Business Continuity and Disaster Recovery Planning

Transcript of Business Continuity and Disaster Recovery Planning

Page 1: Business Continuity and Disaster Recovery Planning

September 8, 2006 1

Page 2: Business Continuity and Disaster Recovery Planning

Business Continuity and Disaster Recovery Planning

Joseph P. Tylutki

Senior Counsel, McDonald’s Corporation

Page 3: Business Continuity and Disaster Recovery Planning

Where are we going today?

• What is Business Continuity Planning?

• Review of Potential Legal Issues and Concerns with BCP

• Review of IT Issues and Concerns with BCP

• Q&A

Page 4: Business Continuity and Disaster Recovery Planning

Business Continuity Planning…

• Business Continuity Planning (BCP)* is an interdisciplinary peer mentoring methodology used to create and validate a practiced logistical plan for how an organization will recover and restore partially or completely interrupted critical function(s) within a predetermined time after a disaster or extended disruption. The logistical plan is called a Business Continuity Plan.

* Source: Wikipedia; http://en.wikipedia.org/wiki/Business_continuity_planning - visited 08.02.07

Page 5: Business Continuity and Disaster Recovery Planning

What the heck does that mean?

• In plain language, BCP is how an organization prepares for future incidents that could jeopardize the organization's core mission and its long-term health. Incidents could include, but not be limited to, localized incidents like building fires, regional incidents like earthquakes, or national incidents like pandemic illnesses.

• The entire process is designed to eliminate the panic factor of dealing with the unexpected.

• We may plan to fail, if we fail to plan.

Page 6: Business Continuity and Disaster Recovery Planning

Is this a legal requirement?

• In certain countries, yes!

• In December, 2006, the British Standards Institute released BS25999, which relates to Business Continuity Planning and is applicable to all organizations (including non-profit) regardless of industry or size.

• In the U.S., there is no federal mandate; however, it would not be a stretch to imagine legal liability could follow an organization if they fail to have a BC Plan in place.

• As we will see, certain other applicable statutes could be violated resulting in other types of possible fines.

Page 7: Business Continuity and Disaster Recovery Planning

Preparation of a Corporate Plan

Four Goals of Planning:

• Prepare for an Emergency

• Respond to a Major Disruption

• Mitigate the effect of the Disruption

• Recover (restore) from Consequences

BCP greatly enhances a Chapter’s ability to recover from losses, may reduce liability insurance costs, and may limit exposure to liability claims from 3rd parties.

Page 8: Business Continuity and Disaster Recovery Planning

Key Goals in BCP

1. To the greatest extent possible, ensure safety of employees and families that rely on RMHC services

2. Maintain, to the greatest degree possible, continued Chapter operations

3. Contain and minimize short- and long-term loss, minimize the time in which operations are disrupted, and restore key elements of operations as quickly as possible.

4. Simplify the recovery process through analysis, organization, and preparation before disaster strikes.

Page 9: Business Continuity and Disaster Recovery Planning

Additional Key Goals

5. Mitigate economic damages through insurance coverage and risk management efforts

6. Handle regulatory and human resource challenges, including communications and benefit coverage and coordination

7. Prepare for PR and guest challenges with adverse circumstances

8. Respond to management issues (including succession plans if necessary)

Page 10: Business Continuity and Disaster Recovery Planning

Before you run out of the room…

• This does not solely cover employer-employee relationships.

• For any Chapter with Programs outside of Grant Making, this applies to your Guest Families too!

Page 11: Business Continuity and Disaster Recovery Planning

Legal Challenges and BCP

OSHA Compliance:

• General Duty Clause (“GDC”):

+ Employers are required to provide employment and working conditions free from hazards that are causing, or likely to cause, death or serious bodily harm. (Many states have similar plans as well. 29 CFR 1910 (e)).

• Emergency Action Plans (“EAP”):

+ Employers that have a facility with 10 or more employees are required to have a written EAP. The EAP must cover the following minimum points:

Page 12: Business Continuity and Disaster Recovery Planning

EAP Key Points

1. Procedures for reporting a fire or other emergency;

2. Procedures for emergency evacuation (including type of evacuation and exit route assignments);

3. Procedures to account for all employees after the evacuations;

4. Contact information on employees who can provide additional information about the EAP.

Additionally, beyond creating the EAP, employers must review the EAP with all employees and must designate and train employees to assist in the event of an evacuation.

Page 13: Business Continuity and Disaster Recovery Planning

OSHA Requirements, cont’d.

• Fire Prevention Plans

+ In addition to the EAP, employers with 10 or more employees must maintain a written fire protection plan.

+ No RMHC facilities should be subject to issues in this area as these relate primarily to listing major fire hazards and storage of hazardous waste.

+ Important to note: OSHA requires all sprinkler systems, alarm systems, and exit lighting to be in working order at all times.

Page 14: Business Continuity and Disaster Recovery Planning

OSHA, cont’d.

• Exit Routes:

+ OSHA requires all employers, regardless of size, to establish and maintain exit routes from their facilities for employees.

+ Exit Routes must lead directly outside to a street, walkway, or open space with access to the outside. Each route must have adequate lighting, signs, and be of minimum heights.

Page 15: Business Continuity and Disaster Recovery Planning

Employment Law Considerations

• FMLA – Injuries sustained during an emergency may qualify.

+ What would happen if a majority of your staff needed time off?

• ADA – Require “Prompt and Efficient” assistance

+ You can ask after extending a job offer if an employee would require any assistance

+ May survey current employees with same questions – so long as information is given voluntarily

+ Survey employees with known disabilities; however, don’t assume an employee with a known disability will require assistance

Page 16: Business Continuity and Disaster Recovery Planning

ADA and Rescue Assistance

EEOC guidelines suggest providing all employees a memo with an attached form seeking additional information on any special assistance needed. Alternatively, an employer can have a follow-up conversation with an individual who has indicated a need for special assistance. The employer should also determine if any special medication or equipment will be necessary in the event of an emergency (e.g. a wheelchair).

While this is confidential information, the ADA does have a limited exception to share with those who “need to know”, for example a building security office, floor captain, and evacuation personnel.

Page 17: Business Continuity and Disaster Recovery Planning

Uniformed Services Employment and Reemployment Rights Act (“USERRA”)

• Under USERRA, all employers are required to provide leave to employees who need to satisfy military obligations.

• In the event of a major natural disaster, National Guard troops could be activated and deployed to assist with clean-up efforts.

• Plan accordingly for staff who could be impacted by military obligations.

• In addition, there may be training obligations and service related disability issues to contend with as well.

Page 18: Business Continuity and Disaster Recovery Planning

RMH Guest Families

Now that we have covered employees, let’s not forget that our RMH programs also need to consider our Guest Families:

• ADA could cover Guest Families (public accommodation)

• Have you asked Guest Families if the family (or any member) would require special assistance? If so, where is this documented? Who has this info in an emergency?

• Does more than one person have the occupancy list? Can it be easily found (not on a computer)? What about visitors (if permitted)? Are contact numbers readily available for Guest Families?

• Do you have a plan to deal with other housing for your Guest Families if the House is out of service for a while? What if something happens suddenly?

Page 19: Business Continuity and Disaster Recovery Planning

Ronald McDonald Family Room

• Do you know what the hospital procedures are?

• Have they been addressed (and practiced) with Staff and Volunteers?

• For those who have bedrooms, who has the list of guests available at night? What if that person can’t be found?

Page 20: Business Continuity and Disaster Recovery Planning

Ronald McDonald Care Mobile

• If your RMCM program was out of commission, what would those staff be responsible for?

• Do you have contact information readily available for your insurance company and Life Line?

Page 21: Business Continuity and Disaster Recovery Planning

Record Keeping Requirements

What would happen if all your records disappeared?

- Employee Files

- Legal Documents (e.g., State Registration, 1023 applications, 501(c)(3) determinations, trailing three years of 990, Sales Tax Exemption, IRS Original Letters, contracts, meeting minutes)

- Financial Records (tax returns, audited financial statements, vendor list, monthly financial back-ups)

- Day-to-day records (invoices, payroll records, Chapter’s checkbook, occupancy records and guest family info)

• Consider electronic back-up (e.g. scanning of documents) with appropriate safeguards

• Consider off-site secured storage of back-up files

Page 22: Business Continuity and Disaster Recovery Planning

Information Security Planning

• What would happen if your network was interrupted?

+ Does not necessarily require a disaster to impact your computer network

• Do you know how to manually process your “mission critical” processes? Have you thought about your telephone system too?

• What is the maximum tolerable downtime?

• Do you have critical files backed up on regular schedules and are they stored off-site?

• Have you practiced the recovery? Have you planned for contingencies?

Page 23: Business Continuity and Disaster Recovery Planning

Implementation Steps

• Management and Board Acceptance

+ Planning

+ Endorsement

• Employee Training

• Board and Succession Planning

• Communicate Plans (before, during, and after)

• Commitment to review and update regularly – this is NOT a static document

• Provide strategic thought on payment of wages and benefits, access to checkbook and bank accounts, ready cash and investments BEFORE you face the issues.

Page 24: Business Continuity and Disaster Recovery Planning

Implementation Steps (cont’d)

• Contact RMHC-Global if you have additional specific questions

• Reach out to your McDonald’s Regional Contacts

+ Many Regions and Division offices have staff trained in this area

+ Most will be willing to help your Chapter

+ May have additional contacts/resources available to assist in planning or in the event of an incident

Page 25: Business Continuity and Disaster Recovery Planning

Questions??