INTRODUCTION
The traditional role of security in the contingency planning process has been to
develop emergency evacuation plans for the business and to respond to emergency
or crisis situations. Acting as the eyes and ears for an organisation,
business, or facility and maintaining a 24-hours-a-day, 7-days-a-week presence,
the Corporate Security Manager's (CSM) security department at IWC
(International Widget Corporation) is the most prepared and capable
function for emergency response.
CONTINGENCY PLANNING PROGRAM
The purpose of contingency planning is to better enable the security department to
maintain continuity of the business. Should disruptions occur, and they do all
too often, the security department must be able to resume normal business
activities as quickly as possible.
The inability to restore normal operations will have an adverse economic impact on
the security department. The extent of the impact will correspond to the extent of
the disruption or damage. If the damage is severe and the mitigation of such
damage has not been properly planned for, the effect could be catastrophic.
Essentially, the business could fail.
Having a security policy on contingency planning is the basis for a sound and functional
program. It is also an integral part of the security department. Contingency
planning is generally not considered part of the normal daily operation for
most employees, departments, or organisations. Therefore, it is not
automatically or even normally addressed. Employees and management tend to
focus on the priorities of their specific jobs and departments. Seldom do they
consider the potential effects of a contingency occurrence. A contingency
planning program is required by security department policy, and specific
responsibilities are identified and assigned. Ultimately, to become completely
effective, contingency planning must become part of the security department's
profession and company culture.
Contingency planning is a continuous process. It is not something that can be done once and
put away, only to be retrieved when needed. It is a continuous process
requiring periodic updates and revisions as appropriate to, and consistent
with, the security department's changing professional conditions. It also
involves implementing and maintaining an awareness or training element. The
process of contingency planning is focused on achieving the following:
o Secure and protect people: In the event of a crisis, people must
be protected.
o Secure the continuity of the core elements of the business: the
infrastructure and critical processes (minimize disruptions to the business).
o Secure all information systems that include or affect supplier
connections and customer relationships.
CONTINGENCY PLANS
Contingency plans formally establish the processes and procedures to protect employees, core
business elements, information systems, and the environment in the event of an
emergency, business disruption, or disaster. These plans also incorporate
specific types of emergencies and disasters and address the mitigation,
preparedness, and response actions to be taken by security, management, and
the organisations charged with specific response and recovery tasks. These
plans contain basic guidance, direction, responsibilities, and administrative
information. The CSM's project team concluded that plans must also be
developed, maintained, and shared with management and employees in writing
(hardcopy and/or electronic). It was also determined that this is a standard
requirement of the Occupational Safety and Health Administration (OSHA). The project
team decided that to develop contingency plans, the preparedness process must
include the following considerations and elements:
Assumptions: Basic assumptions need to be developed in order to establish contingency planning
ground rules. It is best to use several possible "worst-case" scenarios as a
baseline for planning, relative to time of event, type of event,
available resources, building occupancy, evacuation of personnel, personnel
stranded on site, and environmental factors such as weather conditions and
temperature. Furthermore, consideration should be given to establishing
response parameters for emergency events. Define what constitutes a minor
emergency, a major emergency, and a disaster.
Risk assessment and vulnerability analysis: A crisis management team was recommended by the project
team and subsequently formed and assigned the responsibility to identify known
and apparent vulnerabilities and risks associated with the type of business
and geographical location of the enterprise. An assessment of risk and vulnerabilities
would be made prior to upgrading contingency plans. All planning would be
accomplished in accordance with a thorough understanding of actual and
potential risks and vulnerabilities. For example, IWC has one office building that
is very old and constructed completely of wood and other combustible materials;
therefore, it is vulnerable to fire. That same building happens to be located
in an arid geographical area where there is a high risk of fire; consequently,
planning needs to be done to address the hazard of fire. Here the likelihood
of fire is high and the vulnerability to fire is high. Therefore, the risk of
potential damage is high.
Incident management and crisis management: The project team determined that as an incident escalates,
the crisis management team should assume the responsibility of managing the
crisis. How this process works and who has what responsibilities must be
clearly stated in the contingency plans. In the event of an actual emergency,
there will be people who will attempt to manage the incident or participate in
crisis management; however, they should not have a role whatsoever in this
process unless they were previously identified and trained as part of the
crisis management team. Without established and well-defined incident
management protocols and procedures, chaos is likely to occur.
Incident/event analysis: When an emergency incident or event occurs, interrupting or disrupting the security
business process, the security department personnel will be charged with
responding to and managing the scene. They will also be responsible for
conducting an incident/event analysis. This analysis will be conducted to
determine the immediate extent of damage and the potential for subsequent additional
damage. The appropriate resources must be notified and activated to assist in
damage mitigation.
Business resumption planning: The project team decided that the process of planning to
facilitate the recovery of designated critical processes and the resumption of
business in the event of an interruption to the business process must be
performed in two parts. The first part focuses on business recovery in the
short term, while the other part focuses on business restoration in the long
term. This process will also include establishment of priorities for
restoration of critical processes, infrastructure, and information systems.
Post-event evaluation: An assessment of preceding events to determine what went well, what went less well
than planned, and what improvements to existing plans should be made is also
part of the process. Real events can present an opportunity to learn. There is
no better way to learn how to handle an emergency than to actually handle one.
Unfortunately, experiencing an emergency may cause damage to IWC.