While electric and gas utility companies have developed business continuity and disaster recovery plans in the past, the challenging economic environment of recent years has caused utilities to both accelerate new plan development and strengthen existing plans. Increasing threats such as pandemics, natural disasters and physical and cyber security attacks have changed the landscape and highlight the need to revisit business continuity management.
Michele Guido answered a series of questions posed by marcus evans before the forthcoming Business Continuity & Organizational Resilience Conference, July 16-18, 2013, in Atlanta, GA. Michele shares how to effectively utilize the incident command system.
How was the business assurance program with Southern Company originally initiated and implemented? How long did it take to get where you are today, and what were some of your challenges along the way?
Michele Guido: Business Assurance is defined as “the confidence in our ability to maintain business-critical operations during an unexpected disruption.” Preparedness is institutionalized across Southern Company and its operating companies. Over the past 10 years, we have transformed from project to program to culture.
The Business Assurance program supports this transformation through three key elements: Protect, Prepare, Respond. The elements focus on minimizing or eliminating the impact of events that have the potential to disrupt critical business operations, functions or services. There are many owners and vehicles to support the program from evacuation, safety, storm operations, business continuity, risk management, crisis communication and compliance. Many of these programs have been established and operationalized across Southern Company over many years. This represents our culture.
An opportunity presented itself to place “all” of what we do under one umbrella called the Business Assurance program. Another was to develop supporting policies to ensure compliance. Ongoing executive support was another critical path to implementation. The Business Assurance program reports to an executive council that sets prioritization of work, ranging from policy to engagement. The council meets on a quarterly basis. Advisory and working committees meet on a regular basis to support policy implementation during steady state and as needed during an incident. Our Business Assurance department is the enabling arm of the program. However, ownership is across the company from executives, business unit managers, information technology, enterprise risk, legal, compliance, facilities and security.
With all of Southern Company’s subsidiaries and vast operations, how do you ensure each group, department, etc. stays up to speed with their individual business assurance plans?
MG: Southern Company is focused on providing our customers clean, safe, reliable and affordable electricity. In the context of reliability, being part of our nation’s critical infrastructure emphasizes the need for the prioritization for critical functions and services. Our program is a business issue. It’s managing risk across the enterprise along with stakeholder expectations.
At a high level, Southern Company has adopted and institutionalized the concept of all-hazard planning for both electric and corporate operations. This approach to planning ensures understanding of critical processes, associated business infrastructure (technology, personnel, data, facilities, etc.) and interdependencies, both internal and external. Needs may be unique for a group, but the approach provides viability, sustainability and consistency. Policy and procedures have ensured this across the enterprise. An example is the annual exercises that must be conducted at many levels to stay in compliance with the policy.
What types of exercises, drills, or dry runs do you perform for the multitude of potential disasters that could affect Southern Company’s operations?
MG: Plans are developed, maintained and exercised on all levels throughout the enterprise. Plans include continuity of operations, incident response, crisis management, storm response, emergency management (fire/tornado/hostile intruder/etc.) and disaster recovery for our business infrastructure (technology, network and data).
As an example, Southern Company’s operating subsidiaries maintain detailed and dynamic disaster recovery plans for storms along the Gulf Coast. These plans are graduated based on the expected damage from the five categories of hurricanes, with specific responses and actions identified for each. Our plans provide for flexible and decentralized authority to make decisions as close as possible to the disaster. Hurricane season begins June 1st, but planning and exercising are year-round.
Education and awareness are vital to success. We practice and routinely revise the plans as we gain new experience, whether that be through a hurricane, tornado or technology failure. Continuous learning in an organization is a critical component to achieving superior performance. Lessons learned are captured through a root-cause analysis and post-mortem meetings.
How do you manage the various public-private partnerships Southern Company has during the stages of the business assurance plan (protect, prepare, respond)?
MG: Southern Company is an industry leader in all facets of reliability and resilience. Southern Company’s leadership and active participation in significant forums and initiatives with the Homeland Security Enterprise (HSE)[i] continue to be a priority as Southern Company is an important member of the nation’s critical infrastructure.
Our HSE objective is to support the shared mission of resilience and national preparedness. Resilience for HSE refers to the ability to adapt to changing conditions and withstand and rapidly recover from disruption due to emergencies. National Preparedness refers to the actions taken to plan, organize, equip, train, and exercise to build and sustain the capabilities necessary to prevent, protect against, mitigate the effects of, respond to and recover from those threats that pose the greatest risk to the security of the Nation.
This strategy is also shaped by external bodies through FERC, NERC, DOE, EPA, for example, as well as future and existing Federal legislation and State regulations through our Public Service/Utility Commissions.
Continued participation clearly promotes Southern Company’s commitment to preparedness and to bridge existing gaps between the public-private sectors. Commitment to bridge gaps is proactive and demonstrates partnership, while supporting the National Infrastructure Protection Plan (steady state) and National Response Framework (crisis state).
[i] HSE includes public sector entities; DHS, DOE, DOD, FEMA and the nation’s critical infrastructure owners (public and private).