Public Utilities: Managing Business Continuity Beyond BCM Standards

Business Continuity Management professionals in publicly-regulated utilities (electric, oil, gas, water, telecommunications) are different. Not because of who they are – but because of what their job requires.

They can’t blindly follow industry standards (not that any of us do). They have an alternate set of rules and responsibilities that those in financial services, retail, manufacturing and other industries don’t. They’ve got to serve two masters: BCM’s generally accepted standards, and those set by their industry’s national, regional and state regulatory overseers. They are also subject to degrees of both public scrutiny and regulatory requirements that demand not only preparedness but incident management as well.

Threat Monitoring

The average electrical utility, gas distributor, water or telecom company has many potential points of failure along its transmission and/or distribution systems. Few other industries face the same degree of risk. Add the typical facility, technology, vendor and personnel risks, and utilities are vulnerable to a broader spectrum of risks than other industries.

Citizens depend on these utilities to deliver their product uninterrupted. When weather, geology, accident, equipment failure, human error or vandalism intervene, they must be prepared to respond efficiently and effectively. Cyber threats and threats to the physical infrastructure must be monitored, recorded – and often reported to regulatory authorities.

That mandate requires that their level of awareness be as great as or greater than that of other organizations. The ability to monitor threats (and threat trends) is critical to quick and decisive response. Situational awareness is a vital component of their Incident Management capabilities.

NIMS/Incident Management

As part of the National Infrastructure, utilities are required to follow NIMS (National Incident Management System) guidelines for planning, preparedness and Incident response.  They must test their response capability regularly, and report the results to industry regulators (including state and federal government organizations).  Just having an Incident Management Plan is not sufficient.  They must be able to prove their response capabilities using the Incident Command System (ICS).  And unlike many industries, those capabilities are frequently exercised under actual disruptive conditions.

ICS/Documentation

For many organizations, Incident Management is theoretical. There’s an Incident Management Team, and an outline of their responsibilities (the IM ‘plan’). The IM Team may even participate in exercises. But documentation is seldom part of that ‘plan’. For utilities – because of NIMS requirements – documentation is an essential part of their Incident Management Plan. They are required, under NIMS, to use the ICS forms it mandates. Every person, strategy, resource and activity employed in responding to a disruption must be recorded and maintained. Simply maintaining those forms under the duress of responding to a disruption or incident can be daunting – but it’s not an option (and the forms must be maintained in real time, not as a post-incident afterthought).

Communication

Every BCM professional is aware of the criticality of communication during a business disruption. No matter the scope of the disruption, utilities must communicate with a broader audience than most businesses. Their ‘stakeholders’ include the usual (their board, their employees, their customers), but almost always include regulators and the media – both of whom require real-time, up-to-date information. If your building burns down, it’s news; but if your products and services are disrupted for ten minutes, your customers – and the media – often won’t notice. The same is not true for utilities. If customers can’t get dial tone, have no electricity or water, or are impacted by a fuel spill, the media will take notice immediately. Regulators won’t wait for a post-incident report. The capability to communicate effectively with a wide audience is critical to public utilities’ ability to respond – and to protect their reputations.

The Right Tools for the Job

Managing the Business Continuity requirements of a public utility requires diligence, preparedness, practice – and the right tools to coordinate their threat tracking, planning, testing, Incident Management and communication needs.  For information on how eBRP Solutions can help, visit our Utilities Solution page.

eBRP Thoughts


eBRP Thoughts, eBRP’s Blog voice, represents 50 + years of cumulative BCM knowledge gained through experience in corporate BCM program management, consulting & program implementations. We've worked hand-in-hand with governments and private enterprises to develop viable BCM programs. eBRP is an active participant on LinkedIn and Twitter. The opinions expressed in our eBRP.net blog are ours and are intended to engage resiliency planners in conversations about the BCM industry, its standards and its future.
