At the April 2015 Ready Chesapeake meeting, members of this nonprofit group discussed ways to build business continuity within Annapolis-area communities and created a survey to reach out to other jurisdictions for suggestions. Practitioners (149 public sector, 80 private sector) from 47 U.S. states, Washington, D.C., Canada, and Martinique shared their insights from both the public and private sector perspectives.
Business continuity is important not only for the businesses themselves, but also for the public sector agencies that depend on private sector resources, such as critical infrastructure to maintain continuity of government. As such, there is significant value in bridging the current information gaps that exist between the two sectors. Although public and private sector responders are in agreement on the top answer to each of the survey questions, a closer look reveals some significant discrepancies in the value placed on certain resources.
Resources for Obtaining Business Continuity Information
As shown in Figure 1, the majority of private sector respondents believe that trade associations are the best resource for obtaining business continuity information, with governance agencies as the second highest response at just over one-quarter. Public sector respondents, though, were almost equally divided between these two categories.
This shows that perhaps there is a gap between the value public sector agencies place on their resources and how the target audience (the private sector) perceives these resources. Another interesting observation is the difference in value placed on social media for business continuity information. If the private sector depends on trade associations and governance agencies for critical information, then that is where the public sector focus in distributing such information also should be.
Of course, there is no single solution to such complex issues, and a combination of all of the above is necessary, with some being more effective than others at certain times and under certain circumstances. In any case, though, there needs to be a collaborative continuity effort between the public and private sectors. Some suggestions from respondents for sharing continuity information include:
Annual conferences for both private and public sectors
Direct engagement with businesses
Emergency management/preparedness partnerships
Federal Emergency Management Agency resources
Local Emergency Planning Committees
Local and state government-business informational meetings
Outreach through media
Private sector solution providers
Related business associations
Standards organizations – for example, International Organization for Standardization (ISO)
Workshops for businesses
Each private sector company or organization is different, with different combinations and levels of risks and vulnerabilities, which require continuity of operations documents specific to their needs and requirements. However, direct contact between sectors would go a long way in bridging the information gap and improving business (and government) continuity. One public sector respondent suggested the “use of authorizing federal international agreements as leverage for the private sector to share their successful security methodologies with the federal government.” By sharing best practices and lessons learned among the jurisdictions and sectors, the benefits of collaboration and their resulting fiscal efficiencies and effectiveness can become more apparent.
Engaging Small Business in Continuity Planning
Small businesses are valuable assets that cannot be forgotten within communities. In the second question, survey participants were asked about the best way to engage small business in continuity planning (Figure 2). Again, the public and private sector respondents agreed on the top answer as the Chamber of Commerce and other community-based organizations and the bottom answers as printed and electronic material, but disagreed on other ways to engage the private sector. Private sector respondents reported almost equal weight between community-based organizations and seminars. A much lower percentage on seminars for public sector respondents shows that perhaps it would be beneficial to invest more public sector resources into seminars.
Once again, there is no single silver bullet to reach the small business community. A combination of these and other avenues may be needed to reach the diverse private sector target audience, which may not have knowledge of or access to the full range of resources available. Through direct contact and interaction within the business community, the public sector can help build a stronger culture of preparedness.
Gaps in and/or Barriers to Continuity Planning
Responses from the public and private sector respondents were in agreement with regard to identifying the greatest gaps in and/or barrier to continuity planning for the private sector. The bottom line is that the need for continuity planning is not well understood (Figure 3). Competitive advantage (including trust and legal concerns), emergency plans, risk identification, and insurance requirements and coverage are all topics that must be addressed within the public-private sector communication efforts.
Time, costs – both real and perceived – and complacency were listed by both sectors as barriers to continuity planning. Resource allocation can be particularly challenging in small businesses with few personnel available to create, implement, and regularly update a business continuity plan in addition to the daily responsibilities required to maintain profitability – thus, business continuity in nonemergency operations. In the public sector, having the personnel and time to reach out to the large business community may be difficult. Even the businesses that are aware of the importance may “not place disaster preparedness high on their ‘to do list’,” as stated by one public sector respondent.
Cost is another big concern for businesses. Planning, implementation, training, and insurance are some of the costs associated with business continuity. The long-term benefits for costs – such as hardening assets against cyberintrusion – in the short-term may be difficult to foresee or to explain to stockholders. One public sector respondent suggested that, “To be successful, you must have short-term benefits [e.g., insurance rate drop]. If short-term benefits do not exist, a company will continue to be penny wise and pound stupid.” To justify costs beyond insurance, a cost-risk analysis would be helpful.
Complacency is another gap expressed by respondents from both sectors. “It won’t happen to me.” Or, “The other guy is not doing it, so why should I when I need the resources somewhere else?” Businesses need to be incentivized to invest resources into preparedness. “Many businesses don’t understand some of the basic risks and costs. If they understand the basic risks and costs, some basic support such as planning seminars and best practices can provide significant value,” stated one private sector respondent.
However, perhaps an even bigger incentive came from a respondent in the public sector, who stated that, “The private sector does not understand how ill prepared the public sector is. Or how they need to collaborate before an event.” The public and private sectors need to find common ground in terminology, trust, and communication to ensure overall community resilience. To address the complexities and contingencies related to a disaster, it is important to change the “government interference” mindset into a “government partner” relationship by “identifying and communicating how [continuity of operations] and preparedness (resiliency initiatives writ large) can be used to bolster normal operations and ultimately provide a competitive advantage.”
Overcoming Public-Private Sector Barriers
As one respondent stated, “A few dramatic real-life examples provide more incentives than all the professional [public relations] material available.” Respondents shared methods they have used to overcome some of these barriers. Face-to-face meetings, seminars, and joint trainings have proven to be successful for some public and private sector respondents, whereas others still see many existing barriers. Public sector respondents who have found success did so by:
Identifying small business champions;
Sponsoring training seminars and inviting local resources to participate in planning and emergency response training;
Providing supportive information and messages from top leaders;
Working with individual businesses to develop their own plans;
Creating a private sector portion for the operational area emergency operations center;
Having a government business liaison;
Identifying the gatekeepers in the community and getting them involved in the planning process;
Understanding the needs of the community from the community instead of assuming what the needs are;
Working with InfraGard as well as holding regional meetings in the state with emergency management and homeland security partners;
Gaining executive buy in while working with risk safety and emergency management professionals;
Making preset agreements with companies needed for operations such as mass fatality, hotels for families, refrigerated trucks, etc.;
Using examples of local businesses that have suffered a catastrophic loss without a plan;
Working with organizations to understand how they fit into the continuity of operations plan and how they fit into the entire Continuity of Operations/Continuity of Government concept; and
Engaging and recruiting businesses through the Chambers of Commerce to work on continuity planning and disaster risk reduction projects.
Private sector respondents have found success by:
Participating in Homeland Security Exercise and Evaluation Program (HSEEP) and national-level exercises to identify flaws in existing plans;
Attending and making personal contacts at business continuity seminars and meetings hosted by the Fire Department, Office of Emergency Management, Local Emergency Planning Committee, Association of Contingency Planners, or local Chambers of Commerce;
Offering training to key government officials and leaders;
Reaching out to county emergency responders and engaging them in training to help support onsite teams;
Meeting with offices for personal consultations and explaining insurance and regulatory requirements, as well as identifying risks and competitive advantage;
Embracing the need for a continuity plan, placing vital continuity documents in the hands of key personnel, on web-based-sites, and in paper form in Standard Operating Procedure manuals at several sites;
Understanding the requirements, developing the skills to implement the requirements, and maintaining the program;
Designating a staff person to build the plan and hold everyone else accountable, which took the decision out of management’s hands and created an environment where everyone understood they would be affected;
Teaching emergency management to private sector companies;
Communicating the financial/economic value of preparedness efforts through modeling and simulation tools using actual numbers from business owners;
Including all employees in identifying potential risks, researching other community and area risks, and searching for potential solutions;
Creating a culture of preparedness and hiring smart and experienced people;
Developing public-private partnerships through emergency management associations; and
Realizing the return on investment.
In some cases, public sector respondents expressed frustration with making many outreach efforts, but with little return. “We have not overcome the barrier but we continue to educate small business owners and those organizations that work with small businesses. It may take them 4 or 5 times of hearing the importance before taking even one small step to creating a plan.” However, another public sector respondent offers the following encouragement, “Just keep putting the word out (over and over again, for years) and offering freely available tools and tips. Those who understand the cost benefit will come around eventually.”
Regulations & Laws That Encourage Business Continuity
Depending on the infrastructure and industry involved – as well as local codes, laws, and regulations – the amount of regulations and continuity planning guidance may vary.
Although current laws do not require many private sector businesses to have continuity plans, there are laws, codes, regulations, and programs in place to help promote more resilient private sector operations. These include, but are not limited to:
- Business Continuity Management Systems: Requirements with Guidance for Use (ANSI/ ASIS/BSI BCM.1-2010)
- Consumer Credit Protection Act
- Disaster Resiliency and National Fire Protection Association (NFPA) codes and standards,
- more specifically NFPA 1600
- Federal Communications Commission (FCC) guidelines
- Federal Continuity Directive 1 (FCD 1)
- Federal Continuity Directive 2 (FCD 2)
- Federal Preparedness Circular 65
- FEMA’s Business Continuity Plan
- Foreign Corrupt Practices Act
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Hospital Preparedness Program (HPP)
- IRS Procedure 86-19
- Occupational Safety and Health Standards Laws and Regulations
- Presidential directives including:
- Project 2014-04 Physical Security (CIP 014)
- Public Health Emergency Preparedness (PHEP) cooperative agreements
- Sarbanes-Oxley Act of 2002
- Service Organization Control (SOC) Reports
- Superfund Amendments and Reauthorization Act (SARA) of 1986
- Telecommunications Act of 1996
- The Joint Commission Standards
- The Voluntary Private Sector Preparedness Program – PS-PrepTM and Small Business Preparedness
- U.S. Food and Drug Administration’s Food Safety Modernization Act (FSMA)
- U.S. Securities and Exchange Commission (SEC) laws
With so much at stake, whether they like it or not, the public and private sectors are dependent on each other for building resilient communities. Respondents from both the public and private sector offered the following suggestions for encouraging private sector businesses to develop viable and sustainable continuity plans:
- Ask vendors and suppliers to provide their business continuity plans when they make bids for contracts.
- Develop contractual relationships to build supply chain security.
- “Require continuity of operations planning to be completed as a condition of full insurance coverage and benefits. Less planning results in reduced benefits. More planning results in better benefits and reduced rates.”
- Understand that, although “some laws and regulations are necessary, they do not correct problems. They merely guide private activities in preferred directions. Finding real solutions requires a much better understanding of human nature.”
True business continuity and resilience efforts require more than a simple “check the box” process. It requires collaborative, long-term public-private relationships and communication. Community resilience takes a whole community approach. When disaster strikes, some businesses may not recover. A well-planned business continuity plan, coupled with established public-private relationships, offers an added level of insurance. After all, “No law says you have to stay in business.”
Catherine L. Feinman
Catherine L. Feinman, M.A., joined Domestic Preparedness in January 2010. She has more than 30 years of publishing experience and currently serves as editor of the Domestic Preparedness Journal, DomesticPreparedness.com, and the DPJ Weekly Brief, and works with writers and other contributors to build and create new content that is relevant to the emergency preparedness, response, and recovery communities. She received a bachelor’s degree in international business from the University of Maryland, College Park, and a master’s degree in emergency and disaster management from American Military University.