Archive for June, 2010

Back in 2007, the 9/11 commission established a number of recommendations for the public and private sector that would help both the government and private businesses be prepared for a disaster.   Title IX of the Implementing Recommendations of the 9/11 Commission Act of 2007 (the Act.) directed the Department of Homeland Security (DHS) to develop and implement a voluntary program that would accredit and certificate private businesses have established a program using a set of standard processes that will “enhance nationwide resilience in an all hazards environment”.  This program officially known as “The Voluntary Private Sector Preparedness Accreditation and Certification Program”.  Known as PS-Prep in the business world (which I think is a heck of a lot better than VOPSPAC that sounds more like a drug to reduce upper lip sweat caused by a government initiative), it is similar to the ISO standards many companies embrace to demonstrate to their customers and potential customers an adherence to process and procedure standards designed to maintain and improve quality products and services.

Similar to ISO9000, this program is not mandatory, and does not direct the specific processes and procedures that prepare a business for a disaster.  The program does provide three different standards to be used in establishing the program and measuring the successful implementation for accrediting and certifying the program is in place and in order.  The three standards selected were determined by DHS in June of 2009 after public input to meet the comprehensive needs in the event of a disaster and can be applied to the majority of businesses. 

They are:

  • ASIS International SPC.1-2009 Organizational Resilience: Security Preparedness, and Continuity Management System – Requirements with Guidance for use (2009 Edition). Available at no cost.
  • British Standards Institution 25999 (2007 Edition) – Business Continuity Management.(BS 25999:2006-1 Code of practice for business continuity management and BS 25999: 2007-2 Specification for business continuity management) The British Standards Institution is making both parts available for a reduced fee of $19.99 each.
  • National Fire Protection Association 1600-Standard on Disaster / Emergency Management and Business Continuity Programs, 2007 and 2010 editions. Available at no cost.

Embracing PS-Prep early may be a very good thing for several reasons.

  1. Utilizing the evaluation standards can identify any holes in your business continuity program and help to plug them.
  2. It differentiates you from your competition who are not participating.
  3. The focus on risk management from the board level due to SOX and other factors will be supported.
  4. While not mandatory, it can be a contributing factor in the securing business from government and other businesses during the bid process.
  5. If you do not have a continuity or disaster recovery program, it provides frame work for developing one.

For more information on PS-Prep, visit the FEMA site, or click here.

REPUTATION – while a company is known for the products and services it provides, one of the major reasons a purchase is made is based on the reputation of a company.   A company’s reputation is a wispy thing.  It’s made up of various bits and pieces, the quality of the product, the professionalism of the staff and management team, the contributions to the community, the handling of problems and issues that arise, the “trueness” of the company actions to the marketing image created.    A small mis-step can cause a stock price to fluctuate, and a large one, or several combined can cause a business to cease operations.

The oil situation in the Gulf of Mexico is a prime example of how perceived mishandling of a disaster affects the reputation of a company and the adverse effects it has on that organization.  In April of this year, BP stock was trading near the 52 week high of $62.50 per share.  This morning, the stock was trading below $32.00 and trending downward.  The disaster in the gulf and the subsequent handling of this catastrophic incident is a primary cause for the nearly 50% drop in stock pricing.

When the oil spill first happened,  I viewed it as a “Black Swan” event, an event that is unpredictable, carries a massive impact and after the fact (and in this case, once we get to after the fact) can be explained in a way that makes it less random and more predictable.  However, when I put this thought to a recent meeting of Business Continuity Professionals, an expert in the profession explained that oil company’s and those businesses associated in the industry are well aware of the hazards and risks related to deep oil exploration and would/should have plans in place for these types of events.  From my experience in building continuity programs, plans for irregular events and catastrophic issues are tested and improved through testing and tweaking.  These exercises are designed to help reduce the impact of the situation, and maintain a positive light on the reputation of the organization by showing:

  1. We have designed the process/program/product to be as safe as possible.
  2. In the event of an incident, we understand what is wrong and how to fix it.
  3. We are in control of the situation and are doing everything to return to normal as soon as possible.

A major part of the continuity event is communicating a common message for the organization and making sure all parties of the organization are in line with that message, in other words say what you are going to do, then do it.  If you make a promise, you need to be sure it is kept.  It’s not only important to manage the message and deliverables, but make sure the perception of what is happening is in line with what is actually occurring.

BP has made many positive commitments to the clean up and economic recovery to the individuals and companies that are being affected.  They have promised to promptly pay all authentic claims associated with the oil spill, they have promised to donate the net profits from the recovered oil to wildlife resuce organization, they have promised to pay for all the authentic claims associated with the spill and not be capped by the Government established level of responsibility.  These are all very positive things that would go a long way towards rebuilding the brand and reputation of the company.

It’s important for companies to remember that just saying something doesn’t make it happen.  People remember what was said (or what they thought they heard) and then measure a company against that point. 

Unfortunately it appears that there may be issues in the promise made and the actual delivery.  In a Bnet article posted on June 11th, Kristen Korosec, highlighted an issue with the oil spill claims that have been filed with BP and outsourced to a third party “BP Risk Management Firm is Really Good at Screwing OverOil Spill Claimants“.  The perception among claimants is that the comments Tony Hayward made concerning the claims process and appropriate payment (See Bnet posting) are not being met. 

From a disaster recovery perspective, it is important to monitor these issues and make the course corrections to keep from further eroding the reputation of the organization.  Additionally, I believe BP needs to get ahead of the curve to make sure these continual mis steps (be they perceived or real) stop happening.  Prompt positive action is needed to stop the downward spiral.