DRJ's Spring 2019

Conference & Exhibit

Attend The #1 BC/DR Event!

Winter Journal

Volume 31, Issue 4

Full Contents Now Available!

With the business press and financial markets reflecting deep concern this spring over the long-term effects of the Tohoku earthquake in Japan, companies around the world are asking: What are some of the best practices we can deploy now to cope with future catastrophic events?

Companies with operations, customers and suppliers in Japan are working to address the immediate challenges faced by their employees, colleagues and vendors; many others are participating in grassroots relief efforts. In addition to these fundamental initiatives, companies around the world can best address their employees, customers and stakeholders’ concerns by focusing on their own preparedness – including a detailed policy audit of their business interruption coverage, available extensions of coverage, exclusions and business interruption values.

Most business owners and senior risk executives have an understanding of their property and liability insurance needs and dollar limits and are comfortable purchasing coverage that protects their companies from a loss due to an insured peril. However, it has been my experience their comfort level drops dramatically when it comes to business interruption coverage and limits. The uncertainty surrounding business interruption coverage, extensions of coverage, and respective limits of coverage consistently results in many middle-market organizations finding themselves underinsured and short of cash when faced with a major loss.

Even the fortunate business owners who have not experienced a major loss may eventually discover they have been significantly overinsured for business interruption losses and paying unnecessarily higher premiums for their coverage. Of course, the more devastating situation is finding out after a shutdown of operations from a loss that company management has not mitigated the company’s risk of lost profits and now has insufficient coverage to protect profits and cash flow during a potentially long period of restoration.

Actionable Steps

A detailed policy audit responds directly to many of the concerns of the people at the heart of every business. Conducting a policy audit now enables companies to reassure employees, clients and other stakeholders that business interruption coverage will be available and sufficient to replace lost profits, reimburse extra expenses incurred and provide the cash flow required to fund the entity’s survival in the event of a disaster – thus making the difference between rebuilding and coming back to work versus shutting down. Specifically, the Tohoku earthquake highlights the importance of considering several factors during a policy audit even for companies with no current operations in Japan:
  • Developing scenarios that might have been overlooked or minimized during a theoretical “drill” over possible disaster outcomes by comparing those prior plans to the range of actual outcomes which have played out in real time for many companies.
  • Focusing on the importance of supply chain disruption and the benefits of naming specific attractions and dependent properties as part of contingent claims coverage.
  • Identifying additional types of extensions of coverage to consider with the company’s insurance broker, such as contingent business interruption, extended period of interruption, claim preparation fee coverage, service interruption/power outage (including off-premises service and overhead transmission lines), extra expense, expediting expense, finished goods inventory selling price, walked guest expense and loss of attraction (primarily for the hospitality industry), ingress/egress, sue and labor, and civil authority. See below for more details on some specific extensions of coverage.
  • Moving quickly to modify business interruption policies due to a need for increased or enhanced coverage and possible changes in the business before that coverage becomes more expensive or difficult to obtain (including for reasons beyond the control of any one insured entity, such as a revision of computerized models used by carriers to predict the impact of disasters).

Below I have outlined a few additional keys steps for business owners, financial executives, or risk managers to take in order to avoid that day of reckoning when their companies cannot afford the economic consequences of an underinsured loss:

1. Understand what kind of catastrophic events could cause a major loss

It must be recognized that a shutdown of operations can be caused by many events other than a natural disaster. Additionally, even if companies do not suffer physical damage, they can experience a business loss. A few examples would be:

  • A company’s major component supplier has a fire and it is not able to procure the component from an alternate source
  • A majority of a hotel’s bookings are derived from a nearby convention center that is shut down as a result of roof collapse from heavy snow
  • A manufacturer shuts down due to an explosion, causing its suppliers to lose half their sales until the customer repairs or replaces its facility
In all these examples, companies would not have a direct property loss from a catastrophic event, but they would certainly experience a business income loss because of their supplier, feeder property or customer’s loss.

2. Set a meeting with an insurance broker to review the company’s policy

Focus on the company’s reported or insured values for its business interruption coverage, as well as the numerous extensions of coverage that are available based on the organization’s specific operations and needs. Calculating the appropriate business interruption values, whether through reevaluation or assessment for the first time, is fundamental to selecting the proper coverage and respective limits and will enable executives to better manage and minimize financial risk.

3. Prepare a Maximum Loss Scenario (MLS) analysis

An MLS analysis is the process of simulating an occurrence in which an organization experiences a catastrophic loss event. The financial impact of this simulated loss event is quantified and addressed in a report to underwriters that provides a more comprehensive analysis and understanding of the risk that they are evaluating and underwriting. Senior management benefits from the MLS analysis because it may identify critical path weaknesses and interdependencies in an organization which may then be used to update their strategic and disaster recovery plans. The MLS analysis should also include an assessment of potential extra expenses that could be incurred as a result of the simulated risk, in addition to the business interruption losses.

4. Navigate the numerous extensions of coverage that are available to mitigate risk

While this step is a daunting part of the process, it’s important that business owners and senior management understand these additional extensions, especially as many of the time-element coverages may be critical to safeguarding potential lost profits from a catastrophic event, and therefore must be individually analyzed and addressed with a broker. Below are details about some additional coverages to consider:
  • Contingent business interruption
    This provides additional coverage as a result of a covered loss to suppliers and receivers of goods and services. Without this coverage extension, companies that have critical suppliers, customers, or feeder-type properties may find themselves at the mercy of a supplier’s or customer’s rebuilding schedule. In the worst-case scenario, companies may have to shut down due to a supplier’s or customer’s physical loss.
  • Ordinary payroll coverage
    Managerial and salaried employees are normally covered as a continued expense. However, any hourly non-managerial employees may not be covered. If a company has hourly skilled labor or is located in a tight labor market and cannot afford to lose trained workers from lack of payment during a business interruption, it can purchase an extension of coverage that will allow it to pay these workers for a specified period of time while the company is shut down. Generally, the coverage is purchased for a specific number of days (e.g., 30, 60, 90, and up to 365 days). To determine how many days of coverage a company may need to purchase, management must determine the skill level of its workforce and evaluate the risk that they will not return to work after a closure.
  • Extended period of indemnity
    Business interruption coverage indemnifies a company through the period of interruption, which is also referred to as the period of indemnity or restoration. This period is often defined as the time it takes to rebuild or restore the damaged property to its pre-loss condition using due diligence and dispatch. An extension of coverage allows for continued indemnification from a company’s insurance coverage for the time necessary to ramp up its business to pre-loss levels following the physical restoration. This is an important coverage for businesses in a highly competitive environment, such as the hospitality industry.
Strategic Takeaways

Business owners, financial executives, and risk managers should meet with their brokers to closely examine their business interruption values, limits and available extensions of coverage in their current policies. The critical takeaway is that properly calibrated business interruption coverage can be one of the most valuable assets for providing the critical working capital needed to survive a catastrophic event.

As I have seen firsthand during the aftermaths of the recent earthquakes in Chile as well as after Hurricane Katrina, other natural disasters and industrial incidents, people want to get back to work. When insurance coverage is not adequate for the scale of a disaster or has not been purchased for specific types of business interruption, entities do not recover as quickly or at all. At a time when the human suffering and financial losses in Japan are in our minds, employees and management at insured entities throughout the world welcome the opportunity to feel as though they are doing something concrete now that may help preserve jobs and enable their companies to get back to work more quickly in the event of a disaster.

Bob Glasser is a managing director at BDO Consulting, a division of BDO USA, LLP, in the New York office focusing on business interruption and insurance claims services. Glasser is a certified public accountant, a certified fraud examiner, certified in financial forensics, and a certified insolvency and reorganization accountant, with more than 30 years of diverse financial management and accounting experience at public and private companies.

Certification Links

  • BCI: http://www.thebcicertificate.org/
  • BRCCI: www.brcci.org
  • DRII: http://www.drii.org
  • ICOR: http://www.theicor.org/
  • Sentryx: http://www.sentryx.com/

Business Continuity Management has made considerable progress in recent years and is now a recognized profession in most private and public sector organizations, often including the Board Room and the Executive Suite. With this recognition has come an influx of those seeking to build their careers in Business Continuity Management. These new arrivals come from a variety of disciplines, including Information Technology, Audit, Human Resources, Emergency Management, and Information Security, to name a few of the background disciplines commonly found in BC Practitioners. And some come almost directly from college with discipline-specific courses under their belts, but little hands-on experience. Professional certification is the established mechanism, in BC as well as in many other professions, to distinguish experienced practitioners from new entrants to the field. As with any “proof of professional status,” certification within the business continuity profession exists to provide an indication of baseline education in a knowledge base of accepted best practices in our industry. The more advanced levels of certification attest to greater levels of experience in the field, and the highest certifications (such as FBCI, Fellow of the Business Continuity Institute) may indicate peer acceptance of thought leadership and contribution to the advancement of the profession.

And so you may ask yourself: “Why should I be certified in BC? What’s in it for me?” We are now at a level of development in the BCM profession where baseline certification is usually a requirement for even entry-level positions. For positions with wide scope and management responsibility, more advanced certifications are often requested, And so the answer to the career development question is short: certification provides increased professional opportunities. For a BC professional, certification is public recognition of professional qualifications. Whether you are the BC Manager for your company, or a member of a large BC consulting organization, or an independent consultant, certification can hold a variety of wide-ranging benefits for your professional development, including access to positions with greater responsibility and a higher compensation.

The certification requirement for ongoing education is also an incentive to increase the level of your professional knowledge on a continuing basis: This is a requirement in many professions, but is especially important in Business Continuity Management, where the profession is changing rapidly as it goes through accelerated growth stages. Most serious professions that are governed by certification or licensing allow professionals to attain higher certification levels as they build the depth and breadth of their experience within their chosen field: BCM is now one of those professions.

Additionally, some certification organizations offer significant membership benefits, including journals and a full array of internet communications and news services. More recently, social networks are offering members the opportunity to network with their peers in discussion groups sponsored by certification organizations as well as other important entities in the field.. In addition, some certification organizations offer special training classes before or after industry conferences.

When an organization wishes to build or improve its BC program, it must ensure that its business continuity efforts are well designed and effectively managed. An organization with certified BC professionals on its staff can be confident that the business continuity program is properly focused and will provide the organization with what it needs. When an incident occurs, those certified BC professionals will coordinate response activities using the comprehensive plans that have been developed. When a BC program has been built with the guidance of certified BC professionals, an organization can be confident in its ability to successfully manage a significant disruption incident.

Kathleen Lucey, FBCI, is the president of Montague Risk Management. She is the vice chair, BCI Global Membership Council, elected to the BCI International Board of Directors, and founding president of BCI-USA Chapter. She was selected as IBM BC Practitioner of the Year in 1998

John Copenhaver, MBCI, is chief executive officer of the Contingency Management Group and a senior advisor at BCI. Copenhaver is has served in a number of senior executive roles, including as a presidential appointee to FEMA and as president and CEO of the DRI International.

Over the years you have read in this column examples of how public/private partnerships can enhance an organization’s response and recovery from a disaster. PPBI has been showing the value of public/private partnerships and how an organization can take the public/private partnership concept to enhance their own organization’s response and recovery through our workshops and courses. But on a larger scale it has always been difficult to get over that first hurdle, bringing the right people and organizations together and keeping that momentum going. The CDC Foundation (an independent, nonprofit organization that helps connect the Centers for Disease Control and Prevention with private-sector organizations and individuals) has developed the “Meta-Leadership Summit for Preparedness” to address just these issues.

I just recently had had the honor to be on the host committee for the Los Angeles Meta-Leadership Summit for Preparedness. As a member of the Host Committee (made up of local leaders) we worked under the guidance of the CDC Foundation to host a Meta-Leadership Summit for Preparedness for our region. The CDC Foundation puts on the Summit while the host committee ensures that the right leaders across business, government, and nonprofit sectors are in attendance and that the event addresses preparedness issues that are unique to the location, giving the event a local flavor.

Being active in public/private partnerships for many years I knew most of the players in the area (so I thought). When I come to the networking reception the night before the all day summit I saw many a familiar face but I also saw many new faces. By the end of the next day of the summit, I made many new connections and learned the concept of a meta-leader - a leader of leaders, who mobilizes people and organizations to collaborate in times of crisis. The Los Angeles Meta-Leadership Summit for Preparedness drew 162 participants all with the same goal in common to be better prepared to respond to a crisis.

Through the summit, leaders learn skills needed for effective action during times of crisis and build organizational connections to strengthen community preparedness for responding to and recovering from emergencies. One of the goals of the Meta-Leadership Summit for Preparedness is to develop gaps (the deficiencies), gives (contributions), and gets (needs). These provide the groundwork to build upon.

The CDC Foundation’s Meta-Leadership Summit for Preparedness does not just stop there. They continue to work with the host committee to develop a post-summit activity so as to reconvene leaders to continue building cross-sector connectivity and applying meta-leadership concepts to preparedness planning. This post-summit activity is unique to each community. Activities are based on preparedness gaps identified at the summit and through the evaluations from the participants.

The CDC Foundation’s Meta-Leadership Summit for Preparedness has helped overcome that first hurdle - bringing the right people and organizations together and keeping that momentum going. With more than 30 summits conducted across the United States they have help laid the foundation of many public/private partnerships. This last Spring at DRJ’s Spring World 2011, PPBI awarded the CDC Foundation the PPBI Best Practices award. For more information on the CDC Foundation’s Meta-Leadership Summit for Preparedness you can visit their website at: http://www.meta-leadershipsummit.org/meta/

Lee Goldstein, CBCP, MBCI, is the president of the Business Contingency Group specializing in disaster/business recovery and emergency management planning, crisis information management software for EOCs, and humanitarian assistance programs. He serves on the board of directors for both PPBI and BICEPP. He can be reached at (818)784-3736 or via e-mail at This email address is being protected from spambots. You need JavaScript enabled to view it..
Before I left for work, I popped off an e-mail to a BCP manager in Basel to catch up on personal and professional stuff. It had been over a year since we touched base, but it was as if we never stopped communicating and we picked up right where we left off. We shared information; she was up to her eyeballs in exercises and I was up to my eyeballs in a program design. I then opened an e-mail from someone fairly new to business continuity planning located in Riyadh. I reached out to someone in Ontario to help answer a complicated question posed from Riyadh and to also ask for a template for myself. Within a few minutes I had popped off a few quick messages either sharing information I had or requesting someone to share information with me.

It was Friday the 13th, the traditional day of bad luck, and I reflected on the irony of my good luck that day. As I drove to work, I realized it’s not just one day, but every day I am fortunate to have a great communications network of resourceful, brilliant, and helpful professionals at the tips of my fingers. There is not a day that goes by that I don’t learn something from those willing to share information.

If you could use a few more “go to people” and further build a solid network of professionals to share resources, here are a few ideas to consider. Industry conferences and local BCP organizations are good places to start. There are BCP websites that offer networking opportunities and free webinars too.

There are a myriad of blogs, information sharing spots, and places to post questions to your fellow colleagues in this industry. Consider joining some of the online organizations as a starting point. You may find yourself laughing a bit in the process of learning something new or sharing your own thoughts and ideas. Did anyone see the online posting where a fellow colleague asked everyone to provide great disaster song titles for a year end party for his company? Who says BCP professionals don’t have a sense of humor?

What did you do with the contact list of attendees you received from the last DRJ conference? How about that business card someone gave you a few months back? Was there someone who you meant to send a quick message to and it just sort of slipped through the cracks because of the pile of work on your desk? When was the last time you went through your online address book and sent a message to a former colleague you lost touch with just to say hi? Did someone request a piece of advice and you just haven’t had time to respond? Did you hear through the BCP grapevine that someone needs a helping hand? Do you know someone who might be perfect for an open position and haven’t found the minute it would take to let that person know about the opportunity?

It doesn’t matter what you answered to any of these questions because the past is the past. However, your future network is waiting for you. I encourage you to contact that person who you meant to contact today.

While trying to decide what to write, I reached out to a former colleague who is fairly new to this industry. He told me that he agrees with the whole networking idea, but is hesitant to hit the send button to a more experienced person because of his lack of years and experience in this field. So I asked the obvious question. I asked him what advice would he wouldgive those who are new to the industry. What would he tell those professionals who were in the same boat he found himself in if he had a chance? He said you just must be bold about it.

Martin Luther King said, “You don’t have to see the whole staircase, just take the first step.”

So if you are new to this industry, please do not let your lack of experience keep you from building your network now. Be bold and send that e-mail, make that call, send the message on your communications device of choice and ask your question and share your thoughts. Forge your BCP contacts and build your network of resources no matter your age, your generation, your experience level, your business culture or your geographical location. You may be surprised to find that one kind message may end up opening a door to a gateway of endless networking possibilities.

It takes some time and effort to expand your BCP network, but the investment is worth it. Consider carving out 10-15 minutes a day to network with other professionals. Perhaps this is something to look forward to every morning. What do you have to lose by sending a few communications to build your network while stirring your coffee and shaking out those cobwebs?

You also might want to try to carve out another 10-15 minutes to reach out to your internal network. Sharing information with your team(s), internal clients, and your management may help strengthen your business relationships and offer up a few surprises. For example, you may learn about a strategic initiative in your organization that is pertinent to what you are doing had you not sent the communication.

Business continuity, a rather niche field of work, provides us with an amazing network of business professionals. There are many who are more often than not, willing to help. If one person sitting in Northern Virginia can use the Internet to connect a few others on three different continents in just 10 minutes, can you imagine the impact if several hundred or thousands did this regularly? Networking, sharing information, communicating, reaching out to others in this field may be helping you, but it is also giving back to this industry immeasurably. That said, no one will benefit more from your networking efforts than you.

Jean Rowe has been in business continuity as both a practitioner and a consultant for more than 15 years. She is currently the business resilience manager for Verisign.
Auditors of information systems, information security systems, and it governance or business continuity professionals may be interested in adding to their professional qualifications by becoming an auditor of business continuity management systems. Never heard of this designation? That’s because it is a new requirement that is an outcome of US legislation enacted as way to increase the preparedness of the private sector. It is called PS Prep Certification.

What is Private Sector Preparedness (PS Prep)?

In 2001, the USA Patriot Act identified the importance of protecting critical infrastructure in the United States. It also focused on the importance of protecting key resources essential to the minimal operations of the economy or government that are publically or privately controlled.

The National Infrastructure Protection Plan (NIPP) was developed as an output of the act to be a unifying structure for the government and the private sector and to improve the protection and resiliency of critical infrastructure and key resources.

On August 2, 2007, Public Law 110-53 was enacted and documented in a report titled, “Implementing Recommendations of the 9/11 Commission 2007 Act – Comprehensive Summary of Public Law 110-53.” For a full copy of this report visit http://intelligence.senate.gov/laws/pl11053.pdf.

Title IX of this law focuses on Private Sector Preparedness (PS Prep) and identifies a program for encouraging the private sector to voluntarily participate in being certified under PS Prep to demonstrate that they are prepared to manage risks and have increased the resiliency of the organization.

With more than 80 percent of the US critical infrastructure owned and controlled by the private sector, this law is vital to ensuring the private sector is prepared to provide its goods and services under all conditions.

Under Title IX, the administrator and the assistant secretary for infrastructure protection was assigned to develop recommendations to assist or foster action by the private sector to increase their resilience.

Section 524 assigned the development of the Voluntary Private Section Preparedness Accreditation and Certification Program (PS Prep) to the American National Accreditation Board (ANAB).

PS-Prep is a partnership between DHS, FEMA, and the private sector that enables private entities to receive emergency preparedness certification from a DHS accreditation system created in coordination with the private sector.


What are the PS Prep Standards?

In June 2010, three standards were identified and accepted for compliance:

1. ASIS SPC. 1-2009-Organizational Resilience: Security Preparedness, and Continuity Management Systems- Requirements with Guidance for Use. (Download for Free at http://webstore.ansi.org/RecordDetail.aspx?sku=ASIS+SPC.1-2009.)

2. British Standard 25999-2:2007- Business Continuity Management. (Download at cost at http://www.bsiamerica.com/en-us/Assessment-and-Certificationservices/Management-systems/Standards-and-schemes/BS-25999?gclid=CMfGrLHXw6ICFQE_bAodIFCInw.)

3. National Fire Protection Association1600 - 2010 -Standard on Disaster/Emergency Management and Business Continuity Programs. (Download for Free http://www.nfpa.org/assets/files/PDF/NFPA16002010.pdf)

“Private organizations across the country-from businesses to universities to non-profit organizations- have a vital role to play in bolstering our disaster preparedness and response capabilities,” said Secretary Janet Napolitano. “These new standards will provide our private sector partners with the tools they need to enhance the readiness and resiliency of our nation.”

PS-Prep will raise the level of private sector preparedness through a number of means, including:

1. Establishing a system for DHS to adopt private sector preparedness standards;

2. Encouraging creation of those standards;

3. Developing a method for a private sector entity to obtain a certification of conformity with a particular DHS-adopted private sector standard, and encouraging such certification; and

4. Making preparedness standards adopted by DHS more widely available.

Why Should my Business Become Certified?

Certification helps you to demonstrate to your stakeholders that your business is run effectively and that it will continue to do so in the event of a disruption.

The process of achieving and maintaining the business continuity management (BCM) certification also helps ensure that you are continually improving and refining your BCM activities. The regular assessment process will also improve staff responsibility, commitment and motivation.

Certification improves overall performance, removes uncertainty and widens market opportunities. It will prove to your customers that you can be trusted to deliver. Certification to one or more of the three standards creates an opportunity to reduce the burdens of internal and external audits from your key customers.

Despite all these internal reasons, the reason for many companies will be that a major customer requires some evidence of competent BCM performance.

If this is your reason then don’t panic; BCM isn’t as complicated or as difficult as you might think. Also you don’t have to be an expert in any of the other management systems such as ISO 9001 (quality management systems) or ISO 14001 (environmental management systems) – the BCM system can be implemented alone.

However because it follows the simple “plan, do, check, act” cycle of other management systems if you are already a user of ISO 9001 and/or ISO 14001 then getting started with the BCM system will be very familiar to you.

How can my Organization Become Certified?

Title IX also identified the process for private sector organizations to become certified. Small businesses (at this time the criteria as to what is a small business under the law has yet to be determined) are allowed to use a first party self-declaration of conformity to one or more of the standards. What the requirements for first party self declaration of conformity will be is still to be determined.

All other organizations are required to use third-party certification by an ANAB accredited certifying body.

It is important that your organization hires an ANAB accredited certifying body to conduct the third-party audit for certification. The certifying bodies have had to complete rigorous training to ensure that they are competent to conduct the certifying audits.

For an up to date listing of those certifying bodies currently applying for accreditation by ANAB and for other information about PS Prep, visit http://www.anab.org/accreditation/preparedness.aspx

How Can I Help my Organization to Prepare for Third-Party Certification?

It is important that before your organization applies for third-party certification from an ANAB approved certifying body, that your organization is ready.

The first decision that needs to be made is which standard or standards should your organization be certified to? To answer this question you will want to review each of the 3 standards to determine which one is best aligned to the program you already have in place.

Professionals who wish to prepare organizations for PS Prep Certification should consider completing a training course. There are several options in the marketplace:

1. ASIS International: Organizational Resilience: Implementing and Auditing and the ASIS American National Standard. This three-day course teaches the ASIS SPC.1 Standard. For more information, download the brochure. https://www.asisonline.org/images/store/programs/2011_Org_Resilience_Education_Flyer.pdf

2. Business Continuity Institute: BS 25999 Lead Auditor. This five-day course teaches the BS 25999 standard. For more information, download the brochure. http://www.bsigroup.ca/en-ca/training/course-areas/BCM/BS25999-LA/

3. DRI International: BCLE-AUD – Certified Business Continuity Auditor. This five-day course explores different standards, laws and regulations. For more information, download the brochure. https://www.drii.org/education/course_desc.php?courseeventid=405&courseid=55

4. The International Consortium for Organizational Resilience: ICOR offers two courses:

a. BCM 5000: Auditing BCM Programs for PS Prep Certification. This five-day prepares auditors to be able to audit a BCMS against all 3 PS Prep standards. http://www.theicor.org/art/pdfs/courses/bcm5000.pdf

b. BCM 4050: Business Continuity Maturity Model Assessor’s Training. This two-day course prepares BC professionals to use the BCMM® as an internal audit tool for PS Prep certification preparation. http://www.theicor.org/art/pdfs/courses/bcm4050.pdf

What Should you do Now?

Now is a good time to learn more about the three standards and to talk to senior management and your auditing leadership about PS Prep and how your organization might benefit from PS Prep certification.

It is expected that by Sept. 2011, third-party auditors will be ready to begin conducting audits of the private sector. Will your company be one of the first certified?

Lynnda M. Nelson, president of The International Consortium for Organizational Resilience (IOCR), manages the day-to-day operations of ICOR’s education program. Nelson is also a professor for Norwich University’s Masters of Business Continuity Degree Program (MSBC).