Interview with Regina Phelps

-
Regina Phelps is an internationally recognized thought leader in the field of crisis management, exercise design and pandemic and continuity planning. Since 1982, she has provided consultation and speaking services to multinational companies in five continents. She is founder of Emergency Management & Safety Solutions (EMSS), a crisis management and business continuity consulting firm. EMSS is 100% woman owned firm.

I met Regina on her visit to Peru last year, and she had the kindness to autograph her book Emergency Management Exercises for me. With the same kindness, Regina unhesitatingly agreed to give me this interview. 

Clic here to access the Spanish translation of this interview.


  • Place of birth: Visalia, California
  • Career / profession: Spent seven years in healthcare. As a registered nurse and then a hospital administrator 
  • Hobbies: I am deeply curious about many things. Avid birdwatcher, world traveler (have visited over 90 countries), I love to read and research all of the topics that catch my attention


1. How did you get into the world of business continuity? 

When I finished my Masters (Public Administration), my thesis was a business plan for what would become my company. I did not get along with my boss at the time and decided that it was worth an attempt to create my own business – that was 1982. We did emergency response, safety and wellness programs. Over the first five years, we did all three and then shifted in the late 80’s to focus solely on emergency response, business continuity, crisis management and exercise design. We started pandemic planning in the late 90’s.

2. In your experience, what is the most successful case of study in the discipline of business continuity that you would like to share with us?

I can’t speak about a specific company but I can speak about our crisis management program, which we have installed in hundreds of organizations worldwide. We utilize a methodology called the Incident Command System (ICS), which is used by many governments around the world and allows for an organized and structured response to a crisis. We install not only crisis management teams at a headquarters but also smaller teams in every company location to ensure that incidents are assessed rapidly and reported rapidly and quickly to the appropriate levels.

3. And the less successful (the worst failure)? What could you learned from it? 

Knock on wood… we have never had a failure. However, one of the things I have always been disappointed with is when a company hires us to develop a program or write a plan to just “check a box” rather than to do the work to truly improve organizational resiliency. Personally, it is not emotionally or psychologically fulfilling when assisting companies like this… and if they ever really need the program, it will likely not be very helpful because it hasn’t been maintained.

4. Regarding the RTO, how objective (and specific) should any organization be to establish it?

We have changed our views dramatically in how to conduct a Business Impact Analysis or BIA. In the “old days”, we would do detailed questionnaires and interviews and produce a large document filled with detail, statistics and graphs. At one point it just said, “is all of this detail worth it or necessary?” We have decided that for the most part it is not. If you get the right managers and employees in a room, they can be walked through a process that will get you 90% or more of the same information and then you can revise it and adjust it over time. It is a living document and iterative by its very nature. Don’t make it a gigantic project… start with a workshop with good information and solid questions, develop the recovery time objectives (RTOs) and revise them over time.

5. How do you see the future of business continuity in the next 10 years? 

Most of our clients are moving toward placing business continuity under the umbrella of risk. This makes good sense as business continuity, disaster recovery and crisis management are all about managing risk. I am expecting to see more and more free-standing business continuity departments folded under Risk Departments. The SARS-COV2 pandemic has showed the importance of business continuity planning including business impact analysis, business continuity plans and disaster recovery plans. This has helped the discipline to demonstrate value in organizations.

The cybersecurity landscape worldwide is also putting tremendous pressure on companies to become more resilient and able to function if there is a loss of technology, like what would be experienced in a ransomware attack. This highlights the importance of a well-designed business continuity plan and one that includes the sustained loss of technology, including network, applications and databases.

6. What do you think the community of professionals and practitioners of BC must do to accomplish that vision? 

BC professionals and practitioners must work to broaden their knowledge and skills in the risk area as well as deepen their knowledge in crisis management and information security. Additionally, practitioners must find ways to constantly communicate the value that they are creating in their program, plans, and exercises. BC professionals need to start thinking of business continuity as a product that needs to be marketed strategically within their organization.

7. What is most important lesson learned from our practice of BC from the actual crisis of SARS-COV2? 

The work that we do is critically important….really. The work that we do is critically important. As I mentioned in Question #6, we must find ways to demonstrate and communicate value every day to our organizations. How do you do that? Marketing!

We divide these marketing efforts into two categories: overt and covert. Overt marketing efforts are just as the word describes: they’re done or shown in the open and are plainly or readily apparent to everyone. For example, you could encourage employee home preparedness during the month of September, which happens to be “National Preparedness Month”. To build resiliency, you need employees to show up at time of disaster, and they will only show up if their families and homes are OK. One way to make that more possible is to encourage home preparedness, thus your National Preparedness Month activities feed into a win-win for your program and the company.

Covert marketing, on the other hand, is not openly acknowledged or displayed. There are ways you can share information and knowledge, thus informing others, but can also demonstrate the value you provide. For example, if your manager is keenly interested in cyberattacks and cyber preparation, it would be very appropriate (and help build your program’s value) if you kept him or her informed of key attacks or responses by other similar companies or competitors. Keep them in the loop on things that they might not likely see themselves, which can reinforce the value you bring to the organization. And when appropriate, do analysis of contemporary events and share that with key individuals.

And whenever key events occur, find ways to bring the information to the right people in your organization:
  • Write after-action reports for real activations or exercises. Be sure to outline the ways that the continuity process helped, the key lessons learned, and the next steps. 
  • Refer back to your internal marketing plan. Whether you had a real activation or held a great exercise, tell your story by internal communications vehicles, such as company articles, whitepapers, and/or presentations.

Comentarios

Publicar un comentario

Entradas populares de este blog

Mapa de suelos de Lima y Callao #BusinessContinuity #DisasterRecovery

-
Imagen
Extraído del Atlas de Peligros del Perú articulado por el Instituto Nacional de Defensa Civil (Indeci), en el mapa se muestran los resultados del estudio de microzonificación sísmica y tsunami realizado en 2010. Cada color indica una zona la cual corresponde un tipo de calidad de suelo: Peligro bajo (verde) : Está conformada por los afloramientos rocosos, los estratos de grava-aluvial de los pies de las laderas. Este suelo tiene un comportamiento rígido, con periodos de vibración natural. Peligro bajo Peligro relativamente bajo (amarillo) : Se incluyen las áreas de terreno conformado por un estrato superficial de suelo granulado fino y suelos arcillosos. Peligro relativamente bajo. Peligro alto (anaranjado) : Conformada en su mayor parte por los depósitos de suelos finos y arenas de gran espesor que se encuentran en estado suelto. Peligro alto. Peligro muy alto (rojo) : Conformada por los depósitos de arena eólicas de gran espesor y sueltas, depósitos fluviales, depósitos marin
Leer más

¿Qué dice la Ley 29783 (SST) sobre gestión de emergencias? #EmergencyPlanning #BusinessContinuity

-
Imagen
Mediante la ley de Seguridad y Salud en el Trabajo ( Ley N° 29783: 2011 ) y su reglamento respectivo  (D.S. 005.2012-TR), se estableció la obligación para las empresas de contar con un sistema de gestión en seguridad y salud en el trabajo ; el que especifica disposiciones legales específicas con respecto a la respuesta a situaciones de emergencia. En la Ley 29783 de Seguridad y Salud en el Trabajo (SST): Art. 39.- Objetivos de la Planificación del Sistema de Gestión de la Seguridad y Salud en el Trabajo . Con respecto al logro de resultados específicos, realistas y posibles de aplicar por la empresa; comprende (a) la mejora continua de los procesos, la gestión del cambio, la preparación y respuesta a situaciones de emergencia; y (b) la mejora del nivel de participación de los trabajadores y su capacitación.   En el Reglamento de la ley de SST: Art. 33.- Registros obligatorios del Sistema de Gestión de SST : g) […] registro de entrenamiento y simulacros de emergencia (
Leer más

Repasando el MTPD (o período máximo tolerable de interrupción)

-
Imagen
Acorde con la práctica estándar, las organizaciones determinan sus prioridades y requerimientos para el programa de continuidad del negocio, como parte del proceso de análisis de impacto o business impact analysis (BIA). Desde 2006 se introdujo un concepto para ayudar a determinar cómo debían priorizarse las actividades de las empresas ante un evento de interrupción y bajo qué condiciones estas debían ser recuperadas: el período máximo tolerable de interrupción o maximum tolerable period of disruption (MTPD). Image:  https://www.nbcnews.com/news/us-news/ditch-switch-call-go-permanent-daylight-saving-time-grows-n1043051 Según la norma internacional ISO 22301:2019, el MTPD es el período de tiempo dentro del cual, si no se pudieran reanudar las actividades, los impactos llegarían a ser inaceptables para la organización ; amenazando su supervivencia o haciendo que sus objetivos ya no sean alcanzables. Para poder identificar el MTPD para cada actividad, la organización debe decidir primer
Leer más