The document provides information about a presentation on continuity of operations (COOP) planning. It notes that FEMA released new COOP guidelines in 2011 that may become required for companies doing business with the government. While COOP and business continuity planning (BCP) have similar goals of continuing essential functions, COOP has more standardized requirements around elements, testing, and compliance. The presentation advises organizations to consider whether COOP guidelines apply to their operations and conduct a gap analysis between their current BCP plan and the COOP requirements.
2. WELCOME TO SECURE360 2012
3. ABOUT ME
• Certified Minnesota Emergency Manager
• Certified Business Continuity Professional
• Full-Time Director of Public Safety for North Hennepin Community College
• Part-Time Security Consultant and Trainer
The opinions and views expressed in this presentation are my own and do not reflect those of North Hennepin Community College, the Minnesota State Colleges and University System, or the State of Minnesota.
I am not a representative of FEMA or the Federal Government. All of the information presented here is based on my research of open-source FEMA training materials.
4. THEY’RE FROM THE GOVERNMENT, AND HERE TO HELP…
• FEMA released new Continuity Of Operations Planning (COOP) “Guidelines” in 2011.
• FEMA has a full-time Division and staff devoted to COOP
• FEMA has stated their COOP “Guidelines” will be required for companies doing business with the government
• Historically, “Guidelines” have become “Requirements” over time.
• NIMS example
5. I THOUGHT WE ALREADY DID THAT?
Disaster Recovery Institute International (DRII)
British Standards Institution
National Fire Protection Agency 1600
International Organization for Standardization
Other regulatory guidance
6. IS THIS REQUIRED?
YES – if you are a Federal agency
YES – if you are a vendor who does business with the Federal government
PROBABLY – if you are a State or Local government agency that receives Federal funding
Historically, “Guidelines” usually become “Requirements”
7. A TALE OF TWO PLANS
Business Continuity Planning (BCP)
VS.
Continuity Of Operations Planning (COOP)
8. COOP OBJECTIVES:
• Ensure the performance of an agency’s essential functions during a COOP event.
• Reduce loss of life by minimizing damage and losses.
• Ensure the successful succession to office in the event a disruption renders agency leadership unavailable to perform their responsibilities.
• Reduce or mitigate disruptions to operations.
• Ensure that agencies have alternate facilities from which to operate.
• Protect essential facilities, equipment, vital records, and other assets.
• Achieve a timely and orderly recovery from a COOP situation.
• Achieve a timely and orderly reconstitution from an emergency and resume full service to internal and external customers.
9. ELEMENTS OF A COOP PLAN:
• Plans and Procedures
• Essential Functions
• Delegations of Authority
• Orders of Succession
• Alternate Operating Facilities
• Interoperable Communications
• Vital Files, Records and Databases
• Human Capital
• Test, Training and Exercise Program
• Devolution of Control and Direction
• Reconstitution Operations
• Agency Head Responsibilities
10. WHAT’S THE SAME?
Both programs stress the necessity of making continuity part of the organizational culture.
COOP objectives are consistent with model BCP objectives
11. COMMON ELEMENTS
The foundation of planning -
• Identification of essential functions (COOP)
• Identification of critical functions (BCP)
COOP identifies “PMEFs” = Primary Mission Essential Functions
Government COOPs identify “MEF” = Federal Executive Branch Mission Essential Functions and “NEF” = National Essential Functions
Both BCP and COOP use a similar Business Impact Analysis method.
12. BENEFITS AND GOALS ARE THE SAME
Anticipate events and necessary response actions.
Adapt to sudden changes in the operational environment.
Improve their performance through the identification of essential functions, work processes, and communications methods.
Improve management controls by establishing measures for performance.
Improve communication to support essential functions throughout the agency.
The absolute necessity for personal and family preparedness is stressed in both COOP and BCP.
13. WHAT’S DIFFERENT?
Terminology differs in some areas
COOP documents and guidance specifically exclude facility Emergency Plans
• BCP explicitly includes Emergency Response as a major function. This includes protecting, communicating with and accounting for employees.
• It should be noted that the COOP model assumes these priorities are addressed in a separate Emergency Operations Plan (EOP)
14. DISCRETION VS. REGULATION
COOP requirements are clearly standardized, while BCP standards are more discretionary (except within highly regulated industries)
COOP compliance = regulatory compliance
BCP = best business practices and reduced liability exposure
15. TEST, TRAINING AND EXERCISE PROGRAM
COOP mandates each plan contain a Test, Training, and Exercise program (TT&E) to support COOP. Specific requirements are identified for:
• Testing
• Training
• Exercising
• Participation
• After-Action and Compliance Reports
BCP program “best practices” include similar requirements, but are often not followed through for a variety of reasons (lack of resources, funding, buy-in).
These are not “optional” in COOP.
16. MORE ALIKE THAN DIFFERENT
Although there are some differences between COOP and BCP programs, both are focused on the continuity of essential/critical functions following a disruptive event.
BCP includes a more proactive component of mitigation/prevention and the added emphasis on crisis management, which not only comes into play with physical events, but is also concerned with the risks associated with the protection of an organization’s reputation and proper governance.
The core competencies for BCP and COOP are very similar and transferable between the public and private sector.
Both make good business sense and support the strategic goals and objectives of an organization.
17. CONSIDERATIONS
Keep following the BCP Industry-Based recommendations
- Could affect business with the Government in the long run
- What you are paying DRII for, FEMA does for free (well, tax dollars anyway)
Transition to the FEMA COOP “Guidelines”
- Unproven, for the most part
- Unclear impact on underwriting
Is your plan EFFECTIVE?
Is your plan DEFENSIBLE?
Bottom line: who underwrites your risk?
18. IS COOP FOR YOUR BUSINESS?
What’s the impact on your business?
- Are you receiving Federal Funding?
- Are you in business with the Federal Government?
- Are you in business with State/Local Government?
Conduct a gap analysis between your current BCP-based plan and the Federal COOP guidelines
Transition your plan’s structure and terminology to meet the COOP guidelines and format