Within a Business Continuity Assessment process, are there any special consideration that should be factored into the Emergency Response Plan?
By law, organizations must take into consideration the safety needs and requirements of all employees. This includes preparations for the health and safety of individuals who may require special assistance during a crisis. The Chief Compliance Officer recommends that the question of special assistance be included as part of new employee orientation. In this way, those who may require additional assistance can voluntarily identify themselves. Each time the ERP is reviewed and updated, this issue should be readdressed and incorporated into the business continuity disaster recovery plan(s).
Is it important to assign responsibility for the Emergency Response Plan (ERP) to a specific individual?
A Business Continuity Risk Program along with its Emergency Response Plan component cannot succeed without responsibilities being clearly defined. This is particularly true when it comes to management of the ERP. For this reason it is critical to identify one or more individuals who, at the time of a crisis, could fulfill this role. Because of the seriousness of this responsibility it is best to recruit volunteers willing to deal with uncomfortable situations and disturbing sights. In addition, the Chief Compliance Officer recommends that this role be empowered with emergency authority to assign critical sub-tasks to others outside the team. Examples might include purchasing of replacement items or issues related to human resources.
What considerations go into the use and management of a crisis communication system?
Even if a fully functioning ERP is not in place, establishing some type of communications systems which can work during an emergency should be an early ERP business compliance priority. Intercoms, pre-programmed cell phone numbers, inexpensive walkie-talkies, even fog horns can provide some rudimentary communications capabilities.
What is the best technique for reducing confusion during a crisis?
Confusion in crisis situations is to be expected and the best way to reduce it is through training and practical exercises. However, having an awareness of the need for business continuity training for your employees before a crisis along with regularly scheduled compliance audit to verify against a compliance checklist that this training is being implemented will greatly reduce the confusion level in these crisis situations as well.
Are there other, often overlooked areas of the crisis communications plan to which an organization should be sensitive?
A crisis communications plan is a complex and important element of a business continuity plan and compliance monitoring along with the compliance procedures most applicable to crisis management requirements are often overlooked when preparing a business continuity template for that plan. For example, determining the organization’s requirements as they apply to individuals with special needs is vitally important and may be a legal requirement of that plan. The same is true regarding communications with non-English speakers.
What is a Key Control System and how does it factor into a Security Analysis Process in a Business Continuity Plan?
Key control is an organized and formal security system which addresses control of master keys within a building or facility. It prevents unauthorized access to the facility. Through the use of documentation and status reporting, critical elements in the master key system can be controlled. Gather answer to questions such as: What are your keying systems? What keys do you have? What keys have you issued? What keys are not accounted for? Where are the keys? Who has them now? Can you account for all keys? Controlling access to facilities requires understanding who has access, when, and under what conditions. This is even a greater problem when employees leave. For example, electronic security systems can be hacked if improperly secured.
It is a good practice to have an individual assigned to this task.
Are there other commonly overlooked security issues that a security risk assessment process should address in the security compliance sections of a business continuity plan?
A common risk overlooked in security training and security audits but still allowed in many organizations both large and small, is permitting delivery staff to enter and then move around the facility with little or no monitoring of their activities. Everyone in a UPS brown coverall carrying a box is not necessarily a safe individual and may not even be a UPS employee. However, once inside a facility, the image of a uniform of some type will tend to discourage further attention or scrutiny. This sense of trust may allow certain individuals access to areas when normally they should be challenged.
A risk management plan including specific security audit functions, policies and procedures should also be in place to track when and where employees and contractors are working at any specific time.
Is the risk of workplace violence increasing?
The short answer to this question is “Yes!” The increase in workplace violence suggests that every organization should have a clearly defined policy which states that no violence, of any type, is tolerated. Risk from violence comes not only from outside the organization but also from threatening behavior among employees or from supervisors. Escalation of violence from verbal to physical is well documented. All too often these increased levels of risk should be matched with stronger compliance risk management and compliance risk assessment policies and procedures within an organization. Maintaining a corporate security awareness attitude among all employees is necessary defense against this risk as well.
Name some other “best practices” associated with a compliance methodology to support proper levels of security within an organization.
- Keep a record of visitors to the facility
- Issue security badges to all employees and contracts
- Issue visitor badges to all others
- Conduct a background check on independent contractors
- Instruct employees to “challenge” anyone not displaying a badge of some type
- Conduct and annual inspection of all locks
- Conduct an annual security inspection with the help of an outside party.
Is having a relationship with one’s neighbors considered part of the business continuity or general security plan?
Having cordial relations with neighbors is always desirable. One way of establishing this type of relationship is by setting up a mutual aid agreement built around evacuation plans. This will assist the continuity potential of your organization to survive a crisis situation. Having a reciprocal agreement that allows the sheltering of employees at an adjacent facility in an emergency promotes both better Life Safety and a close working relationship. Such arrangements also lead to the development of a more resilient community. However, with such mutual agreements also come additional security considerations since your facility may become inundated with non-employees in times of emergency and thus should have a security assessment and evaluation procedure always at the ready to signal cause for alarm if necessary.