Business Continuity Planning in the Mountain Parks

advertisement
Business Continuity Planning
in the Mountain Parks
The only thing harder than planning for an
emergency is explaining why you didn't
Objectives
• General overview of Business Continuity
Planning (BCP)
• Why we do it
• Barriers
• Approach
• Lessons learned
What is a Business Continuity
Plan?
• It is a proactive planning process that ensures
critical services are delivered during a
disruption.
• Continuous Service Delivery Assurance (CSDA).
• Provides a framework for building resilience
• Not an emergency management plan
Critical Services
Critical Services
– A service whose compromise in terms of availability
or integrity would result in a high degree of injury to
the health, safety, security or economic well being of
Canadians, or to the effective functioning of the
Government of Canada (including credibility).
• CNPA: what are we obliged to do?
• If we don’t do it, what will happen?
• 24 hours.
Business Continuity Planning
Comes down to being able to answer three
questions:
1. What could go wrong? (The Risk Assessment)
2. If something went wrong, how would it affect
our services? (Business Impact Analysis)
3. How would our essential services be
continued/resumed? (Business Continuity Plan)
Why Do It?
Every organization is at risk from potential
disasters that include:
• Natural disasters - floods, blizzards, fire
• Accidents
• Power and energy disruptions
• Communications, transportation, sector failure
• Environmental disasters – pollution, hazardous
materials spills
• Cyber attacks and hacker activity.
No Really Why Do It?
• Because we have to?
• Because we want to?
• This is just good business.
Good Business Value
• Corporate knowledge
• Knowing what you have, where it is, how it is stored
– various formats and readily available
• Do you have alternate work locations arranged?
• Procedures, protocols, contact lists, dependencies?
– Are they up to date, where are they?
• If you are incapacitated, can someone else readily
do your job?
• Getting our “house” in order
• Better to have a business continuity plan and not
need it, than to need the plan and not have it.
• Needed it and not had it.
– In 2005, a severe ice storm closing all highways for
several days isolated communities and cut off fuel
and other critical supplies.
– Several years ago, in the winter, Jasper lost power
and heat for many days when a main utility (gas) line
was cut.
– In 2008, a water main broke in the Revelstoke office
causing the building to be rendered unusable for
several days.
The Flooded Basement
File Room
PC Storage in
Friends Area
Mountain Park Context
• Not everyone knew what a Business
Continuity Plan was (Disaster Recovery)
• Those that did – mixed reaction
• PCA attempted to complete these for all
NP’s
– Intensive support required
– Uneven penetration into the workplace
Mountain Park BCP
• Mountain Parks decided to leverage the
experience of National Office to do our
own.
– 7 National Parks
– Test the plans
– 18 months
• No previous experience in BCP is required
• knowledge of park operations and a good
dose of common sense
Barriers
• Sr Mgmt support – governance #1 success
factor
• Volumes and volumes of technical
documentation – appears to be a complex
and messy corporate project.
• Perception/attitude
• Maintenance
Time To Make Peace
Private sector
approach
Government
Requirements
What we did
What’s Involved?
1. Identify critical services (VS, highways,
communications)
2. Identify all the critical assets that support
these.
– HR, infrastructure, technology, hard goods
3. Risk assessment
4. Document it
– Develop user friendly tools to pull it together.
What’s involved?
• Risk assessment process –evaluating
resiliency using various threat scenarios
(impact centric).
• Gap analysis: comparison of what types of
procedures should be implemented to
recover and maintain normal operations,
versus what currently exists.
• The difference between the two highlights
risk exposure.
• Reducing risk to an acceptable level.
Readiness Exercises
• While no plan can guarantee success,
inadequate plans are proven contributors to
failure (US Department of Homeland Security Nationwide Plan
Review Phase 2 Report June 16, 2006).
• An untested plan is only a strategy and we have
enough of those.
Readiness - Exercises
• We created scenarios – based on real events
with imaginative enhancements to challenge all
the critical services.
• Table top exercises.
• Evaluations
Table Top Exercises
• Multi-disciplinary teams (not EM teams)
• Adapted to realities of the park
• Test more than the BCP (ICS, integration
of colleagues)
• Relevant but low pressure and highly
engaging.
• Take people with a low level of
engagement to a high level and wanting
more.
What did you like most about the exercise?
Related to all functions/level of experience,
learning role of other functions in an
emergency response
Helped in understanding gaps in
emergency preparedness within the
organization
Engaging, Interesting, useful
2% 1% 1%
4%
1%
3%
4%
42%
6%
Helped identify ICS and other training
needs,importance of ICS and a shared
understanding of how it works.
Realistic events scenario
7%
Increased confidence in team
8%
Well facilitated, organized and good timing
21%
People who had training/experience were
leading-Helped identify key resources and
staff that would address the scenario
Reassuring that we can react appropriately
Learning about partnership with other
agencies
Keep ICS disussions Hypothetical for a 3
hrs session
Helped build consensus that training and
practice for managers is important
The exercise provided a good test and validation of the
Business Continuity Plan.
Strongly Agree
1.60%
18.00%
27.00%
Agree
Neutral
Disagree
53.00%
Strongly Disagree
no answer
Final Products - BCP
1. Plan overview
•
Structure, how it works.
2. Operational response
•
•
•
•
Resources (ICS, PSC)
Flow charts
Initial communications
Alternate work locations
3. New templates for critical services and
recovery strategies
•
•
Recovery options
Internal/external dependencies (call lists)
Products: Innovation
• Searchable database
– Linked to files on main server for automatic
updating.
– Protected Keys (all key personnel)
– Downloaded to mobile devices
• Mobile application (under review)
Lessons learned
• Writing a BCP is staff time, exercising a BCP is
fun - having Sr Management oversight is
priceless!
• Keep it simple
• "If it's stupid, but it works - it isn't stupid” ( Murphy's
Laws of Combat)
• Take a personal approach.
• Make it fun and be creative!
• Maintenance – provide tools (keys).
Recommendations
•
•
•
•
•
Sr Management support
Top of organization paying attention
Engage people
Be inclusive – go beyond EM people
Right size it – doesn’t have to be complex
Thanks for your time and interest
Ian Brown
Resource Conservation Manager
Mount Revelstoke and Glacier N.P.’s
ian.brown@pc.gc.ca
250 837-7500
Download