Michele L. Guido, CBCP, MBCI, is the business assurance principal for Southern Company. She is responsible for advising the business assurance program, which addresses resiliency across all facets of the company. She has worked at Southern Company since 2004.
Aris: Southern Company is a leading producer of electricity in the U.S., with more than 4.4 million customers and more than 43,000 megawatts of generating capacity. It also has several major subsidiaries in nuclear power, telecom, and wireless, with total assets of nearly $60 billion, and 26,000 employees. With this in mind, who do you consider your key stakeholders and what are the business continuity needs of each group?
Guido: Customers are at the center of everything we do. They are the first filter for developing our strategy and tactics and in measuring our business results. We define ourselves through reliability, price, and customer satisfaction. Business continuity has a key role in the “reliability” component of this culture.
We must provide high reliability, and we do. Our statistics for transmission, distribution, and generation are among the best in the industry. We’ve been able to maintain that level of service even when we’ve been hit with catastrophic system failures around us – the blackouts in the Midwest and the Northeast – as well as natural disasters within our own territory like Hurricane Katrina. Our delivery of clean, safe, reliable, and affordable electricity to customers leads to constructive regulation which in turn results in healthy capital spending. It’s what we refer to as our “Circle of Life.”
At a high level, Southern Company has adopted the concept of all-hazard planning for both electric and corporate operations. This approach to planning ensures understanding of critical process, associated business infrastructure (technology, personnel, data, facilities, etc.) and interdependencies, both internal and external. Needs may be unique for a group, but the approach provides viability, sustainability, and consistency.
As an example, Southern Company’s operating subsidiaries maintain detailed and dynamic disaster recovery plans for storms along the Gulf Coast. These plans are graduated based on the expected damage from the five categories of hurricanes, with specific responses and actions identified for each. Our plans provide for flexible and decentralized authority to make decisions as close as possible to the disaster.
Aris: Southern Company has a reputation as one of the most reliable and stable power providers in the U.S. It also provides power to residents in an area covering 120,000 square miles across four states. So there are both corporate and professional reasons as well as very practical reasons to maintain a high level of service. Why is your business assurance program so important to your organization, and how is it influenced by the fact that you are a key part of the infrastructure of the U.S.?
Guido: “Keeping the Lights On” is at the CORE of our business. Being part of our nation’s critical infrastructure outlines the need for the prioritization of critical functions and services. Our restoration plans define the priority for repairing critical facilities and equipment based on the need to establish stability to the electric system and to restore service to critical customers like hospitals, emergency responders, and water systems. Public health and safety take priority. Our program is a business issue, managing risk across the enterprise along with stakeholder expectations.
Aris: In an organization as large and as diverse as yours, executive leadership obviously has a lot of concerns on a day-to-day basis, from operations to efficiency to revenues. How do you achieve “buy-in” from executives in prioritizing the business assurance program, and how do you demonstrate its value back to the business, e.g. show gaps in RTO?
Guido: Business assurance is defined as “the confidence in our ability to maintain business-critical operations during an unexpected disruption.” Preparedness is institutionalized across Southern Company and its operating companies. We are evolving from project to program to culture. The business assurance program reports to an executive council that sets prioritization of work, ranging from policy to engagement. The council meets on a quarterly basis.
Aris: A number of standards and regulations are widely used in business continuity, such as PS Prep, BS25999 and NFPA 1600, and in addition, Southern Company has very strong governance and policies internally related to business continuity. What are the elements that help you manage a program like this across a large enterprise?
Guido: The business assurance program has three key elements: protect, prepare, and respond. The elements focus on minimizing or eliminating the impact of events that have the potential to disrupt critical business operations, functions, or services. We use business continuity management software as well to help us manage our business and IT challenges and adapt as changes occur. There are many owners and vehicles to support the program, from evacuation, safety, storm, business continuity, crisis communication, and compliance. Our business assurance department is the enabling arm of the program. However, ownership exists across the company from executives, business unit managers, information technology, enterprise risk, compliance, facilities, and security.
Aris: Business continuity and disaster recovery planning is always influenced by external changes —global economic change, environmental forces, and advances in technology — as well as internal shifts in performance measurements and goals. How do you ensure your business assurance plan is up-to-date, scalable, and flexible?
Guido: We learn from every event – our own and others. We practice and routinely revise the plan as we gain new experience, whether a natural, man-made, or technological event. BCM software also helps us make risk assessments and identify gaps. As a regulated industry for reliability of the bulk power system, we continuously work with our industry and government (federal, state, local) to improve our situation awareness and information sharing. Specifically, we work with the Department of Homeland Security and Sector Specific Agency, Department of Energy on public-private sector partnerships, the National Infrastructure Protection Plan (steady state), and the National Response Framework Plan (crisis state). Electric companies are part of the nation’s critical infrastructure key resource sectors (CIKRs); with all mentioned, and others, we strive to keep our plans reliable and resilient.
Kathleen Aris, CMP, is a senior manager of events marketing for SunGard Availability Services.