Positing* Business Continuity as a Strategic Initiative [Nov 18 06]--For the vast majority of business continuity professionals the process of defining business continuity has largely focused on analysis (Business Impact Assessment), Plan development, Plan Validation (testing) and Plan maintenance. This is a familiar cycle that we all have used for services that our clients have requested. This article is designed to provide some ideas that will provoke an exchange amongst peers, some conceptualizations based on the evolution of enterprise risk management and some thought leadership (this hopefully will be the end result) regarding where we need to focus business continuity.

My basic argument expressed herein, is quite simple; “If we as continuity planners, claim to address business continuity, shouldn’t the plans we have created be comprehensive enough to ensure the survival of the business that is implementing the plan?” If the answer is “well, we already have “all hazards” plans”; then I am concerned that we as practitioners are missing some critical aspects of business continuity planning. If we have created plans that we claim are “business continuity plans”, “all hazards plans”, and plans that ensure operational resilience, are we confident that these plans will actually accomplish their intended objective? Or, have we only partially address the spectrum of planning that is required for assurance of full continuity? Are we assuring our clients, our companies the comparative advantage that they need to survive a disruptive event of crisis proportions?

As you reflect on this question and the generous amount of information on the subject of continuity planning that is available, you should begin to note that the vast majority of the articles and information is oriented toward a tactical approach/framework for continuity. We conduct Business Impact Assessments (BIA) to determine “mission critical” assets, however, with the event of H5N1 (Avian influenza) we suddenly hear from many practitioners that we must now include the “human assets” as part of our assessment and planning effort. Did we miss something over the years of touting business continuity as a corporate necessity? Perhaps human assets not part of the equation when we did our BIA and listed all those mission critical assets?

Three legal constructs should become part of every business continuity practitioner’s vocabulary.

 The first is, “Constructive Knowledge” and is defined in Black’s Law dictionary thus: If one by the exercise of reasonable care would have known a fact, he is deemed to have constructive knowledge of such fact; e.g. matters of public record.

 The second is, “Constructive Notice” defined in Black’s as: “Such notice as implied or imputed by law, as in the case of notice of documents which have been recorded with the appropriate registry of deeds or probate. Notice with which a person is charged by reason of the notorious nature of thing to be noticed, as contrasted with the actual notice of such thing.”

 Third, is “Negligence” defined in Black’s as: “The omission to do something which a reasonable man, guided by those ordinary considerations which ordinarily regulate human affairs, would do, or the doing of something which a reasonable and prudent man would not do.”

These three legal constructs will play a critical role in the argument that I am about to put forth on business continuity strategy and why I feel that it is imperative that the business continuity profession develop a strategic vision that embraces the concept of comparative advantage as it can be applied to the continuity of business; in addition to the tactical approach to continuity planning that we have fostered since the evolution and melding of disaster recovery, emergency response and crisis management. Today when there is a discussion of the business impact of an event, the orientation is focused on the response to the event, a tactical approach. We need to begin to think strategically. As an example, here is a very simple point of fact: we are not going to be able to stop a pandemic from occurring. Applying a first responder model to a pandemic situation that could last 500 – 800 days could be devastating for any organization.

As you read the next paragraph, you may start wondering to yourself, has the writer gone off the deep end? What does the concept and theory of comparative advantage have to do with business continuity? Bear with me and I will explain.

Comparative advantage was first described by Robert Torrens in 1815 in an essay on the corn trade. He concluded that it was to England's advantage to trade various goods with Poland in return for corn, even though it might be possible to produce that corn more cheaply in England than Poland. However, the theory is usually attributed to David Ricardo who created a systematic explanation in his 1817 book The Principles of Political Economy and Taxation using an example involving England and Portugal. In Portugal it is possible to produce both wine and cloth with less work than it takes in England. However, the relative costs of producing those two goods are different in the two countries. In England it is very hard to produce wine, and only moderately difficult to produce cloth. In Portugal both are easy to produce. Therefore, while it is cheaper to produce cloth in Portugal than England, it is cheaper still for Portugal to produce excess wine, and trade that for English cloth. Conversely, England benefits from this trade because its cost for producing cloth has not changed but it can now get wine at closer to the cost of cloth.

What does this have to do with business continuity? Simply put, everything. We as continuity planners should be seeking opportunities and options for our companies, clients and practice to ensure the continuum of operations that today’s modern business is involved in. We cannot afford to silo the efforts of business impact analysis (BIA), continuity plans, training, drills and exercises into a narrowly defined perspective that focuses on systems continuity.

Figure 1, entitled, “Positing Business Continuity as a Strategic Initiative” provides some perspective on the breadth that continuity planning must address in order to truly integrate the three levels (tactical, grand tactical, strategic) where our practice should focus.
 

Business Continuity Planning: A Strategic Tool

In today’s demanding business environment Senior Management needs tools that will help it with strategic issues that will define and ultimately protect their markets.  Business Continuity can be that strategic tool.  As a former strategic planner for a corporation told me, “we did not have IT at our strategic planning meeting every year.  It was at that meeting that we outlined new strategies and reviewed the effectiveness of existing strategies given the changes that regularly and rapidly occur in markets, competitive products and international competitors.” 

In the normal cycle of business continuity plan development we accomplish, through the Business Impact Assessment, an identification of “Mission Critical Assets”.  Generally these are in the form of systems and applications that are considered essential.  Figure 2, entitled, “Miss-Assessed?” highlights the general BIA areas of assessment.  Please note all the areas that are not highlighted!  Assets are only useful when intellect is applied.  For example, all the information about a company’s financial assets is only useful if one has the intellect to apply that information in such a manner as to benefit the user.  It was posited at a recent presentation, “Would you rather have $500 or a 256 meg thumb-drive?”  Initial reactive responses were “I’ll take the $500.”  With some thought, many answered the question, “Well it depends on what is on the thumb-drive.”  My perspective is this; it does not matter what is on the thumb-drive unless you can use it to your benefit.  
 

Developing a strategic plan for a company will focus on all the areas in figures 1 and 2, so if business continuity planning is supposed to ensure the resilience of the business, why do we not include in the business impact assessment these other areas to any great degree? 

That is “Business Continuity”

Speed, intangibles and connectivity, according to the authors of “Blur” published in March 1998, were going to be the driving force in the economy beyond 2000.  Speed, is the first critical characteristic.  Our highly mobile society operates at greater speed, allowing us to conduct business worldwide.  Speed also impacts an organization’s ability to develop, implement and manage strategic initiatives.  So if we are basing our business continuity plan on an incomplete or limited analysis of the business can we expect it to be valid?

Connectivity is the second critical characteristic.  Supply chains, outsourcing, etc. are interdependent systems (utilities for example).  We in the United States import more of our daily necessities that we produce domestically.

The third critical characteristic is Intangibles.  Today’s business environment is the product of thousands of years of forces acting on it.  The worldwide economy.  In economics, arbitrage is the practice of taking advantage of a state of imbalance between two or more markets: a combination of matching deals are struck that capitalize upon the imbalance, the profit being the difference between the market prices.  Why not take advantage of imbalance – a crisis – as an essential element of your business continuity strategy?  Companies regularly invest their capital in the markets.  Shouldn’t part of the BIA, the plan and the implementation of the plan during a crisis involve strategically directed investing (hedging, derivatives, arbitrage, etc.) as a part of the business continuity toolbox?  Strategic investing, Options, Arbitrage, Short-Selling, Derivatives, etc. have long been part of the CFO’s risk management conceptual framework.

Let us look at the business continuity cycle and reflect on how the three legal constructs relate and potentially impact current business continuity practices.

q      The first is, “Constructive Knowledge” and is defined in Black’s Law dictionary thus: If one by the exercise of reasonable care would have known a fact, he is deemed to have constructive knowledge of such fact; e.g. matters of public record.

When we do a BIA have we not created a roadmap of constructive knowledge?  We identify “Mission Critical” assets.  We diligently produce volumes of planning material to support how we are going to protect these “Mission Critical” assets.  Why have we not developed sophisticated strategies for investing during a crisis?  Perhaps it is because we have not truly identified “Mission Critical” assets, even though we have constructive knowledge by the exercise of reasonable care (due diligence) in our BIA and planning efforts. 

q      The second is, “Constructive Notice” defined in Black’s as: “Such notice as implied or imputed by law, as in the case of notice of documents which have been recorded with the appropriate registry of deeds or probate.  Notice with which a person is charged by reason of the notorious nature of thing to be noticed, as contrasted with the actual notice of such thing.”  

We seek to comply with regulatory requirements, ISO standards, best practices, standard of care concepts, etc. as part of the business continuity planning cycle.  We have therefore addressed constructive notice in our continuity plans (Sarbanes-Oxley, Basel II, etc.).  Are we putting ourselves on notice by not developing strategies that address all of the “Mission Critical” assets instead of only those that are focused on systems and applications recovery? 

q      Third, is “Negligence” defined in Black’s as: “The omission to do something which a reasonable man, guided by those ordinary considerations which ordinarily regulate human affairs, would do, or the doing of something which a reasonable and prudent man would not do.”  

"That it is logically true need not be argued before a mathematician; that it is not trivial is attested by the thousands of important and intelligent men who have never been able to grasp the doctrine for themselves or to believe it after it was explained to them." — Paul Samuelson  

Prudence is occasionally an actual test, but it usually refers to a set of criteria used to measure an investment or enterprise against specific standards.  The objective is to determine whether the investment or enterprise is worth pursuing or investing in by judging how well it meets the challenge established by the judgment criteria.  Prudency testing in business continuity should refer to the ability of the business continuity plan to stand up to public scrutiny before it is allowed to continue beyond a conceptual phase.  It should also refer to testing and validating that a company sets for itself before deciding whether to proceed with a particular business activity.  Can we actually say that we are not negligent as continuity planners, when we fail to identify strategic options that will ensure the capability of the enterprise to continue as a “going concern”?  Or, that we fail to understand the intricacies of business interruption insurance and contingent business interruption riders?  Or, that we do not consider strategic scenarios, but rather sell tactical level response as a strategy? 

In his book, “The Collapse of Complex Societies”, Joseph A. Tainter states, “Human societies and political organizations, like all living systems, are maintained by a continuous flow of energy.”  He further states, “More complex societies are more costly to maintain that simpler ones, requiring greater support levels per capita.”  If the business continuity plan purports to provide resilience, continuity of operations, “all hazards”, etc., then we need to ensure that all options are available to decision-makers when the plan has to be activated.   

Concluding Thoughts – Business Continuity Myth or Magic?

Current research indicates a small portion (5%) of businesses today, have continuity plans, but virtually all realize they are at risk of something bad happening.  Do the 95% of businesses that do not have continuity plans know something that the 5% that do have continuity plans do not know?  Or are they relying on other options that they feel will give them greater flexibility, more protection and the assurance of continuing as a going concern?

In today’s demanding business environment Senior Management needs tools that will help it with strategic issues that will define and ultimately protect their markets.  Business Continuity is that strategic tool.  As a colleague, John Stagl, a former strategic planner for a corporation said, “I can tell you we did not have IT at our strategic planning meeting every year.  It was at that meeting that we outlined new strategies and reviewed the effectiveness of existing strategies given the changes that occurred in markets, competitive products and international competitors”.  That is “Business Continuity”.  The Center for Resilience at The Ohio State University defines a resilient enterprise as: 

“A resilient enterprise has the capacity to overcome disruptions and continually transform itself to meet the changing needs and expectations of its customers, shareholders and other stakeholders.”

Center for Resilience, Ohio State University

We as continuity planners have a responsibility to protect the organizations we develop plans for by facilitating continuity planning and preparedness efforts that avail themselves of all creative mechanisms that will ensure “resilience”.  Using their status as “leaders,” senior officials, senior management and board members can and must deliver the message that survivability depends on being able to find the opportunity within the crisis – and that may well include strategies and options that we currently do not include the business continuity plan, not because they do not exist, because we have chosen to limit our understanding of what continuity means.  Today we cannot merely think about the plannable or plan for the unthinkable, but we must learn to think about the unplannable and we must begin to incorporate risk reduction strategies that include the ability to quickly and efficiently implement, as an example, investment strategies as an integral element of the business continuity practice.

* 1 put forward as fact or as a basis for argument. 2 put in position; place.   — ORIGIN Latin, ‘placed’, from ponere. from the Oxford English Dictionary

References

q   Drabek TE, Tamminga HL, Kilijanek TS, Adams CR. Managing multi-organizational emergency responses: emergent search and rescue networks in natural disaster and remote area settings. Natural Hazards Research and Applications Information Center. University of Colorado, Boulder CO, 1981 

q   Meyer, Gerald C., "When it Hits the Fan: Managing the Nine Crises of Business," 1986 

q   Davis, Stanley M., Christopher Meyer, Blur: The Speed of Change in the Connected Economy, 1998 

q   Mitroff, Ian, I., Avoid "E3" Thinking, Management General, 1998 

q   Mitroff, Ian, I., Smart Thinking for Crazy Times: The Art of Solving the Right Problems, 1998 

q   Sikich, Geary W., The Financial Side of Crisis, 5th Annual Seminar on Crisis Management and Risk Communication, American Petroleum Institute, 1994 

q   Sikich, Geary W., Managing Crisis at the Speed of Light, Disaster Recovery Journal Conference, 1999 

q   Sikich, Geary W., Business Continuity & Crisis Management in the Internet/E-Business Era, Teltech, 2000

q   Sikich, Geary W., What is there to know about a crisis, John Liner Review, Volume 14, No. 4, 2001 

q   Sikich, Geary W., The World We Live in: Are You Prepared for Disaster, Crisis Communication Series, Placeware and ConferZone web-based conference series Part I, January 24, 2002  

q   Sikich, Geary W., September 11 Aftermath: Ten Things Your Organization Can Do Now, John Liner Review, Winter 2002, Volume 15, Number 4 

q   Sikich, Geary W., Graceful Degradation and Agile Restoration Synopsis, Disaster Resource Guide, 2002 

q   Sikich, Geary W., "Integrated Business Continuity: Maintaining Resilience in Times of Uncertainty," PennWell Publishing, 2003 

q   Sikich, Geary W. “It Can’t Happen Here: All Hazards Crisis Management Planning,” PennWell Publishing 1993. 

q   Sikich Geary W., "The Emergency Management Planning Handbook", McGraw Hill, 1995. 

q   Sikich Geary W., “A new planning paradigm: Economic Consequences of a Pandemic,” Continuity Central, 2005 (also published in Disaster Resource Guide and Continuity Forum, 2005). 

q   Sikich, Geary W., Stagl, John M., “Are we missing the point of pandemic planning?”; Continuity Central, December 2005. 

q   Sikich, Geary W., “Continuity of Leadership: Repopulating Your Chain of Command”; XBHR Newsletter, December 2005. 

q   Sikich, Geary W., “Supply Chain Continuity”; Supply & Demand Chain Executive, February 2006.

q   Tainter Joseph A., “The Collapse of Complex Societies,” Cambridge University Press, 1988; Eleventh reprint 2004.

Integrating Business Continuity Criteria into Your Supply Chain [Jun 4 06]--Introduction. Most organizations have a supply chain that is a mix of competencies, from manufacturing to professional advisory services. Developing business continuity strategies and embedding business continuity processes into an organization’s procurement process can enhance the organization’s ability to actively assess vendor capabilities. By creating a flexible framework for augmenting, retaining, or shedding vendor competencies in order to assure supply chain integrity, the organization can meet customer demand, customer expectations and generate consistent performance.

No one company can deliver end-to-end products and/or services in today’s complex business environment. Your company,  like other companies is most likely dependent on vendors of various types (manufacturing, profession services, software, transportation, etc.) to meet customer expectations. Four basic assumptions form the underlying premise for this article:

Complexity: Companies today are complex and their procurement processes are complex management systems operating within multiple networks

Touchpoints: All of a company’s touchpoints (downstream & upstream) within its networks must be considered to effectively evaluate risks, threats, hazards and vulnerabilities to determine the effects and consequences of degradation on the entire system

Responsiveness: Actions at any given level within the network may be inadequate unless the entire network responds in kind

Resource Constraints: Most levels and groups within the company and the supply networks supporting the company lack the resources and specialized skills to know what to do to maximize operational resilience within the network

The integration of vendor business continuity capability as part of the procurement process is becoming an integral part of company strategy.  Effective business continuity strategies, like supply chain assurance, need to be designed.  Integrating business continuity principles and concepts into the a company’s business portfolio planning process and at each stage of product/service life cycle can provide opportunities to enhance the procurement process, allowing your company to deliver superior products and/or services solutions to its customers.

Structure – a key element

Identifying procurement touchpoints (internally and externally) needs to be one of the first steps in the process. Developing a custom fitted questionnaire for vendors as well as internal stakeholders can provide a basis for moving forward. Applicable policies, procedures, recognized “best practices” and regulatory requirements set the benchmarks from which metrics for assessing vendor business continuity capabilities can be developed.  Integration criteria should be contained in the vendor’s contract; spelled out in specific terms.

Touchpoints – Internal and External

Identifying procurement touchpoints should be undertaken to assure that key continuity concerns are adequately addressed.  Internal touchpoints may include any part of the organization that has direct and/or indirect interface with the procurement process.  This would include customer relationship/service touchpoints, strategic planning, quality assurance, operations, human resources, legal, audit and, in some instances, the officers and board of directors of the enterprise.  Identifying external procurement touchpoints may seem simple, but when you begin to identify vendors, you have to realize the components that allow the vendor to get their product or service to you are also touchpoints.  Therefore, identifying external procurement touchpoints becomes more complex.  In addition, due to the popularity of outsourcing today, we are finding that vendors are also outsourcing.  A tiered approach to identifying external procurement touchpoints can facilitate organizing the process.   

Vendor Continuity Capability Questionnaire

Developing the vendor continuity capabilities questionnaire needs to be carefully thought through.  You are, in essence, creating a legal document that could contain sensitive information and must be protected.  You are also creating a potential liability document for yourself.

Let me explain; the legal term, constructive knowledge is defined in Black’s Law Dictionary thus, “If one by the exercise of reasonable care would have known a fact, he is deemed to have constructive knowledge of such fact; e.g. matters of public record.”  Constructive notice is defined in Black’s Law Dictionary thus, “Such notice as implied or imputed by law, as in the case of notice of documents which have been recorded with the appropriate registry of deeds or probate.  Notice with which a person is charged by reason of the notorious nature of thing to be noticed, as contrasted with the actual notice of such thing.”   Negligence is defined in Black’s Law Dictionary thus, “The omission to do something which a reasonable man, guided by those ordinary considerations which ordinarily regulate human affairs, would do, or the doing of something which a reasonable and prudent man would not do.” 

With the type of information that you will collect in order to assess vendor continuity capabilities, your organization could be held liable, under the concepts of negligence (foreseeability), constructive notice, and/or constructive knowledge, for NOT taking action to mitigate potential losses.

The questionnaire that we have most often utilized consists of eight parts as highlighted below.

Part 1: Governance Provisions & Management Commitment

Part 2: Business Continuity Strategies: Developing and Implementing BCP

Part 3: Business Impact Analysis, Risk Evaluation & Control Mechanisms

Part 4: Maintaining Continuity: Training, Awareness, Exercising & BCP Updates

Part 5: Incident Response Operations

Part 6: Crisis Communications

Part 7: Coordination (External Entities)

Part 8: Vendor Certification 

The length of vendor questionnaires will vary with the industry group represented and the depth of initial analysis that the procurement group chooses to perform.  Generally, the questionnaires that have been developed for clients have contained approximately fifty questions.  The questions are designed to require the vendor to provide quantifiable answers. Should the procurement group assessing the adequacy of the answers determine that there is a need for further analysis; a formal audit team is assembled to determine how to resolve the concern over vendor continuity capability.

Vendor Continuity Capability Assessment

During the course of assessment data will be collected, analyzed and developed into assessment findings and recommendations regarding vendor continuity capabilities.  The data should be organized by Essential Element of Analysis (EEA) criteria that the organization establishes and uses to conduct data collection, analysis and evaluation.  Examples of typical EEA are summarized below.

      Organization: As defined herein refers to the current procurement process, vendor roles/responsibilities and deliverables during the procurement process life-cycle and current criteria for the organization’s business continuity programs and plans.   

      Vulnerability Identification and Control: As defined herein refers to establishing minimum acceptable criteria    for vendor vulnerability identification and control methodologies as these methodologies relate to vendor       business continuity programs and plans and the ability of the vendor to integrate its methodologies on a sustainable basis with the client’s business continuity management strategy.   

      Continuity Strategy and Approach: as defined herein refers to the metrics developed and used to verify vendor integration of business continuity management program and plans with the client’s business continuity management strategy.   

      Documentation:  As defined herein refers to the documentation of vendor business continuity management program and plan capabilities.   

      Resource Management and Development: As defined herein refers to the metrics for vendor validation of staffing (Business Continuity staffing) and associated vendor integration of continuity planning, resource development and awareness of continuity. 

      Continuity Maintenance: As defined herein refers to the procedures used to assure resilience of the vendor continuity process. 

Objectives

The overall objective of integrating business continuity criteria is to facilitate the ongoing development and implementation of enhancements to the procurement process including program management (normal operations and incident management operations), stakeholder communication and knowledge transfer associated with vendor business continuity management programs for vendors operating within your company’s procurement system.

In developing the overall design objectives careful consideration should be given to ease of use by procurement staff, other personnel and external parties (as appropriate). Three elements associated with enterprise assurance apply:

      Strategic Element consisting of support for compliance efforts, communications to stakeholders (vendors, customers, internal groups, etc.) and strategic active analysis processes.

      Grand Tactical Element consisting of support for implementation efforts, sustaining business operations, communicating upwards (internal focus), and grand tactical active analysis processes.

      Tactical Element consisting of direct specific implementation steps, communication upwards (internal focus), external communications (vendor interface), mitigation of noncompliance/nonconformance and tactical active analysis processes (scorecards, vendor continuity questionnaire, etc.).

As with any process negotiating continuity commitments may need to be addressed on a case-by-case basis. Once the evaluation process has been completed, it must be managed, enforced and monitored to assure continuity of operations compliance.

Procurement Planning Considerations

Procurement planning considerations will generally consist of the normal day to day functioning of the procurement process.  Supply Chain Business Continuity integration elements should consist of a tiered evaluation structure focused on four aspects as presented in Figure 1, Supply Chain Business Continuity Elements.  These elements consist of: 

      Comprehending and describing supply chain continuity requirements 

      Conducting business continuity capability assessments 

      Evaluating business continuity capabilities 

      Identifying actions to be taken 

Each phase of the procurement process can be designated an Essential Element of Analysis (EEA), as defined previously.  We recommend that each EEA incorporate in the scorecard process a tiered analysis structure consisting of Measures of Effectiveness (MOE) and Measures of Performance (MOP) to provide metrics for facilitating the scoring of vendor and  potential vendor business continuity capabilities.   A Measure of Effectiveness (MOE) is a metric that forms subgroups of information relating to specific areas encompassed by an Essential Element of Analysis.  A Measure of Performance (MOP) is a data structure.  Measures of Performance answer a specific question.  Measures of Performance are grouped to form Measures of Effectiveness.  Measures of Performance are measurable and observable, that is, they provide a quantitative basis for evaluation of a specific area. For example, a Measure of Performance might be, “What is the current credit rating for the Vendor under consideration?"  Illustrative examples of the EEA – MOE – MOP structure are provided and discussed later in this report.  Figure 2, Vendor Business Continuity Metrics, provides an illustrative example of these structural components. 

Your company faces a variety of risks that have a potential impact on its supply chain assurance. These can be articulated as either internal or external as depicted in Figure 3, Internal and External Vulnerability Drivers. 

These drivers and the ability to manage them (put into place contingency measures) often are interconnected.  Understanding this potential interconnectedness is a key factor in assessing vendor business continuity capabilities.  Internal and External vulnerability drivers can materialize in a variety of ways.  Making vertical, horizontal and diagonal connections between drivers can provide a conceptual understanding and potentially reduce unexpected outcomes as you identify how risk is uniquely embedded in your company’s supply chain. 

Risk can be context sensitive, as risk elements interact in different ways depending on the situation.  Understanding the potential interaction of risk factors facilitates the ability to measure business continuity capabilities and plan for offsets that can be implemented should a disruptive event occur. 

Figure 4, entitled, “Sample Roadmap for assessing vendor capabilities” is an illustrative example of a roadmap for the  process of assessing vendor capabilities.  The assessment process has been designed to provide a phased approach with progressively more detail accumulated at each phase of the procurement process.  This assessment process can be easily embedded into your company’s procurement scorecard system, enabling you to incorporate vendor business continuity evaluation as an integral component of the procurement process. 

As depicted in Figure 5, “Typical Procurement Process” the integration of recommended business continuity metrics in the procurement process should be related to the key elements of the procurement process.  Incorporating the recommended business continuity capability assessment at each phase of the procurement process can help identify vulnerabilities, develop consequence management strategies, plans and implement mitigation strategies. 

Upon conclusion of assessment at each phase of the procurement process you can evaluate vendor business continuity capabilities allowing a “go/no go” decision based on measurable criteria.  Prior to proceeding to the next stage in the procurement process the vendor will have been vetted and the next stage evaluation can allow you to continue to refine the vetting requirements and gather more detail on vendor continuity capabilities.  Having an in-depth understanding of vendor capabilities at each phase of the procurement process can allow critical decision-making at earlier stages of procurement and can thus can enhance communications between you and your vendors regarding business continuity issues. 

Embedding into the procurement process specific business continuity objectives, guidelines and assessment metrics can enhance decision-making, communications (vertical/horizontal) and resource management.  In addition to the Vendor Continuity Questionnaire, you can develop worksheets that can be incorporated into each phase of the procurement process to further facilitate the assessment of vendor business continuity capabilities.  The benefit of having vendor continuity capabilities catalogued and indexed is threefold.  First, the company can begin to assess and quantify the risk impact of an event.  Second, a determination of how long the risk exposure will last before the event is mitigated and/or the exposure is rectified.  Third, a determination of potential recovery costs in terms of emergency actions can be estimated.

Early assessment and quantification of vendor, supplier, etc. business continuity capabilities is essential.  In addition to the Vendor Continuity Questionnaire we have developed a set of nine Risk Analysis Worksheets.  These worksheets are structured to build on the evaluation criteria in the form of Essential Elements of Analysis, Measures of Effectiveness and Measures of Performance. They are listed below. 

      Worksheet 1: Describe the Supplier  

      Worksheet 2: Determine Demand Risk

      Worksheet 3: Determine Supply Risk

      Worksheet 4: Determine Process Risk

      Worksheet 5: Determine Control Risk

      Worksheet 6: Determine Environmental Risk

      Worksheet 7: Evaluate Implications

      Worksheet 8: Identify Actions

      Worksheet 9: LMSCARVER^tm Supply Chain Risk Analysis

We recommend that your company and its vendors negotiate periodic assessments of sub-tier vendors (vendor’s suppliers) to further assure business continuity capabilities.  This can be accomplished through contractual requirements executed at the initial stages of vendor engagement.  Your company can utilize the Vendor Continuity Questionnaire and Risk Analysis Worksheets to facilitate consistency of the vendor’s depth analysis. Figures 6, 7 and 8 provide illustrative examples of depth analysis determination criteria. 

Procurement Incident Management Considerations

The second part of the procurement process relating to vendor continuity should address incident management considerations.  A vendor can complete the vetting process (Vendor Continuity Questionnaire, Risk Analysis Worksheets, Scorecard, etc.) and still experience a disruption that could affect you company’s ability to meet customer requirements (i.e., Philips, Ericcson, Nokia).  Having an incident management system as a component of the procurement process can allow your company to respond, recover and restore supply chain operations with less potential for massive disruption.  Incident management can range from assessing and classification of a vendor incident to implementation of response actions, such as sending your personnel to vendor facilities to assist in incident mitigation processes.  

Contingency alternatives can range from having backup response plans to alternative sources of supply.  Once the connected risk themes are identified and evaluated, actions to address consistent themes throughout the procurement process can be taken.  Identification of consistent risk themes across a number of risk dimensions can help to determine where your company should place significant effort to mitigate the risk exposure. 

Disruptive events (figure 9) as they occur need to be classified by their level of severity in order to determine the potential impact they may have.  A classification system can provide a consistent framework for evaluation; enhance the communication process allowing ease of communication between internal and external groups and facilitate response, management, recovery and restoration efforts.

In addition to the event classification system the incorporation of an event assessment form that would be used in conjunction with the Event Classification System for determining the event classification level and for facilitating discussion within your company and with the affected vendor(s).  As depicted in figure 10, the degree of degradation of service minus the level of preparedness equals the time for recovery.  The less prepared an organization is for service disruption the longer it takes the organization to recover its operations and restore service levels.  Having a classification system can enhance the ability to identify potentially disruptive situations early and determine how to respond effectively to minimize the level of service impacts.

The procurement process represents the first line of direct contact with vendors, suppliers, etc.  Detection by procurement personnel at any stage of the procurement cycle of potential disruption and classification of severity can allow your company to implement its BCP plan and coordinate with the affected vendor to assure continuity of operations and to mitigate the disruptive event. 

Early detection, classification and response can lead to less of a drop in service; a potential reduction in the chaos associated with a disruptive event and shorter recovery and restoration timeframes.  Figure 11, depicts the typical functions performed at various levels within an organization as it moves from response to restoration.  This figure also depicts the focus for an organization at the tactical, grand tactical and strategic levels.  At the tactical level the focus is generally on event response and mitigation.  The focus at the tactical level should be on response and mitigation while the need at the tactical level is for support from the next level (grand tactical).  At the grand tactical level the focus should be on support for the tactical response.

Additionally, at the grand tactical level the focus should be on the prevention of cascade and containment of cascade effects on the organization.  At the strategic level the focus should be on management oversight, coordination and facilitation of restoration of services.  It is important to note that a key element in this vertical and horizontal process of detection, classification, response, management, recovery and restoration is seamless communications.  Seamless communication is based on the adoption of common terminology and in the functions represented at each level, as shown in figure 11.   

Phased Development and Integration

With any large scale project, such as the integration of vendor business continuity criteria into the procurement process, attempting to implement on a grand scale can lead to chaotic results.  A phased approach to implementation and integration would generally consist of five phases:

      Phase 1: Assessment & Vendor Continuity Questionnaire – deliverable: letter report with executive summary that will include discussion and recommendations based on the results of the review of Essential Elements of Analysis (Report). 

      Phase 2: Procurement Integration (vertical/horizontal) – deliverables: Procurement Management System Vendor Business Continuity Management Program and Plan Integration Criteria Guide (Tools) and    Procurement Management System Vendor Business Continuity Management Program and Plan Integration Criteria Guide training program materials (Knowledge Transfer).

      Phase 3: Monitoring & Enforcement – deliverable: Procurement Management System Vendor Business Continuity Management Program and Continuity Plan Integration Criteria Guide maintenance criteria (Sustainability).

      Phase 4: Sustainability – deliverable: periodic metrics, event response reports.

      Phase 5: Maturity Model Evaluation – deliverable: metrics for maintaining the process, change management procedures.

Conclusion

Assuring supplier continuity capabilities are of paramount concern today.   Realizing that most business processes today extend beyond the boundaries of a single entity, awareness of critical supply chain interdependencies has risen sharply. Simply having profiles of potential high risk suppliers, while extremely important, is by itself not enough.  Developing capabilities to assess and monitor vendors to facilitate the active analysis process, providing predictive metrics to supplement the initial assessment process performed during the early stages of the procurement process.  Active Analysis is a process that utilizes predictive metrics to identify potential problems before they occur.

Today business leaders have the responsibility to protect their organizations by facilitating continuity planning and preparedness efforts.  Using their status as “leaders,” senior management and board members can and must deliver the message that survivability depends on being able to find the opportunity within the crisis.

Many people feel that the world has changed as a result of the events that took place on September 11, 2001; that we need to rethink our concepts of continuity and crisis management.  Today we cannot merely think about the plannable or plan for the unthinkable, but we must learn to think about the unplannable.

Market research indicates that only a small portion (5%) of businesses today have a viable plan, but virtually 100% now realize they are at risk.  Seizing the initiative and getting involved in all the phases of crisis management can mitigate or prevent major losses.  Just being able to identify the legal pitfalls for the organization of conducting a crisis management audit: can have positive results. 

References and Endnotes:

“Key developments in the Firestone tire case.” (www.accidentreconstruction.com.).

Levene, Lord, "Changing Risk Environment for Global Business.”  Union League Club of Chicago, April 8, 2003.

Meyer, Gerald C., When it Hits the Fan: Managing the Nine Crises of Business. (1986).

Mitroff, Ian, I., Avoid "E3" Thinking, Management General. (1998).

Mitroff, Ian, I., Smart Thinking for Crazy Times: The Art of Solving the Right Problems. (1998).

Palmer, Pamela, “When Is It Safe To Shred Unwanted Documents After Sarbanes-Oxley?”  Wall Street Lawyer, Vol. 6, No. 8, Pgs. 15-19.

Perera, Valerie C. and Sikich, Geary W., “Controlling Crisis Will Determine Corporate Survival.”  The Corporate Lawyer, Illinois State Bar Association, November, 2002.

Sikich, Geary W., “Managing Crisis at the Speed of Light.” Disaster Recovery Journal Conference (1999).

Sikich, Geary W., “Business Continuity & Crisis Management in the Internet/E-Business Era.” Teltech (2000).

Sikich, Geary W., “What is there to know about a crisis.” John Liner Review, Volume 14, No. 4 (2001)

Sikich, Geary W., “The World We Live in: Are You Prepared for Disaster?”  Crisis Communication Series, Placeware and ConferZone web-based conference series –  Part I, January 24, 2002.

Sikich, Geary W., “September 11 Aftermath: Ten Things Your Organization Can Do Now.” John Liner Review, Winter 2002, Volume 15, Number 4.

Sikich, Geary W., “Graceful Degradation and Agile Restoration Synopsis.” Disaster Resource Guide (2002).

Sikich, Geary W., “Aftermath September 11^th, Can Your Organization Afford to Wait.” New York State Bar Association, Federal and Commercial Litigation, Spring Conference, May 2002.

Sikich, Geary W., "September 11^th, Can Your Organization Afford to Wait?" GlobalContinuity.com, May 2002.

Sikich, Geary W., Integrated Business Continuity: Maintaining Resilience in Times of Uncertainty.  PennWell Publishing, (2003).

Understanding Supply Chain Risk; prepared by LCP Consulting in conjunction with the Centre for Logistics and Supply Chain Management, Cranfield School of Management, Cranfield University, United Kingdom, 2003.

Legislation, Regulations and their impact on BCP: “How to think globally while acting locally” [May 22 06]--Copyright© Geary W. Sikich 2006. World rights reserved. Published with permission of the author.

“Let us begin by setting aside the facts, for they do not affect the matter at hand” (Rousseau)

Overview

At its beginning, we have no doubt about the sources of authority.  Will today’s all-encompassing anthill of international legislation and regulation give meaning, structure and order to businesses?  Will business continuity as a profession evolve to take aim at the wide array of legislation and regulation that has combined to make such authority function?  Or will we, like Voltaire’s six kings, claim attention through the assertion of our powerlessness?

Sarbanes-Oxley will probably be one of the most far-reaching pieces of legislation that has yet to be enacted.  The essence of Sarbanes is quite simple; compliance with all Federal regulatory matters.  But, how do you know what compliance is or what it ought to be?  What about such international precedents as BASIL or the ISO standards?  The gap between “is” and “ought” is not accidental but systematic.  It’s a gap that may leave us permanently torn. 

Legislation, Regulations and their impact on the BCP profession 

The myriad of compliance initiatives that organizations have to contend with today can leave one dazed and confused.  Starting in the late 1960’s with environmental, health and safety regulations having requirements for emergency preparedness, through today; the ever expanding requirements for greater preparedness seem without end.  Today regulations, such as NYSE rule 446 require firms to develop, maintain, review and update business continuity and contingency plans that establish procedures to be followed in the event of an emergency or significant business disruption. 

The pursuit of understanding the legislative and regulatory morass often seems to lead us to the judgment that the regulators of the world exist to drive us mad.  The search for compliance with new regulations often reveals the vices of the old; should we analyze them in sufficient detail.  Let us look at the “morass” of legislative and regulatory initiatives from a few different perspectives.  Table 1, “Regulations with BCP Implications,” depicts the legislative and regulatory impact on business continuity as a profession.  I have attempted to simplify the tables by using three vertical levels, strategic, grand tactical and tactical representing compliance in theory; and six horizontal levels representing compliance in practice as related to continuity requirements.  Before we get into a discussion of the first table, some definitions of the terms used it in this article are necessary. 

Business Continuity, "All initiatives taken to assure the survival, growth and resilience of the enterprise." 

Strategic Level, “Mission, vision, values; the direction the enterprise takes in order to achieve business continuity.” 

Grand Tactical Level, “All initiatives taken to fulfill the strategy of the enterprise by a major element of the enterprise (i.e., business unit, operating division, etc.)” 

Tactical Level, “The primary point of implementation of compliance initiatives.”  

Table1, “Regulations with BCP Implications” 

In his book, "When It Hits the Fan, Managing the Nine Crises of Business," Gerald C. Meyers, former chairman of American Motors lists nine forms of crisis: 

§         Public Perception

§         Sudden Market Shift

§         Product Failure

§         Top Management Succession

§         Cash Crisis

§         Industrial Relations

§         Hostile Takeover

§         Adverse International Events

§         Regulation - Deregulation 

Note that the final form of crisis that Meyers lists is “Regulation – Deregulation”; I think that this is critical for understanding the strategic, grand tactical and tactical axis.  A new study by PricewaterhouseCoopers and the Economist Intelligence Unit has revealed that too many financial institutions continue to fall short of first-class compliance and leave themselves extremely vulnerable to reputational damage with their customers, the regulators and other stakeholders.  As part of the study, entitled 'Compliance: a gap at the heart of risk management', 160 executives responded to an in-depth global survey on the subject of compliance. Alarmingly, less than a fifth of survey participants considered awareness of compliance-related risks to be high across all parts of the business and fewer than a quarter were very confident with regulatory requirements and internal codes and policies.  

As part of the study PricewaterhouseCoopers identified three key attributes that mark out an institution in the vanguard on compliance risk management:  

• Board and senior managers must clearly articulate a vision of compliance that goes well beyond the compliance function itself and then drive the process of delivering on that vision. Clear and accessible policies and procedures must be deeply rooted in all business units and functions within financial institutions. Responsibility for compliance should be embedded throughout the enterprise from the most junior to the most senior person.

• An infrastructure must be put in place to allow management to track current and emerging compliance issues and to communicate these to internal and external stakeholders. A comprehensive system of internal controls and audit must create an environment of continuous improvement in managing compliance risk. Part of the strategic process should be to review emerging trends in order to get 'ahead of the game' and anticipate new issues before they become embedded and difficult to address. Technology plays a critical role in this area.

• Compliance must be used to drive value. Good compliance involves understanding and delivering on the expectations of customers and other stakeholders, thereby improving the quality of key relationships.

Table 2, “Compliance Matrix,” depicts three levels on a vertical axis and six applications on a horizontal axis.  At the Strategic level, business continuity planning needs to be viewed as an integral element of the overall strategy of the enterprise.  For example, the popular “Balanced Scorecard” and strategy mapping are ideal vehicles to begin to assess strategic implications for the enterprise when evaluating legislative and regulatory compliance initiatives.  At the Strategic Level we should accomplish the following:

·        OBJECTIVES: What is the goal of your compliance program? How can a continuity program benefit your organization and its key stakeholders? 

·        FOCUS: Which regulations specifically will your continuity program focus on? What capabilities are required to assure compliance? How will they be coordinated across the enterprise?

·        VALUE: What metrics will you employ to measure the results and demonstrate the value of the compliance process?

 

The Grand Tactical level should be involved in the information gathering portion of compliance and the implementation of “checks and balances” to assure that compliance is being adhered to.  The Grand Tactical level provides an excellent opportunity to interview and receive input from others that you may not often interact with.  This will give you exposure with those executives while allowing these executives to participate in the development of the continuity program and “buy in” to the ultimate outputs of the Strategic level initiatives because they have a vested interest in seeing it successful.

At the Tactical Level you are forced to rationalize your current and future continuity activities in relation to compliance requirements.  In my experience, business continuity professionals that have taken the time to go through the process of identifying regulatory compliance requirements that impact continuity are much more successful getting their programs supported; and they are better able to articulate the need, value, and return on investment of the continuity program to the executive team.

With the above definitions as a starting point, let us venture to the first table.  Table 1, depicts three levels on a vertical axis and six applications on a horizontal axis.  At the Strategic level, business continuity planning needs to be viewed as an integral element of the overall strategy of the enterprise.  For example, the popular “Balanced Scorecard” and strategy mapping technique are ideal vehicles to begin to assess strategic implications for the enterprise when evaluating legislative and regulatory compliance initiatives.   

Table 2, “Compliance Matrix” 

What does all this mean for the business continuity profession?  The proliferation of regulations at the Federal, State and local level should mean that the business continuity profession will have to expand.  These regulations should mean that business continuity professionals will have a greater influence on the organizations that they are employed by or that they provide consultation to.  They also mean that business continuity professionals will have to become more educated in their chosen profession.  They mean that business continuity, as it is variously defined, will have to rethink its basis and redefine itself.

For the business leaders they mean that an “integrated” approach to business continuity; one that makes business continuity planning an integral part of the business process should be a priority.  Today business leaders cannot afford to let regulatory compliance go unanswered.  Sarbanes-Oxley and other legislation have elevated compliance initiatives to the senior management and board of director levels. 

Concluding Thoughts

U.S. regulations and legislation, such as, The Patriot Act, Vital Interdiction of Criminal Terrorist Organizations Act, HIPAA and privacy regulations will have far reaching impacts on everyone.  Add to the mix, international regulations and legislation and you have a volatile combination.  Business leaders should ask, “In a world of earthquakes, can we count on contingency to work in our favor?”  Business continuity professionals need to ask, “Can I afford not to know what compliance means?”

When developing a strategic continuity plan to address legislative and regulatory initiatives for your enterprise, make sure you consider the following areas.

• Establish scope. You need to set parameters for your program and for the planning process.  What are the legal requirements to be addressed?  Who owns responsibility for assuring that the legal requirements are met?
• Assess current requirements. You must be able to clearly describe what compliance requirements must be met and the potential impact of not being met.
• Visualize the future.  Articulate current regulatory trends.  Where does your organization need to be?  What are the consequences to your organization if you don't do these things?
• Delineate strategic, grand tactical and tactical goals and initiatives.  What is there to achieve and how to get there.  Establish measurable objectives for the program.  Communicate the benefits.
• Strategy Mapping Implementation.  Develop a strategy map for implementation.  The strategy map has to demonstrate that you have thought things through.  What are the “unintended consequences”?
• Audit. Measure performance against set standards to demonstrate the value of understanding the interrelationship of regulatory requirements.  Where do you currently stand? Where do you need to be (compliance trigger dates) in order to demonstrate compliance?  Business Judgment Rule in case law now is "Was the risk process reasonably adequate to provide senior management with information to make decisions."

A new planning paradigm: Economic Consequences of a Pandemic [Feb 19 06]--Copyright© Geary W. Sikich 2005. World rights reserved. Published with permission of the author.

Introduction

At the time of this writing H5N1, known as Avian Flu, is spreading throughout Asia with one of the highest mortality rates of any flu virus of the previous century. Even the Influenza (Spanish Flu) of 1918 did not have as high a morbidity and mortality rate as H5N1 (Avian Flu). We are seeing almost daily some revelation from the World Health Organization (WHO) or Centers for Disease Control (CDC) or the popular media.

I recently wrote an article on the parallels that can be drawn between the impact of Hurricane Katrina and the aftermath of a manmade ‘dirty bomb’ attack. Viruses mutate in order to adapt. It is the nature of a virus to survive and mutating is a virus’ defense mechanism against manmade antibiotics. When H5N1 mutates to allow human to human transmission the stage will be set for a global pandemic.

In the aftermath of Hurricanes Katrina and Rita, New Orleans has been reeling from the devastation. In spite of significant warnings ahead of time, the city, the State of Louisiana and the Federal Government were overwhelmed by the impact of the direct hit by Katrina and the cascade effect of the rains from Hurricane Rita. Katrina, a category 4 hurricane, rendered effective allocation of resources and rapid response totally ineffective. Hurricane Rita’s rains re-flooded an already devastated city.

The consequences of a rapid spread of H5N1 from a continuity planning perspective cannot be overlooked. If hurricanes Katrina and Rita put the people of New Orleans and the Gulf Coast in a fight for their very survival, what would a pandemic do?

Why is so much attention being paid to H5N1?
 

At present the transmission of H5N1 has been limited to animal/human transmission. This has limited the number of people who have become infected by the virus. Mortimer B. Zuckerman writes in the New York Daily News on 20 June, 2005, in his article entitled, “A Nightmare Scenario – H5N1 Pandemic” the following excerpt:

Should we sound the alarm for a worldwide epidemic that might not occur? There is no choice with the avian flu emerging from Asia. Should it adapt to be able to be transmitted from human to human, international health experts warn, bird flu could spark a global pandemic, infecting as much of a quarter of the world's population and killing as many as 180 million to 360 million people - at least seven times the number of AIDS deaths, all within a matter of weeks.

This is utterly different from ordinary flu, which kills between 1 million and 2 million people worldwide in a typical year. In the worst previous catastrophic pandemic, in 1918, more than 20 million died from the Spanish Flu. That's more than the number of people who died from the Black Death in the Middle Ages, and more people killed in 24 weeks than AIDS killed in 24 years.

There are three elements to a pandemic. First, a virus emerges from the pool of animal life that has never infected human beings, meaning no person has antibodies to fight it. Second, the virus has to make us seriously ill. Third, the virus must be capable of moving swiftly from human to human through coughing, sneezing or just a handshake.

For avian flu, the first two elements are already with us. Well over half the people who have contracted it have died. The question now is whether the virus will meet the third condition: mutating so that it can spread rapidly from human to human.

Table 1 reflects the latest statistics on H5N1 as of April 2005. The forecast, issued by the World Health Organization that accompanies the statistics reads:

The outbreak in Asia is not expected to diminish significantly in the short term. It is likely that H5N1 infection among birds has become endemic to the region and that human infections will continue to occur. So far, no sustained human-to-human transmission of the H5N1 virus has been identified, and no evidence for genetic re-assortment between human and avian influenza virus genes has been found.

Bird flu by the numbers
Number of human cases of H5N1 since January 2004: 88
Number of human deaths: 51
Number of suspected human-to-human transmissions: 2
Since December 2004 number of countries affected: 12
Number of countries with human fatalities: 3
Estimated number of international airline passengers per year: 1.6 billion
Types of antivirals that may be effective against bird flu: 2
Number of known bird flu types: 15
Number that can be fatal to humans: 1
Number of global dead in a best case pandemic scenario according to WHO: 2 – 7 million
Estimated global deaths during 1918-19 Spanish Flu: 40 - 50 million
Source: World Health Organization

It should be noted that the types of antiviral drugs that may be effective against H5N1 (bird flu) may have been diminished since April as the result of giving Tamifu, one of the antiviral drugs, to infected birds in Asia. This should be of concern, as Tamiflu is being stockpiled by many countries as their first line of defense against H5N1.

It should also be noted, that of those who have become ill with H5N1, approximately half (50%) have died. The eventual mutation of H5N1 virus into a form that can be transmitted easily from human to human has experts around the world worried due to the high mortality rate. When this mutation occurs, the current worst case forecast is for a worldwide pandemic even worse than the Spanish Flu. Note that Table 1 provides an estimate of the global deaths that resulted from the Spanish Flu at 40 – 50 million. Recent worst case scenario figures for a H5N1 are in the range of 180 – 360 million. Table 1 give a “best case” scenario figure of 2 – 7 million deaths worldwide. Please take note, the figures are for deaths, not those who get infected and are able to survive. An H5N1 pandemic could affect between 20 – 50% of the total world population.

If H5N1 has a mortality rate even half of its current rate, estimates of the deaths worldwide will range from 40,000,000 to 100,000,000. Even more important experts are predicting that the morbidity rate will be around 33% of the population. In the United States, current medical facilities would be overwhelmed having to support over 80 million sick individuals.

But the World Health Organization issues these warnings all the time

Why should we as business continuity planners be concerned? The World Health Organization (WHO) issues many warnings, for example a recent WHO advisory stated:

The World Health Organization has warned of the rapid spread of an atypical strain of pneumonia which appears to be resistant to conventional treatments. Reports of the illness have been received from Canada, China, Hong Kong Special Administrative Region of China, Indonesia, Philippines, Singapore, Thailand, and Viet Nam. Businesses should be aware of the risk to staff, especially those that have recently traveled to any of the affected countries. The new disease could be the cause of a global pandemic.

A recent Reuters story entitled, “Bird flu 'resistant to main drug'”, reveals that H5N1 is showing resistance to Tamiflu. The Lancet carried an article entitled, “H5N1 influenza pandemic: contingency plans” (The Lancet 2005; 366:533-534 DOI: 10.1016/S0140-6736(05)67080-8) written by Drs. Kenneth WT Tsang, University Department of Medicine, University of Hong Kong, Queen Mary Hospital, Pokfulam, Hong Kong SAR, China, Philip Eng, Department of Respiratory and Critical Care Medicine, Singapore General Hospital, Republic of Singapore, CK Liam, Department of Medicine, University of Malaya Medical Centre, Kuala Lumpur, Malaysia, Young-soo Shim and Wah K Lam, Department of Internal Medicine, Seoul National University College of Medicine, Korea, is highlighted below:

The current epidemic of the highly pathogenic H5N1 strain of avian influenza, with a mortality of 58%, appears relentless in Asia, particularly in Vietnam and Thailand.1 Although inefficient, there is some evidence of human-to-human transmission for the H5N1 virus.2 A possible catastrophic pandemic could, therefore, emerge should re-assortment of viral antigens occur resulting in a highly infectious strain of H5N1. Influenza pandemics in 1917–18, 1957–58, and 1968–69 have already caused approximately 15, 4, and 0·75 million deaths worldwide, respectively.

A vaccine for H5N1 will not be available in the foreseeable months. Even if pharmaceutical manufacturing begins soon after an outbreak, there would not be a sufficient supply for the countries most in need—ie, the Asian nations. Antiviral drugs are consequently the only specific treatment, pending availability of effective vaccines.

Governments and health agencies should also consider planning for clinical trials, for instance a combination of both neuraminidase inhibitors, with or without other potential novel drugs, such as short interfering RNAs and interferon.3 These trials, if initiated at the early stages of a pandemic, could provide useful information for further patient and outbreak management in later stages. The geographic location of vaccine manufacturers in developed countries would also delay poorer Asian nations from obtaining the updated influenza vaccine. Perhaps vaccine and neuraminidase inhibitor manufacturing activities should also begin in Asia to deal with such deficiencies. The ethics of maintaining drug patents in a potential worldwide catastrophe is questionable. Epidemiological modelling suggests that influenza is more infectious than severe acute respiratory syndrome, and that severe acute respiratory syndrome infection control measures might not be adequate for a pandemic of influenza.17 There will, therefore, be an overwhelming strain on health-care workers and hospitals in an H5N1 pandemic, and staff could be rapidly demoralised and degenerate into deserters, if colleagues develop hospital-acquired H5N1 infection, especially if not given adequate intensive-care unit treatment.18 Protection of core personnel should also be planned to underpin recovery in the aftermath, when many key players in health care and governmental institutions would have perished.

Gardener Harris of the New York Times writes in his article of October 7, 2005:

A plan developed by the Bush administration to deal with any possible outbreak of pandemic flu shows that the United States is woefully unprepared for what could become the worst disaster in the nation's history. A draft of the final plan, which has been years in the making and is expected to be released later this month, says a large outbreak that began in Asia would be likely, because of modern travel patterns, to reach the United States within "a few months or even weeks."

If such an outbreak occurred, hospitals would become overwhelmed, riots would engulf vaccination clinics, and even power and food would be in short supply, according to the plan, which was obtained by The New York Times.

The 381-page plan calls for quarantine and travel restrictions but concedes that such measures "are unlikely to delay introduction of pandemic disease into the U.S. by more than a month or two."

The plan's 10 supplements suggest specific ways that local and state governments should prepare now for an eventual pandemic by, for instance, drafting legal documents that would justify quarantines. Written by health officials, the plan does yet address responses by the military or other governmental departments.

Pandemic – Business Continuity Planners what are you doing?

We, as business continuity planners seem to be wary of addressing the issue of a pandemic as a viable scenario for planning. I recently did a tabletop simulation for a client and a presentation on pandemics at a business continuity summit for another client. The tabletop participants reflected on the experience and uniformly expressed to me that the tabletop was one of the most stressful and frustrating experiences that they had participated in. The business continuity summit attendees and many of the speakers who followed me, continued to comment on the material presented, stressing that they needed to rethink their plans. Participants in both events expressed the hope that a pandemic would not materialize.

Pandemics cause major economic losses due to absenteeism. Experts predict that during a pandemic up to 30% of the global workforce could either be off work due to sickness or stay away due to fear. Absence levels at the expected rates would cause severe problems.

The economic impact of H5N1 will be felt around the world. The impact will initially appear in two primary aspects of business. The first will be the availability of the workforce, the second and more unique impact will be in the market place.

Helen Branswell of the Canadian Press wrote on August 17, 2005 in her article entitled, “Flu pandemic could trigger second Great Depression, brokerage warns clients”:

A major Canadian brokerage firm has added its voice to those warning of the potential global impact of an influenza pandemic, suggesting it could trigger a crisis similar to that of the Great Depression.

Real estate values would be slashed, bankruptcies would soar and the insurance industry would be decimated, a newly released investor guide on avian influenza warns clients of BMO Nesbitt Burns.

"It's quite analogous to the Great Depression in many ways, although obviously caused by very different reasons," co-author Sherry Cooper, chief economist of the firm and executive vice-president of the BMO Financial Group, said in an interview Tuesday.
 

"We won't have 30-per-cent unemployment because frankly, many people will die. And there will be excess demand for labour and yet, at the same time, it will absolutely crunch the economy worldwide."
 

A leading voice for pandemic preparedness said the report is evidence the financial and business sectors - which have been slow to twig to the implications of a flu pandemic - are finally realizing why public health and infectious disease experts have been sounding the alarm.

"I think that this particular report really signifies the first time that anyone from within the financial world, when looking at this issue, kind of had one of those 'Oh my God' moments," said Michael Osterholm, director of the Center for Infectious Disease Research and Policy at the University of Minnesota.

"The financial world is finally waking up to the fact that this could be the boulder in the gear of the global economy," he said, suggesting a pandemic could trigger an implosion of international trade unlike anything seen in modern history.