The purpose of this analysis is to develop a risk management/business contingency plan for a client. The legal department and IT department have both expressed concerns regarding ethical use and protection of sensitive data, customer records, and other information system content. In the interest of creating confidence and job satisfaction in this new position, my new employer has decided to allow me to select your first client.
In this task the following will occur:
A. Create a risk register with eight risks currently facing the business to include the following:
1. Explain how one of the identified risks emanates from an aspect of the company’s global marketplace activities.
2. Discuss the sources of each risk.
3. Evaluate the risk level for each risk in terms of severity of impact, likelihood of occurrence, and controllability.
4. Develop an appropriate risk response for each risk to reduce the possible damage to the company.
B. Create a business contingency plan (BCP) that the company would follow if faced with a major business disruption which would include the following: 1. Analyze strategic pre-incident changes the company would follow to ensure the well-being of the enterprise. 2. Analyze the ethical use and protection of sensitive data. 3. Analyze the ethical use and protection of customer records. 4. Discuss the communication plan to be used during and following the disruption. 5. Discuss restoring operations after the disruption has occurred. C. Create an implementation plan in which you recommend ways of implementing, monitoring, and adjusting the BCP.
B.A.Medical Design and Manufacturing (the company) is one of the fastest growing global manufacturers of durable medical equipment. The company has a global presence in North America, South America, Central America, Europe, The Middle East, and Asia and. distributes and markets its products in these regions. The company offers a complete line of durable medical equipment and is dedicated to its customers by offering the best quality and most functional products for its broad spectrum of health care providers and customers. The company’s motto is “B.A. Medical is always on the move”. A risk is or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and a probability that may be avoided through preemptive action.(“Risk definition,” n.d.).
The company is seeking to avoid potential risk by identifying risks, quantifying risks, categorizing risks by sources, likelihood of occurrence, severity of impact, controllability and the proper response in case the risk does occur. A risk register is a document containing the results of the qualitative risk analysis, quantitative risk analysis, and risk response planning. The risk register details all identified risks, including description, category, cause, probability of occurring, impact on objectives, proposed responses, owners, and current status.(Risk Register Template, n.d.). On the following page of this document is the risk register established for the company.
Risk Register for B.A. Medical Design and Manufacturing
Likelihood of Occurrence*
Severity of Impact*
Private information for patient sent over the internet
Director of HIPPA
Data entry technician sending information over internet versus intranet Medium- Data entry technicians often move between internet and intranet. Technician performance is measured by quantity of entries along with accuracy. High-Violations can cause fines up to $50,000 per occurrence. Willful neglect can be cause for termination of employee and imprisonment. Fines can be imposed up to $1,500,000 annually to company. High- New hire training in regards to HIPPA . Annual training for all employees. Companywide notification to all employees of all violations.
Hurricane hits and causes massive physical damage
High-Asian market area has a high incidence of hurricanes and tropical storms High- Despite facilities being soundly constructed, the unpredictability of storms intensity can still cause severe damage Low- no control over weather
Supplies unable to be delivered to South America facility
Political and social unrest has caused transportation to be blocked. CEO logistics department
Low- South American country where facility is located is dealing with elections and civil unrest Medium- Government in power has strong military and police forces and backing of the U.N Low- keeping in communication with country’s commerce secretary for status and reassurance
Loss of confidential company information
Disgruntled employee has leaked confidential information
Company security department
Low-company’s employee agreement states any release of confidential material without consent will lead prosecution and termination High- the company has patented products and agreements with suppliers which stipulate confidentiality in regards to pricing Medium- auditing and IT security constantly monitor communications Production stoppage because of machinery breakdown
Older machinery has potential to fail
Director Facility/Production department
Medium-The original North American facility located in New York is approaching twenty years in existence. Medium-any production delay can cause issues with deliverables. The company has the capacity to increase production at other locations. High- company can actively inspect and repair or replace equipment and update equipment systematically Private patient information compromised
Theft of patient data by computer hackers
Director, IT Security
Medium- the company is constantly monitoring any unusual activity and has a number of firewalls in place High- any breach of patient confidentiality is a violation of federal laws in all jurisdictions where the company does business Medium-External manipulation is hard to stop, but measures are in place to block and detect occurrences Loss of communication
Server crash has halted ordering, communication, and processes
Director IT Department
IT Business continuity
Medium- the company has additional servers at each facility and all information is constantly backed up High- any breakdown in technological ability would be detrimental to the company High- the company has the ability to retrieve any information centrally and from outside data storage specialist. Emergency servers can offset problems quickly Discrimination Title VII of the Civil Rights Act
Employee feels they were denied a new position based on a physical disability Human Resources Director
Low- job descriptions list task requirements for positions High- Any
incident looked upon as discriminatory is illegal and give negative perception by customers of the company High- The company has strong hiring and promotional procedures in place to ensure a fair and equitable work environment
A1. Global Risk:
The company has experienced phenomenal growth since its inception nearly twenty years ago in 1995. It has grown from a distributor of durable medical equipment to a manufacturer and supplier of the products. The company now has patented a number of products and continues to seek more innovative ways to improve rehabilitation and quality of life for patients. It also has developed a strong relationship with distributers and providers by consistently delivering outstanding products. Expansion has now reached some four different continents and twelve different countries. Columbia, where one of the company’s three facilities in Latin America is located, is dealing with political and social unrest.
The Royal Bank of Canada released a report where it ranks countries by political and social unrest. Columbia was the only country outside of Africa and the Middle East in the top ten. (Mejia, 2011) In seeking to continue its global growth, the country must always do its research and due diligence in seeking areas that are safe and socially and politically stable. Colombia has a rapidly growing economy and the recent study suggest issues and not political ones could cause concern. Global risks will continue to rise in areas of social and political issues as the company continues to expand worldwide. A2. Discuss the source of each risk:
The source of the first risk, a HIPPA violation, is a potential entry error by data entry clerk. The data entry clerks have access to both intranet and internet on their computers. Some functionality is similar in order for processes to occur externally and internally. The source of the second risk, a hurricane, is a natural disaster. Whether its climate change or standard historical cyclic shifts in the weather, Natural disasters have been on the increase worldwide. Our Asian facility in Taiwan appears to be the most at risk because of tropical storm and hurricane history of region. However, a hurricane can hit anywhere, especially along coastal regions. The third risk was discussed in A1. The fourth risk involves a disgruntled employee leaking classified or proprietary business information. The company has grown exponentially and continues to add employees and business partners and clients. The way the company does business continues to evolve, so concerns of information protection are highly relevant. The fifth risk involves machinery breakdown, a mechanical source.
The company is approaching its twentieth year, having been founded in 1994. About thirty percent of the machinery used in production was purchased in the first five years of the company’s existence. All machines have the potential to breakdown or fail, that being said, dated machinery has even a greater potential. A great example is an older automobile. Even with low mileage, older vehicles are subject to rust, corrosion, or the drying out of rubber based components. Even lubricates, dry out over time. The sixth risk involves patient private information being compromised, which is an IT security source. A hacker is someone who gains unauthorized access to a computer or a computer system. The intention is to gather information or to cause damage. (“Hacker,” n.d.) Whether actually trying to gather information or the thrill of gaining access or the sick joy gained from corrupting or destroying others hard work, there are a great number of hackers in the world.
Once a computer or computer systems have been hacked, the integrity of the system cannot be guaranteed. The seventh risk involves a communication or data system failure. This is an IT business continuity source. A server is a computer that provides data to other computers. Servers are the brains that drive or command other computers. They send out the commands thru software programs that dictate the operations set forth by the company. Servers also help to store data, collect and send information, and develop a level of continuity throughout a network system.
A server or servers crashing or breaking down can cause minimal or massive interruptions of business activities, depending on the role or roles that the server or servers play. The eighth risk involves a Title 7 discrimination issue. The source of the risk is human resources. An employee who feels he or she is being discriminated against for a physical disability is protected by Title 7 of the Civil Rights Acts of 1964. This Act prohibits discrimination in employment on the basis of sex, race, color, national origin, and religion. It applies to employers with 15 or more employees, including federal, state, and local governments.
A3. Evaluate Risk level of each risk:
Risk levels are evaluated on three parameters:
Their likelihood of occurrence
Their severity of impact
These parameters are ranked as low, medium, and high. All parameters are connected and relevant to one another in evaluating the risk. Example: A risk with a high severity of impact but a low risk of occurrence and a high controllability would cause minimal damage to a company. Conversely, again a risk with a high severity of impact and likelihood of occur, but a low controllability would have a significant negative effect on a company. Analysis will now look at each risk. A HIPPA violation has medium likelihood of occurrence, a high severity of impact, and a high level of controllability. As the register states severe fines are imposed by the federal government on companies in regards to HIPPA violations. HIPPA stands for The Health Insurance Portability and Accountability Act of 1996. The violation of HIPPA in this risk involves an individual’s protected health information (PHI).
Privacy is important especially in regardless to health information, so to reinforce this point the government has formulated guidelines that companies and government agencies must comply with or face fines upwards of $1,500,000 for repeat offenders. The likelihood of occurrence is at a medium level because human error can occur at data entry. The severity of impact is high because of the fines imposed and the negative impact violations could have on the company in regards to lost sales and negative public perception. Controllability is high with proper training and monitoring. The risk of a hurricane has a high likelihood of occurrence in the hurricane regions where the company has locations. Severity of impact can be high depending on the strength of the hurricane. Controllability is minimal because natural disasters, such as hurricanes, are not in man’s control.
The risk of supplies not being delivered to the South American facility has a low likelihood at this time because of stability within Columbia’s government despite some social unrest. Severity of impact is medium because Columbia’s government has issued documented reassurance that supply lines will not be broken, Controllability is low because controlling the risk lies in the hands of Columbia’s government. The risk of loss confidential company information through a disgruntled employee has a low likelihood of occurrence because the company’s employee agreement clearly states the consequences of such an event including termination and prosecution. The severity of impact can be particularly high in that it could lead to the company losing its competitive advantage in product design and supplier raw material pricing. Auditing and IT security constantly monitoring employee activities has made this risk moderately controllable.
The risk of a machine or machines break downs have a medium likelihood of occurrence due to fact that first the machinery is constantly being serviced and inspected. It is not low due to the age of some of the machinery. There is a medium potential of impact due to the fact that any production stoppage has a negative impact, despite the fact the company has the ability to ramp up production at other locations. Controllability is high is that the company can replace old and antiquated machinery. The risk of PHI being compromised by hackers has a medium likelihood due to aforementioned reasons stated of constant monitoring by IT department and the firewalls in place to prevent by IT to prevent this from occurring. The severity of impact is the same as the aforementioned HIPPA risk.
Controllability is medium because despite all precautions in place, external hackers are unpredictable. The risk of loss of communications due to a server crash has a medium likelihood of occurrence. The company has stop gap measures in place such as back up servers at all facilities and an integrated backup system in place to store and retrieve vital information. The severity of such an occurrence would be substantial. Inability to communicate could harm production, supplies, and filling orders.
The controllability is high because the company’s systems in place, such as cloud data storage and additional servers, has the company in a position to react quickly in the event of a crash The risk of a violation of Title VII of the Civil Rights act has a low likelihood of occurrence due to the fact that the company clearly states in its job descriptions all requirements of its individual job descriptions. An employee must be able to perform all functions of job description to eligible for the position. The severity of impact of the risk is high because it includes possible government fines, civil suits, and negative public perception. Controllability is high because the company has procedures in place to ensure its hiring process is fair and equitable to all potential candidates.
A4. Risk Response:
A notice of a HIPPA violation requires immediate notification to the Director of HIPPA. An investigation is conducted which examines the cause of the violation conducted by a local agent generally a manager or director above the direct manager or supervisor. Any parties that may be harmed by violation are notified in writing of potential disclosure of information. The Director should notify the Legal Department immediately and forward full facts of investigation. Any violations validated must follow federal guidelines in disclosing violation. Depending on the extent of violation and history of any prior violations, the employee can be subject counseling notices, reprimands, retraining, and termination. A hurricane requires an Emergency Response Team to do an immediate assessment of damage and ascertain whether the facility in question has proper supplies and has initiated the disaster plan. A Disaster Recovery site will be set up as quickly as possible and within 48 hours.
Food, water and backup generators will be airlifted to site and coordination with federal and local agencies will be initiated immediately. Loss of confidential company information calls for immediate response from management. Security and IT security should be immediately notified of events. All company property should be seized and employee’s credentialed removed in order to block any further access. The employee should be isolated from any confidential information. Employee should be interviewed extensively and if necessary, local law enforcement should be immediately notified. Employee should be placed on leave pending full investigation. If it is proven information has been leaked, employee should immediately be terminated. Analysis of leaked documents should be made and company should seek to regain any retrievable information. The breakdown down of a machine calls for immediate notification of supervisory management.
Then facilities are notified quickly so the department can analyze nature of mechanical failure. If repairs can be made quickly then facilities will initiate repair with an estimate of time required. If more time consuming or parts needs to ordered or machine replaced, supervisory management will notify upper management. A decision will be made on where increases can be made in other production facilities to offset the loss of the machine. In the event that hackers have compromised the company’s database IT security should be notified immediately. The severity of risk and potential of HIPPA violations all PHI must be secured immediately. IT security should secure in and around the infrastructure to ensure the information access has been blocked to the hackers. The monitoring systems already in place should focus on the area that has been compromised to pinpoint the source and hopefully ascertain the amount of information the hacker has accessed.
Law enforcement should be notified to investigate situation and help in identifying and apprehending the hacker. Loss of communication by a server crash would require an immediate call to IT help desk. IT would troubleshoot the problem to see if server could be bought back up. In the event server cannot be bought back up. Backup server should replace crashed device. Crashed server should be evaluated immediately by a technician if one is local. If not, server should be shipped quickly to IT support or manufacturer of server. In the event of system failures of servers, Communication should initiated using landlines and internet capabilities via computers and smart devices. Relayed information should be sent through email contact groups to all parties involved or broadcast messages through telephone call centers.
Data storage though cloud technology with continue backup functionality ensures all pertinent data will be protected and retrievable. In the event of an employee feeling he or she was denied a position based on a physical disability, the hiring manager or employee’s immediate manager should immediate contact the legal department. The legal department should document the potential case and contact current manager and recommend a meeting with employee, the immediate manager, the hiring manager, and the regional supervisor. The job description should be reviewed by all parties together and the hiring manager should review their interview notes and share the basis unto which the decision was made to select the candidate that was hired. If employee is still not satisfied with decision, legal should become involved and recommend a conference with employee and his or her legal counsel. B. Business contingency plan if faced with a major disruption:
A business contingency plan is a plan of action to respond appropriately and effectively to an unplanned event. A natural disaster, such as a hurricane, is most certainly an unplanned event. It can have immediate devastating effects. Loss of lives, homes, personal effects, and the feeling of hopelessness often are part of a hurricane striking. Long term effects, just as devastating, such as loss of infrastructure through the devastation they can cause can have far more lingering effects.
Local economies can be severely damaged by hurricanes as business are destroyed or rendered inoperable in their wake. National and local resources are severely tested as many different areas of concern have to addressed and properly managed. Most businesses are not prepared for such natural disasters Financial statements and balance sheets of most of these companies don’t appropriate funds for these occurrences. Even if properly insured, companies often find themselves at the mercy of the insurance companies, who also have to properly manage and appropriate their resources. Insurance companies’ prioritization of relief efforts and assistance often times don’t coincide with those of the individual companies.
B1. Analyze pre-incident strategic changes:
The company’s facilities in Taiwan are in a tropical region that is known hurricanes. The company’s facilities meet or exceed all building codes of the local government. Additionally, the company in an effort to further protect its resources should fortify all exterior walls of facilities with a steel bracing system around lower levels and connected to the foundation. Storm shutters should also be installed to prevent potential wind or window shattering damage. The company shall also perform biannual inspections of facilities to ensure all structures are secure. The company shall also solicit information on natural disaster protocols of the local government agency to comply with any requirements.
The company’s shall implement an emergency response team that will help coordinate the safety efforts of the employees. Several options for short term living arrangements and basic food, clothing, water and supplies should be sourced so the items can be quickly retrieved if necessary. Employee safety has to be the company’s top priority. The senior regional manager is to supervise all activities and have a direct link to corporate offices in New York.
A Regional Data Center Resource Plan is to be established to define the responsibilities, actions, and procedures necessary to recover all company data including all confidential company information and PHI. The plan will establish the coordinated steps in order to ensure all possible physical data is retrieved.
Historically, when hurricanes occurred the company has lost large amounts of important data, through destroyed computers, communication lines compromised and general mayhem in which critical data has sometimes been damaged or destroyed during evacuation or cleanup efforts. The changes that have been instituted to minimize these occurrences have been the move to cloud servers. The cloud servers constantly back up data and will not be affected by hurricanes. The IT Department and auditing should perform a review and audit to ensure all historical data has been converted to the cloud servers.
The company shall change its communication procedures pre-incident to improve the potential of positive outcomes. Multiple sources of communications should be established such as internet, intranet, smartphones, and all communication’s information of the local agencies to have the most up to date information available on status of the facility and the region.
The company shall require all employees, regardless of geographical location, read, and review and sign the company’s policy in regards to responses in emergency situations. These policies will include basic concepts of evacuation procedures, logging of electronic systems, and being accounted for in case of an emergency or natural disaster. The company shall institute a policy which calls for initial training and annual training and signatures to be kept on all employee files.
The company shall have location specific training in case of a natural disaster or an emergency. This training shall include responsibilities of employees’ roles in regards to protecting data, evacuation routes, and practice drills conducted anywhere from annually in areas of low incidences of natural disasters to semi-monthly in areas with high incidences.
B2. Analyze the ethical use and protection of sensitive data:
The sensitive data for the company refers to information such as our operating policies, personnel records, vendor information, trademarks, patents, contract, etc. The company’s employee agreement clearly states the employees’ responsibilities in regards to use of sensitive data. Any misuse of sensitive data will result in termination. It is the responsibility of every employee to report any misuse of sensitive data to his or her manager or by calling the company’s corporate hotline. Monitoring of activities on our computer systems by IT security help ensure that sensitive data is not being inappropriate used or accessed. The ethical use of this data limits its use to the functions required in business operations. Employees of the company should access only data that is required in their job scope and responsibilities.
Protection of sensitive data requires that information is not shared outside of the company without approval of management. No information should be copied or used outside of company operations without consent from the company. Using our cloud technology, the company has the capability to constantly back up and store all data. Additionally, the company has used the same technology to archive and store all historical data which is significant and vital to the company. Functionality of the system that is in place, with upgraded, integrated software, allows two keystrokes from a terminal to immediately backup all data and signal that an adverse event has just occurred. In less than 2 seconds, the company is made aware centrally that an adverse event has occurred.
Electronic data is further protected by encryption and coding which is monitored by the IT Security Department.
In the event of a hurricane, data recovery capabilities have improved dramatically over the last decades. Gone now are the backup tapes that were once the standard and were subject to damage or destruction in the event of a natural disaster. In their place now with cloud technology is a continual data storage backup system that can be retrieved remotely. Any paper documents, which by company standards are scanned and stored electronically, that have not properly stored because of the disaster will be recovered as quickly as possible. Safety of employees is more important than retrieving any sensitive data. The company will not put its employees at risk.
B. Analyze the ethical use and protection of customer records:
As important as the ethical use and protection of sensitive data is the same ethical use and protection of customer records is imperative. The company not only has customer records which include data from offices from physicians, hospitals, nursing homes, etc., but also PHI of patients that includes disease states, diagnosis and treatments. Additional customer data includes social security information, insurance information, mailing addresses, etc.
The ethical use and protection of customer records means that all information is used within the scope of business operations. No customer records will be shared with outside vendors, representatives of other companies seeking to solicit business, or the use of customer information for individual gain by an employee. Any misuse of customer records is punishable by law to the company and individual employee. The ethical standard of the company restricts the use of customer records for only their intended purposes.
The company protects customer records by locking all paper documents with access by only authorized personnel of the company. Electronic customer information is limited to being accessible to the company’s employees only to the extent that the employees’ can fulfill their job responsibilities. In the event of a hurricane, as previously mentioned, customer records are stored utilizing cloud technology. Any paper records will be retrieved as quickly as possible without putting the company’s employees at risk.
B4. Communication plan to be used during and following disruption:
Communication is vital in the event of a natural disaster. The BCP calls for protocol in communications in order to use every possible means to ensure effective means of communication. In the communication plan a chain of command is established. The local senior manager shall take the lead in the local chain of command. Senior local management is ultimately responsible for accounting for each employee and their status in the event of a hurricane. The emergency response team shall triage all communication to the CEO of the company and all upper management including the board of directors. Means of communication implemented in the event of a hurricane is dependent on the damage sustained by the company. Communication options should include:
Satellite communication using a shared provider
Local government agencies in hurricane area
Our Federal government as a resource
Communication will be set up via call centers to relay updated information to all stakeholders in the company. The communications sent via the call centers will not be generalized but specific to the call recipients’ risk or stake in the natural disaster. Examples include but are not limited to: Family members of employees should be notified immediately of the disaster and given status of their loved ones so as to not limit their information to media. Employees should be informed via broadcast messages of current status of the local facility and the relief effort. Community leaders and local government agencies in the area where stakeholders are concentrated should be kept abreast of the status of affected facility Vendors and suppliers should be notified to halt any orders into affected area.
Customers should be notified of possible delays in fulfillment of orders Financial transactions to the affected facility and banking institutions in the affected area. Redundancy is not necessarily a bad thing. It is important that all stakeholders are notified and kept up to date of status. Failure to communicate is a much greater much greater risk to the company. As recovery efforts are instituted, communication methods should be altered to improve efficiency and performance.
B5. Restoring operations:
Once the hurricane has passed or dissipated, restoring operations is essential. The company’s leadership in conjunction with the emergency response team must effectively facilitate the restoration of the facility following the hurricane. First all employees must be accounted for and given any assistance they made whether physical or mental health or support for the employee or family through the employee assistance program (EAP). Next, damage assessment must be made by the company’s recovery team. The company’s insurance may want to do their own assessment as well. This assessment requires coordination with local authorities to ascertain the condition of infrastructure in the regional affected by the hurricane. Depending on the severity of the storm roads and utilities may have sustained consider damage.
Next the facility must be fully inspected. Close inspection should be made to any substantial structure damage which may render the facility inoperable. If this is the case, the company should look at other options for temporary facility operations until construction of a new facility is completed. Next the company must seek to restore the data system. This is essential to help reestablish communications with corporate, suppliers, and vendors. The IT Department along with construction engineers must evaluate the damage to the electrical and data system. The IT Department should also inventory all computers, servers, and phones to evaluate and then facilitate the restoration of power. One power has been restored, the company should use its remote data systems to bring servers and computers back on line.
The systems that become operational should be able to function at an acceptable level in order to begin operations. Once facilities and systems are operational, managers should evaluate the individual employees to determine if they are fit, physically and emotionally to return to work. The primary goal at this point is to become operational versus operational at an optimal level. Full capability, especially if original structure has been deemed beyond repair could take a considerable amount of time. The integrity of the company’s assets, including sensitive data and private customer information, must be secured. Vendors, suppliers, and customers should be kept informed of the progress of recovery, so they may have a timeline to resume regular business with the affected facility.
C. Implementing, Monitoring, and Adjusting the BCP:
1. Implementation Plan
There will several stages to implementation the BCP, they are as follows: a. An executive committee consisting of the CEO, the COO, and Chairman of the Board of Directors will convene to outline a plan of action to include timelines, goals, and objective. The committee will assign a task force to head each team of the BCP. The teams consist of logistics, communications, IT (with a sub-team in charge of data recovery, preservation, and re-installment), human resources, security, engineering, and finances. b. The team leaders will receive formal ownership of responsibilities and given the necessary tools and resources in order to carry out their duties and responsibilities.
c. An executive order will be carried out via communications announcing the BCP with the declaration of more information to follow, additional training mandated, and scheduled training as part of employees’ continue education. d. The team leaders will do assessments to report to the executive committee outlining various levels of resources and support necessary depending on damage caused by the natural disaster. Assessments should include risks, hazard and vulnerability mitigation, recovery strategies, employee training and support, data recovery and security protection, and HIPPA security requirements.
e. The executive team will review assessments, recommend adjustments, and finalize the BCP. f. The final BCP will be sent to all employees so that there is a clear understanding of procedures in case of a hurricane or any natural disaster. g. Training will begin immediately regarding procedures and roles and responsibilities of employees in the BCP. Training will be performed at corporate offices, regionally through the company’s intranet system, and locally through training sessions, and drills.
The monitoring of the BCP will include the following:
a. Review of training documentation on all employee files by human resources. These reviews will be conducted on a quarterly basis. All current employees will require recertification of training on an annual basis. All new employees will have to complete all training prior to starting work. b. Regular drills such as evacuation routes and procedures will be conducted semi-annually to ensure employees know appropriate routes to take and actions in the event of a natural disaster. c. IT and communications will perform routine system checks to ensure that all systems are operating properly in the event of an emergency. d. Monitoring shall include pertinent information such as time necessary for evacuation, data storage, recovery and storage, and communication channel verification. e. Employees should be encouraged to update their files if there are any changes in address, contact persons, and health requirements. f. Local officials should be contacted on a semi-annual basis to ascertain if there are any changes to emergency procedures, such as new roads or hospitals.
Any adjustments to the BCP such as changes in hospitals in affected area or in IT capabilities, such as enhancements, should be communicated through the intranet of the company via email. Bulletins should also be posted in employee lunch areas of by time clocks. Any changes that have immediate impact should also require broadcast messages sent via phone, internet, and intranet. Any changes that affect the BCP should be documented and made in the plan with the prior procedure kept separately in documents for historical and legal reasons.
Any changes in the BCP that involve direct employee impact will initiate adjustments in the training protocol which should be initiated as quickly as possible. All existing must read, documented, and signed by all employees. The BCP should be reviewed and analyzed by the executive team on a semi-annual basis to ensure that all procedures are understood and concise. A natural disaster is unplanned, unpredictable, and hard to quantify before the said event. However, with careful planning the reaction to such a disastrous event can be well organized and orchestrated.
Hacker definition. (n.d.). In Meriam dictionary. Retrieved from http://www.merriam-webster.com/dictionary/hacker Mejia, P. (2011, May 11). Columbia: The only risk for investors is social unrest. Columbia Reports. Retrieved from http://colombiareports.co/colombia-the-only-risk-for-investors-is-social-unrest/ Risk Register-Introduction. (n.d.). Retrieved from http://www.tpsgc-pwgsc.gc.ca/biens-property/sngp-npms/ti-it/rgtenjx-rsklg-eng.html: risk definition. (n.d.). In . Retrieved from http://www.businessdictionary.com/definition/risk.html