NorthEast Disaster Recovery Information X-Change Annual Conference. Emergency Management for a Mobile Workforce. Newport, Rhode Island October 21, 2008. Overview of Booz Allen’s Business Assurance Program A Recent Case Study: Hurricane Ike Our response Lessons Learned
Agenda
• Overview of Booz Allen’s Business Assurance Program
• A Recent Case Study: Hurricane Ike
• Our response
• Lessons Learned
• Questions/Discussion
NEDRIX Annual Conference 2008
About Booz Allen Hamilton
• Privately-held, strategy and technology consulting firm
• Approximately 21,000 employees world-wide
• 150 offices in US, South America, Europe, Asia, Middle East, North Africa, and Australia
• $4.6B annual revenue
• Headquartered in McLean, VA
• July 2008, company split into 2 separate entities (gov and commercial consulting practices)
• In 2004, the Business Assurance program was established to coordinate the firm’s crisis/emergency management, business continuity, and enterprise risk management functions
[Diagram: Business Assurance. Labels: Consolidated Crisis Management; Incident Management; Situation Awareness; Decision Support; Enterprise-Wide Business Continuity; Business Continuity Planning; Business Resumption Planning; Vital Records Management; IT Disaster Recovery; Enterprise Risk Management; Operations Risk Management; Financial Risk Management; Integrated Security; IT Security; Personnel Security; Physical/Facilities Security]
The Business Assurance Office (BAO) leads the firm’s internal crisis/emergency management and business continuity activities
Pre-Incident/Ongoing
• Monitor, advise on, and mitigate risks to the firm
• Prioritize and direct preparedness and planning efforts throughout the firm
• Help local offices develop/maintain plans/capabilities
• Develop/maintain decision support architecture and tools
• Lead corporate BC program
During/After Incident
• Advise/assist local office leadership
• Lead corporate response/recovery
• Account for/communicate with/assist staff
[Organization chart labels: Firm Leadership Team; CEO; Strategic; Executive Business Assurance Team; Business Assurance Office; Global/Corporate; Local Office Incident Command Teams (ICT); Local; Response Level]
[Corporate Business Assurance Team: HR Finance IT Security Acquisitions Treasury Travel Facilities Law Dept Marcom]
Operating an emergency management program in a global, privately-held consulting firm presents certain advantages and challenges
Advantages
• Little reliance on fixed assets (facilities, IT, other property)
• Few external supply chain dependencies
• Intrinsic business continuity capacity – consultants just need a laptop and internet access
• Few external compliance drivers
Challenges
• Very rapid growth (>13% annual growth for past 15 yrs)
• High degree of employee turnover
• Strong emphasis on billability – little time or attention for non-billable activities
• Staff change projects, team, and locations frequently
• Cultural, regulatory, and technical differences among countries and clients
• Few external compliance drivers
Our approach was to develop a layered program to meet our business assurance objectives
Headquarters
• Business Continuity
  • BC plans for each HQ department
  • Critical processes defined (w/RTOs)
  • DR site for critical core applications
• Crisis Management
  • Corporate crisis management plan
  • Executive crisis management team
  • Emergency Operations Center
  • Emergency notification service
• Risk Management
  • Global risk monitoring vendors
  • Information sharing with public and private sector organizations
Local Office
• Business Continuity
  • Incident management plan (addresses crisis management and BC)
  • Minimal IT infrastructure onsite; able to be managed remotely
  • Arrangements w/local hotels for emergency space
• Crisis Management
  • Incident Command Team (ICT)
  • Emergency Operations Center (basic capability)
  • Emergency notification service
  • Evacuation/Stay-in-place plan
  • Disaster support kits (shipped to office immediately before or after an incident)
Project Team
• Business Continuity
  • Incident management plan (addresses crisis management and BC)
• Crisis Management
  • Team leader briefs staff on basic safety/security measures and tracks staff
  • Team leader coordinates with client’s safety/security POC
  • Security/crisis management plans and security vendor support for higher risk locations
Employee
• Business Continuity
  • Web-based backup for laptops
  • Telework program
• Crisis Management
  • 24/7 emergency hotline
  • Staff tracking (on business travel)
  • Medical evacuation coverage
  • Communication and accountability via emergency notification service
• Risk Management
  • Online safety/security information
  • Country risk ratings
  • Hard drive encryption
Case Study
Hurricane Ike – Houston, Texas
September 2008
Hurricane Ike – Incident Timeline
[Timeline figure. Dates shown: Sun Sep 7, Wed Sep 10, Thu Sep 11, Fri Sep 12, Sat Sep 13, Sun Sep 14, Mon Sep 15, Wed Sep 17, Fri Sep 19, Mon Sep 22]
Ike
• Cat 2; predicted track south of Houston
• Cat 3 over Cuba; predicted track into the Gulf
• Landfall at 0210 in Galveston; strong Cat 2
• TD Ike moves north through Missouri
• Cat 2 in Gulf; predicted track southern Texas
• Cat 2; predicted track Houston
Houston Office
• Staff make personal preparations; update contact info
• Final person accounted for
• Office reopens for normal business; welcome back party for all staff
• Office closes at noon
• ICT enters office and assesses damage
• ICT briefs staff on office hurricane plan
Corp HQ (Business Assurance Office)
• ID, contact travelers in area
• 1600: send message to staff
• EOC Operations
• Conference call with ICT to coordinate post-storm actions
• 1700: conference call with ICT
Hurricane Ike – Our Response
• Saturday and Sunday (Sep 13 and 14)
  • BAO sends automated message to Houston staff to start locating/accounting process after the storm
  • BAO conference call with Houston ICT each day to share information and coordinate next steps
• Monday – Friday (Sep 15 – 19), BAO operates our Emergency Operations Center (EOC) in McLean, VA and staffs the following roles:
  • Incident Commander – Manage overall corporate response and set response priorities, advise local ICT, set EOC operations schedule, brief executive team
  • Operations – Track progress of actions assigned to local and HQ staff, prepare sitreps
  • Information Management – Gather available information about the local situation, provide situational awareness to team and local ICT, create maps and other information products
  • Administration/Logistics – Maintain journal and lessons learned throughout the response, post guidance to affected staff on internal website and hotlines, send messages to staff using emergency alert system, monitor news for other threats or incidents, procure any necessary EOC equipment or materials
• Our daily operational schedule
  • 0800: Initial situation briefing
  • 1200: Mid-day situation update
  • 1700: Conference call with Houston ICT
  • 1800: Send daily status update message to Houston staff and sitrep to executive team
  • 1900: End of day wrap-up, capture lessons learned, and prep for next day
Hurricane Ike – Our Response
• We activated several support programs to assist Houston staff and manage the incident
  • Office Closure Leave – provides a charge number for employees to use while office or client site is unavailable
  • No-interest loans were provided to several staff to help cover home repair expenses
  • Leave donation – allows staff throughout the firm to donate vacation hours to Houston staff who may have ongoing home repair demands or other longer-term recovery issues
  • Employee Assistance Program (EAP) – access to crisis counselors via phone 24/7; also, onsite counselors were made available once the office reopened
  • Priority access to Marriott hotels for staff needing temporary lodging before or after the storm
  • Needs Registry – Internal company program to match needs of staff impacted by the storm with donors across the firm (clothes, small appliances, children’s toys, pots/pans, etc.)
  • Satellite phones for ICT, wireless cards and cell phone chargers for staff
  • Crisis Hotline – Toll-free number staffed by live operators 24/7
  • Facilities Status Line – Toll-free number to hear recorded updates and guidance from the firm
  • BAO website – we posted information about office status and support programs, guidance from FEMA and local authorities, shelter locations, school re-opening schedules, etc.
  • Corporate donor match program was implemented for Red Cross contributions
Hurricane Ike – Our Response
Fortunately, the storm had relatively minor impacts in terms of business continuity and disaster recovery
• Steps taken before the storm
  • Remotely shut down servers on Friday
  • Moved computers and equipment into interior offices
  • Secured documents in locked cabinets
  • Each employee prepared his/her own office and posted a completed checklist on door
  • Established special charge number to use if needed to capture disaster-related expenses for insurance claim
• Impacts after the storm
  • Office and main client site were closed for 6 business days (Friday-Friday)
  • Office suffered very minor damage – main delay in reopening the office was lack of access to the immediate area and power outages
  • Most employees were able to work remotely as long as they had power at their location
  • We coordinated for alternate space in hotel if needed (this wasn’t required)
  • Restoration vendors were available if needed to repair damage to equipment or paper records
Hurricane Ike – A few lessons (re)learned
• When communicating with staff, use a combination of active (phone, email, SMS, etc.) and passive (websites, hotlines) methods to deliver the same message – staff may have access to one method but not another
• During an emergency, human nature and emotional reaction may trump training and written procedures/schedules – as planners, we must anticipate and account for this in advance where possible and expect to be flexible during the response
• The effectiveness of office emergency and BC plans hinges on the effectiveness of staff personal preparedness and planning
• Staff not involved in the emergency or BC program are often uninformed about the office’s plans; be sure to brief them beforehand on what the firm expects them to do after an incident
• During response operations, force frequent internal status/situation updates for personnel in the EOC or managing the response – in an emergency, personnel become narrowly focused on their specific roles/assignments and this can inhibit effective information flow
• Research and document websites that may be needed in an emergency beforehand for each company location (include local news stations, property management companies, utilities, local government sites, etc.)
• The human element is by far the most critical part of the response
• You cannot fully move beyond crisis management until all of your employees are accounted for
• If your employees went through an emotionally trying experience, make crisis counselors available in-person when staff return to work – people are much less inclined to speak to someone over the phone
• Managing a response effectively and with empathy can produce a great sense of community and company loyalty among your employees and lead to a stronger, closer, more cohesive office
Questions?
Ray Thomas
• Office phone: 703.377.4232
• Email: thomas_ray@bah.com