Oil Industry Business Continuity Plan

Glenn F. Epler
Science Applications International Corporation
1213 Jefferson Davis Highway, Suite 1500
Arlington, Virginia 22202

ABSTRACT: U.S. federal and state regulations require industry to develop and maintain detailed crisis and emergency response plans. These plans are, for the most part, well thought out and detailed. As a result, along with extensive training and exercise programs, industry preparedness is better than it has ever been to respond to and manage an emergency. But how well prepared is industry to handle the business or operational continuity aspects of a crisis or emergency? What plans are in place to deal with the requirement for continuing essential business functions in the face of a disaster? If a major incident occurs to a refinery, terminal, or offshore production platform that requires it to be taken off-line, or damages it beyond repair, are there plans in place to minimize the impacts on the rest of the organization and on the downstream customers? How will this be done simultaneously while managing the response?

This paper addresses those needs and discusses the requirements that companies in the oil and chemical industry should consider in developing business and operational continuity plans. It explains a multi-step planning process that is being used by many companies around the world to maintain their business edge when a crisis or disaster strikes. This planning process includes such functions as conducting a risk analysis and business impact analysis, developing mitigation and recovery strategies, drafting a continuity plan, developing an awareness program, and building a training and exercising program. The paper also looks at the similarities between business and operational continuity plans and a company’s emergency or crisis management plan and addresses ways in which the plans may be integrated.

Introduction

Managers and executives at all levels of a company are paid very well to manage crises and disasters and often do so on more occasions than they care to remember. While not all of these incidents are newsworthy, industry is no stranger to incidents with the potential to disrupt an organization’s income sources, operating expenses, stock price, competitive position, and ongoing business, not to mention potential governmental intervention and regulatory changes. The refinery, pipeline, offshore platform, or oil terminal is a profit center in today’s business world, yet many corporations do not focus business continuity planning efforts in these locations. Many corporations today that rely on their particular facilities to generate and maintain a certain level of business are overlooking the importance of business continuity planning for facilities and other infrastructure. This problem primarily is due to most plants and facilities not having experienced the level of crisis or disaster where long-term business viability and success are called into question.

So how well prepared are most organizations to handle the business and operational aspects of a crisis? How much training and exercising in the area of business continuity and business resumption is being conducted by these organizations? In every major environmental incident, there is always the constant tug between the regulators and the stockholders—each pulling the organization in a different direction to satisfy their own particular needs. When responding to a major refinery explosion and fire, or a major oil spill into one of the region’s most environmentally sensitive areas, when will business issues be addressed? How should customers learn of a crisis? How will those contracts affected by the loss of that product or service be handled? Who is responsible for these issues? If customer and stakeholder needs are not met in a timely manner, will they turn on the company or abandon it? The business continuity message presented here is that it is nothing short of due diligence on the part of management to develop a mechanism that responds to major environmental disasters without losing the ability to continue the core business.

Business continuity process

Business continuity can be defined simply as a good business practice—an effort to assure that the capability exists to continue essential company functions across a wide range of potential emergencies. Developing a business-operational continuity plan may seem like a huge task, but in actuality, it is a common-sense document that offers valuable insight into business operations. It involves identifying those functions and processes that are critical to business, then designing contingency plans to deal with the potential disruption of one or more of those functions and processes. Business continuity planning is not new. Most companies and organizations developed and exercised Year 2000 plans. Now those companies and organizations need to apply those principles and practices to potential oil and petro-chemical industry business disruptions, such as a major vessel grounding and spilling oil or refinery explosion and fire. The continual reliance on computers, databases, and other electronic information transferences will cause the concept of business-operational continuity planning to become the basis for crisis management in the twenty-first century.

Government regulations motivate most companies to conduct field- or facility-level planning. For the most part, the regulations are adequate for dealing with emergencies, but adding information on continuing business operations certainly could enhance the planning effort. Most companies do not want to go beyond the planning required by those government regulations for various reasons, one of which is the higher costs associated with the additional planning effort. Not only does a company have to deal with environmental cleanup costs and liabilities associated with a major oil spill and the cost of repairs to rebuild the facility and infrastructure, but it also has to deal with potential impacts to its customer base (revenue streams) because of non-performance of existing contracts and the ability of competitors to quickly pick up this business. A well thought out plan to continue business becomes a necessity.

So what is a business continuity plan (BCP)? It is a management strategy and set of procedures that defines how a business or corporation will continue its critical functions in the event of an unplanned disruption to its business activities. As with developing any type of crisis management and emergency response plan, business-operational continuity plans start with the process of defining the organization’s vulnerabilities to business disruptions and eventually developing contingencies to handle those vulnerabilities (if they cannot be removed or mitigated in some fashion).

The risk of potentially disastrous losses from business interruptions compels planners to use a common methodology for business resumption planning. This common approach includes ten basic steps under a program developed by the Disaster Recovery Institute International (DRII). This program has been in existence for a number of years and has proven effective in many major business disruption responses. The process outlined below by DRII is similar to the process used by the oil industry in developing crisis and emergency management plans, as explained later in this paper. These ten steps include:

1. Project initiation establishes the need for a BCP, which includes obtaining management support and organizing and managing the project to completion within established time and budget limits.
2. Risk evaluation and control determine the events and environmental surroundings that can affect an organization and its facilities adversely, the damage such events may cause, and the controls needed to prevent or minimize the effects of potential loss.
3. Business impact analysis identifies the potential impacts resulting from disruptions or facility losses that can affect a company, and the techniques that can be used to quantify and qualify such impacts. Critical functions are identified, their recovery priorities established, and interdependencies determined so that recovery time objectives can be set.
4. Developing business continuity strategies will determine and guide the selection of alternate business recovery operating strategies for a business while maintaining the company’s critical functions. This shows how a company will continue to operate after an explosion and destruction of a large refinery or while responding to a major oil spill.
5. Emergency response and operations involves the development and implementation of procedures for responding to and stabilizing the incident. Human safety and health are always the first concern in any crisis or emergency situation. When an incident or disaster occurs, these crisis or emergency plans should be implemented immediately, with the business concerns and issues being a secondary priority. In the oil and chemical industry, these plans normally already exist, but the BCP should be compatible with the procedures in the response plans.
6. Developing and implementing BCPs involve the development and implementation of a BCP that provides for recovery within the recovery time objectives developed during the business impact analysis.
7. Awareness and training programs create corporate awareness of a BCP and its associated procedures, and enhance skills required to develop and implement a BCP.
8. Maintaining and exercising BCPs help to plan and coordinate exercises, and evaluate and document exercise results. This also allows for the development of a process to maintain the response capabilities and the plan document in accordance with the company’s strategic direction. Major exercises often involve both BCP and emergency response plans.
9. Public relations and crisis coordination provide guidance to work with the media during a crisis or emergency situation. This also outlines information on how to provide crisis communications, such as dealing with key customers, critical suppliers, stockholders, employees and their families, and corporate management during a crisis. It also deals with crisis counseling for those employees or non-employees as required.
10. Coordination with public authorities establishes applicable procedures and policies for coordinating continuity and restoration activities with local authorities while ensuring compliance with applicable statutes or regulations.

The above described business continuity process is similar to the process commonly used to develop crisis and emergency management plans. The two can be combined to develop and maintain a truly integrated and comprehensive contingency plan that includes information mandated not only by regulatory authorities, but by fiduciary responsibilities as well.

General planning guidelines

A crisis is an event or series of events that threaten to fundamentally alter the way an organization conducts business. It can be a significant business disruption that stimulates extensive news media coverage with the resulting public scrutiny having a large effect on the organization’s normal operations. The crisis could also have a political, legal, financial, and governmental impact on a business. There are four basic causes of a business crisis:

• Acts of God, such as earthquakes, storms, volcanoes, etc.
• Mechanical problems, such as ruptured oil/gas pipelines, tank and valve failures, vessel groundings, etc.
• Human judgment or errors, such as opening the wrong valve, miscommunication, or navigating a vessel aground, etc.
• Management decisions/indecisions, such as a problem that is perceived as not being very serious and that nobody will discover

All could have huge impacts on the way an organization responds to and continues to conduct business. And without an adequate crisis and emergency management plan, as well as business continuity planning guidelines in place, the organization will surely struggle to exist.

In many cases where the crisis already has occurred, or it is inevitable that the crisis will impact key stakeholders, a BCP will minimize the disruption and financial damage. A crisis or emergency management plan that does not address continuity planning is unlikely to achieve these results. Maintaining essential operations while responding to a disaster is a strategic, moral, and legal obligation to one’s company and its stakeholders. Just as industry spending billions of dollars each year on technology to maintain a competitive edge is viewed as being prudent, not having a BCP to continue operations is an indication of corporate negligence. Standards of care and due diligence are required of all companies; not having a plan violates the fiduciary standard of care.

What basic elements are needed in a plan? Every good response-planning document should contain three sections/areas of information on how to deal with a catastrophic incident. These areas include:

• Crisis and emergency management procedures
• Crisis communications procedures
• Business continuity procedures
                                                                                        POLICY PLANNING CAPACITY                       905

As an integrated plan is being developed, the difference between crisis management, crisis communications, and business continuity needs to be clarified. And where should the line between management, communications, and business concerns be drawn in a crisis? That line should not be drawn. In fact, one should do everything possible to coordinate management, operational, and communications response to any major environmental incident. In reality, response efforts should all work in parallel. The crisis and emergency response teams are working toward resolving the life, health, and safety issues; the communications team is providing the media and key stakeholder groups pertinent information; and the business continuity team is dealing with maintaining the company business and profitability.

In addition, while building an integrated plan, other questions will surely be asked. At what level does the oil spill become a crisis? When should the crisis communications plan be implemented? When should one become concerned with business issues? What are the trigger points for making this decision? On this subject, trigger points should be clearly defined and well understood by all response team members. Criteria that describe the severity of the problem should be used to determine the type of response that will be provided. These criteria should also be an integral part of business continuity planning and be built into both crisis management and crisis communications sections of a plan. The importance of these criteria is that they will trigger separate responses by:

• Response team members who have to get the oil spill under control as quickly as possible so normal business can be resumed
• Top management who have to allocate resources, handle stockholders, deal with legal issues, maintain company image, and make other critical decisions needed to maintain the company business
• Communications personnel who have to proactively get the company’s message out while making sure all stakeholder and media interests are met

As indicated above, the process for developing crisis and emergency management plans is similar to developing BCPs. The planning process used in developing any type of crisis and emergency management plans may be consolidated into the following phases:

• Project initiation phase: The problem initially is identified and detailed. The objectives and the scope of the plan are laid out, budget and resources identified, and final approval given by management.
• Functional requirements phase: Details of a risk assessment are obtained and alternatives identified during this fact-gathering phase. A business impact analysis and risk assessment are conducted, along with a process for identifying mitigation strategies and acceptable risks.
• Plan development phase: The plan becomes a reality, a written document. Not only is a company looking at crisis and emergency response procedures, but it also should be considering plan components such as alternate Emergency Operation Center site locations, handling of vital records, escalation and de-escalation procedures, and business continuity, resumption, and restoration procedures. The integrated contingency planning guidelines developed by the National Response Team provide a good framework and meet their conceptual objectives, but they do not go far enough in the planning model to provide for business-operational continuity information.
• Training and exercising phase: Once the plan is developed, personnel need to be trained on its contents. As a final link to the planning process, the plan needs to be exercised on a regular basis to determine its validity and effectiveness. Once deficiencies are determined, the plan then needs to be refined.
• Plan maintenance phase: While this appears self-explanatory, this phase often is neglected. All plans should be reviewed at least annually or whenever new policies and procedures are developed. A plan review schedule should be developed and a budget assigned, with reviews being conducted periodically, such as after conducting an exercise or responding to an actual incident.

Organizational responsibilities

Crisis situations typically require managers to make critical business decisions under extreme pressure and in most cases using incomplete and insufficient information. By defining in advance what core crisis management and business continuity steps need to be taken and how they should be conducted, corporations can reduce some stress on their staff during a crisis. This advance work may increase the efficiency of their response and may reduce the financial impacts on the company. Previously, a definition for a crisis was presented; however, this will vary from company to company, as the types of events or incidents that can alter the way a company chooses to do business vary. A specific event that may have a substantial impact on a small company may have little impact on a large company working in the same business line. How a company responds to a crisis event may make all the difference when the stock prices come out the next day.

Prevention and preparation are two key areas where a company can make huge impacts when responding to a disaster or crisis event. They also will have large impacts on the cleanup and eventual litigation costs when responding to an incident. Anything that can first be prevented from occurring—through such programs as enhancing safety standards, inventory control, or engineering design—is always the first step in risk reduction. If the potential incident cannot be prevented from occurring, then the company must be prepared to respond to it. The question is not if, but when, the crisis will occur.

A standard rule of thumb of crisis management is to influence the course of the crisis, not just respond to it. By being proactive, a company’s crisis management team often can prevent a situation from escalating into a crisis, or can mitigate its financial impacts. Being prepared to handle the potential business impacts of such an event is as important as dealing with the emergency aspects of the response. And in most cases, the company should be able to respond to and deal with both (emergency and business continuity) responses simultaneously. Having an experienced and trained response organization in place is necessary to maintain that business edge once a crisis or disaster strikes.

All too often, companies emphasize developing crisis and emergency management plans as the cure-all for responding to an incident. Granted, a good plan is very important, but in the long run, companies should be engaging in a process for developing an overall capability to manage the crisis or disaster, then documenting that capability in a suitable plan. Plans should reflect current capabilities, not desired capabilities. The plan and ultimate response are only as good as the organization managing the incident. That response organization should be designed so that it will be able to satisfy the overall response objectives of the company.

There are many different types and levels of crisis and emergency management organizations throughout the oil industry, each with its own set of company objectives and goals. No matter how large or small the company, however, certain response objectives must always be met. In any incident, response issues such as human health and safety, logistics, personnel and equipment support, financial, legal, human resources, and communications will always need to be addressed. However, at what level, and by whom, should these be handled?

In most cases, a tiered approach to respond to a potential crisis or disaster is recommended. At the field location, the emergency response organization responds to the crisis event and is usually organized in an incident command structure of some type. Here is where the tactical planning for the response is being conducted. The facility response team will be focused on dealing with the emergency, and once that phase is over, its focus will then be on rebuilding the facility or repairing the damage caused by the incident, commonly referred to as business resumption. Additional company support in such areas as finance, personnel and equipment, legal, human resources, media, and business continuity should come from either the company headquarters or the business unit headquarters, depending on the size and makeup of the corporation.

For many larger companies, a three-tiered approach is common with an incident support team (mid-level team) managing the crisis or disaster at the business unit level and a crisis management or executive management team (senior-level team) at the headquarters level. The incident support team would be responsible for providing assistance to the field-level team in such areas as legal, financial, human resources, crisis communications, and marketing, as well as focusing on the continuing business concerns for the business unit. The crisis management or executive management team would consist of very senior-level managers at the corporation headquarters tasked with handling the impacts of the crisis on the overall corporation and its stockholders, as well as continuing those strategic business functions not impacted by the incident. For smaller companies, these two senior-level teams (incident support team and crisis management team) easily can be combined into one crisis management team that would then be tasked with not only providing assistance to the field-level response, but also dealing with the business continuity issues and strategic response plans for the corporation and its stockholders.

It is important that each individual responder understands how he/she fits into the response organization, what his/her responsibilities are, and what the roles and responsibilities are of each group in the corporation. Otherwise, overlaps or shortfalls will occur, and the response will not be managed as effectively or efficiently as the stockholders and general public would expect. It is also important that the members of the response teams understand the distinction between crisis and emergency management and how the business continuity issues need to be addressed during the early stages of the response operation.

Plan comparison

The following planning matrix (Table 1) outlines and compares the plan requirements of four commonly accepted standards—Area Contingency Plans (ACPs), local emergency planning committee plans (LEPCs), facility response plans (FRPs), and integrated contingency plans (ICPs)—for oil spill response plans to those generally found in BCPs.

What a comprehensive contingency plan needs

The integrated contingency plan (as outlined by the National Response Team guidance) is an excellent model for creating an emergency response plan and covers all aspects of responding to a major oil spill. A local facility manager, however, needs to be aware of business continuity issues and priorities, and what his/her roles and responsibilities are to maintain the business when a crisis or disaster strikes. Some of these concerns and decisions will center on such areas as upstream suppliers and downstream customers, the decision to rebuild or replace, work status of employees, production level changes, procedure modifications, etc.

The focus of this plan comparison is on developing comprehensive response plans, from both a field-level and an incident support team perspective. There are many different concepts on how to develop a contingency plan and many more formats for writing the actual plan. It does not matter whether the plan is required by law, regulation, or company policy; most response plans should contain overall planning elements such as prevention, response, business continuity, and restoration. The plan should be able to address all aspects of dealing with a crisis or emergency ranging from prevention practices to getting the company back into normal operation. In addition, plans should be user friendly and, in many cases, should include information on responses to any type of hazard (e.g., fire, explosion, oil spill, natural disaster, terrorism, etc.).

A comprehensive response plan should include information in the following areas:

• Scope and background information
• Risk analysis
• Business impact analysis
• Prevention programs
• Health and safety plan
• Initial assessment and mobilization
• Notification procedures
• Forecasts of oil movement
• Resources at risk
• Response strategies and techniques
• Recovery teams and procedures
• Investigation procedures
• Contractor/support listings
• Alternate site location and setup
• Demobilization
• Response management organization
• Roles and responsibilities
• Crisis communications/public affairs
• Facility specific information
• Product information
• Training and exercising requirements
• Business continuity procedures
• Documentation requirements
• Concept of operations
• Humanitarian assistance
• Post incident review
• Waste management
• Evacuation/shelter in place requirements
• Communications
• Plan maintenance and review

                                                        Table 1. Planning matrix.
     Plan components                                                 ACP       LEPC (SARA)         FRP         ICP          BCP
     Applicability, purpose and scope                                X              X                          X            X
     Background, geographic boundaries and other policy              X                                         X
     Listing of facilities subject to rules                                         X              X           X
     Facility identification information                                                           X           X
     Transportation routes for hazmat                                               X
     Identification of at risk facilities and locations                             X                          X
     Identify critical functions; develop recovery strategies                                                               X
     Risk/hazard analysis and mitigating factors                     X              X              X           X            X
     Business impact analysis                                                                                               X
     Planning organization                                           X
     Emergency response levels                                                                     X           X
     Product information (MSDS)                                                     X
     Potential scenarios and action plans                            X                                                      X
     Trajectory modeling                                                            X                          X
     Listing of response equipment, support facilities and           X              X              X           X            X
        personnel (private and government)
     Health and safety                                               X                             X           X
     Assessment/discovery                                                                          X           X            X
     Notification procedures (internal and external)                                X              X           X            X
     Response operations (during emergency phase)                    X              X              X           X            X
     Response management system/organization                         X                             X           X            X
     Identify recovery teams                                                                                                X
     Alternate site location and setup, off-site storage                                                                    X
     Response techniques                                                                           X           X
     Recovery and demobilization (after emergency phase)                                           X           X            X
     Waste management                                                                              X           X
     Communications procedures (internal and external)               X                             X           X            X
     Public Affairs information                                      X                                         X            X
     Humanitarian assistance concerns (injuries, deaths, etc.)                                                              X
     Training and exercising plans, schedules and programs           X              X              X           X            X
     Plan maintenance and review procedures                          X              X              X           X            X
     Accident review and investigation                                                                         X
     Incident Documentation (administrative and financial)                                                     X            X
     Prevention                                                                                                X            X
Note: ACP, Area Contingency Plan, LECP, local emergency planning committee plan; FRP, facility response plan; ICP, integrated
contingency plans; BCP, business continuity plan.

   Granted, the particular facility being impacted by the incident may not be the main
provider of all information or services mentioned above, but specific information needs to
be available on how to obtain additional assistance and advice from corporate management
teams. Most oil spill response plans, however, do not contain these elements since they
usually are developed in accordance with regulatory requirements that rarely require a
corporation to plan for its continuing business success.
   Contingency planning, including business continuity, is a necessity that has turned out
to be beneficial in more ways than expected. Beyond ensuring a business function’s viability
during and after a crisis or disaster, contingency planning efforts have led to significant
improvements in the daily operations of many business units. In addition, no other process
does a better job of making a corporation assess its operations and processes than the
structured process of planning what to do when your refinery or vessel, the full staff,
information systems, and communications are no longer available.
   Contingency planning for the long-term business success of a company is traditionally a
primary responsibility of senior management at a headquarters location. But over the past
decade, the trend has been to move this decision making to strategic business units. And in
many companies, those strategic business decisions are being delegated to plant, terminal,
and facility managers. These are the people that are not only responsible for safeguarding
their existing operation, but they also need to have plans in place to protect business
processes and procedures when a crisis occurs. After all, this is where the company makes
its money and is of primary interest to all stockholders, so naturally this should be the
level where business continuity begins. The goal is to develop one plan that covers all
incidents, from a small spill that could have partial impacts on business profitability to a
major incident where the entire business operation comes to a halt. How well this is planned
for will dictate the success of the company.

Biography

   Glenn F. Epler has over 24 years of experience in planning, training, exercising, and
response, 18 of which were with the U.S. Coast Guard. He worked extensively in the emergency
management field, in both preparing for and responding to maritime incidents. Mr. Epler
reviewed and developed numerous crisis management and emergency response plans dealing with
natural and man-made disasters.
