There are many elements to a successful business continuity and life safety program. The most resilient organizations make sure that their people, teams and response efforts are aligned and resourced. This article will help you take the right steps to begin your journey to preparedness.
Conduct a Risk Assessment
To be prepared, it is vital for your organization to understand the threats that your locations could face. There are four key perspectives to consider for each of your organization’s locations:
Geographical
Location-based threats, which can be natural or man-made. The location of an office near a fault line or a flood zone would increase the threat of hazards from earthquakes and severe weather, for example. Proximity to regional conflict or the value of your city as a target for terrorism would also factor into a geographical assessment.
Internal
Threats that stem from the nature of your business or from specific situations that originate inside of your organization. Examining your organization through this lens can show how working in a high-stress work environment or working with valuable or sensitive information can leave your organization vulnerable to new threats. A particularly stressful “busy season” or an organization restructuring involving lay-offs can increase your risk for workplace violence, for example.
External
Threats that are precipitated by circumstances beyond your control. A violent group may be protesting a nearby business or government building, causing a significant disruption to your business. Nearby construction or special events (like large sporting events or concerts) can open your locations up to threats including business disruption, industrial accidents and terrorism.
Historical
Examine past threats and disasters in the area in order to understand possible present and future threats. This can range from physical threats like a fire at the location to cyberthreats like a security breach. Historical threats can show where an organization has been weak in the past, predict where criminals may try to take advantage again or illustrate threats that an organization is particularly sensitive to.
Once you have this data, you can create a Business Impact Analysis (BIA), which serves as an inventory of functions that would be impacted or lost if an office location became inaccessible and is an important first step in creating business continuity plans.
Develop Emergency Plans
Once it is clear what types of threats you should be prepared for, develop a plan to protect the safety and security of employees and the business. This ensures that when a disaster strikes, you are not forced to “wing it” and hope for the best. You will have a plan and guidelines to follow which will help direct you through the crisis. It is crucial to have plans to ensure employee safety, keep the organization in business and communicate with clients and the public. The plans that cover these activities are:
An emergency response plan (ERP)
This primarily deals with employee safety during and immediately following the disaster; however, steps taken here can also serve to prevent your building and equipment from major damage. An ERP should include instructions for an evacuation and a shelter-in-place and should designate roles and responsibilities of members of the organization. It is important to integrate building management into your organization’s plans, as well as other groups you may need to work with (security, maintenance, subtenants, etc.).
A business continuity/disaster recovery plan (BCP/DRP)
A BCP is a roadmap for maintaining and restoring your organization’s level of productivity while a DRP details how your organization will restore data, applications and technology services as quickly as possible. The BCP includes procedures for your organization acquiring extra equipment and temporary workspace/remote work capabilities during the interim period between the disruption and resumption of business. The DRP describes the protocol for data and application backup, fail-over and restoration.
A crisis communications plan
This allows your organization to manage your brand and reputation. The plan should designate which individuals are responsible for communicating with the media, the local authorities, clients, vendors and partners. Your plans should include instructions on what to say and what to avoid saying, both during and after the crisis. The crisis communication plan helps you get ahead of the emergency and direct the conversation all while keeping the public informed and your brand safe.
Establish and Train a Crisis Team
To successfully enact the carefully built plans, your organization needs to select and properly train a functional crisis team. Having the correct people in place with the proper training and the right tools can be crucial to successfully navigating a crisis. Key aspects of creating the crisis team are:
Defining roles and responsibilities
Decide which roles you will need and detail requirements for each role.
Choosing suitable personnel
Job title is not the issue when deciding who would be a good crisis team member. You want individuals who are good decision makers, show leadership skills and are on site almost all the time. Team members should be distributed evenly throughout your building and should comprise 5 to 7 percent of your total workforce.
Training your team
Make sure each team member is aware of the structure, roles and responsibilities of the entire crisis team as well as his or her individual role. Educate members on how to follow protocols, procedures and the plans that you have built. Members should be trained on when and how to activate the crisis team, how to utilize all tools and systems and any specific procedures that various threats may require.
Share Access to Critical Plans
Ensure that all of your critical documents are stored electronically and easily accessible. ERPs, BCPs, crisis communications plans, floor plans and emergency contact lists must all be accessible to members of the crisis team and others who may need to see the plan. When examining possible solutions for critical document management:
- Make sure your documents are stored off site electronically. Storage in “the cloud” allows for the greatest accessibility and assurance that a crisis at your location will not cause your organization to lose your plans. The “big binder” approach is useless if you are not near it during a crisis or if it is destroyed during a disaster.
- Best practices call for mobile access to your documents. During a disaster it is very likely that you will not have access to your organization’s intranet or a desktop computer. You need to be able to access your documents from wherever you are with whichever electronic device you have.
- Your document management system should be secure and “permission based.” Some plans may contain sensitive information. It is important to balance accessibility with security when managing your documents. Permission-based access allows your organization to restrict access to certain documents for certain users. This enables the organization to increase document accessibility while making sure sensitive information does not fall into the wrong hands.
Set up an Emergency Notification System
During and after a crisis, communication is absolutely critical in ensuring employee safety. Your organization must have the ability to communicate with employees, crisis team members and executives in a timely and reliable manner. Best-in-class emergency notification systems will include several features:
- An emergency notification system should include several methods for sending the message, including SMS text, email and voice messaging. Maximum redundancy increases the coverage of your message and increases the likelihood that recipients will see the message.
- The system should allow for each office location to send messages locally. Not all emergencies require an organization-wide message. On-location crisis leaders need to be able to send a message during a disaster.
- Messaging should have two-way capabilities, so that people can respond and those responses can be collected and sorted to prioritize aid. Two-way capabilities provide crisis teams with detailed information on the status of employees at a location that can be shared with emergency responders.
- Emergency notification systems should be simple and easy to use, requiring no prior training. During a crisis, even a properly trained individual may have trouble working an advanced complex communication system. The messaging system should be simple and intuitive, with little chance of user error.
- An emergency messaging system is only as good as the data in it. Make sure that your employees’ contact information is up to date and all email addresses and phone numbers are audited frequently.
Practice Regularly
All of the steps above can be for naught if nobody remembers what to do. Ingrain emergency preparedness into the culture of your organization by practicing regularly. An annual fire drill is not enough for a fully realized emergency preparedness program. Make sure your organization’s program includes:
- Regular exercises and refreshers for crisis team members and building management. Go over the crisis team roles and responsibilities regularly, as well as threat-specific protocols. Make sure preparedness is top of mind and your team is up to date with regular training.
- Tabletop drills for training your crisis team. Gather your crisis team, decision makers and building management representatives for a scenario walk-through. In a tabletop, the group is given a crisis scenario and asked to talk through how they would use the emergency program and plans to respond to the situation. As the situation unfolds, new information changes how the team responds. At the end of the scenario, the team discusses how they did, establishes goals and identifies changes that need to be made. These tabletops are not testing your people; they are testing your plans and finding any gaps or areas that can be improved.
- Full-scale, office-wide evacuation and shelter-in-place drills. These annual or semi-annual drills are an educational tool for all employees. Work with property management and organize your business’ evacuation and shelter practice. These drills are not only required by law in most areas, they can really help in the event of a disaster and are a good way of giving your employees confidence in your crisis team and the ability of your organization to respond to a crisis effectively.
Use Technology to Bring it All Together
An all-in-one technology platform can be a cost-effective way to build and maintain an emergency preparedness program for your organization. The proliferation of web-enabled devices and the ubiquity of smartphones have opened the opportunity for using technology to prepare for, manage and recover from disasters. Technology can support an effective emergency preparedness program by providing:
- Online training and certification. This can help managers and crisis teams make the right decisions during a crisis.
- Document sharing. It is possible to store and share key plans and other documents in the “cloud,” and access them from any computer, tablet or mobile device.
- A user-friendly emergency notification system. Systems can communicate with text, email and voice capabilities and have the ability to create easy-to-use two-way messaging.
- Expert content and response protocols. Subject matter expert knowledge is available for a range of events and can be accessed at a moment’s notice.
- Reporting and assessment tools, letting you benchmark the effectiveness of your organization-wide initiatives.