Business Continuity Planning in the Mountain Parks The only thing harder than planning for an emergency is explaining why you didn't Objectives • General overview of Business Continuity Planning (BCP) • Why we do it • Barriers • Approach • Lessons learned What is a Business Continuity Plan? • It is a proactive planning process that ensures critical services are delivered during a disruption. • Continuous Service Delivery Assurance (CSDA). • Provides a framework for building resilience • Not an emergency management plan Critical Services Critical Services – A service whose compromise in terms of availability or integrity would result in a high degree of injury to the health, safety, security or economic well being of Canadians, or to the effective functioning of the Government of Canada (including credibility). • CNPA: what are we obliged to do? • If we don’t do it, what will happen? • 24 hours. Business Continuity Planning Comes down to being able to answer three questions: 1. What could go wrong? (The Risk Assessment) 2. If something went wrong, how would it affect our services? (Business Impact Analysis) 3. How would our essential services be continued/resumed? (Business Continuity Plan) Why Do It? Every organization is at risk from potential disasters that include: • Natural disasters - floods, blizzards, fire • Accidents • Power and energy disruptions • Communications, transportation, sector failure • Environmental disasters – pollution, hazardous materials spills • Cyber attacks and hacker activity. No Really Why Do It? • Because we have to? • Because we want to? • This is just good business. Good Business Value • Corporate knowledge • Knowing what you have, where it is, how it is stored – various formats and readily available • Do you have alternate work locations arranged? • Procedures, protocols, contact lists, dependencies? – Are they up to date, where are they? • If you are incapacitated, can someone else readily do your job? • Getting our “house” in order • Better to have a business continuity plan and not need it, than to need the plan and not have it. • Needed it and not had it. – In 2005, a severe ice storm closing all highways for several days isolated communities and cut off fuel and other critical supplies. – Several years ago, in the winter, Jasper lost power and heat for many days when a main utility (gas) line was cut. – In 2008, a water main broke in the Revelstoke office causing the building to be rendered unusable for several days. The Flooded Basement File Room PC Storage in Friends Area Mountain Park Context • Not everyone knew what a Business Continuity Plan was (Disaster Recovery) • Those that did – mixed reaction • PCA attempted to complete these for all NP’s – Intensive support required – Uneven penetration into the workplace Mountain Park BCP • Mountain Parks decided to leverage the experience of National Office to do our own. – 7 National Parks – Test the plans – 18 months • No previous experience in BCP is required • knowledge of park operations and a good dose of common sense Barriers • Sr Mgmt support – governance #1 success factor • Volumes and volumes of technical documentation – appears to be a complex and messy corporate project. • Perception/attitude • Maintenance Time To Make Peace Private sector approach Government Requirements What we did What’s Involved? 1. Identify critical services (VS, highways, communications) 2. Identify all the critical assets that support these. – HR, infrastructure, technology, hard goods 3. Risk assessment 4. Document it – Develop user friendly tools to pull it together. What’s involved? • Risk assessment process –evaluating resiliency using various threat scenarios (impact centric). • Gap analysis: comparison of what types of procedures should be implemented to recover and maintain normal operations, versus what currently exists. • The difference between the two highlights risk exposure. • Reducing risk to an acceptable level. Readiness Exercises • While no plan can guarantee success, inadequate plans are proven contributors to failure (US Department of Homeland Security Nationwide Plan Review Phase 2 Report June 16, 2006). • An untested plan is only a strategy and we have enough of those. Readiness - Exercises • We created scenarios – based on real events with imaginative enhancements to challenge all the critical services. • Table top exercises. • Evaluations Table Top Exercises • Multi-disciplinary teams (not EM teams) • Adapted to realities of the park • Test more than the BCP (ICS, integration of colleagues) • Relevant but low pressure and highly engaging. • Take people with a low level of engagement to a high level and wanting more. What did you like most about the exercise? Related to all functions/level of experience, learning role of other functions in an emergency response Helped in understanding gaps in emergency preparedness within the organization Engaging, Interesting, useful 2% 1% 1% 4% 1% 3% 4% 42% 6% Helped identify ICS and other training needs,importance of ICS and a shared understanding of how it works. Realistic events scenario 7% Increased confidence in team 8% Well facilitated, organized and good timing 21% People who had training/experience were leading-Helped identify key resources and staff that would address the scenario Reassuring that we can react appropriately Learning about partnership with other agencies Keep ICS disussions Hypothetical for a 3 hrs session Helped build consensus that training and practice for managers is important The exercise provided a good test and validation of the Business Continuity Plan. Strongly Agree 1.60% 18.00% 27.00% Agree Neutral Disagree 53.00% Strongly Disagree no answer Final Products - BCP 1. Plan overview • Structure, how it works. 2. Operational response • • • • Resources (ICS, PSC) Flow charts Initial communications Alternate work locations 3. New templates for critical services and recovery strategies • • Recovery options Internal/external dependencies (call lists) Products: Innovation • Searchable database – Linked to files on main server for automatic updating. – Protected Keys (all key personnel) – Downloaded to mobile devices • Mobile application (under review) Lessons learned • Writing a BCP is staff time, exercising a BCP is fun - having Sr Management oversight is priceless! • Keep it simple • "If it's stupid, but it works - it isn't stupid” ( Murphy's Laws of Combat) • Take a personal approach. • Make it fun and be creative! • Maintenance – provide tools (keys). Recommendations • • • • • Sr Management support Top of organization paying attention Engage people Be inclusive – go beyond EM people Right size it – doesn’t have to be complex Thanks for your time and interest Ian Brown Resource Conservation Manager Mount Revelstoke and Glacier N.P.’s ian.brown@pc.gc.ca 250 837-7500