Questions? Call us: 1-800-214-7060

Business Continuity

Assessing Business Continuity Preparedness

February 12, 2015 - Kestrel Management

Business Continuity Management (BCM) is moving rapidly up the Boardroom agenda. With the increase of incidents and disasters over the past few years—both natural and man-made—BCM has assumed a much higher profile. Corporate governance requirements and industry standards have insisted that both Board members and Senior Management take BCM seriously. Insurance is also a key driver, with many insurers now insisting that organizations demonstrate that they have reasonable risk reduction measures and a working BCM Program implemented.

Examining the Risks

Organizations must examine all the risks and threats to which they are exposed and consider how best to deal with them should an incident occur. BCM is not concerned with plans and procedures for the everyday things that go wrong; rather, BCM involves managing the significant (and unplanned) incidents that may considerably impact the core activities of the organization, and ensuring response in a planned and rehearsed manner. This encompasses planning; engaging appropriate personnel; writing, accepting, and owning a Business Continuity Plan; and conducting thorough testing—all of which are essential prerequisites of an appropriate response.

Evaluating Readiness

Regardless of the type of threat, the goal of Business Continuity Planning is to ensure the safety of personnel and assets during and after a disaster. With this in mind, one of the first steps in preparing a Business Continuity Plan is to conduct a Business Continuity Assessment to evaluate the “readiness” of the organization’s current BCM efforts. A Business Continuity Assessment is designed to help companies understand the business continuity work that has been done thus far and to identify potential gaps and opportunities to complete/improve, standardize, and document the needed processes.

The ten questions below provide a starting point for organizations to establish where they fall in relation to their BCM readiness:

  1. Does the company have a written Business Continuity Policy and Plan?
  2. Has a Risk/Threat Assessment been performed to identify potential threats to the organization and the likelihood of the occurrence of the threat?
  3. Has a Business Impact Analysis (BIA) been conducted to determine which critical functions and/or operational processes need to be restored in the event of an incident?
  4. Have the critical resources that support critical functions and/or operational processes (i.e., people, supplies, equipment) been identified?
  5. Have alternate office/processing facility(s) where business operations can resume in the event of an onsite incident been identified and documented?
  6. Have specific roles and responsibilities of various recovery teams (e.g., IT, crisis management, critical functions, critical support) been defined in the Business Continuity Plan?
  7. Is there a training plan for new/existing employees regarding the BCM Program to explain roles and responsibilities in the event of a disaster?
  8. Has the process for communicating to employees, customers, suppliers, and the general public in the event of a disaster been defined and documented?
  9. Is the Business Continuity Plan tested on an annual basis (at a minimum)?
  10. Does a third party audit the Business Continuity Plan to determine its effectiveness?

These initial questions will allow a company to get a preliminary idea of the status of their existing BCM efforts. Completing a more detailed Business Continuity Assessment should help in pinpointing specific areas needing improvements. This Assessment then paves the way for creating a robust BCM Program that can help companies to:

  • Identify the human, property, and operational impacts of potential business threats.
  • Evaluate the potential severity of associated risks.
  • Estimate the likelihood of business threats occurring.
  • Create strategies that proactively mitigate the most pressing business threats, take advantage of opportunities that lie ahead, and provide for a more resilient and sustainable future.

 Submitted by: Ted Bleifuss

Business Continuity Planning: Building a Resilient Learning Organization

August 4, 2014 - Kestrel Management

When business is disrupted, the costs can be substantial. Unfortunately, every organization is at risk from potential operational disruptions—natural disasters, fire, sabotage, information technology (IT) viruses, data loss, acts of violence. Recent world events have further challenged organizations to prepare to manage previously unthinkable situations that may threaten the future of the business.

Securing Company Assets

This goes beyond the mere Emergency Response Plan or disaster recovery activities that have been previously implemented. Organizations must now engage in a more comprehensive process to secure their companies’ assets (e.g., people, technology, products, and services). Today’s threats require implementation of an ongoing, interactive process that assures the continuation of the organization’s core business activities and data center(s) before, during, and, most importantly, after a major crisis event.

Creating a Resilient Organization

Business continuity planning helps ensure that companies have the resources and information needed to maintain service, reliability, and resiliency under adverse conditions. While companies can’t plan for everything, they can take steps to understand and effectively manage events that might compromise their products/services, supply chain, quality, security, and future as an organization.

A Business Continuity Plan ensures that all involved parties understand who makes decisions, how the decisions are implemented, and what the roles and responsibilities of participants are when an incident occurs. Through business continuity planning, companies are able to:

  • IDENTIFY the human, property, and operational impacts of potential business threats
  • EVALUATE the potential severity of associated risks
  • ESTIMATE the likelihood of business threats occurring
  • CREATE timelines for restoration and strategies that proactively mitigate the most pressing business threats, take advantage of opportunities that lie ahead, and provide for a more resilient and sustainable future

Systematic Approach

A sound Business Continuity Program relies on a systematic approach to identify and critically evaluate risks/opportunities, as outlined below. This approach broadens the scope of issues beyond mere emergency response and allows companies to budget for and secure the necessary resources to support critical business activities before, during, and after a major crisis event. Ultimately, following this process helps companies to stay in business through a time of crisis.

Business_Continuity

Sustaining Business for the Long Term

Sustainability is about staying in business for the long term, and today, business continuity is key to sustaining business over time. That is because a well-developed and implemented Business Continuity Plan:

  • Keeps employees and the community safe when an incident occurs
  • Protects the organization’s important assets (e.g., people, technology, products, services)
  • Reduces disruption to critical functions in order to limit financial impacts due to loss of product/service
  • Reduces adverse publicity, loss of credibility, and loss of customers
  • Reduces legal liability and regulatory exposure
  • Reduces the risk of losing critical business data (e.g., historical, operational, customer, regulatory compliance)
  • Provides for an orderly and timely recovery by allowing critical decisions to be made in a non-crisis mode
  • Helps companies mitigate risks and focus on the future


*****
Guiding Standards

ISO 22301: Societal Security – Business Continuity Management Systems is specifically designed to help organizations protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise. Like other ISO standards, ISO 22301 applies the Plan-Do-Check-Act/Adjust model to developing, implementing, and continually improving a Business Continuity Management System. Following this internationally recognized standard allows organizations to leverage their existing management systems and ensure consistency with any other ISO management system standards that may already be in place (e.g., ISO 14001 – environment, ISO 9001 – quality, ISO 22000 – food safety).

The American Society for Industrial Security (ASIS) Business Continuity Management System Standard, National Fire Protection Association (NFPA) 1600: Standard on Disaster/Emergency Management and Business Continuity Programs, and Office of the Comptroller of the Currency (OCC) federal banking requirements for business continuity provide further industry-specific guidance on business continuity management.

 Submitted by: Ted Bleifuss

New Report Released: Actions to Improve Chemical Facility Safety and Security

June 17, 2014 - Kestrel Management

On August 1, 2013, President Obama issued Executive Order (EO) 13650, Improving Chemical Safety and Security, to improve the safety and security of chemical facilities and to reduce the risks of hazardous chemicals to facility workers and operators, communities, and responders. That EO brought together a Working Group comprised of representatives from the Environmental Protection Agency, Department of Labor, Department of Homeland Security, Department of Justice, Department of Agriculture, and Department of Transportation. Over the past 10 months, the Chemical Facility Safety and Security Working Group has been working to reduce the risks associated with the handling and storage of chemicals.

On June 6, 2014, that Working Group released its status report, Actions to Improve Chemical Facility Safety and Security—A Shared Commitment, to summarize the Group’s progress and short- and long-term priority actions. A thorough analysis of the current operating environment, existing regulatory programs, and stakeholder feedback resulted in immediate actions and a consolidated Federal Action Plan to further minimize risks in five specific thematic areas:

  • Strengthen community planning and preparedness
  • Enhance federal operational coordination
  • Improve data management
  • Modernize policies and regulation
  • Incorporate stakeholder feedback and develop best practices

The report describes many activities undertaken to improve chemical facility safety and security. It also makes it clear that much additional work is necessary to implement the action plan moving forward.

Strengthening Community Planning and Preparedness

Communities need to know where hazardous chemicals are used and stored, how to assess the risks associated with those chemicals, and how to ensure community preparedness for incidents that may occur.

Actions Taken

Future Actions

  • DHS and EPA engaged with LEPCs and first responders to identify and discuss potential methods to increase first responder preparedness and share lessons learned.
  • EPA continued to upgrade its Computer-Aided Management of Emergency Operations (CAMEO) suite to provide more useful/accurate information.
  • FEMA educated state administrative agencies on how the Homeland Security Grant Program allows planning and preparedness training for chemical incidents.
  • Strengthen SERCs, TERCs, LEPCs, and TEPCs.
  • Improve first responder and emergency management preparedness and response training.
  • Identify and coordinate resources for SERCs, TERCs, LEPCs, and TEPCs to sustain planning and response efforts.
  • Expand tools to assist SERCs, TERCs, LEPCs, and TEPCs in collecting, storing, and using chemical facility information.
  • Enhance awareness and increase information sharing with communities around chemical facilities.

Enhancing Federal Operational Coordination

The chemical community is comprised of many stakeholders. Communicating and coordinating across this diverse landscape requires an integrated effort to ensure activities are executed effectively and efficiently.

Actions Taken

Future Actions

  • The Working Group initiated a pilot project, bringing together federal, state, and local agencies to confirm lessons learned, collect best practices, inform other initiatives under EO 13650, and develop solutions to address safety and security challenges.
  • The Working Group engaged the CSB to identify possible updates to existing MOUs with EPA, OSHA, and the Bureau of Alcohol, Tobacco, Firearms, and Explosives.
  • Coordinate EO implementation activities.
  • Establish SOPs for federal coordination at the national and regional levels.
  • Cross-train federal chemical facility safety and security field personnel to provide awareness of related regulatory programs.

Improving Data

The EO charged the agencies with developing a coordinated, flexible data-sharing process to address the need to optimize available information. Currently, there is no chemical security and safety data clearinghouse that contains all of the data points germane to all federal agency regulations.

Actions Taken

Future Actions

  • EPA updated its Substance Registry Service (SRS) and Facility Registry Service (FRS) to include relevant OSHA PSM and EHS CFATS data.
  • The Working Group is engaged in data sharing across regulatory programs to help locate potential non-compliant facilities by identifying facilities that had registered with one program but not the other.
  • EPA Region 8 tested a new Emergency Response (ER) Planner system that aggregates chemical facility and infrastructure and displays it on a GIS application.
  • DHS worked with all state Homeland Security Advisors to show them how to access information on CFATS facilities.
  • DHS engaged trade associations to foster outreach to potentially non-compliant facilities that have not been engaged in the past.
  • Establish a dedicated cross-agency team of experts to standardize data and develop a common facility identifier.
  • Aggregate data from across the federal agencies and establish a single web-based interface for data collection.
  • Improve information tools for regulated chemicals.

Modernizing Policies and Regulations

EO 13650 directs the Working Group to modernize key policies, regulations, and standards. The Group has reviewed existing programs, recommendations from the safety and security communities, feedback from the EO listening sessions, and investigative reports from major incidents.

Actions Taken

Future Actions

  • The Working Group published a solicitation of public input on options for policy, regulation, and standards modernization.
  • OSHA published an RFI on the PSM standard and other related chemical standards to determine, among other things, whether these standards can be expanded to address additional regulated substances/types of hazards.
  • The Working Group agencies developed and disseminated various guidance materials across federal program areas to inform and support communities.
  • EPA expanded its inspector training curriculum to include advanced process safety training courses.
  • DHS conducted over 100 compliance assistance visits to assist CFATS-regulated facilities in meeting risk-based security standards.
  • Modernize OSHA’s PSM standard to improve safety and enforcement.
  • Modernize EPA’s RMP regulation.
  • Enhance ammonium nitrate safety and security.
  • Promote safety technology and alternatives.
  • Build a stronger CFATS program.
  • Develop guidance and outreach programs.
  • Work with states to improve Safe Drinking Water Act measures.
  • Work with Congress to strengthen and increase OSHA monetary and criminal penalties.
  • Work with Congress to pursue statutory amendment to the Safe Explosives Act.
  • Improve process for notification of stored explosives to fire authorities.

Incorporating Stakeholder Feedback and Developing Best Practices

To gather the concerns of stakeholders, establish best practices, and collect lessons learned from a broad spectrum of stakeholders, the Working Group organized listening sessions across the nation.

Actions Taken

Future Actions

  • The Working Group solicited feedback via listening sessions, Webinars, meetings with stakeholder groups, attending stakeholder conferences, collecting information from public dockets, and engaging nearly 1,800 participants.
  • The Working Group launched an online repository for stakeholders involved with chemical facility safety and security can submit and access best practices.
  • Continue to solicit stakeholder feedback and conduct regular outreach as actions in the report are pursued.
  • Capture and share best practices with all stakeholders.

Blueprint for Action

Ultimately, the goal of these actions is to realize improved coordination structures, enhanced information sharing technologies/mechanisms, updated/streamlined regulations, and more effective enforcement. The Working Group will continue to build upon previous efforts and put in place actions that will help minimize the occurrence of incidents, reduce their severity, and enhance the ability to respond. Many of these actions will be instituted in the next year and will continue well into the future as the industry evolves.

Stakeholders are encouraged to contribute to the ongoing dialog via the Chemical Facility Safety and Security online best practices forum at https://www.llis.dhs.gov/topics/chemical-facility-safety-and-security.

You can download the complete report at https://www.osha.gov/chemicalexecutiveorder/final_chemical_eo_status_report.pdf


Sustainability Presents Big Potential for Metalcasters

May 20, 2014 - Kestrel Management

In the May 2014 issue of Modern Casting, Kestrel Senior Consultant Sarah Burton talks about how metalcasters can tell their own story when it comes to business sustainability. Check out the article on page 15.

Submitted by: Sarah Burton

Crisis Management Planning Provides Broad Business Benefits

April 9, 2014 - Kestrel Management

Recently, Kestrel teamed up with the North American Die Casters Association (NADCA) to assess crisis management in the die casting industry. For comparison, several die casting manufacturing locations were reviewed to assess crisis management planning and prevention and related loss prevention planning and strategy. The focused case study that revealed less than sixteen percent of companies in high-risk industries has a formal crisis management plan.

OSHA Compliance & Worker Safety

OSHA compliance and worker life safety provide an important element to crisis management planning and prevention. When accidents happen without crisis management plans, prioritization goes from the organization to the moment, which is where mistakes in planning and response occur. In order to help companies better prepare for crisis planning and reduce life safety risk, OSHA-compliant procedures are an important prerequisite.

Eliminating Reactionary Decision Making

The case study assessment of loss prevention plans and strategies to compliment the crisis management area provided a broader understanding of enterprise risk factors and improvements. Industry experts recommend taking a holistic approach to addressing these areas, as one level of planning and prevention supports the other. Independently, solid programs will only provide mutually exclusive benefits; when combined, they serve to protect the overall viability of the company, employees, and the public.

The goal of planning is to prioritize these factors well before a crisis event may occur and to provide a formal means for accomplishing this. Prioritizing well before there is a crisis eliminates reactionary decision making. This way, if and when a crisis occurs, it can be dealt with in a more organized way with a well-organized, 48-hour plan broken down into logical and executable steps. A well-organized process should provide an outline of everything a company would need to do (including the areas of federal and state compliances) in a scripted and orchestrated timeline.

Benefits of a Well-Developed Plan

The case study looked at companies with well-developed crisis management plans supported by up-to-date OSHA programs and found that the level of accidents, incidents, and worker’s compensation costs were significantly lower than those companies operating without crisis management plans. In this comparison, accident/incident levels were less than 10% for a company with a formal crisis management plan compared to companies without a plan. Workers’ compensation costs were less than 25% for the company with the plan.

Prevention and planning leads to lower risk potential, lower insurance costs, a better workers’ compensation experience, and sustained overall benefits.

Developing a Crisis Management Plan

To achieve these benefits and establish a well-founded crisis management plan, companies need to assess prerequisite prevention safety and health programs required by OSHA and a formal loss prevention practice. The ultimate goal is enterprise risk management and business value protection.

The following provides a list of some key elements of a well-developed crisis management plan:

  1. Crisis management planning, program participation, implementation, and plan maintenance/update responsibility at various levels of the company management team
  2. Completion of crisis management prerequisite program development, including life safety, OSHA accident prevention, and emergency response
  3. Development and implementation of crisis management and business continuity plans based on the ISO 9001, National Fire Prevention Association (NFPA), and ASIS standards
  4. Incorporation of the seven key steps, including threat assessment, business impact, emergency response, business recovery, crisis management training, plan evaluations, and plan maintenance
  5. Definition and planning of disaster scenarios, including tornado/severe weather, flood, hurricane/storm surge, earthquake, snow and ice event, fire onsite, fire offsite, lightning, chemical emergency, terrorist acts, explosion or transportation accidents (plane, rail, trucking/automobile), etc.
  6. Consideration of business process functions, including assessments for manufacturing/equipment, raw materials, product inventory, logistics, information technology, finance, customer information, safety, environmental releases and utilities
  7. Prioritization to rate and rank incidents and for management to determine mitigation plans and criteria as part of a crisis management plan
  8. Breakdown of business recovery with established goals every two hours and specific time-phased goals (e.g., two hours, six hours) for at least a 48-hour period through the crisis mitigation and beyond
  9. Training for all potential disaster situations, including employee response and goals
  10. Consistently established crisis management plan audits, evaluations, verifications, trials and drills
  11. Corrective and preventative action (CAPA) implementation and plan maintenance update on a prescribed schedule of at least annually
  12. Drills and communication, including specific event communication and disaster communication to the general public, customers, and the marketplace
  13. Continuous Improvement through a required Plan-Do-Check-Act cycle to ensure a well-established program is kept up-to-date and current

 Submitted by: Randy Block

The Importance of Exercises to Effective Incident Response

January 9, 2014 - Kestrel Management

Effective incident response is all about preparedness. The management guidance created through the Incident Command System (ICS), Incident Action Plans, Business Continuity Plans, and Emergency Response and Preparedness Plans are all fundamental elements of planning and preparedness. Training on the Incident Command System (ICS) and related plans, then, ensures that participants understand their roles and responsibilities.

Exercises take preparedness one step further by providing a safe alternative to “work the plan,” practice the response before an Exercises_graphicincident occurs, document strengths, and identify areas of improvement in the incident response process.

What Are Exercises?

Exercises provide the opportunity to work through a set of emergency conditions in a learning environment, where the emphasis is on the decision-making process. There is no right answer when conducting an exercise; rather, exercises offer participants hands-on practice when it comes to handling incidents and help evaluate whether incident response procedures operate as intended based on the objectives established for the incident.

There are several types of exercises—tabletop, enhanced tabletop, drill, functional, full-scale. Terminology differs, as does the definition of what each of these types of exercises entails. Some tabletop exercises are simply facilitated, discussion-based activities, where personnel meet to discuss roles, responsibilities, coordination, and decision-making of a given scenario. More enhanced, functional exercises involve a coordinated response to an emergency situation in a time-pressured, realistic simulation that involves several businesses and agencies.

All exercises are essentially a focused practice activity that places participants in a simulated situation, requiring them to function in the capacity that would be expected in a real event. And while exercises vary in complexity and level of effort, the basic goals remain the same:

  • Promote preparedness by testing policies and plans and by training personnel
  • Elicit constructive discussion as participants examine and resolve problems based on existing operational plans and identify where those plans need to be refined
  • Improve the coordination, integration, and interaction of a businesses or organization’s policies, procedures, roles and responsibilities before, during, or after simulated events

Evaluating Results

Evaluation is the cornerstone of an exercise. It is critical to leveraging the outcomes of the exercise and ensuring the overall success of the incident response program. Effective evaluation assesses performance against exercise objectives, documents strengths, and identifies areas for improvement in the incident response process.

Participants should be actively engaged in debriefings to discuss key outcomes and observations for things that worked well and things that could be improved throughout the exercise. The corrective actions identified during individual exercises must then be tracked to completion to ensure that lessons learned are incorporated into future incident response efforts.

Benefits of Exercises

Many successful responses to emergencies over the years have demonstrated that exercising pays huge dividends when an emergency occurs:

  • A well-designed exercise provides a low-risk environment to validate plans, test capabilities/new ideas, explore new technology, and familiarize personnel with roles and responsibilities.
  • Participants get to meet counterparts from different businesses/organizations/agencies, foster meaningful interaction, and form relationships before having to work together in an emergency situation.
  • Businesses/Organizations/Agencies have the time to take corrective actions that will improve plans, build and sustain capabilities, and maintain readiness for a potential incident.
  • An effective exercise program maximizes efficiency, resources, time, and funding by helping the organization to build, sustain, and deliver core incident response capabilities.
  • Exercises create an appreciation for the roles and management process of the Incident Command System (ICS) and how it functions in practice.

Your Incident Command System (ICS) and Business Continuity Resource

Kestrel’s core team comprises senior consultants with extensive EHS, quality management, operational risk management, and emergency response experience. We add to that expertise an industry leader with hands-on experience developing and establishing the Incident Command System (ICS), serving as an Incident Commander, instructing the complete Incident Command System (ICS) training coursework, and facilitating incident response exercises.

Our team can help you develop the systems and plans you need to effectively manage your business risks–no matter the size or complexity. For more information, contact us at 608-226-0531.

 Submitted by: Tom Kunes

Aligning the Incident Command System with Existing Business Management Systems

December 12, 2013 - Kestrel Management

Many companies are becoming more familiar with aligning management systems for quality, environment, health & safety, and food safety. An aligned management system brings together all of a company’s existing systems into one management structure, allowing businesses to efficiently and effectively improve performance, satisfy regulatory requirements, and reach organizational objectives.

The Incident Command System (ICS), a nationally and internationally recognized and standardized process of leadership and management of incident response, can—and should—also be part of an aligned business management system.

Leveraging Common Elements

The Incident Command System contains a number of elements in common with emergency plan requirements for the various management system standards (i.e., ISO 9001, ISO 14001, OHSAS 18001, FSSC 22000)—from assessing risks and defining roles and responsibilities, to establishing specific operating controls, to communicating and conducting ongoing training. It is in the company’s best interest to align its contingency plans with these common elements, rather than establish independent plans that may have conflicting responses. Having alignment creates consistency and improves overall reliability, no matter the area.

There are two primary components of emergency response that are enhanced by the Incident Command System (ICS): 1.) emergency preparedness and planning, and 2.) business continuity planning. These components relate directly to many other management system requirements.

Emergency Response

When it comes to emergency response, environmental, health & safety, food safety, and even quality management standards and applicable regulations require some level of emergency planning. For example, the Clean Air Act requires Risk Management Plans (RMP) for organizations that handle threshold quantities of hazardous materials; one of the 14 elements of OSHA’s Process Safety Management (PSM) regulation is emergency planning and response; and food safety standards (e.g., FSSC 22000, BRC, SQF) require recall contingency planning.

Business Continuity Plan

The business continuity plan focuses on how to stay in business after an incident. Quality management standards under ISO 9001 emphasize processes and procedures for maintaining equipment, facilities, and suppliers during normal operations, but also through the incident response, stabilization, and restoration cycle. The U.S. EPA further has many restoration and remediation guidelines and requirements to factor into business continuity planning.

Overlapping Responsibilities

A large part of the Incident Command System involves defining roles and responsibilities and making sure that they are maintained through adequate training. Similarly, other management systems rely on defining roles and responsibilities to ensure the reliability of the system. Overlapping roles need to be consistent across the different systems. In addition, OHSAS 18001 and ISO 14001 both have communication and training requirements that are consistent with those in the Incident Command System. Annual training plans should align and harmonize all required training, whether for the Incident Command System, health & safety, environmental compliance, or quality management.

Advantages of Alignment

A management system provides the framework that enables companies to achieve their operational and business objectives. Reliable and effective regulatory compliance is commonly an outcome of consistent implementation of an aligned management system.

An aligned system must still conform to the requirements of the individual standards in order to maintain a high level of credibility and effectiveness. But a truly aligned system is able to take advantage of the elements of the standards that are similar or the same. It then becomes a matter of making the system continually better. This not only reduces the effort and costs of conforming to applicable standards, it helps companies align objectives to improve the reliability of their management systems.

Your Business Continuity & Incident Command System (ICS) Resource

Kestrel’s core team comprises senior consultants with extensive EHS, quality management, operational risk management, and emergency response experience. We add to that expertise an industry leader with hands-on experience developing and establishing the Incident Command System, serving as an Incident Commander, and instructing the complete Incident Command System training coursework.

Our team can help you develop the systems and plans you need to effectively manage your business risks–no matter the size or complexity. For more information, contact us at 608-226-0531.

Submitted by: Tom Kunes

Scaling the Incident Command System to Other Business Needs

November 14, 2013 - Kestrel Management

The Incident Command System (ICS) is a nationally recognized process of leadership and management of incident response for all emergency response situations. Beyond emergency management, the Incident Command System also provides an effective organization structure for efficiently managing internal projects and events, such as merger and acquisition integration and operational expansion.

Applying ICS to Acquisition Integration

Let’s take acquisition integration as an example. Acquisitions are complex and impact every aspect of the business—financial, human resources, operations, logistics, marketing, risk management.

The pre-acquisition phase includes a large amount of due diligence and analysis to ensure that that acquisition candidate is a good fit. This includes reviewing environmental liabilities and compliance, financial statements, cost structure and claims, customer relationships, intellectual property, equipment, cultural compatibility, staff/management team, and quality and risk management processes. This pre-acquisition due diligence is critical to a successful acquisition.

Just as critical, however, is the post-acquisition integration work that must be done. Post-acquisition integration must be actively planned, managed, and guided. The Incident Command System creates a framework for doing just that.

Post-acquisition integration is the time to harvest the opportunities and benefits that stem from the acquisition. Many organizations create a plan for integration, but that plan is often static and not updated to reflect the ongoing integration needs.

By definition, the Incident Command System is not a static process. The Incident Command System is all about:

  • Clear definition of roles, responsibilities, and functions
  • The ongoing planning and re-planning process

Both are critical components of an integration plan and an acquisition’s overall success.

Active Management

Under the Incident Command System, one of the first steps in the integration process is to appoint an Incident Commander (i.e., integration manager), who is charged with actively managing the integration. This individual is not necessarily the person who “signs the deal,” but rather an individual who understands all facets of the integration and can bring departments and individuals together to create a smooth transition.

The Incident Management Team (i.e., integration team) is appointed and has clearly defined responsibilities under the Incident Command System framework to carry out in support of the acquisition. Team members may include individuals from the following departments:

  • Human resources
  • Logistics
  • Finance
  • Risk management
  • Operations
  • Communications

Dynamic Plan

As in an emergency response situation, the Incident Management Team develops an Incident Action Plan (integration plan) for a certain operational period that clearly defines objectives and actions to be taken. At the end of the operational period, the team creates a briefing summary report to track what has been accomplished and what needs to be updated in the plan for the next operational period. This is an ongoing cycle that continues throughout the integration period, which can last from several weeks to several years, depending on the magnitude of the acquisition. Following the Incident Command System approach adds ongoing life and dynamism to the integration process and helps ensure its ongoing success.

It is this active management, ongoing review, and continual updating that makes the Incident Command System such an effective tool for managing both incidents and internal projects.

Your Business Continuity & Incident Command System (ICS) Resource

Kestrel’s core team comprises senior consultants with extensive EHS, quality management, operational risk management, and emergency response experience. We add to that expertise an industry leader with hands-on experience developing and establishing the Incident Command System, serving as an Incident Commander, and instructing the complete Incident Command System training coursework.

Our team can help you develop the systems and plans you need to effectively manage your business risks–no matter the size or complexity. For more information, contact us at 608-226-0531.

Submitted by: Tom Kunes

Taking Charge when Incidents Occur

October 16, 2013 - Kestrel Management

Who is in charge when your Business Continuity Plan is activated?

If your company has an internal emergency, does your Business Continuity Plan state who is in charge? If emergency responders (e.g., police, fire) arrive to assist, then who is in charge? When the responders leave and your company is now working with the insurance company, who takes the reins? Once the insurance company leaves and you are repairing the damages, who is leading the efforts?

During all of these response phases—starting with your company’s initial response, to mitigating life safety issues, to returning your business to normal operations—someone needs to be “in charge.”

Taking Command under the Incident Command System (ICS)

The Incident Command System (ICS) defines that a person is established as the Incident Commander from the beginning until the end of an incident. This is so important to effectively managing an incident that three of the thirteen essential principles of the Incident Command System deal with command issues as to who is in charge.

Principle 1. Establishment of Command must be clearly defined from the beginning of an incident. The Business Continuity Plan must establish who will be in charge when an incident occurs and what authority they have to manage the incident. When command is transferred, the process must capture essential information for continuing safe and effective operations.

Principle 2. Chain of Command is established to clearly state the reporting relationships of the personnel working on the incident management team and to eliminate confusion caused by conflicting directives. Chain of command refers to the orderly line of authority within the incident management team. Following the chain of command ensures that every individual has a designated supervisor to report to at the scene of the incident.

Principle 3. Unified Command allows internal company personnel, personnel outside the company (e.g., insurance company), and government agencies (e.g., police and fire) with different legal, geographic, and functional responsibilities to effectively work together without affecting individual agency authority, responsibility, or accountability in incidents involving multiple jurisdictions or agencies.

Because of the different players that have responsibility for managing an incident, the unified command principle should be used from the beginning of the incident until the company has fully recovered and is able to meet customers’ needs. Here’s how it works:

  • When a company has an incident, it establishes command through an Incident Commander based on the Business Continuity Plan. If needed, the company Incident Commander can activate other positions on the incident management team to manage tasks. Further, the Incident Commander may pull in existing company personnel (e.g., planning, logistics, finance, EHS, operations & maintenance, purchasing, public relations, customer service) and leverage staff skill sets to perform similar duties as defined by the Incident Command System’s eight Command and General Staff positions. For example, the company public relations manager would take on the responsibilities of the Incident Command System Information Officer; the company production manager would take on the responsibilities of the Operations Section Chief.
  • If the incident goes beyond the company’s capabilities to necessitate assistance from police, fire, etc., the public responders should be brought into a unified command setting to work together on the incident.
  • When the first responders leave, the unified command then includes the company and the insurance company representative until the claim is satisfied.
  • Once the insurance claim is addressed, unified command brings in other contractors until the company has returned to normal operations and is able to meet customer needs.

Following the above principles of the Incident Command System to make sure that the right person is in charge throughout an incident will help ensure that the incident is resolved as efficiently and effectively as possible so the company can get back to business as usual.

Your Business Continuity & Incident Command System Resource

Kestrel’s core team comprises senior consultants with extensive EHS, quality management, operational risk management, and emergency response experience. We add to that expertise an industry leader with hands-on experience developing and establishing the Incident Command System, serving as an Incident Commander, and instructing the complete Incident Command System training coursework.

Our team can help you develop the systems and plans you need to effectively manage your business risks–no matter the size or complexity. For more information, contact us at 608-226-0531.

Submitted by: Tom Kunes

Creating an Incident Action Plan

October 3, 2013 - Kestrel Management

What is an Incident Action Plan (IAP), as defined in the Incident Command System (ICS)? How is the IAP incorporated into a company’s existing Emergency Action and Response Plan?

In most cases, a company’s Emergency Action and Response Plan (which is part of the Business Continuity of Operations Plan) references a planned response that the company team follows to manage defined targeted events. The purpose of the IAP is to establish objectives (priorities), define response strategies and tactics, and to articulate what is to be accomplished within a defined period of time (i.e., operational period) to manage targeted incidents/events.

Generally speaking, personnel that will be implementing some of the IAP may have never been to the area where the event is occurring. These individuals often provide relief to the initial response personnel so work can continue in the future. The IAP briefs incoming personnel on their roles, assignments/responsibilities, and supervisor for the operational period so they understand what is expected of them to help meet incident goals and objectives.

The Planning Section

In smaller events, the Incident Commander is responsible for planning. He/she will follow what the company has established in its Emergency Action and Response Plan, which identifies those events that may necessitate a company response.

When the incident escalates beyond what the Emergency Action and Response Plan has identified as the initial response to the event, the Incident Commander establishes the company Incident Management Team, which includes a Planning Section. The Planning Section is then responsible for creating the IAP for the Team. The Incident Commander makes the final determination regarding which Incident Command System (ICS) forms, documents, and attachments will be included in the IAP.

Incident Action Plan Components

Even though the IAP is considered a “plan,” it is actually a consolidated document designed to provide guidance on how to manage the event/incident. The written IAP consists of a series of five to seven standard Incident Command System (ICS) forms and supporting documents that convey the Incident Commander’s intent for accomplishing the planned objectives for the defined operational period for the event or incident.

 The IAP is made up of the following sections:

  • IAP Cover Sheet: Provides a quick overview of the contents of the IAP and serves as a checklist to indicate which forms and supporting documentsIAP_Image are part of the IAP
  • Incident Objectives – ICS 202: Describes the basic strategy and objectives for use during each operational period
  • Organization – ICS 203: Provides information on the response organization and personnel staffing
  • Assignment List – ICS 204: Informs personnel of their assignments after the Incident Command/Unified Command approves the objectives for the event/incident
  • Incident Communications Plan – ICS 205: Provides information on the assignments for all radio/phone communications equipment for each operational period for the Command and General Staff functions down to the Division/Group level in the Operations Section
  • Medical Plan – ICS 206: Provides information on incident medical aid stations, transportation services, hospitals, and medical emergency procedures for the personnel working on the event/incident
  • Incident Organization Chart – ICS 207: Provides a chart depicting the ICS organization position assignments for the event/incident
  • Safety Messages, Maps, Forecasts (not ICS forms): Provides additional supporting guidance to personnel staffing the event/incident

Because incident parameters evolve, IAPs must be revised on a regular basis (at least once per operational period) to maintain consistent, up-to-date guidance across the Incident Command System.

Your Business Continuity & Incident Command System (ICS) Resource

Kestrel’s core team comprises senior consultants with extensive EHS, quality management, operational risk management, and emergency response experience. We add to that expertise an industry leader with hands-on experience developing and establishing the Incident Command System, serving as an Incident Commander, and instructing the complete Incident Command System training coursework.

Our team can help you develop the systems and plans you need to effectively manage your business risks–no matter the size or complexity. For more information, contact us at 608-226-0531.

Submitted by: Tom Kunes

Insights & Updates

  • Categories

  • Archives