Disaster Preparedness I Lessons Learned Don Hall Thomson Prometric 2006 Annual ConferenceAlexandria, Virginia Council on Licensure, Enforcement and Regulation

Disaster Preparedness ILessons Learned

Don HallThomson Prometric

2006 Annual Conference

Alexandria, Virginia

Council on Licensure, Enforcement and Regulation

Expect the Unexpected: Are We Clearly Prepared?

Presented at the 2006 CLEAR Annual ConferenceSeptember 14-16 Alexandria, Virginia

Thomson Prometric

Thomson Prometric is the leading global provider of comprehensive testing and assessment services. We deliver standardized tests for 600 client programs, in 26 languages, over the Web or through a global network of 3,200 testing centers in 135 countries.


Continuity Management at Prometric

Thomson Prometric has defined a comprehensive Business Continuity Management (BCM) program that provides for contingency operations that will ensure the continuity of services provided to our clients, candidates, and channel testing partners using established “best practices” to safeguard the interest of our clients, reputation, brand, and revenue.


Best Practices• Disaster Recovery Institute Int’l (DRII) • Business Continuity Institute (BCI)

– Promote a common knowledge and standards for BCM

– Certify individuals in the discipline– As such, in 1997, DRII, together with BCI,

published the Professional Practices for Business Continuity Planners as the industry's international standard.


Professional PracticesPre-Planning

• Project Initiation and Management• Risk Evaluation and Control• Business Impact Analysis

Planning• Developing Business Continuity Strategies• Emergency Response & Operations• Develop and Implement Business Continuity Plans

Post-Planning• Awareness and Training Programs• Maintenance and Exercising Business Continuity

Plans• Public Relations and Crises Communications• Coordination with Public Authorities


Professional Practices

Pre-planning• Project Initiation and Management• Risk Evaluation and Control• Business Impact Analysis


Project Initiation and Management• Define Scope, Objectives, Policies and Critical

Success Factors• Establish the need for BCP• Communicate the need for BCP• Involve Executive Management• Establish a Steering Committee or Task Force• Develop the Budget• Identify Planning Team(s) and Responsibilities• Develop and Coordinate Action Plans• Develop Ongoing management and

documentation requirements for BCM• Report to Senior Management Team


Risk Evaluation and Control

• Identify the threats• Eliminate threats, if possible• Estimate probability of threats• Perform Risk Analysis• Identify costs to reduce risks

– Spend resources on risks most likely to occur 80/20 Rule (1897, Vilfredo Pareto)

• Implement controls to reduce risks• Exercise, evaluate, and make changes

as needed to reduce the impact of risks


Business Impact Analysis (BIA)

• Establish the value of each organizational resource as they relate to the function of the whole

• Provide the basis for identifying the critical resources required to develop your business recovery strategy

• Establish order of priority for restoration



Planning• Developing Business Continuity

Strategies• Emergency Response & Operations• Develop and Implement Business

Continuity Plans (BCP/COOP)


Develop Business Continuity Strategy

• Identify the Enterprise Requirements• Identify strategies, costs, advantages,

and disadvantages for each– Compare internal and external

• Identify strategies for functional areas• Assess strategies using BIA results• Perform Costs/Benefits Analysis• Consolidate Continuity and Recovery

Strategies Across the Enterprise– Consolidate workspace recovery sites– Enterprise-level plans for media and

communications


Emergency Response and Operations• Identify Types of Emergencies and the Response

– Fire, Flood, HAZMAT, etc…• Identify Components of Emergency Response

– Reporting procedures (internal/external)– Pre-incident preparation– Emergency Actions (evacuation, firefighting, notifications,

etc…)– Facility Stabilization– Damage mitigation– Testing procedures and responsibilities

• Develop Detailed Emergency Response Procedures– Protection of Personnel– Containment of the Incident– Assessment of effect– Decide optimum actions


Emergency Response and Operations• Identify Command and Control Requirements

– Design and equip the Emergency Operations Center (EOC)– Define Command and Decision Authority roles– Communications vehicles (radio, e-mail, messengers, etc)– Logging and documentation methods

• Develop Command and Control Procedures– Opening the EOC– Security for the EOC– Scheduling the EOC teams (24 hour operations)– Management of the EOC– Closing the EOC

• Emergency Response and Triage• Salvage and Restoration


Develop Business Continuity Plans • Advanced planning that is necessary to ensure

the continuity of critical functions for an organization

• Putting in place supporting infrastructure and resources to respond to a disaster event

• Implement procedures to reduce the risk of identifiable threats

• Develop plans that cover all events that result in the total or partial destruction of a facility, or create an inability to perform essential functions

• Create plans that include procedures, equipment, and personnel for both automated and manual procedures.



Post-Planning• Awareness and Training Programs• Maintenance and Exercising

Business Continuity Plans• Public Relations and Crises

Communications• Coordination with Public Authorities


Awareness and Training

• Components of the COOP/BCP• Why is BCP important to them!• Who is the Business Continuity

Coordinator• Where to find more information• When is it exercised• How is the COOP activated


Maintenance and Exercising BCPMaintenance

• Monthly– Call-trees– Personnel data

• Quarterly– Plan review

• As needed– Organizational Change– Process Change– Technology Change

• Exercise– Before (exercise preparation/plan review)– After (lessons learned)

• Annually– BIA– Corporate Strategic Direction


Maintenance and Exercising BCPExercise

• Validate your plans• Familiarity with BCP procedures

– Reduce decisions, confusion, and recovery time– Reduced costs at time of recovery!

• Exercise Types– Walk-through (paper-based)– Simulation– Operational

• Exercise Guidance– Start small– Detailed procedures should be followed closely– Should include backup data (restores) and call-trees– Conduct surprise tests (very risky, only a few)– Use “actual” but not “live” data


Crises Communications• Escalation

– Disaster declaration criteria– Problem Identification and Escalation

• when is it a disaster– Contact Lists– Initial Response Items

• Primary Notifications– BC Coordinator, SMT, CMT/IMT– BC Teams– Damage Assessment Teams

• Secondary Notifications– Other employees– Customers– Public– Suppliers


Crises Communications• Public Relations

– Issue initial Press Release“canned response”

– Establish a schedule for Press Conferences

– Communicate the name of “official” spokesperson

– Be prepared for all “audiences” (internal, external, media, agencies)


Coordination with External Agencies

• Identify applicable laws and regulations and determine impact

• Identify statutory industry requirements• Ensure your plans meet all statutory and

regulatory requirements– work with statutory agencies as appropriate

• Identify and coordinate with agencies supporting BCP aims– Identify and develop procedures with external

agencies providing disaster assistance (financial and resources)

• Develop exercises with external agencies– Establish exercise objectives– Coordinate and execute exercises– Debrief and report on exercises to include action

plans


Speaker Contact Information

Don Hall, Director Business ContinuityThomson Prometric1000 Lancaster Street, Baltimore, MD 21202Phone 443-923-8000E-mail [email protected] www.prometric.com

Documents

Disaster Preparedness I Lessons Learned Don Hall Thomson Prometric 2006 Annual ConferenceAlexandria, Virginia Council on Licensure, Enforcement and Regulation