CHAPTER 17
BUSINESS PREPAREDNESS, CONTINUITY, AND RECOVERY
Private Sector Response

Business owners invest a tremendous amount of time, money and resources to make their ventures successful, so it would seem natural for owners to take steps to protect those investments. While the importance of emergency planning may seem self-evident, the urgency of the task is often blunted by the immediate demands of the workplace.

“Ready Business Mentoring Guide,” Department of Homeland Security

CHAPTER OVERVIEW

When the role of the private sector in homeland security arises, many people think of big office towers, sprawling industrial facilities, and major corporations. But disasters, including terrorism, can strike any business no matter how small. In addition, because the private sector employs most Americans and controls the bulk of critical infrastructure, every citizen has a major stake in its preparedness. This chapter surveys measures that companies can take to protect their operations, facilities, and employees, as well as federal programs that address concerns of small and medium-size businesses.

CHAPTER LEARNING OBJECTIVES

After reading this chapter, you should be able to

1. Understand how September 11 changed private sector perceptions toward preparedness.

2. Describe what is meant by disaster recovery and continuity of operations.

3. Summarize legal implications of preparedness planning.

4. List steps in preparedness planning.

NEW WORLD OF DISORDER

Terrorists strike more than nations and people; companies, both large and small, fall victim as well. An estimated 1,200 to 2,000 small businesses, including about 600 in the Twin Towers, were wiped out by the 9/11 attack, which also affected over 15,000 enterprises in the area and 13.4 million square feet of real estate. Lower Manhattan lost more than 100,000 employees to death, relocation, or unemployment. Companies disrupted by the collapse of World Trade Center buildings ranged from rich, multinational corporations to small mom-and-pop stores. Robert Garber’s Bits, Bites and Baguettes, operating in the shadow of the Twin Towers, was a typical casualty. On September 10, 2001, Bits and Bites had its busiest day ever, revenues were up 35 percent, and the staff had quadrupled since the small restaurant and caterer opened in 1997. After September 11, the business was barricaded for two months, pushing Garber’s company to the edge of insolvency.1

Acts of terrorism are far from the only threat to private enterprise; businesses also suffer more common natural and technological (human-made) disasters, including fires, floods, earthquakes, tornadoes, and industrial accidents. Many practices and precautions for preventing, responding to, and mitigating these events are equally applicable for terrorist strikes, along with additional measures required against deliberate acts targeting everyday commerce.

Part of Modern Business Practices

Failure to prepare could have a dramatic impact on business practices. For example, a terrorist attack on the New York City electric system disrupting electrical supply for just 20 hours could cause $1.2 billion in business costs and loss of life, according to a 2005 study.2 A breakdown in the credit card sales authorization system would cost $2.6 million per hour.3 Disasters such as these would hit small businesses hardest, as have previous emergencies. DHS quotes an estimate that a quarter of companies do not reopen after a major disaster and other estimates are even higher.4 The experts are unanimous: No business should risk operating without a disaster plan.

Even before 9/11, continuity and disaster response and recovery planning were becoming an integral component of modern business practices. In the 1980s, as companies became increasingly dependent on computers, disaster recovery emerged as a formal discipline, focused on protecting data. Over time the emphasis expanded to include supply chain management, physical security of property and personnel, and protection of information networks.

Companies from a handful of employees to a few hundred make up over half of the American workforce and are the backbone of the U.S. economy. They create on average about two-thirds of all new jobs each year. In many cases, they provide crucial support to critical infrastructure. About half the contracts that supply goods and services to the Department of Defense are with small and medium-size businesses.

These enterprises are not only vital to the U.S. economy, but in a disaster are most vulnerable. Small enterprises often have only one location with no backup facilities. They don’t store files, records, or other critical data off-site. They don’t have cash reserves to weather long disruptions.

Many small and medium-size businesses have not planned to ensure continuity of operations if they have to close temporarily, can’t get supplies, or have channels to customers disrupted or receivables delayed.

Small business owners often believe that if disaster strikes they’ll be back in operation after two or three days. But experience shows that’s unlikely. According to government statistics, small firms typically are unable to resume normal work until weeks or months after a catastrophe. Despite this reality, insurance and liability issues have failed to prompt disaster preparation by many small businesses. As for regulations, the federal government has in general elected to encourage rather than mandate best practices for owners of critical infrastructure and other key businesses.

DEFINITIONS AND STANDARDS

Business continuity involves developing measures and safeguards that allow an organization to produce or deliver goods or services under adverse conditions. In contrast, disaster response and recovery includes responding to, mitigating, and recovering or reconstituting personnel, infrastructure, and business capabilities in the wake of an event. The main difference between the two is that continuity planning is meant to prevent business interruptions if disaster strikes, while disaster planning involves dealing with interruptions if they happen. Collectively, these activities are often referred to as contingency planning.

There are no universal standards for preparedness in the private sector. Many groups, however, have endorsed standards promulgated by the National Fire Protection Association, NFPA 1600, as an appropriate model. The NFPA offers descriptions of a comprehensive program that addresses disaster recovery, emergency management, and business continuity.

CHANGING BUSINESS ENVIRONMENT

There are still significant gaps and great disparities in how companies prepare for future contingencies. The larger the company, in terms of revenue and employees, the more likely it is to have plans in place and test them annually. The general trend, especially for medium-size and large companies, is that commercial enterprises increasingly recognize the need to pay greater attention to continuity of their business practices. Preparedness on the part of small companies remains a concern.

VOLUNTARY PRIVATE SECTOR PREPAREDNESS

The 2007 Implementing Recommendations of the 9/11 Commission Act required the Department of Homeland Security to establish a voluntary program of accreditation and certification to promote private sector preparedness.

Private Sector Preparedness Coordinating Council

The administrator of FEMA chairs the Private Sector Preparedness Coordinating Council, which includes representatives from the Science and Technology Directorate, Office of Infrastructure Protection, and Office of the Private Sector. In addition to overseeing adoption of private sector preparedness standards, the council advises on efforts to promote the business case for preparedness.

Certification and Monitoring

In response, DHS developed the Voluntary Private Sector Preparedness Accreditation and Certification Program (PS-Prep). The program, managed by FEMA, awards private entities an emergency preparedness certification through an accreditation system organized with the private sector.

First implemented in 2010, the standards for PS-Prep drew from guidelines developed in the United States and overseas. They include the NFPA 1600 (Standard on Disaster/Emergency Management and Business Continuity Programs), the British Standards Institution BS 25999: 2006–1 (Code of Practice for Business Continuity Management) and BS 25999: 2007–2 (Specification for Business Continuity Management), and the ASIS International SPC.1–2009 (Organizational Resilience: Security Preparedness and Continuity Management System—Requirements with Guidance for Use). Participation in the program is voluntary. By law, small businesses receive special consideration.

As of 2011, FEMA was still establishing a certification and monitoring process for implementing PS-Prep. The agency selected the American National Standards Institute (ANSI) and the American Society for Quality (ASQ), two nonprofit private sector entities, to accredit qualified third parties to issue certifications. PS-Prep also requires periodic assessment and auditing.

Ready Business

This program is part of the DHS’s Ready campaign, an effort to promote voluntary preparedness. The Ready Business campaign focuses on small and medium-size business activities.

Ready Business includes a number of initiatives, such as Ready Business Mentoring, which offers guides for business owners and managers detailing affordable ways to better protect their businesses. The effort also includes a collaborative relationship with the Extension Disaster Education Network (EDEN) to provide materials for workshops and training sessions. EDEN is a multistate education delivery network established through the land-grant university system. Managed by Purdue University, the network provides educational resources for assisting communities in facing disasters.

FEDERAL REQUIREMENTS

Sound business practices and concern over safety of employees, the surrounding community, and the environment are not the only motivation for contingency planning. Federal, state, and local laws may also require it. Occupational Safety and Health Administration (OSHA) regulations offer a case in point. OSHA Standard 29 CFR 1910.38 requires plans with actions employers and employees must take to ensure safety in fire and other emergencies.5

In addition, other legal requirements may impact the need for contingency planning. A number of federal laws regulate hazardous materials, including the Superfund Amendments and Reauthorization Act of 1986 (SARA), the Resource Conservation and Recovery Act of 1976, the Hazardous Materials Transportation Act, the Occupational Safety and Health Act, the Toxic Substances Control Act, and the Clean Air Act. SARA, for example, regulates packaging, labeling, handling, storage, and transportation of hazardous materials. It requires a facility to furnish information about quantities and health effects of materials used there and to notify local and state officials promptly when a significant release occurs.

OSHA has also established equipment and training requirements for fire brigades and other response teams that might deal with hazardous materials. Some employee training, such as fire drills, is also mandatory.6 Detailed definitions as well as lists of hazardous materials and training and equipment requirements can be obtained from the Environmental Protection Agency and OSHA.

PLANNING FOR THE WORST

Most specialists agree the centerpiece of preparations for any company is the development of a business continuity/disaster recovery program built around a sound contingency plan. A contingency plan is a comprehensive statement of actions for before, during, and after a disaster. It must achieve three goals: (1) create awareness of potential disasters, (2) define actions and activities to minimize disruptions of critical functions, and (3) develop the ability to reestablish business operations. For the plan to be effective, it must be documented, tested, and updated periodically as part of a comprehensive program.

Costs for contingency planning vary with the size of the business and the scope of its resources, risks, and vulnerabilities. Small and medium-size businesses may face a number of challenges in developing and implementing plans, such as limited employee time available for such tasks.7

Continuity and disaster recovery professionals generally recommend a sequential planning process applicable to most companies regardless of size and workforce, many aspects of which apply equally to business, nonprofit and government organizations. The basic elements: obtain management commitment, establish a planning committee, perform a risk assessment, establish operational priorities, determine continuity and recovery options, develop a contingency plan, and implement the plan.8

Obtain Management Commitment

Senior management should be responsible for coordinating planning. Among management’s most critical activities are ensuring the plan is a priority and that sufficient time and resources (such as a budget for research, printing, seminars, consulting services, and other expenses) are committed.

Establish a Planning Committee

Since a disaster could well affect every aspect of a company’s business practices, from acquisition of raw materials to public relations and advertising, representatives from every facet of the company need to be involved. A committee should be appointed to develop and implement the business continuity/disaster recovery plan, headed by the CEO or plant manager. Committee members might include operations managers; union representatives; information technology (IT) or data-processing managers; legal, purchasing, and financial management representatives; engineering and maintenance personnel; public information and human resources personnel; safety, health, and environmental affairs representatives; sales and marketing and community relations representatives; suppliers; and service providers. A critical but sometimes overlooked requirement, for both planning and execution of programs, is ensuring the roles and concerns of suppliers, customers, family members and other critical stakeholders from outside the company are included in the planning process.

The committee’s purpose is to develop and document the contingency plan. Its duties would include drafting a mission statement, budget, work plan, and time line for various planning activities. The committee would also be responsible for research, engaging consultants, meeting with outside groups, and supervising planning.

Perform a Risk Assessment

Most specialists consider this the most vital task for establishing an effective plan. Typically, the risk assessment will comprise an evaluation of threats, vulnerabilities, and costs.

Threats are things that can go wrong or that can “attack” a company’s personnel, property, products, or systems. They include natural disasters such as earthquakes and floods and human-made disasters such as industrial accidents, fraud, and sabotage, or even the sudden loss of a key supplier or customer. An assessment includes not only what threats a company might face, but also how likely they are.

Vulnerabilities are things that make the company more likely to face a disaster and be damaged by it. For example, being located in Kansas might increase the chances of facing a tornado. Should it strike, the presence of hazardous materials in the facility could increase possibilities of a dangerous spill or fire, another significant vulnerability.

Costs include assessment of the financial impact of various disaster scenarios. An assessment should consider both direct costs, such as losses due to an interruption in sales, and indirect costs, such as a devaluation of a company’s stock from loss of confidence by shareholders. This part of the risk assessment is often called the business impact analysis.

Evaluations of threat, vulnerability, and cost are used not only to determine dangers to prepare for and how to meet them, but also to prioritize. As part of planning, leaders have to decide which threats are most likely and dangerous, and consequently where they should invest time and effort in preparation.

Traditionally, fire is the most common disaster experienced by businesses, but depending on geographical location, enterprises might be particularly vulnerable to floods, tornadoes, wildfires, and earthquakes, among other threats (see chapter 15). Accurate and fairly complete information on likely hazards can be obtained through local and state organizations, such as emergency management offices, floodplain management, public or commercial geospatial information services, geological surveys, and universities and colleges.

Determining whether a company is especially susceptible to terrorist attack is more problematic. Location and activity may be two indicators. For example, given the number of terrorist incidents involving commercial aviation, businesses involved in this sector, including tourism, travel services, and airport vendors, may have greater concern over how their practices could be affected by an attack. Organizations involved in politically controversial activities might also consider their potential for becoming victims of terrorists. Sources of information for conducting a terrorist risk assessment might include local law enforcement, industry associations, or a business sector ISAC.

As part of risk assessment, each area of an organization (such as billing, shipping, advertising, utilities, and IT services) should be evaluated to determine potential consequences of different kinds of disasters. Effects to be considered include costs of repairing or replacing equipment, loss of worker productivity and the expense of replacing and training new personnel, impact on customers, violations of contractual agreements, imposition of fines and penalties or legal costs, and interruption of supplies or distribution of products.

Establish Operational Priorities

Before the planning team decides how best to prepare for different threats and mitigate vulnerabilities, it must first identify the critical needs of each element within the company. These are those resources, leadership, or capabilities whose loss would stop or significantly degrade essential business activities, such as the delivery of goods or services. The analysis should determine the maximum amount of time the organization can operate without each critical element. This step is essential for ensuring the most important parts of the business are addressed first. An assessment might include determining essential activities and systems, key personnel, and vital records and documents. Examples of critical operational priorities include sole-source vendors; lifeline services, such as water, oil, and gas; and irreplaceable equipment. The assessment usually ranks individual or groups of personnel, facilities, and services as essential, important, or nonessential.
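The following added example, which is not part of the original chapter, works through the risk assessment and operational priorities steps described above for a hypothetical small business. The functions, figures, expected-loss formula (likelihood times outage days times daily cost), and the day thresholds used for the essential/important/nonessential ranking are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# All names and figures below are constructed sample data for a hypothetical
# small business; none of them come from the chapter.

@dataclass(frozen=True)
class Function:
    name: str
    max_tolerable_days: float   # longest the business can run without it

@dataclass(frozen=True)
class Scenario:
    threat: str
    function: str               # business area the threat would disrupt
    annual_likelihood: float    # estimated chance of occurring in a year
    outage_days: float          # estimated downtime if it does occur
    daily_cost: float           # direct plus indirect cost per day down

# Assumed cut-offs for the essential / important / nonessential ranking.
ESSENTIAL_MAX_DAYS = 2
IMPORTANT_MAX_DAYS = 14
RANK_ORDER = {"essential": 0, "important": 1, "nonessential": 2}

def classify(function):
    """Rank a function by how long the business can operate without it."""
    if function.max_tolerable_days <= ESSENTIAL_MAX_DAYS:
        return "essential"
    if function.max_tolerable_days <= IMPORTANT_MAX_DAYS:
        return "important"
    return "nonessential"

def expected_annual_loss(scenario):
    """Business impact of a scenario weighted by how likely it is."""
    return (scenario.annual_likelihood * scenario.outage_days
            * scenario.daily_cost)

def assess(functions, scenarios):
    """Return one row per scenario, highest planning priority first.

    A continuity gap means the estimated outage is longer than the function's
    maximum tolerable downtime. Gaps sort first, then rank, then expected loss.
    """
    by_name = {f.name: f for f in functions}
    rows = []
    for s in scenarios:
        fn = by_name[s.function]
        rows.append({
            "threat": s.threat,
            "function": s.function,
            "rank": classify(fn),
            "expected_annual_loss": round(expected_annual_loss(s), 2),
            "continuity_gap": s.outage_days > fn.max_tolerable_days,
        })
    rows.sort(key=lambda r: (not r["continuity_gap"],
                             RANK_ORDER[r["rank"]],
                             -r["expected_annual_loss"]))
    return rows

FUNCTIONS = [
    Function("IT services", 1),
    Function("shipping", 3),
    Function("billing", 5),
    Function("advertising", 30),
]

SCENARIOS = [
    Scenario("power outage", "billing", 0.50, 1, 2000),
    Scenario("loss of key supplier", "shipping", 0.10, 2, 3000),
    Scenario("fire", "advertising", 0.02, 20, 200),
    Scenario("flood", "shipping", 0.05, 10, 3000),
    Scenario("fire", "IT services", 0.02, 20, 8000),
]

if __name__ == "__main__":
    for row in assess(FUNCTIONS, SCENARIOS):
        gap = "GAP" if row["continuity_gap"] else "ok"
        print(f'{row["threat"]:22} {row["function"]:12} {row["rank"]:12} '
              f'{row["expected_annual_loss"]:>8.0f}  {gap}')
```

The ordering shows why likelihood alone is a poor guide: the power outage is the most probable event, but the fire and flood scenarios rank higher because their outages exceed what the affected functions can tolerate.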

Determine Continuity and Recovery Options

Planners must then determine practical options for protecting the identified critical operational priorities.

As part of this process, the committee should collect data needed to respond to a disaster, including personnel listings; essential telephone numbers; inventories of equipment, office supplies, and documents; lists of vendors and customers; storage locations; software and data file backup/retention schedules; and important contracts.

The committee should also review existing plans, policies, and programs, including evacuation and fire plans, safety and health programs, environmental policies, security procedures, finance and purchasing procedures, employee manuals, hazardous materials plans, capital improvement programs, and mutual aid agreements.

In particular, any assessment should include a rigorous evaluation to determine if insurance policies are adequate to meet liabilities that might be incurred from a disaster. Most small-business insurance policies include basic property and liability insurance, which generally covers losses from fire or a lightning strike. Additionally, small-business policies often cover windstorms, hail, explosions, riots and civil commotions, plus destruction caused by vehicles or vandalism. Coverage against earthquakes, floods, and building collapse is usually optional. Liability insurance protects business assets in the event the company is sued.

After 9/11, many insurance providers began refusing to cover terrorism in their policies. The federal government responded in 2002 by instituting the Terrorism Risk Insurance Act (TRIA), which creates a government “backstop” for insurance claims from terrorism. Later extended through 2014, the program is overseen by the Secretary of the Treasury. In effect, the law requires that insurers offer terrorism insurance, but provides government funding in the event of major losses.

[Another federal law that can prove beneficial to certain businesses is the Support Anti-terrorism by Fostering Effective Technologies Act of 2002, or SAFETY Act, which provides insurance and liability benefits for companies developing and using approved anti-terrorist technologies or services.]

In addition to examining pertinent documents, the planning committee should review the status of internal assets available for response. These might include materials response teams, emergency medical services, security, and the company’s public information officer. The committee should also be aware of any specialized equipment or facilities, for example, fire protection and suppression equipment, communications equipment, first aid supplies, emergency supplies, warning systems, emergency power equipment, decontamination equipment, shelter areas, and first aid stations. Finally, the committee should know what backup services are available in areas such as payroll, customer service, shipping and receiving, and IT systems.

As part of this process, the committee should review applicable federal, state, and local regulations to ensure plans are consistent with law, regulations and the company’s stated policies. Such concerns include occupational safety and health regulations, environmental regulations, fire codes, seismic safety codes, transportation regulations, zoning regulations, and corporate policies.

Meetings should also be held with outside groups to determine what support and resources may be available and what coordination is required in a disaster. Sources of information might include the community emergency management office; office of the mayor or a community administrator; local emergency planning committee; fire and police departments; emergency medical services organizations (such as an ambulance service); public works department or local planning commission; telephone, electric, and other local utilities; hospitals; contractors; neighboring businesses; American Red Cross; and National Weather Service. This can even include coordinating with nearby businesses to create an informal “mutual aid” agreement for sharing security information, such as a “heads up” on suspicious activities in the neighborhood, and providing shelter or other resources in an emergency. Finally, options for processing data and conducting business activities in case of a disaster should be researched and evaluated.

There are four types of preparedness measures to reduce the risk of a disaster. Deterrent measures lessen the likelihood of a disaster or deliberate attack. Preventive measures protect vulnerabilities and make an attack unsuccessful or reduce its impact. Corrective measures reduce the effect of an attack. Detection measures discover attacks and trigger preventive or corrective controls. These measures may require new practices, personnel, or equipment. As part of the planning process, the committee should determine the costs and benefits of implementing them.

Develop a Contingency Plan

Once the committee has decided what measures should be incorporated, they must be documented in a comprehensive written product. The plan should include detailed procedures for before, during, and after a disaster, with specific responsibilities assigned to a management team. Once completed, the plans should be approved by management.

The plan should establish an emergency management group, including company leaders responsible for managing the “big picture” and controlling all incident-related activities. It is headed by the company’s designated emergency director, who is often the firm’s day-to-day facilities manager.

During a disaster, the mission of the emergency management group is to support the incident commander, whose task is overseeing technical aspects of the response. The incident commander is responsible for frontline management, making decisions on the scene regarding how to respond and relaying requests for required resources. The management group supports the incident commander by allocating resources and by interfacing with the community, the media, outside response organizations, and regulatory agencies.

Plans may also require the emergency management group to establish an emergency operations center (EOC) to coordinate the response to a disaster. It should be located in a facility not likely to be involved in an incident.

Business contingency plans normally include an executive summary, the facility’s emergency management policy, authorities and responsibilities of key personnel, types of emergencies that could occur, and where response operations will be managed. A second portion of the plan should briefly describe how core elements of emergency management will be organized within the organization. These include communications; safety; property protection; community outreach; recovery and restoration of systems, operations, and facilities; administration; and logistics. The third portion of the plan spells out how the organization will respond to emergencies.

In addition to the basic plan, support documents should be developed. They include building and site maps with utilities and shutoff locations, floor plans, escape routes, emergency equipment inventories and location, alarm system plans, and the location of hazardous materials and critical items. Other documents that might be included are emergency procedures, personnel lists, and emergency-call rosters.

Implement the Plan

Once drafted, plans should be tested. Procedures should also be established for maintaining and updating them, including regular review by key personnel.

Finally, means for exercising and training must be established. Exercises can include everything from “tabletop” exercises, in which the disaster management team reviews their responsibilities, to full-scale drills.

Training plans should include worker orientations and periodic classes that offer information on individual roles and responsibilities; threats, hazards, and protective actions; notification, warning, and communications procedures; means for locating family members in an emergency; emergency response procedures; evacuation, shelter, and accountability procedures; location and use of common emergency equipment; and emergency shutdown procedures.

The importance of training cannot be overstated. Research shows that employees who have participated in drills and classroom training respond faster and make better decisions when responding to an emergency.9

SUPPLY CHAIN SECURITY

Attracting increasing global focus is the challenge of supply chain continuity. To reduce high costs of maintaining large inventories of products, many companies have adopted the concept of just-in-time delivery of goods and services. Quick and responsive delivery eliminates the need to have large stockpiles on hand, thus reducing operating costs.10 Consequently, supply chains have become increasingly fragile. Unexpected delivery delays can negate the advantages of inventory optimization. For instance, in the wake of 9/11, border security was significantly upgraded. As a result, many truckers were delayed at border crossings for several hours. Since truckers are only permitted to drive 10 hours per day, the delays often ended up adding a day to delivery time. As a result, the Ford Motor Co. had to idle five U.S. manufacturing plants because of slow delivery from parts suppliers in Canada.11 Similar problems emerged after the 2011 Japanese earthquake and tsunami.

Visibility and Control

Two issues regarding supply chain management are particularly problematic. Companies often have reduced visibility and control over the delivery of goods. Visibility represents the capacity to know where goods are and when they will be delivered. Control reflects the ability to change how and when goods are delivered. A study conducted by Michigan State University identified four key components for supply chain continuity.12

Risk Assessment

The first is a thorough risk assessment that identifies the supply chain’s susceptibility to potentially crippling disruption. This assessment should include steps in the supply chain internal to the company, as well as the role of customers and suppliers. A common technique is supply chain mapping. Mapping helps identify bottlenecks, important transportation nodes, and critical suppliers within the supply chain.
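Supply chain mapping can be carried out as a small dependency analysis, shown here as an added example that is not part of the original chapter. The map is constructed for a hypothetical manufacturer, loosely echoing the border-delay illustration above; the node names and the model (every requirement group must be met, any one source in a group suffices) are assumptions.

```python
# Constructed supply chain map for a hypothetical manufacturer (not from the
# chapter). Each node lists its requirement groups: every group must be
# satisfied, and any one source inside a group is enough to satisfy it.
SUPPLY_MAP = {
    "finished_goods":     [["assembly_plant"]],
    "assembly_plant":     [["lane_engine_ca", "lane_engine_us"],
                           ["lane_seats_ca"],
                           ["electric_utility"]],
    "lane_engine_ca":     [["engine_supplier_ca"], ["border_crossing"]],
    "lane_engine_us":     [["engine_supplier_us"]],
    "lane_seats_ca":      [["seat_supplier_ca"], ["border_crossing"]],
    "engine_supplier_ca": [],
    "engine_supplier_us": [],
    "seat_supplier_ca":   [],
    "border_crossing":    [],
    "electric_utility":   [],
}

def all_nodes(supply_map):
    """Every node named in the map, as a key or as a source."""
    nodes = set(supply_map)
    for groups in supply_map.values():
        for group in groups:
            nodes.update(group)
    return nodes

def available(node, failed, supply_map, _path=frozenset()):
    """True if `node` can still operate when the nodes in `failed` are down.

    A node that appears on its own dependency path (a cycle in the map) is
    treated as unavailable, since it cannot supply itself.
    """
    if node in failed or node in _path:
        return False
    path = _path | {node}
    return all(
        any(available(src, failed, supply_map, path) for src in group)
        for group in supply_map.get(node, [])
    )

def single_points_of_failure(target, supply_map):
    """Nodes whose individual loss stops `target` (critical suppliers/nodes)."""
    return sorted(
        n for n in all_nodes(supply_map)
        if n != target and not available(target, {n}, supply_map)
    )

def downstream_impact(node, supply_map):
    """Everything that stops when `node` alone fails."""
    return sorted(
        n for n in all_nodes(supply_map)
        if n != node and not available(n, {node}, supply_map)
    )

def rank_bottlenecks(supply_map):
    """Nodes ordered by how much of the chain depends on them."""
    scored = [(n, len(downstream_impact(n, supply_map)))
              for n in all_nodes(supply_map)]
    return sorted(scored, key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    print("Single points of failure for finished_goods:")
    for name in single_points_of_failure("finished_goods", SUPPLY_MAP):
        print("  ", name)
    print("Bottleneck ranking (node, dependents stopped):")
    for name, count in rank_bottlenecks(SUPPLY_MAP):
        print(f"   {name:20} {count}")
```

In this map the engine suppliers are not single points of failure because a second source exists, while the shared border crossing is the largest bottleneck even though it supplies nothing itself.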

Reducing and Monitoring Risks

The second key effort is developing measures for reducing and monitoring risks. These lessen the likelihood or impact of supply chain disruptions. Monitoring includes watching changes in supply that may increase or decrease risks, such as sudden shifts in the availability of raw materials or the cost of transportation. It can also involve technology to monitor goods in transit, from location to temperature and tampering (which can also reduce theft, counterfeiting, and diversion).

Contingency Plans

Third, contingency plans should include remediation plans for recovery from disruptions that do occur. Measures might include shortening the period of disruption or minimizing the impact on business practices.

Knowledge Management

The fourth component of effective supply contingency planning is establishing “knowledge management,” or learning from previous disruptions in the supply chain. This includes post-event audits and analysis to determine lessons that can be applied to future activities.

PHYSICAL SECURITY

Concern over terrorism and theft has made physical security increasingly relevant and an important factor in mitigating risks and vulnerabilities.13 Most experts cite three basic means for controlling physical security risks. The first includes mechanical systems, such as access control systems (electronic card or biometric readers and door locks), video and other surveillance and monitoring systems (including video analytics), emergency call boxes, intrusion alarms, and command and control systems, including workstations capable of monitoring security systems and responding to events, such as by limiting access or initiating reactions. A second category of mitigating measures covers improvements in organization, including security staff and procedures, as well as policies governing management, tenants, and employees. The third element of security mitigation is sometimes referred to as “natural” security, referring to architectural elements of facilities and surrounding areas. Such elements include removing trash cans during alerts to prevent them from being used as drops for improvised explosive devices, or placing planters to prevent vehicles from getting near the facility.

Also essential are developing easily understood policies and procedures, conducting training, and performing regular tests, surveys and assessments. For example, only about 1 percent of triggered automatic alarms represents actual emergencies or intrusions. The remainder results from mechanical faults, human error, or disregard of established security procedures. Thus, establishing effective maintenance and education programs reduces the number of false alarms and ensures that security personnel appropriately respond to automatic warnings.

INFORMATION TECHNOLOGY CONTINUITY AND RECOVERY

Protecting data and the IT systems that support businesses has grown ever more important (see Chapter 21 for a detailed discussion of cybersecurity). The current trend in IT continuity and recovery is to focus on “survivability” of systems. Survivability, similar to resilience, is usually defined as the capability of a system to fulfill its mission in the presence of cyberattacks, physical disruptions, failures, or accidents.14 Rather than protecting the computer system per se, contingency planning concentrates on security of information and capability to conduct specific mission-critical business practices, such as billing and inventory control.

Businesses of all sizes will find a multitude of vendors, consultants, and support services offering assistance in IT contingency programs. For example, some vendors provide hot sites, operationally ready data centers that could serve as alternative computer centers for key business activities. The use of hot sites, particularly for financial firms, continues to grow.

Another increasingly popular tool is quick shipping, the rapid shipment of computers from third-party leasing vendors to replace lost equipment. Some companies also contract for delivery of small portable computer sites or mobile emergency office suites to the work location. In addition, many vendors offer various PC-based continuity and disaster recovery planning tools or consulting services to assist in the development and implementation of plans.

Finally, the explosive growth of “cloud computing” offers substantial benefits for continuity of operations, as well as business processes. “The essence of cloud computing,” writes Armando Fox from the University of California, “is making data center hardware and software available to the general public [and governments for that matter] on a pay-as-you-go basis.”15 While “clouds” allow users to access services without the costs of buying and maintaining hardware and software, this approach also creates dependencies that might raise reliability and security risks. Companies that employ cloud computing must assess risks and benefits for both business continuity and disaster response plans and procedures.

CHAPTER SUMMARY

This chapter emphasizes the importance of business contingency planning. Good planning is based on a disciplined process directed by key leaders and managers. As with critical infrastructure protection activities, risk management is an important tool for business preparedness. For businesses, the difference between effective planning and none at all may be as severe as unnecessary death and bankruptcy.

CHAPTER QUIZ

1. Why should companies undertake contingency planning?

2. What effect did the September 11 attacks have on how businesses view the importance of contingency planning?

3. What is the most important step in contingency planning? Why?

4. Why is risk management important?

5. What is PS-Prep?

NOTES

1. National Community Capital Association, “2 Years after 9/11: A Report on the Unique Role Community Development Financial Institutions Are Playing in the Rebuilding of Lower Manhattan” (October 15, 2003), 4.

2. Rae Zimmerman, Jeffrey S. Simonoff and Lester Lave, “Risk and Economic Costs of a Terrorist Attack on the Electric System (presentation),” Center for Risk and Economic Analysis of Terrorism Events, August 19, 2005.

3. Michael Peterson and Kirs Newton, “DATABASE OPERATING PRACTICES: High Availability and Data Protection,” Executive Summary, 2 Strategic Research Corporation, 1998. http://www.sresearch.com/oper_prac98.htm.

4. Ready Business Mentoring Guide: Working With Small Businesses to Prepare for Emergencies, Department of Homeland Security, April 25, 2006, 6 at: http://www.ready.gov/business/_downloads/mentor_guide.pdf

5. For more details, see Guy Colonna, ed., Introduction to Employee Fire and Life Safety (Quincy, MA: National Fire Protection Association, 2001), 2–8.

6. Ibid., 10.

7. For estimates of the time and resources required for small and medium-size business contingency planning, see Norm Koehler, “The Small and Medium Size Businesses Guide to a Successful Continuity Program,” 2002.drj.com/special/smallbusiness/article1–01.html.

8. See, for example, Federal Emergency Management Agency, Emergency Management Guide for Business and Industry (2002), www.fema.gov/pdf/library/bizindst.pdf.

9. Colonna, op. cit., 13.

10. For an introduction to just-in-time supply management, see B. Modarress and Abdolhossein Ansari, Just-in-Time Purchasing (New York: The Free Press, 1990).

11. Joseph Martha, “Just-in-Case Operations,” Warehouse Forum 17/2 (January 2002), www.warehousing-forum.com/news/2002_01.pdf.

12. George A. Zsidisin et al., “Effective Practices in Business Continuity Planning for Purchasing and Supply Chain Management,” Michigan State University (July 2003), http://www.bus.msu.edu/msc/documents/AT&T%20full%20paper.pdf.

13. Building Owners and Managers Institute, “BOMI Institute Corner: Building an Effective Security Program,” Today’s Facility Manager (October 2001), www.facilitycity.com/tfm/tfm_01_10_news3.asp.

14. Howard F. Lipson and David A. Fisher, “Survivability—A New Technical and Business Perspective on Security,” Proceedings of the 1999 New Security Paradigms Workshop, Ontario, Canada (September 22–24, 1999), p. 1.

15. Armando Fox, “Opportunities and Challenges in Cloud Computing,” in National Academy of Engineering, Frontiers of Engineering (Washington, DC: National Academies Press, 2011), p. 5.
