Standards and Guidelines
Risk Assessment, Annex F: Examples of Risk Treatment Procedures that Enhance Resilience of the Organization
Hurricane Harvey & Hurricane Irma: What's Next?
James W. Satterfield
Bruce T. Blythe
R3 Continuum, Inc.
The webinar will provide insights into the issues and solutions. What are the risks? What made Harvey a crisis? What are the lessons learned? What is the Crisis Index in the days and weeks after the storm? What do you need to do now regarding Hurricane Irma? What do you need to know now?
The focus of the webinar is on the crisis impacts on employees, customers, facilities, supply chain, finances and brand. Crises are fluid over time. A crisis can escalate or de-escalate, causing an adjustment of the Crisis Index over time. Recognizing the escalation and its source will shape and shift the responses: decisions, actions and words. The lifecycle of the crisis can be documented by recording the change in the Crisis Index over time.
- Understand crisis impacts and related decisions
- Prioritize actions to be taken
- Focus communications messages
Preparing Your Healthcare Facility for All Hazards
Ron Lander, CPP, CMAS, CHEPS, PSM
James Keith Flannigan, Ph.D., CMAS
In 2016, the U.S. Centers for Medicare and Medicaid Services published CMS-3178: The Final Rule for Healthcare Emergency Preparedness. The regulation aims to establish consistent emergency preparedness requirements across provider and supplier networks, establish a more coordinated response to natural and man-made disasters, and increase patient safety during emergencies.
Business Continuity Planning (BCP) and Security Management…Do They Go Hand in Hand?
Security management often concentrates on preventative controls and immediate responses, as opposed to Business Continuity Management. Business Continuity Planning ensures there are plans and procedures in place to continue the core, time-critical processes of an organization; thereby ensuring the brand/reputation are safeguarded as key services continue to be delivered. This is becoming increasingly relevant as we have been seeing larger scale disasters and security threats, and an increasingly competitive market where customers easily switch brands if a product/service is unavailable.
Security and Emergency Preparedness
Sponsored by the ASIS International Commercial Real Estate Council and BOMA International
Carlos Villarreal, CSP, senior vice president, SecurAmerica, LLC, Commercial Real Estate
LaNile Dalcour, security director, Brookfield Properties
The speakers explore how two types of emergencies affect a business and its employees: workplace violence, specifically active shooter incidents, and natural disasters, specifically Hurricane Sandy.
Noting that there had been twenty mass shootings per year between 1976 and 2011 and in light of recent high-profile incidents, the speakers presented a five-step response plan that employees should follow when coping with an active shooter situation, including “take note of the two nearest exits in any building,” and “if you are in an office, stay there and secure the door.” They also discussed how a weather emergency can affect all phases of a business, including its revenue, reputation, and vendors as well as its employees and their families.
A key factor in both types of incidents is a business continuity plan that focuses on the company’s access control system, which must be up to date to account for employees during an emergency. Villarreal and Dalcour recommend the following access control best practices:
- Conduct internal audits monthly to ensure that the system is functioning to the manufacturer’s specifications.
- Audit card numbers monthly to look for duplicates.
- Distribute quarterly employee rosters to tenants for updating.
- Purge the database quarterly.
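One way to script the duplicate-card and roster-reconciliation checks from the list above, as an added example that is not part of the webinar summary or the speakers' material. The CSV column names, the export format and the sample records are constructed for illustration; a real access-control export will use the vendor's own field names.

```python
"""Monthly access-control audit: duplicate card numbers and roster reconciliation.

Added illustration; the export and roster layouts below are assumptions, not
any vendor's actual format.
"""
import csv
import io
from collections import defaultdict

# Constructed sample: an export from a hypothetical access-control system.
# Card 1002 has been issued twice (a duplicate the monthly audit should catch).
ACCESS_EXPORT = """\
card_number,holder,tenant,status
1001,Alice Ng,Tenant A,active
1002,Bob Ortiz,Tenant A,active
1002,Robert Ortiz,Tenant A,active
1003,Chen Wu,Tenant B,active
1004,Dana Ivers,Tenant B,disabled
1005,Eli Park,Tenant C,active
"""

# Constructed sample: the quarterly roster returned by the tenants.
# Eli Park (Tenant C) is no longer listed, so card 1005 is a purge candidate.
TENANT_ROSTERS = """\
holder,tenant
Alice Ng,Tenant A
Bob Ortiz,Tenant A
Chen Wu,Tenant B
"""


def parse_csv(text):
    """Parse a CSV string into a list of dict rows keyed by the header."""
    return list(csv.DictReader(io.StringIO(text)))


def find_duplicate_cards(records):
    """Return {card_number: [holders]} for card numbers assigned more than once."""
    by_card = defaultdict(list)
    for row in records:
        by_card[row["card_number"]].append(row["holder"])
    return {card: holders for card, holders in by_card.items() if len(holders) > 1}


def find_purge_candidates(records, roster):
    """Active cards whose (holder, tenant) pair no longer appears on the roster.

    Disabled cards are skipped: they are already out of service. The result is
    a sorted list of (card_number, holder) so a duplicate card number still
    identifies which record is stale.
    """
    on_roster = {(row["holder"], row["tenant"]) for row in roster}
    return sorted(
        (row["card_number"], row["holder"])
        for row in records
        if row["status"] == "active" and (row["holder"], row["tenant"]) not in on_roster
    )


def audit(export_text=ACCESS_EXPORT, roster_text=TENANT_ROSTERS):
    """Run both checks over an export and a roster; returns a dict of findings."""
    records = parse_csv(export_text)
    roster = parse_csv(roster_text)
    return {
        "duplicates": find_duplicate_cards(records),
        "purge_candidates": find_purge_candidates(records, roster),
    }


if __name__ == "__main__":
    findings = audit()
    for card, holders in findings["duplicates"].items():
        print(f"DUPLICATE card {card}: {', '.join(holders)}")
    for card, holder in findings["purge_candidates"]:
        print(f"PURGE candidate card {card} ({holder}): not on current roster")
```

Run against the constructed data it reports card 1002 as a duplicate and lists cards 1002 (the second, unrecognised holder) and 1005 as purge candidates; a disabled card never surfaces as a purge candidate even when its holder is absent from the roster.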
CSO Center Contributed Content
Dear Mom And Dad: Here's What I Mean By "Business Continuity"
by Bryan Weisbard
When family and friends ask me what I do for a living, I'm almost always greeted by the same blank, confused stare when I respond with "Business Continuity." To me and others in our profession, the words seem to fit the job. However, even business-minded individuals do not always understand what business continuity means, let alone the important role it plays within organizations. To complicate matters even further, the focus of business continuity has evolved over recent years and will continue to do so as new issues such as cybersecurity and privacy compliance gain more attention. In the simplest sense, the goal of business continuity is to enable an organization to continue fulfilling its mission, vision and objectives, even during the worst of circumstances. Regardless of what Murphy's Law, mother nature, or those with bad intentions throw our way, we have prepared our organization to succeed. By now, you must be asking what it takes to build a successful Business Continuity program and how I can best explain it to my family and friends? I find that it's less about the technical details and more about the strategy explained in my 5 Steps to Success:
5 Steps to Success:
Understand the culture and risk appetite of the organization. Each and every organization is different. This seems like a relatively simple concept, but truly understanding what makes your organization different is difficult; however, understanding its mission, vision, and culture is essential--the culture of the organization drives the risk appetite and the risk appetite drives the framework of the business continuity program. Senior leadership defines the organization's risk appetite, and the role of the business continuity professional is to build and maintain a program consistent with these risk tolerances. Notice I specifically used the term "organization" rather than "business." Not all organizations are run as businesses, and organizations like nonprofits or governments (and any other organizations who do not operate with the intention of generating profits) need to be equally prepared to respond to crisis (or even slow-burn disruptions). By recognizing the culture and risk appetite established by leadership, we can then focus on understanding the inner workings of the organization...
Understand the inner workings of the organization. How is revenue generated (or does the organization even generate revenue)? What are the key processes that enable the organization to achieve its mission? During the first 90 days on the job, business continuity professionals should meet with as many different teams as possible--from accounting, finance and HR to operations, engineering, and sales. Each and every department in an organization should play a role in advancing the mission (if not, why does it exist?). The thing to keep in mind is that while each team plays a role, not all functions are time critical during an unexpected emergency. Identifying which teams are time-sensitive during a disaster is crucial. It's important to note that just because a team is not time-sensitive doesn't make it any less important. For example, in a for-profit business, without sales the company will cease to exist--but generating new sales during a crisis isn't necessarily as important as meeting immediate obligations to existing customers. Next, the business continuity professional needs to understand how those time-sensitive departments operate and the key people, facilities, suppliers, and technology required to perform the supporting activities. Priority should be placed on the departments that enable core products/services and departments which enable the organization to meet its critical obligations to internal and external stakeholders (employees, investors/shareholders, customers, users, compliance/regulatory organizations etc.). By understanding these inner workings, we can build a strategic plan to drive tactical execution…
Develop a strategic business continuity plan to drive tactical execution. Risk, corporate security, and crisis management are tightly interconnected. It's impossible to anticipate or plan for every crisis scenario, so developing a strategic framework to drive and guide future tactical response is critical. Proactively building an environment to prevent or reduce the likelihood of a risk should be coupled with a reactive plan to respond to an incident.
Resources should be dedicated to trying to prevent a disruptive incident from occurring, but we can't let ego cloud our judgement. We need to recognize that Murphy's Law and uncontrollable incidents will get the best of us at times, and we need to be prepared to respond accordingly. Strategic planning should drive tactical execution, but we need to be pragmatic and thoughtful in how we allocate resources...
Be pragmatic. When making resource decisions about the size and scope of a business continuity program, be pragmatic. Executives want to know that cost-benefit analyses are being conducted to understand the impact of potential risks (financial, reputational, legal). The investment in your business continuity program should be proportional to the risks faced by the organization and the acceptable pre-defined risk tolerances and culture. The "best" business continuity program is not necessarily the "biggest." Sure, I can build you the Fort Knox of business continuity programs, but that might cost more than the worst-case scenario caused by a disruptive incident. It's not worth spending $100,000 to mitigate a risk if the maximum lost value is $50,000 (should the risk even become a reality). It's perfectly acceptable to accept a risk without mitigation efforts as long as this is a conscious, pre-planned decision and not an afterthought. On the other hand, organizations might be willing to spend more than the maximum value lost to mitigate certain brand or reputational risks based on company values or culture. It might be worth paying $200,000 to avoid a negative impact to brand, even if the financial losses from a risk are estimated to be $100,000. Balance is essential to obtain executive buy-in, as is the ability to adapt to the changing role of business continuity...
Adapt. The business continuity function has continued to evolve, shifting from a focus on technical aspects to a broader understanding of risk and resilience. Understanding how an organization functions from a business, operational, and risk perspective is essential to leading a business continuity program. Every organization has different operational and technical requirements, so it's impossible to have the technical skillset in every discipline. Knowing the right questions to ask and where to go to find the answers is the most important skill.
The most successful business continuity professionals understand that they are advisors, not auditors. While certain industries require compliance with specific laws and regulations, business continuity professionals should seek to advise rather than mandate. This approach will help build buy-in throughout the organization, and stakeholders (whom you often rely on) will be more eager to partner with the business continuity team.
Conclusion: Sometimes complicated technical approaches tend to get in the way of progress. By taking a step back and carefully crafting a strategic business continuity program rather than pages and pages of complex details, we can be more agile in our planning and response. After all, who has the time to read 300 pages of documentation in the midst of a crisis? Sometimes simplicity is best. In the words of Leonardo da Vinci and Steve Jobs, "Simplicity is the ultimate sophistication."
About the author:
Bryan Weisbard, CPA, CFE, is Head of Security Analysis, Investigations & Business Continuity at Twitter. In this capacity, Weisbard's team identifies, analyzes, and mitigates risks posed to the company from a geopolitical and corporate security perspective. Weisbard also leads all business continuity and crisis management functions globally. Prior to joining Twitter, Weisbard served in a variety of national security roles with the U.S. Government, both in the Washington D.C. area and overseas. Weisbard holds an MBA from the University of North Carolina at Chapel Hill, a Bachelor of Business Administration from the University of Miami, and a Certificate in Forensic Accounting from Georgetown University. Weisbard is a Certified Public Accountant (CPA) and a Certified Fraud Examiner (CFE). Weisbard serves on the Membership Committee of the CSO Center for Leadership & Development and is a member of The Pacific Council on International Policy and OSAC's Pan-Asia Regional Council (PARC) and Media & Entertainment Working Group (MEWG). Weisbard also serves as President of the Board of Directors for Up On Top School Program, a 501(c)(3) charity providing free educational programs to children from low-income families.
Follow @BryanWeisbard on Twitter or connect with him on LinkedIn.
Response and Recovery Resources for Natural Disasters
ASIS Crisis Management and Business Continuity Council has provided links to helpful resources to assist recovery for those affected by Hurricane Harvey.
Information Resources Center (IRC) Security Databases & Library Catalog
Security Database & Library Catalog (members only)
Security Database & Library Catalog of the IRC has hundreds of records on the subjects of travel security and safety, including references to books, Security Management articles, government reports, Annual Seminar recorded sessions, and other documents. Print items are available for use onsite in the O.P. Norton Information Resources Center (IRC) by ASIS International members. Some items have links to electronic versions accessible via the Internet.
To access the IRC, sign in to the ASIS website, then go to the library webpages to navigate to the Security Database & Library Catalog. Search using the term “preparedness.”
You may also review the ASIS IRC Reference Guide on Preparedness, which provides a comprehensive review of the Standards and Guidelines, books, Security Management articles, recorded Webinars, and recorded Annual Seminar Educational Sessions available through ASIS that can assist security professionals as they prepare for and respond to emergencies in their companies and communities.
National Preparedness Month Toolkit
The National Preparedness Month Social Media Toolkit contains key marketing and preparedness messaging to print or share on your social media channels throughout the month of September and beyond.
2017 Voluntary Organization Partnership Day
The Federal Emergency Management Agency (FEMA) hosted more than 30 non-profit organizations at its headquarters on July 26, 2017, for Voluntary Organization Partnership Day, to promote and recognize the services that voluntary, community and faith-based organizations provide to disaster survivors.