Glenn F. Epier
Science Applications International Corporation
1213 Jefferson Davis Highway, Suite 1500
Arlington, Virginia 22202
ABSTRACT: U.S. federal and state regulations requireindus-try to develop and maintain detailed crisis and emergency response plans. These plans are, for the most part, well thought out and detailed. As a result, along with extensive training and exercise programs, industry preparedness is better than it has ever been to respond to and manage an emergency. But how well prepared is industry to handle the business or operational
continuity aspects of a crisis or emergency? What plans are in place to deal with the requirement for continuing essential
business functions in the face of a disaster? If a major incident occurs to a refinery, terminal, or offshore production platform that requires it to be taken off-line, or damages it beyond repair, are there plans in place to minimize the impacts on the rest of the organization and on the downstream customers? How will this be done simultaneously while managing the response?
This paper addresses those needs and discusses the require-ments that companies in the oil and chemical industry should consider in developing business and operational continuity plans. It explains a multi-step planning process that is being used by many companies around the world to maintain their business edge when a crisis or disaster strikes. This planning process in-cludes such functions as conducting a risk analysis and business impact analysis, developing mitigation and recovery strategies, drafting a continuity plan, developing an awareness program, and building a training and exercising program. The paper also looks at the similarities between business and operational conti-nuity plans and a company 's emergency or crisis management plan and address ways in which the plans may be integrated.
Introduction
Managers and executives at all levels of a company are paid very well to manage crises and disasters and often do so on more occasions than they care to remember. While not all of these incidents are newsworthy, industry is no stranger to incidents with the potential to disrupt an organization's income sources, operating expenses, stock price, competitive position, and ongo-ing business, not to mention potential governmental intervention and regulatory changes. The refinery, pipeline, offshore platform, or oil terminal is a profit center in today's business world, yet many corporations do not focus business continuity planning efforts in these locations. Many corporations today that rely on their particular facilities to generate and maintain a certain level of business are overlooking the importance of business continuity planning for facilities and other infrastructure. This problem primarily is due to most plants and facilities not having experi-enced the level of crisis or disaster where long-term business viability and success are called into question.
So how well prepared are most organizations to handle the business and operational aspects of a crisis? How much training and exercising in the area of business continuity and business resumption is being conducted by these organizations? In every major environmental incident, there is always the constant tug between the regulators and the stockholders—each pulling the organization in a different direction to satisfy their own particular needs. When responding to a major refinery explosion and fire, or a major oil spill into one of the region's most environmentally sensitive areas, when will business issues be addressed? How should customers learn of a crisis? How will those contracts affected by the loss of that product or service be handled? Who is responsible for these issues? If customer and stakeholder needs are not met in a timely manner, will they turn on the company or abandon it? The business continuity message presented here is that it is nothing short of due diligence on the part of management to develop a mechanism that responds to major environmental disasters without losing the ability to continue the core business. Business continuity process
Business continuity can be defined simply as a good business practice—an effort to assure that the capability exists to continue essential company functions across a wide range of potential emergencies. Developing a business-operational continuity plan may seem like a huge task, but in actuality, it is a common-sense document that offers valuable insight into business operations. It involves identifying those functions and processes that are critical to business, then designing contingency plans to deal with the potential disruption of one or more of those functions and processes. Business continuity planning is not new. Most companies and organizations developed and exercised Year 2000 plans. Now those companies and organizations need to apply those principles and practices to potential oil and petro-chemical industry business disruptions, such as a major vessel grounding and spilling oil or refinery explosion and fire. The continual reliance on computers, databases, and other electronic informa-tion transferences will cause the concept of business-operainforma-tional continuity planning to become the basis for crisis management in the twenty-first century.
Government regulations motivate most companies to conduct field- or facility-level planning. For the most part, the regulations are adequate for dealing with emergencies, but adding informa-tion on continuing business operainforma-tions certainly could enhance the planning effort. Most companies do not want to go beyond the planning required by those government regulations for various reasons, one of which is the higher costs associated with the additional planning effort. Not only does a company have to deal with environmental cleanup costs and liabilities associated with a 903
major oil spill and the cost of repairs to rebuild the facility and infrastructure, but it also has to deal with potential impacts to its customer base (revenue streams) because of non-performance of existing contracts and the ability of competitors to quickly pick up this business. A well thought out plan to continue business becomes a necessity.
So what is a business continuity plan (BCP)? It is a manage-ment strategy and set of procedures that defines how a business or corporation will continue its critical functions in the event of an unplanned disruption to its business activities. As with develop-ing any type of crisis management and emergency response plan, business-operational continuity plans start with the process of defining the organization's vulnerabilities to business disruptions and eventually developing contingencies to handle those vulner-abilities (if they cannot be removed or mitigated in some fashion).
The risk of potentially disastrous losses from business interrup-tions compels planners to use a common methodology to business resumption planning. This common approach includes ten basic steps under a program developed by the Disaster Recovery Institute International (DRII). This program has been in existence for a number of years and has proven effective in many major business disruption responses. The process outlined below by DRII is similar to the process used by the oil industry in developing crisis and emergency management plans, as explained later in this paper. These ten steps include:
1. Project initiation establishes the need for a BCP, which includes obtaining management support and organizing and managing the project to completion within established time and budget limits.
2. Risk evaluation and control determine the events and environmental surroundings that can affect an organiza-tion and its facilities adversely, the damage such events may cause, and the controls needed to prevent or minimize the effects of potential loss.
3. Business impact analysis identifies the potential impacts resulting from disruptions or facility losses that can affect a company, and the techniques that can be used to quantify and qualify such impacts. Critical functions are identified, their recovery priorities established, and interdependencies determined so that recovery time objectives can be set.
4. Developing business continuity strategies will determine and guide the selection of alternate business recovery operating strategies for a business while maintaining the company's critical functions. This shows how a company will continue to operate after an explosion and destruction of a large refinery or while responding to a major oil spill. 5. Emergency response and operations involves the devel-opment and implementation of procedures for responding to and stabilizing the incident. Human safety and health are always the first concern in any crisis or emergency situation. When an incident or disaster occurs, these crisis or emergency plans should be implemented immediately, with the business concerns and issues being a secondary priority. In the oil and chemical industry, these plans normally already exist, but the BCP plan should be compatible with the procedures in the response plans. 6. Developing and implementing BCPs involve the
development and implementation of a BCP that provides for recovery within the recovery time objectives devel-oped during the business impact analysis.
7. Awareness and training programs create corporate awareness of a BCP and its associated procedures, and enhance skills required to develop and implement a BCP. 8. Maintaining and exercising BCPs help to plan and
coordinate exercises, and evaluate and document exercise
results. This also allows for the development of a process to maintain the response capabilities and the plan document in accordance with the company's strategic direction. Major exercises often involve both BCP and emergency response plans.
9. Public relations and crisis coordination provide guidance to work with the media during a crisis or emergency situation. This also outlines information on how to provide crisis communications, such as dealing with key customers, critical suppliers, stockholders, employees and their families, and corporate management during a crisis. It also deals with crisis counseling for those employees or non-employees as required.
10. Coordination with public authorities establishes applica-ble procedures and policies for coordinating continuity and restoration activities with local authorities while en-suring compliance with applicable statutes or regulations. The above described business continuity process is similar to the process commonly used to develop crisis and emergency management plans. The two can be combined to develop and maintain a truly integrated and comprehensive contingency plan that includes information mandated not only by regulatory authorities, but by fiduciary responsibilities as well.
General planning guidelines
A crisis is an event or series of events that threaten to funda-mentally alter the way an organization conducts business. It can be a significant business disruption that stimulates extensive news media coverage with the resulting public scrutiny having a large effect on the organization's normal operations. The crisis could also have a political, legal, financial, and governmental impact on a business. There are four basic causes of a business crisis:
• Acts of God, such as earthquakes, storms, volcanoes, etc. • Mechanical problems, such as ruptured oil/gas pipelines,
tank and valve failures, vessel groundings, etc.
• Human judgment or errors, such as opening the wrong valve, miscommunication or navigating a vessel aground, etc. • Management decisions/indecisions, such as a problem that
is perceived as not being very serious and that nobody will discover
All could have huge impacts on the way an organization responds to and continues to conduct business. And without an adequate crisis and emergency management plan, as well as business continuity planning guidelines in place, the organization will surely struggle to exist.
In many cases where the crisis already has occurred, or it is inevitable that the crisis will impact key stakeholders, a BCP will minimize the disruption and financial damage. A crisis or emer-gency management plan that does not address continuity planning is unlikely to achieve these results. Maintaining essential opera-tions while responding to a disaster is a strategic, moral, and legal obligation to one's company and its stakeholders. Just as industry spending billions of dollars each year on technology to maintain a competitive edge is viewed as being prudent, not having a BCP to continue operations is an indication of corporate negligence. Standards of care and due diligence are required of all companies; not having a plan violates fiduciary standard of care.
What basic elements are needed in a plan? Every good re-sponse-planning document should contain three sections/areas of information on how to deal with a catastrophic incident. These areas include:
• Crisis and emergency management procedures • Crisis communications procedures
As an integrated plan is being developed, the difference be-tween crisis management, crisis communications, and business continuity needs to be clarified. And where should the line between management, communications, and business concerns be drawn in a crisis? That line should not be drawn. In fact, one should do everything possible to coordinate management, opera-tional, and communications response to any major environmental incident. In reality, response efforts should all work in parallel. The crisis and emergency response teams are working toward resolving the life, health, and safety issues; the communications team is providing the media and key stakeholder groups pertinent information; and the business continuity team is dealing with maintaining the company business and profitability.
In addition, while building an integrated plan, other questions will surely be asked. At what level does the oil spill become a crisis? When should the crisis communications plan be imple-mented? When should one become concerned with business issues? What are the trigger points for making this decision? On this subject, trigger points should be clearly defined and well understood by all response team members. Criteria that describe the severity of the problem should be used to determine the type of response that will be provided. These criteria should also be an integral part of business continuity planning and be built into both crisis management and crisis communications sections of a plan. The importance of these criteria is that they will trigger separate responses by:
• Response team members who have to get the oil spill under control as quickly as possible so normal business can be resumed
• Top management who have to allocate resources, handle stockholders, deal with legal issues, maintain company image, and make other critical decisions needed to maintain the company business
• Communications personnel who have to proactively get the company's message out while making sure all stake-holder and media interests are met
As indicated above, the process for developing crisis and emergency management plans is similar to developing BCPs. The planning process used in developing any type of crisis and emergency management plans may be consolidated into the following phases:
• Project initiation phase: The problem initially is identi-fied and detailed. The objectives and the scope of the plan are laid out, budget and resources identified, and final approval given by management.
• Functional requirements phase: Details of a risk assess-ment are obtained and alternatives identified during this fact-gathering phase. A business impact analysis and risk assessment is conducted, along with a process for identifying mitigation strategies and acceptable risks. • Plan development phase: The plan becomes a reality, a
written document. Not only is a company looking at crisis and emergency response procedures, but it also should be considering plan components such as alternate Emergency Operation Center site locations, handling of vital records, escalation and de-escalation procedures, and business continuity, resumption, and restoration procedures. The integrated contingency planning guidelines developed by the National Response Team provide a good framework and meet their conceptual objectives, but they do not go far enough in the planning model to provide for business-operational continuity information.
• Training and exercising phase: Once the plan is devel-oped, personnel need to be trained on its contents. As a final link to the planning process, the plan needs to be exercised on a regular basis to determine its validity and
effectiveness. Once deficiencies are determined, the plan then needs to be refined.
• Plan maintenance phase: While this appears self-explana-tory, this phase often is neglected. All plans should be reviewed at least annually or whenever new policies and procedures are developed. A plan review schedule should be developed and a budget assigned, with reviews being conducted periodically, such as after conducting an exercise or responding to an actual incident.
Organizational responsibilities
Crisis situations typically require managers to make critical business decisions under extreme pressure and in most cases using incomplete and insufficient information. By defining in advance what core crisis management and business continuity steps need to be taken and how they should be conducted, corporations can reduce some stress on their staff during a crisis. This advance work may increase the efficiency of their response and may reduce the financial impacts on the company. Previ-ously, a definition for a crisis was presented; however, this will vary from company to company, as the types of events or incidents that can alter the way a company chooses to do business vary. A specific event that may have a substantial impact on a small company may have little impact on a large company working in the same business line. How a company responds to a crisis event may make all the difference when the stock prices come out the next day.
Prevention and preparation are two key areas where a company can make huge impacts when responding to a disaster or crisis event. They also will have large impacts on the cleanup and even-tual litigation costs when responding to an incident. Anything that can first be prevented from occurring—through such programs as enhancing safety standards, inventory control, or engineering design—is always the first step in risk reduction. If the potential incident cannot be prevented from occurring, then the company must be prepared to respond to it. The question is not if, but when, the crisis will occur.
A standard rule of thumb of crisis management is to influence the course of the crisis, not just respond to it. By being proactive, a company's crisis management team often can prevent a situa-tion from escalating into a crisis, or can mitigate its financial impacts. Being prepared to handle the potential business impacts of such an event is as important as dealing with the emergency aspects of the response. And in most cases, the company should be able to respond to and deal with both (emergency and business continuity) responses simultaneously. Having an experienced and trained response organization in place is necessary to maintain that business edge once a crisis or disaster strikes.
All too often, companies emphasize developing crisis and emergency management plans as the cure-all for responding to an incident. Granted, a good plan is very important, but in the long run. companies should be engaging in a process for developing an overall capability to manage the crisis or disaster, then document-ing that capability in a suitable plan. Plans should reflect current capabilities, not desired capabilities. The plan and ultimate response are only as good as the organization managing the incident. That response organization should be designed so that it will be able to satisfy the overall response objectives of the company.
There are many different types and levels of crisis and emer-gency management organizations throughout the oil industry, each with its own set of company objectives and goals. No matter how large or small the company, however, certain response objectives must always be met. In any incident, response issues
such as human health and safety, logistics, personnel and equipment support, financial, legal, human resources, and communications will always need to be addressed. However, at what level, and by whom should these be handled?
In most cases, a tiered approach to respond to a potential crisis or disaster is recommended. At the field location, the emergency response organization responds to the crisis event and is usually organized in an incident command structure of some type. Here is where the tactical planning for the response is being conducted. The facility response team will be focused on dealing with the emergency, and once that phase is over, its focus will then be on rebuilding the facility or repairing the damage caused by the incident; commonly referred to as business resumption. Addi-tional company support in such areas as finance, personnel and equipment, legal, human resources, media, and business continu-ity should come from either the company headquarters or the business unit headquarters, depending on the size and makeup of the corporation.
For many larger companies, a three-tiered approach is common with an incident support team (mid-level team) managing the crisis or disaster at the business unit level and a crisis manage-ment or executive managemanage-ment team (senior-level team) at the headquarters level. The incident support team would be responsible for providing assistance to the field-level team in such areas as legal, financial, human resources, crisis commu-nications, and marketing, as well as focusing on the continuing business concerns for the business unit. The crisis management or executive management team would consist of very senior-level managers at the corporation headquarters tasked with handling the impacts of the crisis on the overall corporation and its stockholders, as well as continuing those strategic business functions not impacted by the incident. For smaller companies, these two senior-level teams (incident support team and crisis management team) easily can be combined into one crisis management team that would then be tasked with not only providing assistance to the field-level response, but also dealing with the business continuity issues and strategic response plans for the corporation and its stockholders.
It is important that each individual responder understands how he/she fits into the response organization, what his/her respon-sibilities are, and what the roles and responrespon-sibilities are of each group in the corporation. Otherwise, overlaps or shortfalls will occur, and the response will not be managed as effectively or efficiently as the stockholders and general public would expect. It is also important that the members of the response teams understand the distinction between crisis and emergency manage-ment and how the business continuity issues need to be addressed during the early stages of the response operation.
Plan comparison
The following planning matrix (Table 1 ) outlines and compares the plan requirements of four commonly accepted standards— Area Contingency Plans (ACPs), local emergency planning committee plans (LEPCs), facility response plans (FRPs), inte-grated contingency plans (ICPs)—for oil spill response plans to those generally found in BCPs.
What a comprehensive contingency plan needs
The integrated contingency plan (as outlined by the National Response Team guidance) is an excellent model for creating an emergency response plan and covers all aspects of responding to a major oil spill. A local facility manager, however, needs to be aware of business continuity issues and priorities, and what his/her roles and responsibilities are to maintain the business when a crisis or disaster strikes. Some of these concerns and decisions will center on such areas as upstream suppliers and downstream customers, decision to rebuild or replace, work status of employees, production level changes, procedures modifica-tions, etc.
The focus of this plan comparison is on developing compre-hensive response plans, from both a field-level and an incident support team perspective. There are many different concepts on how to develop a contingency plan and many more formats for writing the actual plan. It does not matter whether the plan is required by law, regulation, or company policy; most response plans should contain overall planning elements such as preven-tion, response, business continuity, and restoration. The plan should be able to address all aspects of dealing with a crisis or emergency ranging from prevention practices to getting the company back into normal operation. In addition, plans should be user friendly and, in many cases, should include information on responses to any type of hazard (e.g., fire, explosion, oil spill, natural disaster, terrorism, etc.).
A comprehensive response plan should include information in the following areas:
• Scope and background information • Risk Analysis
• Business impact analysis • Prevention programs • Health and safety plan
• Initial assessment and mobilization • Notification procedures
• Forecasts of oil movement • Resources at risk
• Response strategies and techniques • Recovery teams and procedures • Investigation procedures • Contractor/support listings • Alternate site location and setup • Demobilization
• Response management organization • Roles and responsibilities
• Crisis communications/public affairs • Facility specific information • Product information
• Training and exercising requirements • Business continuity procedures • Documentation requirements • Concept of operations • Humanitarian assistance • Post incident review • Waste management
• Evacuation/shelter in place requirements • Communications
Table 1. Planning matrix.
Plan components ACP LEPC (SARA) FRP ICP BCP Applicability, purpose and scope
Background, geographic boundaries and other policy
information
Listing of facilities subject to rules
Facility identification information
Transportation routes for hazmat
Identification of at risk facilities and locations
Identify critical functions; develop recovery strategies
Risk/hazard analysis and mitigating factors
Business impact analysis
Planning organization
Emergency response levels
Product information (MSDS)
Potential scenarios and action plans
Trajectory modeling
Listing of response equipment, support facilities and
personnel (private and government)
Health and safety
Assessment/discovery
Notification procedures (internal and external)
Response operations (during emergency phase)
Response management system/organization
Identify recovery teams
Alternate site location and setup, off-site storage
retrieval
Response techniques
Recovery and demobilization (after emergency phase)
Waste management
Communications procedures (internal and external)
Public Affairs information
Humanitarian assistance concerns (injuries, deaths, etc.)
Training and exercising plans, schedules and programs
Plan maintenance and review procedures
Accident review and investigation
Incident Documentation (administrative and financial)
Prevention
X
X
X
X X X X X X X X X X X X X X X X X XX
X
X
X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X XNote: ACP, Area Contingency Plan, LECP, local emergency planning committee plan; FRP, facility response plan; ICP, integrated contingency plans; BCP, business continuity plan.
Granted, the particular facility being impacted by the incident may not be the main provider of all information or services mentioned above, but specific information needs to be available on how to obtain additional assistance and advice from corporate management teams. Most oil spill response plans, however, do not contain these elements since they usually are developed in accordance with regulatory requirements that rarely require a corporation to plan for its continuing business success.
Contingency planning, including business continuity, is a necessity that has turned out to be beneficial in more ways than expected. Beyond ensuring a business function's viability during and after a crisis or disaster, contingency planning efforts have led to significant improvements in the daily operations of many
business units. In addition, no other process does a better job of making a corporation assess its operations and processes than the structured process of planning what to do when your refinery or vessel, the full staff, information systems, and communications are no longer available.
Contingency planning for the long-term business success of a company is traditionally a primary responsibility of senior management at a headquarters location. But over the past decade, the trend has been to move this decision making to strategic business units. And in many companies, those strategic business decisions are being delegated to plant, terminal, and facility man-agers. These are the people that are not only responsible for safeguarding their existing operation, but they also need to have
plans in place to protect business processes and procedures when a crisis occurs. After all, this is where the company makes its money and is of primary interest to all stockholders, so naturally this should be the level where business continuity begins. The goal is to develop one plan that covers all incidents, from a small spill that could have partial impacts on business profitability to a major incident where the entire business operation comes to a halt. How well this is planned for will dictate the success of the company.
Biography
Glenn F. Epier has over 24 years of experience in planning, training, exercising, and response, 18 of which were with the U.S. Coast Guard. He worked extensively in the emergency manage-ment field, in both preparing for and responding to maritime incidents. Mr. Epler reviewed and developed numerous crisis management and emergency response plans dealing with natural and man-made disasters.
