Why Plan for a Pandemic – Some History
Written by Barbara Davi
It started, harmlessly enough, with a cough drowned out by the raging world war. It was known as Spanish influenza only because censorship by the warring governments wouldn’t allow reports of the spreading illness for fear it would damage morale.
However, Spain, being neutral, allowed its press to publicize what was happening. The first cable read, “A STRANGE FORM OF DISEASE OF EPIDEMIC CHARACTER HAS APPEARED IN MADRID.” Because of the censors, even as millions were dying around the globe, the world press was apt to report little about the pandemic beyond what the Spanish King Alfonzo’s temperature was that morning.5 In Spain, they called it the French flu.
“The year 1918 has gone,” the editors of the Journal of the American Medical Association wrote in the Christmas issue, “a year momentous as the termination of the cruelest war in the annals of the human race; a year which marked the end, at least for a time, of man’s destruction of man; unfortunately a year in which developed a most fatal infectious disease….” That most fatal diseases killed about 10 times more Americans than did the war. In fact, according to the World Health Organization (WHO), “The 1918 influenza pandemic killed more people in less time than any other disease before or since,”9 the “most deadly disease event in the history of humanity.”
The word “epidemic” comes from the Greek epi, meaning “upon,” and demos, meaning “people.” The word “pandemic” comes from the Greek word pandemos, meaning “upon all the people.” Most outbreaks of disease are geographically confined, just like most disasters in general. Wars, famines, earthquakes, and acts of terror, for example, tend to be localized both in time and space. We look on in horror, but may not be affected ourselves. Pandemics are different. Pandemics are worldwide epidemics. They happen everywhere at once, coast to coast, and can drag on for more than a year. “With Hurricane Katrina, people opened their homes, sent checks and people found safe havens,” writes a global economic strategist at a leading investment firm, but with a pandemic, “there is nowhere to turn, no safe place to evacuate.”
Those who suffer anaphylactic reactions to bee stings or food allergies know the power of the human immune system. In their case, exposure to certain foreign stimuli can trigger a massive overreaction of the body’s immune system that, without treatment, could literally drop them dead within minutes. Our immune systems are equipped to explode at any moment, yet there are layers of fail-safe mechanisms that protect most people from such an overreaction. The influenza virus has learned, though, how to flick off the safety.
Both the 1918 virus and the threat, H5N1 with variants, seem to trigger a “cytokine storm,” an over-exuberant immune reaction to the virus. In laboratory cultures of human lung tissue, infection with the H5N1 type virus led to the production of ten times the level of cytokines induced by regular seasonal flu viruses. The chemical messengers trigger a massive inflammatory reaction in the lungs. “It’s kind of like inviting in trucks full of dynamite,” says a lead researcher who first discovered the phenomenon with H5N1.
While cytokines are vital to antiviral defense, the virus may trigger too much of a good thing. The flood of cytokines overstimulates immune components like Natural Killer Cells, which go on a killing spree, causing so much collateral damage that the lungs start filling up with fluid. It actually turns your immune system on its head, and it causes that part to be the thing that kills you. All these cytokines get produced and call in every immune cell possible to attack yourself. It’s how people die so quickly. In 24 to 36 hours, their lungs just become bloody rags.
People between 20 and 40 years of age tend to have the strongest immune systems. You spend the first 20 years of your life building up your immune system, and then, starting around age 40, the system’s strength begins to wane. That is why this age range is particularly vulnerable because it’s your own immune system that may kill you. A new dog learning old tricks, H5N1 may be following in the 1918 virus’s footsteps.
Either we wipe out the virus within days or the virus wipes out us. The virus doesn’t care either way. By the time the host wins or dies, it expects to have moved on to virgin territory—and in a dying host, the cytokine storm may even produce a few final spasms of coughing, allowing the virus to jump the burning ship. As one biologist recounted, the body’s desperate shotgun approach to defending against infection is “somewhat like trying to kill a mosquito with a machete—you may kill that mosquito, but most of the blood on the floor will be yours.
Professor Kennedy Shortridge, the virologist who first identified H5N1 in Hong Kong’s chickens, describes influenza as being caused by an “unintelligent, unstable virus.” A fellow colleague put it bluntly: “Flu’s not clever. Forget this idea that the virus is clever. The virus is clumsy. It makes lots of mistakes when it’s copying itself, the ones that have an advantage get selected, and that’s why it’s successful.” No other human respiratory virus has this kind of mutation rate.
Minnesota, the “land of 10,000 lakes,” is the largest brooding area for aquatic birds in the United States. More wild waterfowl hatch there every year than anywhere else in the country. In addition, it’s a central flyway for migratory waterfowl flying south from Canada in the fall. Minnesota also happens to be the nation’s number-one turkey-producing state. That combination gave the state the dubious distinction of avian influenza “capital of the world”.1
Fast Forward to May 2015
US - There have been four more outbreaks of H5N2 highly pathogenic avian influenza (HPAI) confirmed in the US, as the epidemic continues. The outbreaks are added to the rising number of avian flu detections in the hardest-hit states of Minnesota and Iowa.
- There have now been 174 detections of avian flu in the US since it was first found in December, and the total number of birds affected now stands at 38,946,573.
- These four detections of the disease occurred on two commercial turkey farms, one commercial chicken farm and one backyard flock of mixed poultry.
- The latest outbreaks were confirmed by the US Department of Agriculture's Animal and Plant Health Inspection Service.
- The locations of these confirmed avian flu cases are:
- Minnesota, Kandiyohi County - 42,600 commercial turkeys;
- Minnesota, Renville County - 625,500 commercial chickens;
- Iowa, Sac County - 28,400 commercial turkeys;
- Iowa, Sioux county - backyard mixed poultry, number pending.
- These cases all occurred in the Mississippi flyway.
- The two latest outbreaks bring the number of detections in Iowa to 51, affecting 26,634,900 birds.
The Iowa State Department of Agriculture and Land Stewardship has announced that they are also looking into several unconfirmed outbreaks of HPAI. The unconfirmed cases include commercial turkey and pullet farms as well as egg laying operations. They were found in Sioux, Buena Vista, Sac and Calhoun counties.
These additional detections are likely to take the tally in Iowa to 62. The Department said they have quarantined the premises and once the presence of the disease is confirmed, all birds on the properties will be humanely euthanized to prevent the spread of the disease. Minnesota has detected 84 outbreaks, affecting 5,116,260 birds.
The latest outbreaks were found some days before confirmation, but the Minnesota state government said that it has not received any new reports of presumed avian flu cases for five straight days, as of 20 May. The state government also stated that the first round of backyard flock surveillance, testing, and observation in all control areas is complete, with nearly 4,000 backyard flocks now tested for avian influenza or monitored for signs of the disease.2
Pandemic Planning Considerations
“By failing to prepare, you are preparing to fail.”
If this is the first time planning for a Pandemic then understanding the seriousness of this threat can be gleaned from understanding the following facts. These viruses can spread quickly and explosively worldwide, as did the influenza pandemics in 1918, 1957, 1968, and 2009; they can cause limited outbreaks, such as the influenza A (H3N2) variant (H3N2v) virus in the United States associated with agricultural fairs in the summer months of 2011, 2012, and 2013; or continue causing limited animal-to-human transmission of virus, such as the influenza A (H5N1) and influenza A (H7N9) viruses in Asia.
Furthermore, novel influenza A viruses, even when transmissible in a closed setting, do not always result in a pandemic, such as the 1976 influenza A(H1N1) outbreak in Fort Dix, New Jersey, and the 2011–2013 H3N2v outbreak in the United States.
Identifying and responding to this wide range of situations require systematic frameworks that describe the progression of events; weigh the risk of emergence and potential public health impact of the novel virus; evaluate the potential for ongoing transmissibility, antiviral resistance, and disease severity; and can be used to develop time-sensitive decisions about interventions (e.g., community mitigation measures, medical countermeasures, and vaccines).
Preparedness and response frameworks provide a common basis for planning across different jurisdictions and ensure transparency in decisions made and actions taken.
Significant progress has been made toward developing pandemic plans, as well as preparedness and response frameworks, during the past decade. Efforts by the World Health Organization (WHO), CDC, other U.S. government agencies, and state and local jurisdictions have addressed pandemic preparedness planning.
Lessons regarding gaps in U.S. influenza decision-making frameworks have become evident with each event and exercise. The recent emergence of human disease caused by H3N2v in the United States and H7N9 in China has demonstrated the need to align existing documents and frameworks into one useful tool that can be used to guide ongoing planning and response efforts.3
The 4 Pandemic Planning Pillars—surveillance, vaccine and antiviral drug delivery, emergency response, and communication—are a solid foundation for pandemic preparation. Although state pandemic plans may have different structures, reliance on these pillars has remained more or less constant over time.
The World Health Organization (WHO) has developed an alert system to help inform the world about the development of the different stages towards a pandemic. The alert system is comprised of six phases.
The current situation with the HPAI-H5N1 virus in animals and humans places the world in pandemic alert phase 3. This means that H5N1 is currently causing disease (and deaths) in humans, but is not yet spreading efficiently from human to human. The situation with the ‘Mexican flu’ H1N1 virus placed the world in Pandemic alert phase 6. This means that there are large clusters of infection with extensive and sustained human-to-human spread in the general population at different continents.
Long before a Pandemic occurs it is the responsibility of businesses to have planned and prepared. A formal Business Continuity Plan for the organization will be planned and tested along with individual departmental pandemic plans as a component of the Business Continuity Plans. Below are the standard phases for these plans. In addition, HR will require some changes to absenteeism policies.
Regular awareness activities will be communicated to staff such as pay and benefits during pandemic and some other considerations such as:
- Sick leave policy changes
- Social distancing (i.e. meetings / restaurants / etc.)
- Develop an illness identification checklist
- Illness notification process
- Inability to turn up for work (sick relatives / closed schools / etc.)
- Fear of returning to work policies
- Extended absence from work policies
- Forced absence from work policies
- Trauma/bereavement services
- Travel policy
- Return to work policy
- Quarantine when returning from travel policy
As part of the Business Continuity plan knowing the phases of a pandemic is necessary to begin the escalation to a full pandemic response. Adding these and policy differences are important for all Business Continuity Plans. By using the standard escalations used by the World Health Organization (WHO) and the Center for Disease Control (CDC). It is possible to sign up for email updates from this organizations to help with regular monitoring. The News agencies should not be relied upon for information about these escalations.
- Phase 1: No new influenza virus subtypes have been detected in humans. An influenza virus subtype that has caused human infection may be present in animals. If present in animals, the risk of human infection or disease is considered to be low.
- Phase 2: No new influenza virus subtypes have been detected in humans. However, a circulating animal influenza virus subtype poses a substantial risk of human disease.
Pandemic alert period
- Phase 3: Human infection(s) with a new subtype, but no human-to-human spread, or at most rare instances of spread to a close contact.
- Phase 4: Small cluster(s) with limited human-to-human transmission but the spread is highly localized, suggesting that the virus is not well adapted to humans.
- Phase 5: Larger cluster(s) but human-to-human spread still localized, suggesting that the virus is becoming increasingly better adapted to humans but may not yet be fully transmissible (substantial pandemic risk).
- Phase 6 Pandemic: increased and sustained transmission in general population. Recently it has been recognized that a very crucial event in the emergence of a pandemic virus is the transition from phase 3 to phase 4, which may go much faster than previously supposed. This is an important insight, since, at this transitional stage, major intervention strategies can still be initiated and implemented successfully in countries with a well-developed pandemic preparedness plan. This proved to be the case with the emergence of the ‘Mexican flu’ pandemic in 2009. It took three days between phase 4 and 5, and six weeks between phase 5 and 6.
Financial Institutions, Technology Service Providers and/or other vendors and providers to financial institutions will want to pay close attention to the FFIEC Booklet, Appendix D which explains the requirements for Pandemic Planning3 which specifically explains that there are distinct differences between pandemic planning and traditional business continuity planning. When developing business continuity plans, financial institution management typically considers the effect of various natural or man-made disasters that differ in their severity. These disasters may or may not be predictable, but they are usually short in duration or limited in scope. In most cases, malicious activity, technical disruptions, and natural/man-made disasters typically will only affect a specific geographic area, facility, or system. These threats can usually be mitigated by focusing on resiliency and recovery considerations.3
Typical Errors in Planning for Pandemic
Appendix D: FFIEC Pandemic Planning
Traditional business continuity and pandemic planning require management to follow a cyclical process of planning, preparing, exercising, responding, recovering, and continuous improvement. However, pandemic planning requires additional actions to identify and prioritize essential functions, employees, and resources within the institution and across other business sectors. The issues discussed below highlight the specific challenges faced by management and the mitigating controls that should be considered when developing a pandemic plan.
Board and Senior Management Responsibilities
As with other BCP activities, pandemic planning should not be viewed as solely an Information Technology (IT) issue, but rather as a significant risk to the entire business. As such, an institution's pandemic planning activities should involve senior business management from all functional, business and product areas, including administrative, human resources, legal, IT support functions, and key product lines.
An institution's board of directors is responsible for overseeing the development of the Pandemic plan. The board or a committee thereof should also approve the institution's written plan and ensure that senior management is investing sufficient resources into planning, monitoring, and testing the final plan. Senior management is responsible for developing the pandemic plan and translating the plan into specific policies, processes, and procedures.
Senior management is also responsible for communicating the plan throughout the institutions to ensure consistent understanding of the key elements of the plan and to ensure that employees understand their role and responsibilities in responding to a pandemic event. Finally, senior management is responsible for ensuring that the plan is regularly tested and remains relevant to the scope and complexity of the institution's operations.
Employee Protection Strategies
Employee protection strategies are crucial to sustaining an adequate workforce during a pandemic. Institutions should promote employee awareness by communicating the risks of a pandemic outbreak and discussing the steps employees can take to reduce the likelihood of contracting a pandemic virus. The following risk management strategies should be considered:
- Publicize the Centers for Disease Control and Prevention “Cover Your Cough” and “Clean Your Hands” programs or other general hygiene programs;
- Encourage employees to avoid crowded places and public transportation systems;
- Implement “social distancing” techniques to minimize typical face-to-face contact through the use of teleconference calls, video conferencing, flexible work hours, telecommuting, encouraging customers to use online or telephone banking services, ATMs, and drive-up windows; and
- Review and consider the use of other non-pharmaceutical interventions developed by the Centers for Disease Control and Prevention (more information is available at http://www.pandemicflu.gov/plan/community/commitigation.html).
Despite the unique challenges posed by a pandemic, there are control processes that management can implement to mitigate risk and the effects of a pandemic. For example, to overcome some of the personnel challenges, management should ensure 9 of 10 that employees are cross-trained and that succession plans have been developed. The institution may be able to leverage plans already established as part of traditional business continuity planning.
During a pandemic, there may be a high reliance on employee telecommuting, which could put a strain on remote access capabilities such as capacity, bandwidth, and authentication mechanisms. Moreover, employees who typically work onsite may not have remote access authority or the necessary technology infrastructure to work at home. Analysis of remote access capabilities, mapping of related technology infrastructure to employee needs during a pandemic, assessing the infrastructure at the neighborhood level and considering internal and external capacity are necessary to help ensure telecommuting strategies will work during a pandemic.
Risk Monitoring and Testing
As information from medical and governmental experts about the causes and effects of a pandemic continues to evolve, an institution’s pandemic plan must be sufficiently flexible to incorporate new information and risk mitigation approaches. As a result, risk monitoring and testing of the pandemic plan is important to the overall planning process. A key challenge for management is developing a testing program that provides a high degree of assurance that critical business processes, including supporting infrastructure, systems, and applications, will function even during a severe pandemic.
A robust program should incorporate testing:
- Roles and responsibilities of management, employees, key suppliers, and
- Key pandemic planning assumptions;
- Increased reliance on online banking, telephone banking, and call center services; and
- Remote access and telecommuting capabilities.
- Test results should be reported to management, with appropriate updates made to the pandemic plan and testing program.
Testing for a pandemic may require variations to the scope of traditional disaster recovery and business continuity testing, as potential test scenarios will most likely be different.
Alternatives for pandemic testing can include:
- Well-orchestrated “work at home” days for critical and essential employees to test remote access capabilities and infrastructure;
- Crisis management team communication exercises;
- Tabletop exercises that test various scenarios related to escalated absenteeism rates;
- Additional or modified call tree exercises; and
- Community, regional or industry-wide exercises with members of the financial services sector to test the financial sector’s ability to respond to a pandemic-like crisis.5
Incorporating Pandemic Risk into the Business Impact Analysis (BIA)
The potential effects of a pandemic should be a part of a financial institution's overall BCP business impact analysis (BIA). The BIA should:
- Assess and prioritize essential business functions and processes that may be affected by a pandemic;
- Identify the potential impact of a pandemic on the institution's essential business functions and processes, and supporting resources;
- Identify the potential impact of a pandemic on customers: those that could be most affected and those that could have the greatest impact on the (local) economy;
- Identify the legal and regulatory requirements for the institution's business functions and processes;
- Estimate the maximum downtime associated with the institution's business functions and processes that may occur during a pandemic;
- Assess cross training conducted for key business positions and processes; and
- Evaluate the plans of critical service providers for operating during a pandemic.
- Financial institutions should evaluate the plans and monitor the servicers to ensure critical services are available. Financial institutions may wish to have backup arrangements to mitigate any risk. Special attention should be directed at the institution's ability to access leased premises and whether sufficient internet access capacity is available if telecommuting is a key risk mitigation strategy.
Incorporating the impact of pandemic risk into the institution's Business Continuity Plans involves additional complexity since typical disaster or emergency response mechanisms and methods may not be feasible. For example, moving employees to an alternate facility that is typically used during a natural disaster or other emergencies, may not be an appropriate or feasible way to continue operations in a pandemic. There may be a shortage of available staff to relocate and it is possible that the alternate site might be affected by the pandemic. DHS provides a list of twelve planning assumptions that institutions should consider when developing the impact analysis.
The pandemic issues considered in the Business Impact Analysis also should involve forecasting employee absenteeism and consider family care issues that may affect business operations. DHS believes rates of absenteeism will depend on the severity of the pandemic. In a severe pandemic, absenteeism attributable to illness, the need to care for ill family members and fear of infection may reach 40 percent during the peak weeks of a community outbreak, with lower rates of absenteeism during the weeks before and after the peak. Certain public health measures (e.g. closing schools, quarantining household contacts of infected individuals, or altering or ceasing public transportation schedules) are likely to increase the rate of absenteeism.
A key part of an institution's BIA that addresses pandemics is to examine external factors. For example, assessing the impact of critical interdependencies will involve making planning assumptions regarding the availability of external services and prioritizing the effect of possible disruptions. In addition, potential travel restrictions imposed by health and emergency management officials may limit access to those services, even if they are still operating.
Beware of Pandemic and Infectious Disease Planning Mistakes
Michael T. Osterholm, PhD, MPH
No discussion of Pandemic and Infectious disease planning is complete without warnings of how a planning program can go wrong. Dr. Michael Osterholm from the center for Infectious Disease and Research Policy asks that we are reminded of the following mistakes that will affect planning for Pandemic and Infectious disease.
- Mistake: Build the plan then forget about it is one of the worst of these mistakes.
Reviewing the plan, doing walkthroughs and functional exercises build improvement. The pandemic plan like the Business Continuity plan and other contingency plans are living documents. Threats change, environment changes and priorities change. These require looking over your plan and making sure it still can protect the environment. Ask yourself if there are there new and better approaches to the way you are planning to allocate staffing. Has the company bought a notification system that can be utilized during the Inter-Pandemic and later Phases? Having at the minimum a walk-through of the plan each year will highlight needed changes.
- Mistake: Planning for Pandemic will not help.
Planning always helps. Planning alone will not help everyone. Using a methodology of preparing, exercising, responding, recovering, and continuous improvement will make the difference.
- Mistake: Avoiding communications so as not to stimulate fear.
Providing the right message will which includes the safeguards that are in place will instill confidence.
- Mistake: Perfectionism
Trying to make the perfect plan is not possible. There will be unknowns. Using the resources available for Pandemic Planning, such as Flu.gov, the CDC, and the WHO to monitor and upgrade the plan along with the recommendations in this whitepaper will help to create an actionable plan.
- Mistake: Considering your plan finished
Like number one remembering that a Pandemic Plan is a living document that improves over time with exercises and experience will prevent this mistake.
- Mistake: Leaving out critical staff
Critical staff and cross-training are especially important during a pandemic as this is a time when resources may be more limited than any other time.
- Mistake: Using an all-hazards approach
Using and all hazards approach for a Business Continuity Plan will not work because assumptions for this approach involves several unknowns about the type of incident that may happen. However, a lot is known when planning for a pandemic. Reduced staffing levels over a long-term are the most obvious.
- Mistake: Depending on news media to sound an alarm early enough
Waiting for the news media to warn us of a Pandemic outbreak will undoubtedly be a mistake. Pandemic monitoring is the most effective approach to staying engaged in the stages of the Pandemic.
Crisis Management Lessons Learned
Contributing Reference: Alan Hilburg, president, and CEO of Hilburg
A Crises can be a reputation killer, brand killer, and trust killer … or not. These five key focus areas differentiate those institutions that mitigate and rebound from a crisis intact, from those that don’t.
- Commitment to business continuity. Crisis management is foremost about business continuity, protecting the brand and galvanizing trust.
- Commitment to being responsive versus reactive. A crisis responsive institution responds from the existence of a plan. A crisis reactive institution reacts from the absence of a plan. At first sign of crisis, the ignorant don’t panic because they don’t know what’s going on, and then later they panic precisely because they don’t know what’s going on, in the absence of a plan.
- Commitment to a culture of values. Values define decision-making, promote “good behavior” and help to mitigate risk in a crisis.
- Commitment to protecting brand resonance. Brand loyalty is earned by making daily deposits into the goodwill bank.
- Commitment to defending the relevance and pride of the institution’s character. Who you are is more important than what you do.
Crisis management is not resolvable through conventional public relations strategies, tactics or approaches where crises are viewed organically and resolvable through ‘good’ communications. For example, in real crises, there is always more than the ‘event’, the catalyst of the issue.
There are real ‘back issues’, and even more threatening, real visible and less-visible opponents. These are always the overt and covert adversaries who are at the genesis of the crisis. They work in opposition to your crisis team. They are trying to keep the crisis alive, fan the flames of fear, and, they wake up every day trying to undermine your credibility and the confidence of those who are essential to your success.
They can include competitors, trial lawyers, the traditional and new media, regulators and politicians, those looking to leverage stock prices, well-resourced NGO’s, and even disgruntled and very disengaged employees.
At its essence, crises are a war. And effective, experienced crisis management is similar to a high-stakes chess game whose objective is to protect the integrity of the brand, the pride of the employee family and the trust of the marketplace. But most importantly, experienced and skilled crisis management veterans understand that, at its root, crisis management always strives to protect the institution’s character.
An institution’s ‘character’ is an extension of how organizations make decisions. Crises normally involve accentuated, exaggerated and news-making demonstrations of ‘outrage’. Outrage increases the stakes and amplifies the emotional component of the crisis. What does this suggest?
One of the first objectives in effective crisis mitigation and management is removing the emotion. Emotion lies in the victim. The news media needs victims in order to have the theater that makes for great journalism. Like in all great theater, there must be a protagonist and an antagonist. Guess who is the antagonist? You. Remove the emotion and we remove the magnet that attracts media attention.
There are many effective strategies for managing and eliminating the emotional drivers in a crisis. Here are ten that reflect what I’ve learned from 35 years of experience and some very smart professionals who I had the privilege of working with. They represent a directional understanding of how experienced crisis management thinks.
- Focus on addressing the apparent and less apparent human needs of the perceived victim.
- Unless you know for sure, don’t over-reassure.
- Put reassuring information in subordinate clauses.
- Acknowledge uncertainty but the commitment to finding answers no matter how hard they try to hide.
- Share dilemmas and challenges. Show your character and showcase your values.
- Acknowledge diverse opinions and transition to your ‘must airs’. These are the issues you highlight in interviews.
- Tolerate early over-reactions, don’t minimize public emotion but through your humanity and values migrate toward balance.
- Let communities know what to expect.
- Acknowledge errors, mistakes, deficiencies in the context of values/decision-processes.
- Engage your ‘hidden’ army.
The Chinese use two brush strokes to write the word ‘crisis.’ The one stroke represents danger while the other represents an opportunity. In a crisis, be aware of the danger, but always be cognizant of the opportunity.
Every crisis is an opportunity. Yes, “every crisis is an opportunity”. To be effective in mitigating a crisis, inspired leadership recognizes this reality. A crisis is a stage. Your ‘audience’ are your employee family, your customers, their customers, your shareholders, your financial partners, your shareholders, the media, the regulatory and legislative communities, your neighbors and family. There are also dozens of obvious and not-so-obvious ‘audiences’. How you respond to a crisis presents multiple stages and the opportunity of multiple appearances allowing the face and voice of the brand to remind your key communities why they trust you, or should.
Author Paul Brunton once said, “Every crisis successfully met is rewarded by some growth in intuitive knowledge, strengthening of character, or initiation into a higher consciousness.’ Brilliant and inspired strategies such as the successful management of the Johnson & Johnson Tylenol crises have these key learnings.5
"It is essential to have the right resources on the team who can manage a crisis. Having a complete crisis plan that has been socialized throughout the organization and is reviewed annually is as important as having insurance."6
CASE STUDY - GOOD PRACTICE GUIDELINE (GPG)
Based on: The Good Practice Guidelines (GPG) the independent body of knowledge for good Business Continuity practice worldwide. They represent current global thinking in good Business Continuity (BC) practice and now include terminology from ISO 22301:2012, the International Standard for Business Continuity management systems.
Contributed by: Avalution.com- Overview of GPG Professional Practice 1 (PP1) – Policy and Program Management, the first of the six professional practices, and discusses the importance and recommendations in establishing the foundation for a repeatable and scalable business continuity program.
When organizations decide to implement a business continuity program, many tend to jump straight into tactical program elements (such as conducting a business impact analysis and developing plans), thus ignoring the need to first set a strong program foundation on which to build those program elements. While tactical elements are often the most visible, there are multiple reasons why an organization should put in the effort to follow the guidance provided in PP1.
Consider the following case study that illustrates why organizations benefit from establishing a repeatable program and a policy before jumping straight to implementing tactical elements of the business continuity lifecycle.
Company X’s Board of Directors issued a directive for the organization to implement a business continuity program. To comply with the directive, the organization charged an internal resource as the business continuity coordinator to begin this process. After reading a number of web articles, the coordinator decided, to begin with performing the business impact analysis and writing business continuity plan documentation. After plan documentation was finalized, the coordinator realized a few major concerns:
- She didn’t know if the organization could really meet management’s expectations if a disruptive incident were to actually occur
- She realized that her efforts were a point-in-time evaluation, and didn’t know how the efforts would continue after the initial effort
- She didn’t think the organization was actually in a much better position than it was before her efforts because it had not invested any resources into having actual recovery capabilities (e.g. alternate workspace or IT disaster recovery)
- The people that she originally wanted to participate in the efforts did not actually participate as they delegated down to lower levels of the organization
Due to these concerns, the business continuity coordinator began performing more research and talking to industry groups. This additional research made her realize that she did not establish a program before performing business continuity-specific activities. Therefore, she did not gain the results she was hoping to accomplish. The coordinator then took a step back and implemented the following actions:
- Developed, presented, and received endorsement from top management for her business continuity policy, which was published and communicated to the organization
- Developed standard operating procedures, which outlined the process by which she implemented the business continuity activities in order to ensure the process would keep occurring on a recurring basis
- Chartered a steering committee who provided input on the program’s scope and downtime tolerances, reviewed and approved findings and investments, provided leadership, and ensured the ‘right’ level of participation and support
Following these actions, the coordinator found that the program was aligned to the organization’s strategic objectives, supported by the appropriate levels of the organization’s senior management, and could actually meet internal and external stakeholder expectations during an actual disruptive incident.
Department of Health and Human Services (DHHS)
Business Pandemic Influenza Planning Checklist (DHHS)
Avian Flu Website (DOD)
Centers for Disease Control (CDC)
World Health Organization (WHO)
U.S. Department of Veterans Affairs (VA)
Department of Agriculture (USDA)
Department of Labor Occupational Safety and Health Administration (OSHA)
Department of State
U.S. Agency for International Development (USAID)
Security and Prosperity Partnership of North America (The North America Plan for Avian & Pandemic Influenza)
About the author
VP Business Continuity Services
Barbara Davi, MBCP, MBCI, PMP is a Business Resiliency Expert. She has the highest level certifications in this knowledge space. She has crafted and led numerous enterprise programs from varied business environments including those in Software and SaaS, Cloud Operations, Utilities, Finance, Retail, Hardware, Networking, Media and Health Services. She is a world class expert in developing end-to-end, audit-ready programs for industry. Her work products include developing Policies, Standards, program Frameworks, Gap Assessments, Vendor Assessments, Business Impact Analysis’ (BIA), Disaster Recovery Plans, Business Continuity Plans, Crisis Management plans, Emergency Management, and Pandemic Planning. Barbara has built and chaired Governance Steering Committees. She is familiar with multiple planning tools and the NIMS/Incident Command System (ICS) methodology. Barbara has led hundreds of tests to practice recoverability. She has presented her services to the highest levels of Executive Management and the Board. Barbara is a published author and is available for speaking engagements.