For many people, the term “continuity of operations” (or “COOP”) conjures thoughts of the Cold War, when the nation spent decades preparing for a potential nuclear attack on U.S. soil, with vivid mental images of “duck and cover” drills and community sirens.
That image got a new twist in 1999, when Y2K concerns triggered a shift from preparedness against a kinetic attack from a nation state to a cyber impact.
Today, we are facing a combination of kinetic and cyber attacks, with threats originating from lone wolf actors, nation states, and everybody in between. COOP planning is more relevant than it has ever been, yet the focus by planners and leaders alike on this critical effort is severely lacking.
Our broader approach to COOP reaches beyond the federal government to include state, local, tribal, and territorial governments and the private sector. We have programs focused on business continuity and resilience. Regardless of the titles we give it, the functions remain the same—how do we identify the critical functions, systems, personnel, and support needed to keep our operations running against natural and man-made threats?
COOP and Resilience
Often, parallel with COOP planning, we’re searching for ways to enhance our resilience. COOP and resilience look at the same fundamental information, make the same assessments on priorities and criticality, and involve the same decisions on buying down or accepting risk. Depending on priorities, we may look at resilience through the lenses of all-hazards emergency preparedness, climate change, evolving cyber threats, or all of the above—but no matter how you look at it, COOP and resilience programs are inextricably linked.
Despite their critical importance to a mission’s success, COOP and resilience are still viewed as optional in many organizations. In agencies at all levels of government, COOP and resilience planning have been delegated as an “additional duty” that rarely garners the full support of senior leadership. It’s seen as a check box activity to meet requirements as opposed to an effort that can truly help an organization prepare for natural and man-made disasters.
Similarly, in the private sector, where owners and operators of critical infrastructure confront a number of threats and hazards that pose significant risk to critical business processes and operations, business continuity practices are often not fully integrated with enterprise-wide emergency response strategies.
Steps to COOP Preparedness
To address these challenges, there are several steps that organizations, both public and private, can take to further their COOP and resilience planning efforts:
1. Get true commitment from senior leadership.
This happens through active participation, not just by memo. If leaders commit the time, others throughout the organization will follow their example. This includes personal attendance at most meetings from the onset of the process. The more leaders can describe the quantitative or qualitative benefits of the process and the outcome to the entire organization, the stronger support it is likely to receive. Finally, true commitment requires the appropriate dedication of personnel and other resources needed to conduct comprehensive planning.
Remain committed throughout the process by being present and active in the process every step of the way. This does not mean that senior leaders need to micromanage the process; however, attendance at only the beginning and the end, as often happens, will not be as beneficial to the organization and may result in higher implementation costs. It won’t happen overnight, but not following through will have a significant impact on success or failure.
2. Develop a working group with staff across the organization.
Cast your net wide at the start. Invite all potentially relevant players to the conversation and let them decide if they should be involved. As participants gradually opt out of the process, you’ll be left with a core of active, key players who have a solid investment in the outcome.
3. Address both cyber and kinetic threats and vulnerabilities in a joint manner through comprehensive risk assessment.
Looking at security only from either the IT or physical security perspective creates a dramatic hole in the most seemingly robust security infrastructure. Be sure to unify your risk assessment by looking at the full picture. (Learn more: “Embrace the Cyber Security-Physical Security Nexus.”)
4. Validate, through a comprehensive review with internal and external evaluators, that plans are current, complete, and address all hazards, including cyber and physical threats.
Be critical of your work, even if it means exposing vulnerabilities.
Bring in external evaluators to help review plans. Cadmus’ experience with a wide variety of federal, state, local, tribal, and private sector partners allows us to bring a breadth of perspective and first-hand knowledge that is not commonly found in house.
5. Conduct training to educate staff and management on existing plans.
Invest in the design and delivery of customized training programs that can be delivered regularly to staff and management. Off-the-shelf training programs don’t account for the nuances of your organization or your operation. Cadmus’ clients have benefited from curricula specifically tailored to their individual needs and designed to reach their unique audiences, on a regular and recurring basis, using the latest educational delivery tools and methodologies.
6. Conduct and evaluate exercises and drills to assess understanding of newly revised policies, plans, and procedures and identify any gaps in knowledge and areas for improvement.
There is no substitute for exercises when it comes to assessing and improving preparedness for a crisis. Conduct your exercises and drills regularly, rigorously, and without fear of failure – participants should feel more comfortable with a system that identifies weaknesses and continually improves than one that claims perfection year to year. (Learn more: “Exercise Because of Want, Not Because of Need.”)
7. Develop a corrective action plan (CAP) or improvement plan (IP) to address gaps.
Many see a CAP or IP as the end of an exercise. In fact, it should be the beginning of a new planning and exercise cycle.
CAPs and IPs shouldn’t just reside on a shelf – they should be used as drivers to enhance preparedness, assess and mitigate risks, determine budget and staffing strategies, and perform a wide variety of governance tasks.
CAPs and IPs should be practical, thorough, and honest reflections of the organization’s status. Resilient organizations of all sizes and stages make actionable plans to address gaps in their preparedness.
These actions are simple, but they aren’t easy. The first step is to garner support from senior leadership and commit to change. By building or strengthening programs, government agencies and private sector companies can become prepared to maintain operations during future incidents and disasters across all hazards. Furthermore, an enterprise that is organized and optimized to respond to and mitigate the effects of a significant incident or disaster will quickly return to its core business with its brand and reputation intact.