Thursday, October 15, 2009

Avoiding Business Closed: Your ABCs of Pandemic Planning – 40% of your staff is out

The Swine Flu / H1N1 influenza A arrived on the scene suddenly this past Spring. For several weeks the flu and pandemic information was the leading news story; it then faded to an occasional filler story. As the virus evolves in the southern hemisphere, a major and severe outbreak could occur this Fall/Winter and again next Spring as H1N1 continues to mutate.

Regardless of the pandemic, its level, or its severity, there are several key areas that your business should review to assess your preparedness. The five areas below, as suggested by the WHO and DHS, are not all-inclusive but will give your business a good base that complements your other recovery, continuity, security, management, and HR plans.


Planning and Coordination - Provide leadership and coordination to multiple resources to mitigate the business, societal, and economic impacts.
1. Conduct a threat and risk assessment to determine your exposures and the business impact
2. Review your business resiliency plans and adjust or create where needed
3. Anticipate a sudden, mushrooming outbreak with no preparation time and a long recovery time, possibly 6-8 weeks
4. Evaluate alternative work arrangements and locations and begin to cross-train employees
5. Anticipate supply chain and distribution channel reductions or interruptions
6. Forecast reductions and workforce impacts of up to 40%
7. Understand your HVAC system and know how to isolate or shut down the air handlers
8. Gather all contact information for employees, suppliers, distributors, etc.

Situation Monitoring and Assessment - Actively monitor and assess the evolving pandemic and its impacts and mitigation measures.
1. Identify employees and key customers with special needs
2. Test your continuity plans to ensure they will work when activated
3. Establish and communicate policy changes regarding compensation and sick-leave absences that are unique to a pandemic
4. Establish and communicate policy changes for flexible worksite/hours, exposed employees, evacuations, and returning employees
5. Identify community sources for timely and accurate information and resources for obtaining counter-measures (e.g. vaccine and antiviral)
6. Understand that if you are seeing workforce reductions your key suppliers (e.g. utilities) and customers are most likely seeing the same


Communications - Continue providing updates to the public and all stakeholders on the state of the pandemic and your measures to mitigate the risk
1. Establish a central point for all incoming and outgoing messages
2. Be open, honest, and proactive with all communications
3. Identify the languages and cultures of your audiences and ensure translations are correct
4. Prevent and correct rumors
5. Draft different but similar communication updates to the public, employees, suppliers, distributors, shareholders, etc. to prevent mixed messages and other communication errors
6. Anticipate communication method changes (e.g. no e-mail access from home)
7. Be specific and consistent from your initial communication through the post-event summary


Reducing the Spread of Disease - Implement individual, societal, and pharmaceutical measures
1. Provide workplace cleaning and infection-control supplies throughout all your facilities
2. Educate employees on the importance of hand washing and using the cleaning supplies
3. Use keyboard covers with shared computers and wipe them between uses
4. Reduce the frequency of face-to-face communications
5. Anticipate workforce reductions: building quarantine, bus stoppage, illness, parental issues
a. Ohio will close schools and daycares if an outbreak occurs; the CDC had recommended a 14-day closure. The same closure may be mandated by your locality.
6. Educate employees on home protection and planning


Continuity of Healthcare Provision - Implement contingency plans for health systems at all levels
1. Identify the symptoms and educate your employees
2. Evaluate employee leave policies and adjust for the situation
3. Educate employees on their healthcare, mental health, counseling, and/or social services benefits and options
4. Assure employees regarding illness absences, quarantines, public transportation closures, etc.
5. Provide information for the at-home care of ill employees and family members

More information is available from the WHO, DHS, CDC, and State websites and general Internet searches. You can also request additional information or submit questions to Planning@TPComps.com.

Reference: On June 11, the World Health Organization (WHO) raised the H1N1 pandemic alert to Phase 6, the highest level. The pandemic phase is not a measure of severity, although the two can be related. As of this writing (June 22, 2009), the statistics for H1N1 are: 99 countries with 52,160 confirmed cases and 231 deaths worldwide; 19 states with 21,449 confirmed and probable cases and 87 deaths in the US; 129 confirmed and probable cases and 0 deaths in Ohio. (On May 1 the numbers were 11 countries with 331 confirmed cases and 9 deaths worldwide; 19 states with 141 confirmed cases and 1 death in the US; and 5 confirmed and probable cases in Ohio.) Despite these increased numbers, the severity of the pandemic has remained moderate. Even at moderate severity, an outbreak that can affect 80% of the population will have significant business impacts.
http://www.who.int/csr/disease/swineflu/en/index.html
http://www.cdc.gov/h1n1flu/
http://www.pandemicflu.gov/
http://www.odh.ohio.gov/landing/phs_emergency/swineflu.aspx

Monday, June 29, 2009

Avoiding Business Closed: Your ABCs of the new FACTA Red Flags Rule

In this month’s segment, we will review the new sections of the FACTA law and their potential impact on your business. FACTA, or The Fair and Accurate Credit Transactions Act, is a federal law enforced by the FTC and is scheduled to expand on August 1 with the addition of the Red Flags Rule. Originally adopted in 2003, the law’s sections have expanded over the years. The law is designed to assist consumers in fighting identity theft and to provide better control over the personal information that businesses collect or maintain.

Some of the sections of FACTA you may already be familiar with include the annual free credit report, fraud alerts on credit reports, and the truncation of credit card numbers on receipts. The new Red Flags Rule will accompany these provisions. “The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program to detect the warning signs – or “red flags” – of identity theft”, according to the FTC’s website. The Red Flags Rules apply to “financial institutions” and “creditors” with “covered accounts”.

According to the FTC materials, “under the Rules, a financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer. A transaction account is a deposit or other account from which the owner makes payments or transfers. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts. A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. The definition also includes businesses or organizations that regularly defer payment for goods or services or provide goods or services and bill customers later and a business that regularly grants loans, arranges for loans or the extension of credit, or makes credit decisions. Creditors include finance companies, automobile dealers, real estate agents, mortgage brokers, utility companies, telecommunications companies, and retailers that offer financing or help consumers get financing from others. This can also apply to landlords with renters. Where non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors. A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also an account for which there is a foreseeable risk of identity theft – for example, small business or sole proprietorship accounts.”

To comply with the new rules, businesses “must develop a written Program that identifies and detects the relevant warning signs – or “red flags” – of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the Board of Directors or senior employees of the [company], include appropriate staff training, and provide for oversight of any service providers”. This means that if your business must comply, you must also ensure that the companies you use for operations comply with the Rules. Even if you are not a “financial institution” or a “creditor”, do not have “transaction accounts” or “covered accounts”, and do not need a written Program, you must still conduct a periodic risk assessment to determine whether you have acquired any covered accounts through changes to your business structure, processes, or organization. Failure to comply with the new rules can result in FTC fines and mandated long-term remediation plans, in addition to negative publicity and possible loss of business.

More information is available from the FTC websites and general Internet searches. As with any new regulation, proper legal advice is advised. You can also submit questions to Planning@TPComps.com.

References:
http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm
http://www.ftc.gov/bcp/edu/microsites/redflagsrule/more-about-red-flags.shtm

Tuesday, May 26, 2009

Avoiding Business Closed: Your ABCs of Keeping your Business Running During a Disaster

Your business could be closed tomorrow, and it will not be due to the economy. As much as you would like to open, you may not be able to. The closure is not even due to something you did; it is what you did not do. The cause of your closure may be a neighboring business, your customers, suppliers, or even employees. It can come from severe weather, flood, sabotage, blackouts, or a loss of equipment. Whatever the cause, the failure to plan for such situations can seriously cripple your ability to reopen your business after an unexpected interruption.


Statistics show that:

  • Businesses without a Business Continuity plan have a survival rate of less than 10% after a disaster (Touche Ross)
  • 1 out of 5 companies reported having had a major business disruption within the last five years (Source CSA)
  • Of companies that suffer a significant data loss, 93% are out of business within five years (U.S. Bureau of Labor)
  • Of companies experiencing a catastrophe or extended system outage, 2 out of 5 never resume operations; and, of those that do, 1/3 go out of business within two years (Gartner Group)
  • In the U.S., 43% of businesses never re-open after a disaster, and 29% (more) close within two years (University of Wisconsin)

So, how does your business avoid becoming a statistic? Follow the over-simplified process of plan, test, revise, and repeat to create your Disaster Recovery (DR) and Business Continuity (BC) plans. In the coming months, we will introduce these topics further. The whole process will create for you a Business Resiliency (BR) program that puts your business among the roughly 10% that survive a disaster.


Another part of this article series will address your questions. You can send questions to Planning@TPComps.com. Here are some of the more common questions with short answers to get us started.



  1. Why should my business create a DR and BC plan?
    a. Excluding the risk of becoming a statistic, state and federal regulations and industry frameworks require planning. Companies also lose business when customers ask for proof of a plan or file suit when interruptions affect their ability to conduct business.

  2. I have a backup of my data, isn’t that enough?
    a. Having a backup is part of DR and BC planning but it is not everything. The backup is like the color of paint when you want to paint a wall. Other items make a successful paint job like wall prep, paint type, roller or brush, etc.

  3. I have insurance, isn’t that business continuity?
    a. No, an insurance policy or check is not business continuity. A check may allow you to cover the expenses associated with recovering, but the piece of paper will not tell you what to do and when to do it. Side note: some insurers may offer discounts when you create and test your plan.

  4. Where can I get more information?
    a. There are many sources of information available through your business network, local associations, government agencies, and the Internet. Review your local Chamber of Commerce member directory for businesses that may provide you more information. To find other sources of information, ask your business contacts and IT support. Lastly, a Google (or other) search will provide many pages of links for information.

  5. What should I look for in a planner?
    a. Aside from a good reputation and working relationship, several industry-recognized certifications may assist with finding a planner. Each of the following certifications requires several years of relevant, proven, and verified experience along with passing an exam. The first is CBCP (Certified Business Continuity Professional) by DRII. Others include CISM (Certified Information Security Manager) by ISACA and CISSP (Certified Information Systems Security Professional) by (ISC)2.

  6. What is the cost for a plan?
    a. Although there is an outflow of cash, this is really an investment in your business. There is not a fixed answer to this common question. The cost is usually determined by the scope and amount of work. To create business value, the plan cost should be less than the financial loss the business will experience. Depending on the chosen planner, it may be an hourly charge, a daily rate, or a fixed fee.

  7. How long does it take to complete a plan?
    a. Just like the cost, there is no fixed date. A good planner will make efficient use of your time to compress the schedule and reduce the overall project effort. The average smaller enterprise should expect a plan to take 1 month if all the resources are dedicated at all times. Since this is not practical, it may take upwards of 3 months with part-time efforts.

  8. What makes a successful Business Resiliency plan?
    a. From a high level, a successful BR plan has three parts: recovery, continuity, and security. Just like a three-legged stool, you can do one part (leg) without the others, but you will always be off balance and may eventually fall over.

  9. What is the usual process to start a plan?
    a. The plan usually starts with a Business Impact Analysis (BIA). This is an evaluation of key areas of your business. A good BIA will cover points like emergency preparedness, functional impacts, personnel, vital records, applications, computers, operations, locations, security, and regulations. The BIA can show what factors are most critical to your business and then provide the order for planning.

  10. We created a plan several years ago, do we still need to go through this process?
    a. Yes and No. If nothing has changed (same equipment, same neighbors, same address, same staff, same suppliers or customers, etc.) in your company since you created the plan, you probably do not need to worry. It is a good practice to review your plan annually to make sure that you’ve addressed all the potential impacts. If anything has changed (new equipment, new neighbors, new address, new staff, new suppliers or customers, etc.) then you probably need to revise your plan.

  11. Are there any things to think about when starting a plan?
    a. There are three key measures in DR and BC. RTO is your Recovery Time Objective. This is the amount of time you can be without your ‘X’ (e.g. computers, paper files, office, building, etc.) before business is seriously impacted or recovery becomes impossible. Can you afford to be without ‘X’ for 3 hours, 3 days, or 3 weeks? RPO is your Recovery Point Objective. This is a measure of how old your recovered ‘X’ can be and still be useful to you; in practice it is the maximum amount of data (measured in time) you can afford to lose. Once you get ‘X’ back, can it be 1 day, 1 week, or 1 month old? RCO is your Recovery Capacity Objective. This is a measure of how much of ‘X’ you need to recover and who will be available to help you recover it. Do you need the whole office recovered, and will the whole staff be available during the recovery?
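A small worked check of the RTO and RPO definitions above, added here as an example and not part of the original article. It parses a constructed backup log (the job name, timestamps and statuses are invented for illustration), finds the last successful backup before an incident, and compares the resulting data-loss window and downtime against the stated objectives. The point it makes that the prose alone does not: two consecutive failed backup runs silently stretch your real RPO well past the one you planned for, so the check also reports the longest run of failures.

```python
"""Check a backup history against RTO/RPO objectives (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample backup log for illustration only: <ISO timestamp> <job> <status>.
SAMPLE_BACKUP_LOG = """\
2009-05-20T23:00:00 fileserver-full SUCCESS
2009-05-21T23:00:00 fileserver-full SUCCESS
2009-05-22T23:00:00 fileserver-full FAILED
2009-05-23T23:00:00 fileserver-full FAILED
2009-05-24T23:00:00 fileserver-full SUCCESS
"""

Entry = Tuple[datetime, str, str]


@dataclass
class Objectives:
    rpo: timedelta  # maximum acceptable age of the recovered data
    rto: timedelta  # maximum acceptable time without the resource


def parse_backup_log(text: str) -> List[Entry]:
    """Parse 'timestamp job status' lines; blank lines are ignored."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, job, status = line.split()
        entries.append((datetime.fromisoformat(ts), job, status))
    return entries


def last_good_backup(entries: List[Entry], job: str, before: datetime) -> Optional[datetime]:
    """Most recent SUCCESS for `job` at or before `before`, or None if there is none."""
    good = [ts for ts, j, s in entries if j == job and s == "SUCCESS" and ts <= before]
    return max(good) if good else None


def longest_failure_run(entries: List[Entry], job: str) -> int:
    """Longest streak of consecutive FAILED runs for `job` (each one widens the real RPO)."""
    longest = current = 0
    for _, j, status in sorted(entries):
        if j != job:
            continue
        current = current + 1 if status == "FAILED" else 0
        longest = max(longest, current)
    return longest


def assess(entries: List[Entry], job: str, incident_at: datetime,
           restored_at: datetime, objectives: Objectives) -> dict:
    """Compare the data-loss window (RPO) and downtime (RTO) for one incident."""
    last = last_good_backup(entries, job, incident_at)
    data_loss = None if last is None else incident_at - last
    downtime = restored_at - incident_at
    return {
        "last_good_backup": last,
        "data_loss": data_loss,
        # No usable backup at all is an RPO failure, not a pass.
        "rpo_met": data_loss is not None and data_loss <= objectives.rpo,
        "downtime": downtime,
        "rto_met": downtime <= objectives.rto,
        "longest_failure_run": longest_failure_run(entries, job),
    }


if __name__ == "__main__":
    log = parse_backup_log(SAMPLE_BACKUP_LOG)
    objectives = Objectives(rpo=timedelta(hours=24), rto=timedelta(hours=12))
    # Hypothetical incident: the file server fails at noon, before that night's backup.
    report = assess(log, "fileserver-full",
                    incident_at=datetime(2009, 5, 24, 12, 0),
                    restored_at=datetime(2009, 5, 24, 20, 0),
                    objectives=objectives)
    for key, value in report.items():
        print(f"{key}: {value}")
```

With a nightly schedule the planned RPO is 24 hours, but because the two runs before the incident failed, the last usable backup is 61 hours old and the RPO is missed even though the restore itself finishes inside the 12-hour RTO. Monitoring `longest_failure_run` (alerting once failures multiplied by the backup interval approaches the RPO) is the practical control the RPO definition implies.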