Business Continuity and Pandemic Response Planning on One Page!

Mary D. Lasky Johns Hopkins University Applied Physics Laboratory

Agenda • The Applied Physics Laboratory (APL)

• APL’s Business Continuity Model

• One page model

• Pandemic Response Planning

• One page pandemic plan

Divisions of The Johns Hopkins University

School of Arts & School of Hygiene & Applied Physics Nitze School of Peabody Institute Sciences Public Health Laboratory Advanced International Studies Whiting School of School of Medicine Engineering School of Nursing School of Professional Studies in Business & Education

1 APL is Located in the Baltimore-Washington Vicinity

4

Profile of the Applied Physics Laboratory • Not-for-profit university research & development laboratory

• Founded in 1942 as a division of the Johns Hopkins University

• On-site graduate engineering program in eight degree fields

• Staffing: 4,000 employees (69% scientists & engineers)

• Annual revenue ~ $ 700M

APL Staff Demographics

Supporting Staff 22% Technical Administrative Professionals Professionals 69% 9% Technical Professionals Degree Level Degree Field 19% Doctorate 47% Engineering 54% Masters 25% Math & Computer Sciences 21% Bachelors 22% Physics, Chemistry & Other 6% None Total Staff ~ 4,000

2 JHU/APL Organization

Director

Assistant Director Assistant Director Programs Operations

Departments Enterprise Working for Departments/ Customers Functions

7

History of Continuity Planning at APL

• The purpose of Business Continuity Planning is to ensure that the Laboratory has effective plans in place to enable it to resume business operations quickly in the event of a business interruption that lasts longer than 48 hours.

History of Continuity Planning at APL • After September 2001, a team was formed to explore business continuity • Consultants were hired to introduce continuity planning, and they helped catapult us into our planning • Business Impact Analysis was performed to help uncover vulnerabilities • Business Continuity Plans were built first for a couple of business areas and then for all departments, because departments own the resources • An Incident Management Team was formed

3 Emergency

Chief Operating Officer Emergency Response Team Leader Declares Incident Yes Incident Mgmt Team Business interrupted Department Liaisons > 48 hr

Emergency Incident Business Response Plan Management Plan Continuity Plans Single Lab-wide plan to Single Lab-wide plan to document responsibilities and document response actions for Each department’s response to actions for an emergency an Incident an incident

Emergency Response Team Incident Management Team Department Liaisons & Managers APL Business Continuity Planning Overview

Incident Management Team • Led by the Assistant Director, Operations

• Serves as the Command Center to help manage a business interruption

• Goal is to coordinate restoring the business to normal operations

• Manages the recovery process by coordinating with the Department Liaisons who in turn work with their department’s management teams

Incident Management Team Members Assistant Director, Operations – Leader Assistant Director, Programs – Alternate Leader Representatives from: • Security Support from: • Human Relations • BCP Program Manager • Information Technology and team • Facilities • BCP Advisors • Business • Space Management • Legal • External Communications

4 APL Departmental Continuity Plans encompass: • Call Trees • Action plans for each of the following teams: – Department Liaisons – Key management team (varies by department as to who is on that team) – Group supervisors & program managers – IT (in some departments) • Vendors • Software • Customers • Essential Facilities (mainly for Pandemic Flu) • Locations – key rooms and facilities • Listing of Staff -- by group and by building • Listing of Property

Business Continuity Plans are: • Comprehensive

• Kept updated with new HR and customer data biweekly

• Complete list of all vendor data is kept on the BCP web site and updated daily

• Flash drives containing all plans and data are provided biweekly to: – Assistant Directors – Human Relations Department Incident Management Team Representative – BCP Program Manager

APL Business Continuity Plans are: • Large with a great deal of data

• Not easy to get the big picture from the complete document

• Not something that everyone wanted to keep at work and at home

CONSEQUENTLY –

Developed a one-page diagram

5 History of the One Page Model • Table Top for the Operations Council

• From that meeting, one of the departmental representatives became interested but the entire process was too complicated – Wanted material to be understandable at a glance – Wanted material to provide the big picture

• Working with that representative led to the “One Page Model”

One Page Plan -- Emergency & Incident Management – Sequence of Activity

Incident Management Phase 1 Incident Management Phase 2 Incident Management Phase 3 Emergency Response Phase (communicate & locate staff ) (assess impacts & plan recovery) (execute recovery plan)

Triggering event Triggering event: Phase Transition: Phase Transition: Any emergency Circumstances that may result in an Flow to Phase 2 depending on Initiate execution of the recovery plan incident being declared circumstances. Each Incident may be Business interrupted > 24 hr different. Expected activity (ERT) Expected activity (IMT) Expected activity (IMT) Expected activity (IMT) 1.Protect the staff 1. Incident declared (ADO) 1. Coordinate/manage internal and 1. Acquire and/or establish 2.Coordinate the actions of the ERT, 2. IMT is stood up external communications temporary/alternate resources & supporting Lab service organizations, 3. Initiate call trees 2. Responsible for: services: and affected departments using pre- 4. Coordinate/manage all internal and - Space assignments - Temporary spaces established emergency protocols external communications - Coordinating salvage of equipment - Equipment 3.Manage requirement for and 5. Establish communications with - Legal matters - Plant engineering intervention of 1 st responders Departments Liaison - Relocation support 4.Determine evacuation needs (in - Brief Dept. Liaisons - Communications coordination with 1 st responders when - Issue instructions as specified in 2. Coordinate with insurance companies appropriate) IM Plan 3. Stand down IMT and resume normal 5.Coordinate evacuation of affected 6. Maintain global status (staff operations and operational interfaces spaces and sweep for undetected accounting, damage, etc) casualties 7. Central functional support is available via the IMT to assist departments as required

Expected activity Expected activity Expected activity 1. Department liaisons will meet with 1. Assess program impacts 1. Stand up temporary spaces IMT - Requirements to continue - Staff occupation 2. Establish a department meeting - Impact to deliverables - Facilities place - Staff availability 2. Acquire equipment 3. Conduct concentrated effort to - Staff space requirements 3. Software restoration to facilities locate staff by department Key - Facilities & SW requirements 4. Resume normal operations and Management Team - Equipment requirements operational interfaces Legend: 4. Department Liaisons and IMT - Communications requirements exchange situation reports and - Closed area security requirements Emergency Response Team (ERT) status 2. Prepare, vet (with IMT), and deliver 5. Communicate with sponsors using detailed communication to sponsors Incident Management Team (IMT) material provided by IMT and report 3. Develop plans & requirements lists Department Key Management to IMT on results of interaction with necessary to resume business Team sponsors operations 4. Work with IMT on space requirement and salvage opportunities Plan to be used: Plans to be used: Plans to be used: Plans to be used: Emergency Response Plan Lab Incident Management Plan and Lab Incident Management Plan and Lab Incident Management Plan and Dept Business Continuity Plans Dept Business Continuity Plans Dept Business Continuity Plans

Back of the One Page – Contains Call Tree information and other key contacts as required Emergency Contacts

Key Employee Contacts # Name Role Work Home Phone Cell Emergency Phone/cell in Incident Ext. Contact 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12.

Local Police Department : Emergency (911) Non-emergency – 410-313-2200 Fire and Rescue : Emergency (911) Non-emergency – 410-313-6000 Assistant Director, Operations – Howard County General Hospital : 410-740-7654 name and numbers BG&E : 1-877-778-2222 Telephone : (Verizon 1-800-870-0000) (COMCAST -- ) (other ) Emergency Response Team Leader Howard County Emergency Radio : 1700 AM name and numbers Local Radio Stations : WBAL AM, 1090; WIYY FM 97.9; WMIX FM, 106.5 Business Continuity Program Manager name and numbers

6 Benefits of the One Page Model • Can see steps at a glance and is easily understood

• Can understand where emergency starts and stops and the Incident Management Team and departments take over

• Color coded for quick reference and helps you get started and then use the big plan for the details

• Enables you to concentrate on first things first and not worry about things that can be dealt with later

• Can be laminated and kept at work, at home and in your car

The high-level view of the Plan can be on One Page.

Can Instructions for Plans be on One Page?

Work for Howard County Maryland • Community Emergency Response Network (CERN)

• Requested to bring Continuity Planning to all businesses – April 2007 – Piloted in January 2008 – Announced in March 2008

• One Page planning document with example on opposite side

7 Planning for an Incident which Interrupts Your Business (See other side for an Example )

Planning Step 1 Planning Step 2 Planning Step 3 Planning Step 4 Planning Step 5 Planning Step 6

Assess Risks Mitigating the Risks Information Technology (IT) Interruption Due to Facility Communication Plan Employee Welfare Issues damage

List the 3 most List 3 alternative • Backup your data. • Plan where you could set- • Plan with whom you Investment in the health of important activities, ways of keeping your • Store the backup at a up your facility at an need to communicate and your staff during a crisis is functions or facilities business operating if different facility regularly alternate location. Options fill in the information on the vital to organizational that your business F1-F3 are • Backup the programs may include temporary “Emergency Contact” sheet resiliency and operations. It is depends upon. For unavailable. that use the data. trailers, vacant office space, for: Staff; Vendor; important that you let your example: inventory, • Develop procedures on home, etc. Customers; Insurance. employees know that the computer data, A1. restoring the programs and • Document procedures for • Document telephone organization is concerned customer/vendor data. such things as payroll, configurations and about their day-to-day welfare records, etc. A2. • Document configurations financial transactions, data requirements (voice and and family functioning during of your desktop computer recovery, invoicing, ordering data). a time of crisis. F1. A3. and servers – standardize, supplies. • Create a procedure for • Encourage your employees if possible. • Document the inventory forwarding telephone lines and their families to be self- F2. • Ensure IT service stock and other major so customers could reach sufficient. agreements are in place company’s assets and their you in case of an incident. • Promote family F3. and address response approx values, which helps • Work with your telephone preparedness. Obtain times and type of help for with insurance claims – take provider on expectations in information from CERN’s emergencies pictures of assets. case of an emergency. Neighbor to Neighbor (N2N) • Protect vital paper records • Evaluate your insurance • Draft a communications program, at: www.cernhc.org and reduce your need for policies periodically. plan, which can be modified • Ask your employees to paper, if possible. • Has Howard County Fire & quickly to fit the exact provide voluntary information • Keep passwords to Rescue Department situation. on how the organization might electronic files/systems off recently done an inspection • Plan for succession and best assist them and their site and secured. of your facility? Do they delegation and family in a time of crisis. have the latest floor plans? communicate this information to key people

What are 3 What are 3 steps you Personal Computers - • Decide on evacuation • Fill in phone numbers for Voluntary questions, which circumstances that could take to lessen Servers routes from your buildings key employees and could help the organization could threaten your or mitigate the threats • If PCs/Servers and assembly points and contacts. assist its staff and show top 3 activities, listed in T1-T3? were destroyed, how fast have practice drills. • Establish the ability to concern, might include: functions or facilities could equipment be • If advised that you not make a conference call. • Do you have anyone at that you listed in F1- S1. restored? 1 day, 1 week, leave your building and you • Appoint a safety officer to home with special needs? F3? 1 month? need to shelter-in-place, coordinate evacuations. • Is anyone under 5 at home? S2. • List 3 alternatives what can you do to survive • Work with staff on • Do you have family near by T1. to obtain the needed for 2 or 3 days? evacuation routes. who could help you? S3. equipment. • How can the organization T2. 1. assist you in a crisis? 2. • How long can you be away T3. 3. from home in times of crisis? © Howard County Community Emergency Response Network (CERN) 2008

Incident Planning Example: A Fire at a Pharmacy

On a Sunday evening in late January at 7 pm, the Howard County 911 center receives a call that heavy smoke is coming from a pharmacy located in a strip shopping center. The temperature is approximately 25 degrees and a strong wind is aggravating the fire. As fire companies arrive on the scene, smoke completely covers the intersection and the strip shopping center. The store was closed when the fire started. The fire escalates and the store is destroyed. The fire chief explains that it is too dangerous to re-enter the building. However, due to the quick response of the fire company and the 3,000 gallons of water per minute they poured on the fire, the fire is contained to this store, saving the remaining stores in the shopping center.

The owner arrives about an hour after the fire started and discovers his family business in ruins. He declares there are many important documents in the rear of the store in the safe and file cabinets that he needs to retrieve. Unfortunately, the building has collapsed in this area and the fire chief explains it is too dangerous to move into that area, and a contractor will have to be called to remove the collapsed structure. The owner states the records for his 13,000 prescription customers are in the file on the store’s computer and explains that the store business manager, who is out of town until Wednesday, is the one who knows the insurance information and he, the owner, only deals with the pharmacy business. The owner now has to begin dealing with the results of this disaster, which could have been mitigated by proper planning, as illustrated below . There were 200 prescriptions ready for pick up on Monday. This is also the main supplier of prescriptions for three assisted living centers located less than a mile away. During an average month 1,300 prescriptions will be refilled.

Example of “Planning for an Incident” -- Underlined items show possible planning responses Planning Step 1 Planning Step 2 Planning Step 3 Planning Step 4 Planning Step 5 Planning Step 6

Assess Risks Mitigating the Risks Information Technology Interruption Due to Communication Plan Employee Welfare Issues Facility damage

List the 3 most important List 3 alternative ways Data Backups — • Create a list of who to • Has Howard County Fire & Investment in the health of activities, functions or of keeping business • Is your data backed up? call in case of an Rescue Department your staff during a time of facilities that your operating if F1-F3 are Ideally the answer would Incident. recently done an inspection crisis is vital to organizational business depends upon. unavailable. be yes. • Fill in information on of your facility, and do they resiliency and operations. It the “Emergency have the latest floor plans? is important that you let your F1. Medications A1. If store has more • Is the backup stored at a Contact” sheet for: • Plan with whom do you employees know that the than one location, different facility regularly? F2. Electronic could refer customers
Staff need to communicate: organization is concerned Ideally the answer would
Vendors
Staff about their day-to-day customer records to other store, or be yes. Data is stored at
Customers
Customers welfare and family might create a an off-site location on a
Insurance
Key stakeholders functioning during a time of network with other F3. Electricity to keep regular basis. If more • If you had to set up Calling staff and key crisis. pharmacies with medications at than one location, your facility at an customers quickly would • Encourage your employees agreements to help controlled exchange data. Could alternate location, be important. and their families to be self- each other in times of where would it be? temperatures use on-line or networked • Preplan and draft sufficient. • Vital paper records – disaster. back-up capabilities. communications, which can
Promote family where are they? Plan A2. Store electronic • Are the programs that use be modified quickly to fit the preparedness. Obtain how to protect them. information from CERN’s records off-site the data also backed up? exact situation. A3. Obtain a backup • Succession planning Neighbor to Neighbor (N2N) Ideally, yes. and delegation. generator. program, at: www.cernhc.org © Howard County Community Emergency Response Network (CERN) 2008

Pandemic Response Planning

8 Source: February 2008 -- http://www.pandemicflu.gov

Social Distancing • Center for Disease Control and Prevention (CDC), February 2007: Interim Pre-Pandemic Planning Guidance for Communities and Others • CDC has based its social distancing guidance on modeling conducted by the Institute of Medicine • If moderate, CDC suggests that an organization should consider social distancing • If severe, CDC says that the organization must enact social distancing – Since we will not know the severity at the beginning, CDC states social distancing would need to be implemented early – CDC also recommends planning for a severe pandemic

Modeling Shows Benefit of Social Distancing Goals of Community Mitigation 1. Delay outbreak peak 2. Decompress peak burden on hospitals/infrastructure 3. Diminish overall cases and health impacts

Pandemic outbreak: No intervention Daily Daily Cases Pandemic outbreak: With intervention

Days Since First Case

CDC Interim Pre-pandemic Planning Guidance, February 2007

9 Johns Hopkins University Applied Physics Laboratory’s Pandemic Influenza Response Planning

Hopkins Critical Event Preparedness and Response (CEPAR) Activities • Pandemic Plan – uses three phases

• Routine -- Business as usual

• Transition -- Pandemic in US

• Critical -- Pandemic in local area

Governance for the Pandemic

Director & Executive Council Incident Management Team

DEPARTMENTS

10 APL’s Executive Council Sets High-Level Criteria to Guide Planning

• In 2006, the APL Executive Council created:

– The criteria to be used for planning, communications and decisions if there is a pandemic or similar incident

• Provide for the health and welfare of APL staff and their families • Meet immediate Government needs of critical national or regional importance • Assure the continued existence and viability of APL

One Page APL Pandemic Trigger Actions Responsibility Trigger 1 -- Trigger 2 -- Trigger 3 -- Trigger 4 Trigger 5 – Wave is Pandemic Flu in Pandemic Flu Pandemic Flu in Hospitals are over & return to the world not in in USA local area overcrowded and normal activities USA schools are closed WHO*, WHO Phase 6, WHO Phase 6, WHO Phase 6, WHO Phase 6, WHO Phase 3/4/5 Federal Govt. Federal Govt. Federal Govt. Federal Govt. Federal Govt. Federal Govt. Stage 3 Stage 4 Stage 5 Stage 5 Stage 6 JH CEPAR CEPAR -- routine CEPAR- transition CEPAR – critical CEPAR – critical CEPAR – routine

APL Incident • Communicate • Draft • Enact social • Recommend • Reverse social Managemen to staff and families communication on distancing, “critical work” at distancing t Team • Enact non- contingency examine limitations facility” and • Stand down the (IMT) essential travel ban policies on meetings, “maximum work- IMT to affected areas • Decide if masks staggered work at-home” • Facilities are • Enact are required hours, cafeterias, • Communicate open for routine quarantine if staff etc. often with staff operations traveled to an • Communicate affected area often with staff ● Examine • Voluntary “critical work” work-at-home APL Executive • Ratify travel • Ratify mask • Consider • Approve • Reverse Managemen ban & quarantine decision contingency “critical work” at contingency policies, t decisions policies and ratify facility decisions & and assess financial social distancing monitor financial situation taking action status as required APL • Implement • Develop plans • Implement • Implement • Return to Departments non-essential travel for “maximum social distancing “maximum work business as normal ban & quarantine work-at-home” at-home”

* World Health Organization (WHO)

Decision Matrix – approve during planning

Triggers Decision IMT Executive Departments Council Trigger 1 -- Trigger to this stage, declare Declare Informed Informed Pandemic incident and stand up IMT elsewhere in the world Initiate ban on all travel to affected Recommend/ Approve/ Implement areas Approve Ratify Initiate self quarantine for “n” day if Recommend/ Approve/ Implement traveled to affected area Approve Ratify Establish deadline to identify the Approve Informed Informed current “critical work” Trigger 2 -- In USA Trigger to this stage Declare Informed Implement

Decide if mask will be mandatory in Decide Approve/ Informed Step 3 Ratify Trigger 3 – In our Trigger to this stage Declare Informed Informed area Policy changes Recommend Approve Implement Initiate social distancing Recommend/ Approve/ Implement Approve Ratify Trigger 4 -- Trigger to this stage Declare Informed Informed Hospitals crowded Decide if “critical work” only at Recommend Approve Implement facility and maximum work-at-home Trigger 5 – Declare incident closed Declare Informed Informed Pandemic is over

11 “What If” Scenarios

Scenario 1: The World Health Organization (WHO) has raised the Pandemic level to Phase 5 because there are clusters of human-to-human transmission in Asia.

What actions does your organization take when WHO states the world is in Phase 6 – a pandemic?

One Page APL Pandemic Trigger Actions Responsibility Trigger 1 -- Trigger 2 -- Trigger 3 -- Trigger 4 Trigger 5 – Wave is Pandemic Flu in Pandemic Flu Pandemic Flu in Hospitals are over & return to the world not in in USA local area overcrowded and normal activities USA schools are closed WHO, WHO Phase 6, WHO Phase 6, WHO Phase 6, WHO Phase 6, WHO Phase 3/4/5 Federal Govt. Federal Govt. Federal Govt. Federal Govt. Federal Govt. Federal Govt. Stage 3 Stage 4 Stage 5 Stage 5 Stage 6 JH CEPAR CEPAR -- routine CEPAR- transition CEPAR – critical CEPAR – critical CEPAR – routine

APL Incident • Communicate • Draft • Enact social • Recommend • Reverse social Managemen to staff and families communication on distancing, examine “critical work” at distancing t Team • Enact non- contingency limitations on facility” and • Stand down the (IMT) essential travel ban policies meetings, staggered “maximum work- IMT to affected areas • Decide if masks work hours, at-home” • Facilities are • Enact are required cafeterias, etc. • Communicate open for routine quarantine if staff • Communicate often with staff operations traveled to an often with staff affected area • Voluntary ● Examine work-at-home “critical work” APL Executive • Ratify travel • Ratify mask • Consider • Approve • Reverse Managemen ban & quarantine decision contingency “critical work” at contingency policies, t decisions policies and ratify facility decisions & and assess financial social distancing monitor financial situation taking action status as required APL • Implement • Develop plans • Implement • Implement • Return to Departments non-essential travel for “maximum social distancing “maximum work business as normal ban & quarantine work-at-home” at-home”

“What If” Scenarios

Scenario 2: The World Health Organization (WHO) has raised the Pandemic level to Phase 4 because there are clusters of human-to-human transmission in Egypt.

What happens if one of your employees is in Egypt and contracts the disease bringing it back to your organization?

12 One Page APL Pandemic Trigger Actions Responsibility Trigger 1 -- Trigger 2 -- Trigger 3 -- Trigger 4 Trigger 5 – Wave is Pandemic Flu in Pandemic Flu Pandemic Flu in Hospitals are over & return to the world not in in USA local area overcrowded and normal activities USA schools are closed WHO, WHO Phase 6, WHO Phase 6, WHO Phase 6, WHO Phase 6, WHO Phase 3/4/5 Federal Govt. Federal Govt. Federal Govt. Federal Govt. Federal Govt. Federal Govt. Stage 3 Stage 4 Stage 5 Stage 5 Stage 6 JH CEPAR CEPAR -- routine CEPAR- transition CEPAR – critical CEPAR – critical CEPAR – routine

APL Incident • Communicate • Draft • Enact social • Recommend • Reverse social Managemen to staff and families communication on distancing, “critical work” at distancing t Team • Enact non- contingency examine limitations facility” and • Stand down the (IMT) essential travel ban policies on meetings, “maximum work- IMT to affected areas • Decide if masks staggered work at-home” • Facilities are • Enact are required hours, cafeterias, • Communicate open for routine quarantine if staff etc. often with staff operations traveled to an • Communicate affected area often with staff ● Examine • Voluntary “critical work” work-at-home APL Executive • Ratify travel • Ratify mask • Consider • Approve • Reverse Managemen ban & quarantine decision contingency “critical work” at contingency policies, t decisions policies and ratify facility decisions & and assess financial social distancing Monitor financial situation taking action status as required APL • Implement • Develop plans • Implement • Implement • Return to Departments non-essential travel for “maximum social distancing “maximum work business as normal ban & quarantine work-at-home” at-home”

Benefits of the One Page Pandemic Triggers • People focus quickly on the big picture

• The APL director understood it immediately and started wanting to add “what ifs”

• Table Top Exercises (Scenario 2 shown here) validated that plan could be flexible

Pandemic Planning for Howard County Maryland • The Community Emergency Response Network (CERN) has done some initial work on a one-page document to help all businesses be prepared for a Pandemic

• The most complicated part of pandemic planning is the HR side of things.

• IT is very important, if staff members are going to work from their homes

13 Preparing for a Pandemic Influenza A Pandemic is an outbreak of a disease that covers a wide geographic area and affects large numbers of people. . Develop Communication Plan • What to say to staff now to be sure they are prepared before a pandemic and at each stage during a pandemic • Ask suppliers about their plan and determine alternative resources

Develop Contingency Policies • Do you need a policy to request staff to stay at home if ill? • Do you need rules about working at home and what you will and will not support? • Will you pay your staff during the pandemic if they are not working? • Will staff benefits continue? • Ensure direct deposit for all staff members

Determine Critical Work • Work that must be done at the facility and cannot be done from home • Risk to the business if not supported

Obtain Supplies to have during the pandemic • Masks, hand sanitizer, gloves, special hospital grade cleaners?

Determine Computing Requirements • Working at home (check with legal and Human Resources about insurance issues) • Can staff work from home? Be sure to practice. • Consider laptops for key staff • Can payroll be run from home? – If not, how will you pay your staff? • Transferring phones to staff member’s homes © Howard County Community Emergency Response Network (CERN) 2008

Acknowledgements & Thanks • APL Incident Management Team and the Assistant Director, Operations, Ruth Nimmo

• Howard County Community Emergency Response Network (CERN) and its chairman, Richard M. Krieg

• Lynn Coleman, Vice President, Howard Community College

• First Responders - Howard County, Maryland

• Jim Wyant, Operations Executive, Air and Missile Defense Department, APL

Mary D. Lasky

[email protected]

14