Business Continuity Disaster Recovery
Download
Report
Transcript Business Continuity Disaster Recovery
Business Continuity
Disaster Recovery
Are You Ready??
Definition of Crisis Management
Planning
“The advance planning and preparations
which are necessary to minimize loss and
ensure continuity of the critical business
functions of an organization in the event of a
disaster.
Preparing for Disaster: A Toolkit to
assist preparing to respond to a
crisis
Today's Objectives:
Identify and prioritize areas of risk for
your business
Select a compilation of forms to start
your own plan
Create an employee calling tree, key
contacts forms and critical patient list
Prepare a “test” for your plan
Business Impact Analysis
Financial risk (of loss) and what your
organization can withstand need to be
defined separately. Consider a formula
that extrapolates hours to days
How long is your average patient willing
to wait for your business to be restored?
BIA includes a thorough stress test of
back up, restoration and
interdependency (V/D) processes for
critical applications
BIA - more
You need to:
Identify points of failure in your network
Identify need for robust voice/data
restoration
Identify how “Reputational loss” will
affect your business
BIA – 10 top questions to ask
1. What are your most critical business
processes?
2. If those systems were no longer
available, how would you function?
3. How do you currently mitigate risk of
compromised IT systems?
4. What is your recovery initiation process
for compromised or destroyed systems?
5. How will employees respond to a
catastrophic event if your business is
evacuated?
Top 10 - continued
6. If you are no longer able to access your
office, how will you restore critical functions?
7. If you face a disaster scenario, what is
your communication process to employees,
authorities, etc.?
8. Do you have policies/procedures
established to keep your company in
business post-disaster?
9. Do you have measurable benchmarks for
effective response, recovery and restoration
programs?
Top 10 – not the least
10. Do you test (and how often) your
BCP? Do you know where to find
those results?
TEST!!
TEST!!
TEST!!
TEST!!
Business Impact Analysis
Key Points
Clearly define critical business and
restoration processes
Strategize BCP by reviewing current
operational service levels
Identify personnel responsible for
determining BCP launch
Confirm authorization and security
access for launch and restore
personnel
If a building is evacuated identify
alternate site needs or telecommuting
standards
Key Points BIA…..
Can you service your patients from an
alternative location or a similar (noncompetitive) business? Think out of
the box
Utilize industry standards to guide
decision to launch BCP or determine
functional status
DO NOT SKIP TESTING!!!
Study and repair routine test results
and deficiencies
Disasters should not be used to fix
known problems
Testing Validation
Define roles/ responsibilities by
abilities/skill
Designate subject matter experts for
efficient recovery
Plan testing is critical
Use DR plan for small outages
Be aware that some accrediting
bodies now require plan drills, i.e.,
Joint Commission
Testing identifies DR deficiencies
Your to-do list…
Assemble a small team of management from
your organization
Review each of the six short chapters in the
Toolkit and review the material within:
www.hmehurricane.com
Download and print the Toolkit and complete
the worksheets
Spend some time discussing your company’s
response to a prospective crisis
Risk Assessment
Consider what kind of likelihood a risk
poses to your business or area
Consider what severity level you feel
that risk would pose to your business
Based on your analysis, determine
which risks merit a significant part of
your focus/plan
Consider setting those priority items
as risks that you’ve determined to be
reasonably possible and which have a
medium or high severity to your
business
#1 - Insurance
Insurance
Meet with your insurance provider
annually to review current coverage
for such things as physical losses,
flood coverage and business
interruption.
Exception: If you are substantially
growing, review coverage for property
and liability more frequently.
Insurance
Consider how you will pay employees
and creditors in the event of a
business interruption
Business Income/Business
Interruption/Loss of Income riders
frequently are included in property
policies (e.g. $25,000)
Additional increments may be
purchased for relatively low amounts
(e.g., $50K for $100)
Insurance
Plan how you will provide for your
income if your business is interrupted
About 1/3 of current VGM Insurance
Inc. customers carry business
interruption/loss of income insurance
Actual Case: First Call Pharmacy
(New Orleans) relocated operations to
Houston. Moving, loss of income
coverage: $100,000.
Insurance
Find out what records your insurance
provider will want to see after an
emergency and store them in a safe
place
Keep a copy of your insurance
policy/policies offsite and include a
checklist for insurance coverage in
place and a form to record insurance
policy information
Understand what each policy covers
and what it does not
Insurance – Things to think
about
Standard Commercial Property
Insurance policies cover fire and theft
on premise. Various provisions
restrict coverage in insurance policies.
Read the entire policy carefully to
determine your rights, duties and what
is and is not covered.
Insurance – Things to think
about
HME providers’ equipment that is out
in patients homes is not usually
covered under a Standard
Commercial Property policy unless an
Equipment Off Premise endorsement
is purchased. Equipment off premise
provides limited protection for insured
property while temporarily at a location
not owned, leased or operated by the
insured.
Equipment Off Premise
“Inland Marine”
Depending on the area, some
insurance companies include the
endorsement within the property policy
Some companies will not write the
endorsement in flood plains
Check with your agent!
Perils normally excluded from
Standard Policies
Flood – 75% of disaster declarations
result from natural phenomena in
which flooding was a major
component. If you are unsure, you can
find out if you live/operate in a flood
prone area from your state emergency
management office or Red Cross
chapter
Perils normally excluded from
Standard Policies
Individuals and business owners can
protect themselves from flood losses
by purchasing flood insurance through
the National Flood Insurance Program
(there is normally a thirty day waiting
period before a new policy becomes
effective). Most commercial property
policies exclude flood.
Don’t “Under-insure”
Review your buildings and contents
coverage
Penalties were applied to many HME
providers affected by the disaster for
“under-insuring”. Generally, most
policies required the providers to
purchase property coverage at 80% of
“in-house” assets (inventory, furniture,
fixtures, office equipment, etc).
Other Perils
Earthquake – Coverage for
earthquake damage is excluded in
most property insurance policies. If
you are located in an earthquakeprone area, you’ll need a special
insurance policy or commercial
property earthquake endorsement
Wind/Hail – Coverage for wind and
hail is typically excluded in the coastal
regions. If coverage exists, usually a
deductable applies; this will be
explained in your policy wording.
Conclusion
Every policy has different variations of
coverage
Get educated regarding your
insurance policies. Don’t wait to find
out if you are adequately covered…it
may be too late!
John Spragle, President, VGM
Insurance:
“Read your Dec (declaration) Page! If
you don’t understand what’s covered
and what isn’t, call your agent!”
# 2 – Ongoing Operations
Triage of Critical Patients
Of course, one of the most important
functions of the HME recovery
process is providing ongoing care to
your critical patients
Identifying these patients by category
(e.g., patients on ventilators, mobility
challenged patients, oxygen patients)
should be done before an emergency
happens.
In a follow up with HME providers,
virtually 100% of them maintained
patient lists, which included
emergency contact, diagnosis,
physician/contact information, HME
equipment, settings and back-up
equipment information.
However, less than half were up to
date…many inaccuracies especially in
current addresses were noted.
As you identify patients by diagnosis
category, you need to assess what
resources you need to have to provide
ongoing support. Also, it is important
where these resources are. Perhaps
the most important is…
Your Gas Supplier:
Ensure that your oxygen supplier has
a generator!
Have emergency numbers to contact
them (cell phone, pager, answering
service, home numbers).
From a VGM member:
“This saved us because cell phones,
answering services and pagers were
done. I was able to reach the General
Manager at his home. He was able to
contact his employees to help us with
liquid base units. In our case, our gas
supplier did not have a generator and
could not transfill. He did give us all of
his liquid base units and “H” cylinders
(used as backups). An “H” cylinder full
lasts approximately 57 hours on 2
liters.”
Have a backup gas supplier
Ensure that the backup supplier has a
generator and will come to your aid in
a crisis situation.
From another member: “ I happened
to know a supplier in our area and he
was ready if we needed him. It is very
important to requote your business
when your contract is up. You truly do
make contacts and during a crisis this
will separate the best from the
average companies.”
Generator:
Ensure your generator can power your
facility.
“We had lights and phones within 1-2
minutes after the blackout. This saved
us because our answering service
could not handle our calls. We ended
up spending the night to ensure our
patients were taken care of.”
Generator
Even though your HME has a
generator, it may not power your
computer (e.g., surges, etc). Have a
current hard-copy list of oxygen
patients, and prioritize contacting
those patients without backup oxygen
cylinders.
Gasoline Supplier:
Ensure that your gas supplier can
manually pump gasoline.
Many diesel suppliers will be OK, but
most HME vans run on gas.
New Policies:
All trucks must fill up at then end of
the day (versus in the morning)
Locate a gas station that can manually
pump gas in an emergency
Contact the city that your company
resides in, trucking firms, oxygen
suppliers, apartment complexes and
see if they have a gas pump on the
site that you could utilize during an
emergency.
Miscellaneous:
Bottled water and snacks on site for your
staff
Flash lights
Extension cords
From another member – “Most importantly,
have someone in charge that can direct and
keep people calm. It was truly a challenge
when it was not long after 911 and without
notice our communication to the world
stopped. Someone needs to take control
and have a calming affect until you really
know what you are dealing with.”
Billing Capability
An HME’s ability to continue as an
ongoing business is usually contingent
upon the ability to bill Medicare and
other payer sources.
As part of your planning process you
must evaluate how you’re going to
continue billing in the event of a
disaster.
We found that HME’s using Internet
based billing systems or billing
services were better prepared to
continue billing.
What percentage of members of
audience use Internet-based
systems? Outside billing services.
Input on advantages or
disadvantages?
Billing Capability
CMS has created the following new
condition codes and modifier (effective
8/12/2005): “DR (Disaster Related)”
and “CR (Catastrophe/Disaster
Related)”.
For more detailed billing information
and FAQs go to:
http://www.hmehurricane.com/
Payroll
Payroll continuity is key to continued
loyalty of your employees, so make
sure your planning addresses your ongoing ability to pay employees. It
helps them handle disaster-related
problems at home and meet their
personal financial obligations.
Disaster Bonus
“At the time we did not have a bonus
structure in place for emergencies. Our
employees rose to the occasion. I was
extremely proud of them for going above and
beyond. After the blackout, we instituted a
bonus plan and paid employees a bonus. We
had a luncheon meeting and presented all
employees with the bonus. It went over so
well. I really have to say it was one of the
most moving moments for me. These
people love and care for our patients. We
even serviced patients that were not ours,
just because we are who we are.”
#3: Internal & External
Communications/Public
Relations
Internal Communication
One of your most valuable assets is
your employees. In the event a
disaster occurs, you need to protect
yourself and your staff. You also have
to consider the possible impact a
disaster will have on your employees
ability or desire to return to work.
Advanced Planning Steps
Create and maintain an employee
contact list with current address and
phone numbers for each person on staff.
Create a “calling tree”. Use your
employees contact list to fill out a calling
tree. Maintain and keep this in an
accessible location. Also make sure a
copy is offsite. The person designated as
“primary” on the tree should be the one
responsible for the tree and for calls by
fellow employees.
Actual Scenario:
Virtually 100% of HME providers had
developed call tree procedures.
Copies were in offices, vans, homes,
on-call vehicles, etc.
When asked the last time the “calling
tree” procedure was tested, responses
ranged from “never..we made one for
JACHO”, to “a few months ago”.
Select a day in the near future and
TEST!
Transportation and Housing
Have you considered the need for
alternative forms of transportation for
employees? Rental vehicles?
You need to be prepared if a disaster
occurs and your employees don’t want
to return to the area. You may need to
consider issues such as alternative
housing options and ways to replace
the knowledge base lost if employees
don’t return to work.
Store a hard copy of your vital
information such as your employee
data and payroll in a fire-proof box offsite. Some experts recommend at
least 50 miles away. Make it a critical
part of your routine to regularly back
up your personnel and payroll files
More companies are using internet
based back up companies who
routinely back up critical information.
Then the information is readily
available from any internet ready
source.
External Communication
Planning is required so that when a
disaster or emergency occurs,
inquiries from the news media,
patients, referral sources and staff can
be handled effectively. It is easier to
compose communications in advance,
with time to think, than it is in the face
of a crisis.
In our follow-up, we asked HME
providers what they would have done
differently with regard to external
communications and suggestions for
advance planning. They replied….
Identify a Spokesperson. Within the HME
communication team, there should be an
individual who is authorized to speak for the
company. That person should be an
effective communicator.
Anticipate and prepare universal talking
points. You need to make sure the facts
presented to the public are accurate and
positive. Be proactive and prepared for a
crisis. Hold a Communication Team meeting
and identify possible crises that can occur.
Think in advance about “canned” responses
to different situations.
This is a good example:
“We have implemented our crisis plan, which
places high priority on our patients and
employees. For additional information we
can be contacted at…”
Always make sure contact information is
included. Your patients, employees, referral
sources, etc, need to know how to contact
you. You cannot tell them too often during a
time of crisis.
To Do List: Prepare an updated
external key contact list! You will need
to develop a list of key contacts who
may be critical to the operation of your
business.
Special Web Sites
Activated in time of crisis (or as a
follow-up to an emergency situation)
with the purpose to keep patients
informed.
Toll free emergency call in numbers,
contact information, FAQs with regard
to equipment, etc
Other appropriate information
Discuss with your web
hosting/development company
#4: Data Protection &
Recovery and
Document Retention
Data Protection and Recovery
In this electronic-age, you rely more
than ever on your computers to supply
you with the information you need.
Chances are every piece of data you
might ever rely on to make an
important decision has been reduced
to a digital format and resides
somewhere on a computer hard drive.
Improved functionality and productivity
are the benefits of technology,
however on the flipside, one wrong
click, one nasty virus, one untimely
power surge, one unhappy employee
or one natural disaster and that data
can be gone forever!
Data Back-Up
Having hard copies of data important to
your company is crucial to recovery.
Data is located in many places
throughout your business, even if you
are “computerized”. Use the Data
Backup Worksheet to help you identify
what data you need and determine if it’s
backed up and where. Then use the
Risk Assessment worksheet. These
two worksheets will help you determine
where your data backups need to reside
for the greatest level of protection for
your business.
Many disaster providers wished they
had subscribed to a business data
storage/replication service.
All agreed that storage some place
outside of the HME facility offered the
best protection.
On-line backup services are a good
choice with reasonable costs.
Test your backups!!!!!
You need to make sure that your
backup process is working before you
need it. A simple way to test the
effectiveness of your backup
procedures is to create a test file that
is backed up during your normal
backup process. Delete this file from
your computer and attempt a restore
from your backup media. We suggest
doing this at least twice a year.
Keep a current list of hardware and
software
Actual Scenario: “This helped us with
our insurance claim and aided in
replacing the computer equipment”.
Make sure this list includes the
hardware for the tape or disk backup
method you use.
See the Essential Equipment
worksheet.
Document Retention
As you are well aware, certain
documents are extremely important to
an HME business, including patient
medical records and CMN’s. In the
planning process you must consider
how you would deal with the potential
loss of these important documents.
Consider the purchase of scanning
capabilities to “image” patient CMN’s
and other papers that are crucial to
your business.
#5 HME Physical Plant
Advance Planning Steps
Contact Information. Make sure a list of
all contact information for utilities,
contractors, building maintenance, any
company that is involved in physical
building is kept offsite.
Included in this list will be all account
numbers, any contractual information or
any other pertinent information. Make
sure you also have a telephone list for all
employees that would be involved with
fire, police and emergency personnel.
Advance Planning Steps
Setup Building Safe Area. Identify
safe areas in building if disaster
occurs during business hours.
Identify these areas with appropriate
signage, e.g., Tornado Shelter
In case of fire, designate an area
outside the building where employees
should meet. If building is
unavailable, have predetermined
location for personnel to meet after a
disaster. Have two alternates, just in
case disaster is wide spread.
Advance Planning Steps
Office Equipment Inventory. Keep an
inventory of all office equipment, copiers,
office machines, desks, chairs, fixtures, etc,
and whether you own or lease.
You should explore rental options to replace
damaged equipment during the time it is
being repaired or replaced and request
written estimates of rental, set-up, shipping
costs and delivery times. This is particularly
important if you rely on equipment that is
highly specialized or difficult to replace. Be
sure to add the rental companies you have
contacted to your Suppliers/Vendors form.
Advanced Planning Steps
Transportation Needs. Don’t forget
your cars/delivery vans. Plan to
protect them, but also have alternate
plans to meet your essential
transportation needs.
Essential Equipment List. After a
disaster a building might not be
entered for more than a few minutes.
Have predetermined list of critical
items (if salvageable) that you would
need to retrieve. Items such as
computers, computer disks, certain
paper files and work in progress.
#6: Phones and Internet
Advance Planning
Determining how your patients,
referral sources and employees reach
you during an incident is critical.
Whether it is by voice, email, fax or
snail mail, you need to pre-plan how
you will be contacted!
Advance Planning
Arrange for programmable call
forwarding for your main business
number.
If you cannot physically access your
business, you can call into your local
phone service provider and have the
calls to your local phone number
reprogrammed to ring elsewhere.
Advance Planning
Consider alternative forms of
communications. Should your phone
system not be working, it is necessary
to keep in touch with your employees
and patients. In anticipation of a
break in all phone service, including
cell phones, some alternatives would
be simple two-way radios, satellite
phones and pagers that send signals
to each other.
Actual Scenarios from HME
providers
Many communicated by email.
Those with websites posted an
emergency messaging system after
power was restored.
Check with your answering service to
arrange a voicemail box that can
record messages for your employees.
They can then check this one location
for information on the business.
More Advanced Planning
Recovery Location. As you think about
your voice communication needs at
your recovery location, determine
whether you will need speakerphones,
voice mail capacity or the ability to
record conversations. Also decide if
you will need conference calling
capability in order to have conference
calls with employees, key contacts
and/or patients to assess disaster
damage and to make recovery
decisions.
Actual Scenario:
During a power failure, the HME
telephone system did not work since it
relied on external power.
Suggestions:
If your fax machine is directly
connected to a telephone line, you
should be able to plug a plain
telephone into the connection the fax
uses and make phone calls. This is
because the local phone company has
extensive back up power.
Consider purchasing back-up “Plain
Old Telephone” sets(very
inexpensive!)
Importance Communications
Records
(Keep Offsite) & To Do..
Local phone service-get “Customer Service
Record”, all contact information, discuss
emergency options
Answering service-get contact information;
ask what services they offer
Telephone system-updated inventory list,
contact info, replacement procedures
discussed
Long distance-contact info, ask to repoint
your toll-free # to answering service or
alternative
And, most importantly
Assign Accountability!!!
It is essential that senior leadership of
the HME organization sponsors and
takes responsibility for creating,
maintaining, testing and implementing
these steps. This will insure that
management and staff at all levels
understand that preparedness is a
critical top management priority.
Then……….
TEST
TEST
TEST
TEST
TEST
Update: Pandemic??
“The fact of the matter is, when it
comes to pandemics, we are overdue
and we are under-prepared,” warned
U.S. Health and Human Services
Secretary Mike Leavitt at a forum at
the National Press Club in Washington
D.C.
HHS’s Home Health Care Services
Pandemic Influenza Planning
Checklist is now available!
Go to
http://www.pandemicflu.gov/plan/healthcare.html
Please download, review and complete
this document carefully!
Establish policies to be implemented during a
pandemic:
Establish policies for employee
compensation and sick-leave absences
unique to a pandemic (e.g. non-punitive,
liberal leave), including policies on when a
previously ill person is no longer infectious
and can return to work after illness.
Establish policies for flexible worksite (e.g.
telecommuting) and flexible work hours (e.g.
staggered shifts).
Establish policies for preventing influenza
spread at the worksite e.g., promoting
respiratory hygiene/cough etiquette, and
prompt exclusion of people with influenza
systems.
More policies….
Establish policies for employees who have
been exposed to pandemic influenza, are
suspected to be ill or become ill at the
worksite (e.g. infection control response,
immediate mandatory sick leave).
Establish policies for restricting travel to
affected geographic areas, evacuating
employees working in or near an affected
area when an outbreak begins, and
guidance for employees returning from
affected areas (refer to CDC travel
recommendations).
One more….
Set up authorities, triggers and
procedures for activating and
terminating the company’s response
plan, altering business operations
(e.g. shutting down operations in
affected areas), and transferring
business knowledge to key
employees.
Additional Resources
US Department of Homeland Security
www.ready.gov
Federal Emergency Management Agency
www.fema.gov
International Risk Management Institute
www.irmi.com
VGM Insurance
www.vgminsurance.com
VGM Technologies
www.vgmt.com
Other possible resources:
Your State Association
www.mhha.org
State and/or local government
Department of Public Health