Environmental Response

Texas Quality Assurance and the #QualityMatters podcast

Business Continuity 2: From Risks to Business Continuity | #ECC2023 | Energy Continuity Conference

October 6, 2022 |by Michael Mills | 0 Comments | ECC Artciles | #ECC2023, business continuity

Business continuity is the ability of a business to get back to work after something has disrupted it: hurricane, fire, flood, pandemic, or whatever. Business continuity planning is all the planning you do to prepare for disasters before they happen, so you can get back to work smoothly afterwards.

I said in Part One that business continuity planning is a part of risk management in general. Specifically, business continuity planning means identifying all the risks that could interrupt your business, or some part of it, and then taking action to mitigate those risks or planning contingency actions in case they take place. The basic approach is exactly what I described in Part One , but a few features are unique.

In the first place, you have to start with your Executive Team. This is not a job you can delegate to the Safety Committee. The reason is that every entity inside the organization—every division, every department, every plant, every team—has to be engaged. They have to contribute to defining how to secure their work (because they know it better than anyone else); and they have to know what to do in case disaster strikes. So you start at the top.

When you start to identify business continuity risks, remember that you are looking for anything that can interrupt any aspect of your operations. This means you have to look not only at your direct operations, but at any support functions: billing, payroll, purchasing, and the rest. It also means you have to think about anything that can interrupt your customers or your supply chain. If you were unscathed by a disaster, but your main customers are out of commission and won’t be ordering for another year, you could have a problem. Likewise with your supply chain.

When you identify a risk, you cannot assign it to just one Owner. This is one of the big differences between business continuity planning and other kinds of risk management. If disaster strikes—hurricane, fire, flood, earthquake, or whatever it is—it’s probably going to strike everybody. So you can’t assign the whole problem to Fred or Max and ask him to figure out a solution for the entire company. Instead of that, each member of the Executive Team goes back to his people (or hers, of course) to determine how they have to secure their parts of the business. Depending on the size of your organization, some of them might have to go back to their people as well, to work out the details. Do whatever you have to do, but come back to the rest of the Executive Team with a plan for your area.

Then the Executive Team as a whole reviews the plans to make sure they are consistent. You can’t respond to a disaster by pulling in different directions: so while every team has to figure out what they specifically need, the plans still have to mesh together. As just a single example, if you are going to tell the office folks to work from home they should all be using the same communication platform to keep connected. If your team is the odd one out, you might have to change your plan a little to align with the rest of the company. Make sure you engage all the people you engaged before, so that everyone understands what’s changed.

Finally, when all the details have been worked out, document your plans in the simplest format possible, and store them somewhere that’s easy to find in an emergency. Remind people periodically where to look. (If you do regular fire or emergency drills, you might be able to incorporate pulling a copy of the emergency plan.) And mark a day on the Executive Team’s calendar—six months out, or maybe twelve—to do the exercise again.

**************

Michael Mills has spent over 25 years managing quality and documentation systems for large companies and small ones. Now he does internal audits and consults on Quality projects, while regularly posting online. He publishes every week at the Pragmatic Quality Blog (pragmatic-quality.blogspot.com), and writes the Management Light column for the Organizational Excellence Specialists Group on LinkedIn. You can find him on LinkedIn at Michael Mills | LinkedIn.

**************

Texas Quality Assurance and the #QualityMatters podcast

Business Continuity 1: Basic Risk Handling | #ECC2023 | Energy Continuity Conference

October 6, 2022 |by Michael Mills | 0 Comments | ECC Artciles | #ECC2023, Basic risk handling

Business continuity 1: Basic risk handling

Business continuity is the ability of a business to get back to work after something has disrupted it: hurricane, fire, flood, pandemic, or whatever. Business continuity planning is all the planning you do to prepare for disasters before they happen, so you can get back to work smoothly afterwards.

It’s a big topic. In a sense it’s a part of risk management in general, though saying that doesn’t narrow it down much. But let me start there.

You probably already have a risk handling system in your organization, so what I say here will all look pretty elementary. Still, I’ll review it briefly.

Think of the Safety Committee in a grocery store. They brainstorm all the ways somebody could get hurt, and then define measures to keep it from happening. If someone breaks a jar of spaghetti sauce in Aisle 3, put up a “Wet Floor” marker and mop it up. Don’t put heavy things on high shelves. And so on.

Sometimes they might think of a risk that’s not very likely: What if a customer brings his dog and the dog bites somebody? Well, OK. It’s true you want to know what risks you face, and (for example) the ISO management system standards all require some level of risk identification. (ISO 9001, ISO 14001, and ISO 45001 all put this requirement in section 6.1.1.) But you can’t prevent everything, so you need to rank your list in order of importance. Then you plan for the ones that really matter, and let the rest go. But what ranking do you choose? Generally there are at least two questions to consider:

How likely is this risk?
And how bad will the impact be if it happens?

Anything that scores high on both questions goes to the top of the list. After that, it’s not so obvious. But here’s one simple approach you can take. Please note two things:

You can use this approach for any kind of risks. Just now I was talking about safety risks. But your marketing team can do the very same thing with competitive risks. Your engineers can use this approach (or a more sophisticated version of it) as an FMEA (Failure Mode and Effects Analysis) to think through product or operational failures. Your shipping department can do this to evaluate different logistical methods. It is a very general and very powerful tool.
There are a lot of ways to make this approach more sophisticated, depending on the needs of your organization. What I describe here is the simplest possible version.

Step one: Score all of your risks according to how likely they are, using just three values: High, Medium, Low.

Step two: Now score all of your risks according to their impact—how bad things would be if they happened—using the same three values: High, Medium, Low.

Step three: Use these two scores to calculate a priority for each risk, using the following formula:

Priority = Likelihood x Impact

	High	Medium	Low
High	High	High	Medium
Medium	High	Medium	Low
Low	Medium	Low	Low

On this scale, for example, “getting bitten by a customer’s dog” would probably rank Low for likelihood but potentially High for impact, for a composite priority of Medium.

Now that you have assigned a priority to every risk on your list, what next? The next step should be to address the important ones.

What does it mean to “address” a risk?
- If possible, prevent it.
- If you can’t prevent it, take steps now to mitigate the impact when it happens.
- Also, consider how you will respond when it does happen: those are your contingency actions.
- To make sure this gets done, assign the risk to an Owner, and assign a deadline by when the actions have to be in place. Then be sure to follow up that they really are.

Which ones are “important”? It depends on what you are doing. At the very least, you should address all the risks with priority = High. But you don’t have to stop there. Maybe you want to address the Medium ones as well, or some of them. Maybe there are steps you can take for a few of the Low risks too, though typically you should think about them last. You have to decide what works for you. But addressing all the risks rated High is pretty much a minimum.

What happens to the risks that you choose not to address? If the store’s Safety Committee updates their list of risks to include “getting bitten by a customer’s dog” and then calculates its priority as only Medium, they might not plan any action for it. So why put it on the list?

The point is that the priority ratings aren’t static. From time to time—at least once a year, if not more often—you’ll review your list to see if things have changed.

As you take mitigation steps, for example, the impact of some risks will drop and so their priorities will change.
The impact of others might rise, depending on changes in the outside world. Back in 2019, most American companies who did business continuity planning probably rated “global pandemic” at a very low likelihood; by mid-2020, it had become a fact of life.
While you are at it, check whether your contingency plans are still correct and current. Is that still the best way to handle this risk, if it comes about? Are the responsibilities all assigned to the right people, or do you have some tasks assigned to a guy that retired last month? And check to make sure your supplies are all in stock and up to date.
Assign actions as needed, and follow up to ensure the actions are closed on time.

So even if a risk falls below your threshold and you decide not to address it right now, keep it on the list. Then the next time you review the list—next quarter, next year, or whenever—you can think about it again. And as long as it stays on the list, you won’t forget.

**************

Michael Mills has spent over 25 years managing quality and documentation systems for large companies and small ones. Now he does internal audits and consults on Quality projects, while regularly posting online. He publishes every week at the Pragmatic Quality Blog (pragmatic-quality.blogspot.com), and writes the Management Light column for the Organizational Excellence Specialists Group on LinkedIn. You can find him on LinkedIn at Michael Mills | LinkedIn.

**************

Texas Quality Assurance and the #QualityMatters podcast

Environmental Response | #ECC2023 | Energy Continuity Conference

September 12, 2022 |by Kyle Chambers | 0 Comments | ECC Artciles | #ECC2023, contamination, environmental response, epa, OGGN, tceq

Environmental Response

Environmental Response is the process of addressing contamination of natural and human environments caused by various types of waste. EPA-established guidelines require companies to report hazardous substances and oil releases, and state and local governments may have additional requirements. The problem lies in the fact that response to such issues is often times complicate and difficult to navigate. This is where pre-planning for know risks is vital. What need reported if, how will we take immediate action when and who in the local environment needs to be notified. Not that we expect these failures to occur, but when they do be prepared far in advance.

Texas Quality Assurance and the #QualityMatters podcast

Workplace Safety | #ECC2023 | Energy Continuity Conference

September 12, 2022 |by Kyle Chambers | 0 Comments | ECC Artciles | #ECC2023, business continuity, disaster recovery, employee communication and participation, tool box talks, Workplace Safety

Workplace Safety

Take a few moments and think about the health and safety programs at your workplace? Then think about the results of these programs. What are the first few words that come to mind? In an ideal world, words like: secure, protected, prepared and confident come to mind. But if you’re like so many people in the industry, words such as: unsure, nervous, and unprepared, and maybe good enough might come to mind.

When it comes to workplace safety, employee communication and participation is critical and cannot be overstated. This goes beyond, but definitely includes, a well developed and executed occupational health and safety training program and regular tool box talks. Engagement with the team, understanding their perception of events and policies is more valuable than best safety assessment.

Workplace safety has business continuity & disaster recovery ramifications, not to mention the impact on human resources when incidents occur and the ultimate result on job security and productivity. A well-functioning Workplace Safety program may be your best defense against business continuity disasters. We’ve seen the role health and safety can play in preventing incidents from occurring and how it can not only protect the lives of your workforce during an incident but ensure workforce stability. Engage your people early and often and build systems based on a culture of safety and accountability.

Texas Quality Assurance and the #QualityMatters podcast

Cyber Security | #ECC2023 | Energy Continuity Conference

September 12, 2022 |by Kyle Chambers | 0 Comments | ECC Artciles | #ECC2023, #QualityMatters, Cyber Security, Information Technology

Cyber Security

Developing an effective cyber security posture requires solid management techniques, often a robust budget, staffing, and ongoing monitoring. Cybersecurity tools and training raise employee awareness of security threats and the need for defense in depth strategies. Careful vendor vetting is another important element of a successful cybersecurity program. The most effective cybersecurity strategies invest in people, processes, and technology to prevent cyber threats. A lack of these elements can lead to an increase in costs, complexity, and staff frustration.

Malicious actors spend days hacking software and looking for vulnerabilities in systems. Cyber Security and Information Technology teams should look at the entire architecture of the computing system and identify the risks and sensitivity of data. The activities are typically concluded with a report on potential vulnerabilities. While the forensics teams are critical in protecting data, it is not enough to install a product that will protect against malware.

Encryption blackmail attacks, also known as ransomware, are a serious threat. Hackers penetrate internal networks via a worm virus and encrypt data using a password only they know. Once they have encrypted the data, the hackers contact the organization, demanding a bribe to decrypt it. Cybercriminals are now the most common form of cyberattacks, and the amount of money spent on cybersecurity is increasing at a rapid pace.

Texas Quality Assurance and the #QualityMatters podcast

Workplace Violence – Active Shooter | #ECC2023 | Energy Continuity Conference

September 12, 2022 |by Kyle Chambers | 0 Comments | ECC Artciles | #ECC2023, #QualityMatters, Active Shooter, Going Postal, OGGN, Workplace Violence

Workplace Violence – Active Shooter

What is really going on with workplace violence and God forbid active shooter scenarios? There are no shortage of ideas and theories, but there are some simple facts that are not disputed. Workplace violence has its origins in the hearts and mind of people, people like you I. Workplace violence is more common when the culture promotes hostility, or strongly suppresses it under the pressure that has built for years, hence the term “going postal”. Winning the hearts and minds of our people, being aware of stress and pressure under the surface, and ready to respond when something or someone slips through the cracks is the key to preventing workplace violence and active shooter scenarios.

The first steps include employee screen and background checks, but we all know that these are not full proof, there must be a first incident for anyone. The same skills and tools we use for workforce stability will be critical here. Ensure as managers, owners, and operators you truly get to know your team members. Ensure they are comfortable sharing troubles and concerns that are hampering their ability to person, and ensure you are investing back into their training and development.

Development of a workplace violence response plan is going to be vital. The plan should highlight what you can do to stabilize the situation, communicate with employees, and transition into recovery mode. You may consider investing in armed security and/or select team members to deter someone who otherwise would seek to do harm. No doubt solutions such as these prevent their own risk, and they must be reviewed and proper continency plans and efforts developed to maximize the benefit. Programs are also available to provide support and assistance for employees struggling with mental health and struggles at home.

At the end of the day the key is going to be to winning the hearts and minds of your employees by building trust and security and being prepared for the worst.

Texas Quality Assurance and the #QualityMatters podcast

Workforce Instability | #ECC2023 | Energy Continuity Conference

September 12, 2022 |by Kyle Chambers | 0 Comments | ECC Artciles | #ECC2023, COVID-19, OGGN, Workforce Instability

Workforce Instability

Workforce Instability has changed dramatically since the COVID-19 pandemic and the following Great Resignation showed us all how critical an issue workforce instability is. One of the most critical aspects of improving workforce stability is increasing employee productivity, morale, and retention. All these elements contribute to employee/worker satisfaction and our ability to build and grow the teams and culture necessary to stay competitive in such turbulent times as these. Consequently, workplace stability can help employers improve the personal stability of their employees, creating a positive feedback loop.

In addition, a business can avoid workforce instability by promoting employees from within. By doing so, it can improve brand value, increase morale, and improve productivity and profitability. For example, if you have a low-wage employee, you might want to consider a temporary employee instead of hiring a permanent employee. Employee retention can be a difficult process, but it can help improve business results. Keeping employees happy and productive is critical to the long-term success of a company.

Our team members, both current and future, are looking to find more value and meaning in their work as well to be better valued and understood. The soft skills of management have truly never been more important, valuable, and beneficial than they are today. Sad but true, college education and on the job training does a poor job of teaching these skills. New ideas, new methods, new training programs like the API Skills are going to be vital for building and training the workforce of tomorrow.

Texas Quality Assurance and the #QualityMatters podcast

Natural Disasters | #ECC2023 | Energy Continuity Conference

September 12, 2022 |by Kyle Chambers | 0 Comments | ECC Artciles | #ECC2023, #QualityMatters, contingency plan, flood, freeze, hurricanes, natural disaster, to tornados, wildfires

Natural Disasters & Contingency Plans

From hurricanes, to tornados, wildfires, freezes and floods, mother nature is going to battle against you and your business. The proper precautions and contingency plans can save lives and property. A good plan also makes it easier to get things up and running in the aftermath.

Drawing up a disaster contingency plan can seem overwhelming. Looking at the recent nightmare of Texas wildfires or the damage caused by Hurricane Harvey and the freeze of 2021, it may feel pointless to think about contingency planning. You may be thinking, “What can I do to stop mother nature herself?” but steps can and should be taken to prepare.

First, pinpoint what sort of disasters you are most likely to deal with, you know your business better than anyone else. Identify the risks and list them out. For instance, in a flood zone, elevating your property above normal flood levels can protect your premises from disaster.

Pre-planned methods of communication are vital for holding things together. Have contact information for everyone: employees, managers, customers, and family, even their members. Make plans for what to do if the Internet or phone service is out. Keep in mind how vulnerable paper and critical electronics are, and make sure to have plans in place for when you return to the office.

Preserving your people and assets makes it possible to reopen your doors quickly. Make plans for resuming business activity too. Can you arrange to set up at another site, work remote or from a cloud server? Is there a way to get inventory shipped in to an alternate location? It’s much easier to work this out in advance than when the catastrophe happens.

Texas Quality Assurance and the #QualityMatters podcast

Turnaround Manager | #ECC2023 | Energy Continuity Conference

September 12, 2022 |by Kyle Chambers | 0 Comments | ECC Artciles | #ECC2023, #QualityMatters, Energy Continuity Conference, Manpower shortage, OGGN, Turnaround Manager, turnaround process

Turnaround Manager

Managing a turnaround process is not always easy, but its possible. There are many different skills involved in this process and the success of the turnaround process depends on the people and management working on it. If you are the person who oversees the execution of the turnaround process, then there are some things you should know, especially when the project does not go as planned.

Human resources and workplace instability can be the Achilles heel of the project. Cost is considered the biggest right, but the costing process of a turnaround can be modeled using a bell curve and other commonly available tools and techniques. Initially, specialty skills are brought up slowly as units or vessels are opened and shut down. Towards the end of the turnaround process, the specialty skills start to diminish. Managers should review staffing levels frequently against schedule requirements and demobilize excess manpower to control costs. Manpower shortage, and shortage of properly skilled and trained manpower can run the project off course quickly. As a rule, turnaround managers should have a contingency budget that is 10% higher than the budgeted amount.

A critical component of turnaround management is the ability to communicate well and manage the scope. In fact, there are several common challenges that arise when managing a turnaround. The most difficult problem to overcome is the lack of dialogue between management and field supervisors. Senior management might allow major jobs to be added late. This presents an unacceptable risk to the project. Identifying problems and resolving them as early as possible is vital to the success of a turnaround.

Texas Quality Assurance and the #QualityMatters podcast