergency management (fire/tornado/hostileintruder/etc) and disaster recovery for our business infrastructure (technology,network and data).As an example, Southern Company’s operating subsidiaries maintain detailed anddynamic disaster recovery plans for storms along the Gulf Coast. These plans aregraduated based on the expected damage from the five categories of hurricanes,with specific responses and actions identified for each. Our plans provide for flexibleand decentralized authority to make decisions as close as possible to the disaster.Hurricane season begins June 1st, but planning and exercising is year round.Education and awareness are vital to success. We practice and routinely revise theplans as we gain new experience, whether that be through a hurricane, tornado or
technology failure. Continuous learning in an organization is a critical component toachieving superior performance. Lessons learned are captured through a root-causeanalysis and post mortem meetings.How do you manage the various public-private partnerships SouthernCompany has during the stages of the business assurance plan (protect,prepare, respond)?MG: Southern Company is an industry leader in all facets of reliability andresilience. Southern Company’s leadership and active participation in significantforums and initiatives with the Homeland Security Enterprise (HSE)icontinues to bea priority as Southern Company is an important member of the nation’s criticalinfrastructure.Our HSE objective is to support the shared mission of resilience and nationalpreparedness. Resilience for HSE refers to the ability to adapt to changingconditions and withstand and rapidly recover from disruption due toemergencies. National Preparedness refers to the actions taken to plan,organize, equip, train, and exercise to build and sustain the capabilitiesnecessary to prevent, protect against, mitigate the effects of, respond to andrecover from those threats that pose the greatest risk to the security of theNation.This strategy is also shaped by external bodies through FERC, NERC, DOE, EPA, forexample, as well as future and existing Federal legislation and State regulationsthrough our Public Service/Utility Commissions.Continued participation clearly promotes Southern Company’s commitment topreparedness and to bridge existing gaps between the public-private sectors.Commitment to bridge gaps is proactive and demonstrates partnership, whilesupporting the National Infrastructure Protection Plan (steady state) and NationalResponse Framework (crisis state).Michele Guido is a Business Assurance Principal for Southern Company, which ownselectric utilities in four states and a growing competitive generation company, aswell as fiber optics and wireless communications. Michele has 20 years experiencein the continuity industry. Prior to joining Southern Company, Michele wasemployed at IBM, BellSouth and Federated Systems Group with responsibilitiesranging in all facets of crisis management, response, disaster recovery andbusiness continuity. Michele has a B.S. degree in Computer and InformationSystems, an A.S. degree in Business Administration; both degrees from KingsCollege and graduate studies in Emergency in Preparedness and Planning fromUniversity of California at Berkeley.
For more information, please contact Michele Westergaard, Senior MarketingManager at 312-540-3000 ext. 6625 or Michelew@marcusevansch.com.About marcus evansmarcus evans conferences annually produce over 2,000 high quality eventsdesigned to provide key strategic business information, best practice andnetworking opportunities for senior industry decision-makers. Our global reach isutilized to attract over 30,000 speakers annually; ensuring niche focused subjectmatter presented directly by practitioners and a diversity of information to assistour clients in adopting best practice in all business disciplines.iHSE includes public sector entities; DHS, DOE, DOD, FEMA and the nation’s critical infrastructureowners (public and private).