Case study on implementing NFPA 1600: Goodyear Global Business Continuity Program

NFPA Journal®, January/February 2008

By Michael W. Janko, CBCP, ARM

A few years ago, if this statement was made by the media, or Goodyear associates, it would raise concerns for our fellow associates, customers, suppliers, and operations.

The concern would have been valid due to our lack of knowledge regarding the overall preparedness efforts in place, response and recovery experience, and defined responsibilities for a specific incident.

Goodyear’s preparedness efforts must address a global presence including more than 60 manufacturing plants in 26 countries, numerous logistics centers, more than 1,000 retail stores, approximately 70,000 associates and annual sales of $20.3 billion. Its strategic business units include North American Tires, European Union Tire, Eastern Europe, Middle East & Africa Tire, Latin America Tire and Asia Pacific Tire.

This case study looks at the ways Goodyear has prepared its operations to respond in the event of an emergency. Chief among their planning tools is NFPA 1600, Disaster/Emergency Management and Business Continuity Programs.

Since the evolution of Goodyear’s global business continuity process, key domestic and international Goodyear associates and management have been extremely active in implementing effective incident related strategies on a global basis. This includes our Business Continuity Web site, facility pandemic planning, use of business continuity planning tools (software), active participation in table top exercises, and a culture promoting and supporting our "overall strategy for operating under adverse conditions".

Regional Business Continuity teams and leadership’s support helped us to improve our global process as we implement "lessons learned" from human and natural incidents, which have affected their associates and operations.

DRII 10 professional practices
The groundwork for Goodyear’s Business Continuity Process began seven years ago, shortly before the tragic events of September 11, 2001. This process includes a corporate policy and charter for the organization, built on the Disaster Recovery International Institute’s 10 Professional Practices, which have been the industry’s premier educational and certification program for those engaged in the practice of business planning since 1988.

The most important of the 10 Professional Practices, as an organization’s business continuity process is being developed, is senior management’s support and commitment, which is identified in the first practice "Project Initiation and Management". Once management’s support is evident, a DRII-certified individual can set the project organization and management into place per the remaining planning model components.

Goodyear was fortunate to have facility incident response planning, corporate crisis management, crisis communications, and disaster recovery processes in various stages of implementation. The Global Business Continuity Process brought these pieces of the business continuity puzzle together, with additional functional support teams, including Environmental Health & Safety, Legal, Finance, Human Resources, Risk Management, and a multitude of others. Strategic Business Unit’s regional representatives also were identified and this group became known as the Goodyear Business Continuity Tactical Team. This team meets on a monthly basis as part of the education and planning process to be better prepared for planning, responding to and recovering from major incidents.

NFPA 1600 was used as the consensus document, which supplements the DRII 10 Professional Practices as Goodyear’s model. Being an engineer and having previously been a representative on two NFPA technical committees, as Goodyear’s manager of global business continuity, I had an understanding of the importance of the NFPA process and the value of using a consensus document which some day could become a required code or law. By using the guidelines and best practices identified in NFPA 1600 and the DRII model, the entire organization began to have a common focus and common terminology. This helped all tactical team members understand the importance of pre planning internally and with external partners. And, to develop a common focus to respond effectively and put all efforts into a prompt restoration and recovery effort. This effort also helps support a safer work environment and speeds up the recovery and restoration to normal operations.

Origin and development of NFPA 1600 The NFPA Standards Council established the Disaster Management Committee in January 1991 to develop documents relating to preparedness for, response to, and recovery from disasters resulting from natural, human, or technological events.

The first document that the committee focused on was NFPA 1600, Recommended Practice for Disaster Management. NFPA 1600 was presented to the NFPA membership at the 1995 Annual Meeting. That effort produced the 1995 edition of NFPA 1600.

For the 2000 edition, the committee incorporated a "total program approach" for disaster/emergency management and business continuity programs in its revision of the document from a recommended practice to a standard. They provided a standardized basis for disaster/emergency management planning and business continuity programs in private and public sectors by providing common program elements, techniques, and processes. The committee provided expanded provisions for enhanced capabilities for disaster/emergency management and business continuity programs so that the impacts of a disaster would be mitigated, while protecting life and property. The chapters were expanded to include additional material relating to disaster/emergency management and business continuity programs. The Annex material was also expanded to include additional explanatory material.

For the 2004 edition, the committee added a table in Annex A that created a crosswalk among FEMA CAR, NFPA 1600, and BCI & DRII professional
practices. The committee added significant informational resources to Annexes B, C, D, and E.

The document continues to be developed in cooperation and coordination with representatives from FEMA, NEMA, and IAEM. This coordinated effort was reflected in the expansion of the title of the standard for the 2000 edition to include disaster and emergency management, as well as information on business continuity programs.

The 2007 edition incorporates changes to the 2004 edition, expanding the conceptual framework for disaster/emergency management and business continuity programs. Previous editions of the standard focused on the four aspects of mitigation, preparedness, response, and recovery. This edition identifies prevention as a distinct aspect of the program, in addition to the other four. Doing so brings the standard into alignment with related disciplines and practices of risk management, security, and loss prevention.

Goodyear’s response
Goodyear has responded favorably to numerous incidents, as defined in NFPA 1600. They include those that are naturally occurring, human-caused (accidental and intentional), and technological caused events. These incidents have occurred across all strategic business units. They include natural incidents (hurricanes, earthquakes, volcanoes, tsunamis, flooding, etc.), work stoppages, power outages, political challenges, fires, etc.

"Lessons learned" from these incidents are developed, shared with all other strategic business units and are a tool for plan improvement. We look at every major incident as an opportunity to improve planning on a global basis.

Goodyear’s pandemic planning efforts were recognized in 2006 as a "private sector best practice" and posted on the State of Ohio’s Web site (http://ohiopandemicflu.gov/ ). A global pandemic planning effort was spearheaded by the business continuity team including development of regional plans, facility teams and planning on a local basis. "Table Top" training was conducted over the course of the year with more than 60 locations and over 400 key leaders participating. They represented locations in Asia Pacific, Latin America, European Regions and the US. In addition, there was a Table Top exercise in the Akron, Ohio, headquarters, which also included the local County Emergency Management Agency, state, and multiple county health department representatives, other local Fortune 500 companies and representatives of local emergency services, schools, hospitals and other external partners.

There also is a team of senior executives who comprise the Goodyear Business Continuity Steering Committee. They include cross-functional leadership who help champion the process and meet on a quarterly basis.

Goodyear’s business continuity vendor management program includes reaching out to critical partners, suppliers and customers—attempting to include business continuity planning as part of their normal course of business, ensuring their long term viability as well. They also are encouraged to follow the standards and guidance provided in NFPA 1600 and the DRII Business Continuity Process. All global raw material managers have plans underway to implement business continuity vendor management processes.

The implementation of business continuity planning is providing many benefits to Goodyear. Critical processes and documents may not have been identified across all business units, but are now part of a consistent process, implemented globally, with a single repository for all records. Key employees are identified, better prepared, and trained to respond to a variety of incidents. Best practices are documented and shared in a consistent, seamless direction for all programs. Supplier contact lists are maintained and preparedness audits are conducted. The process has changed from "reactive" to being more effective in pre-planning, response, restoration, and recovery.

As Goodyear was developing their Global Business Continuity Process, the National Commission on Terrorist Attacks Upon the United States (also known as the 9/11 Commission) was set up on November 27, 2002 "to prepare a full and complete account of the circumstances surrounding the September 11, 2001 attacks". The Commission was created by Congressional legislation, with the bill signed into law by President Bush. The Commission closed on August 21, 2004, after publication of its final report of July 22, 2004. The Commission interviewed over 1,200 people in 10 countries and reviewed more than two million pages of documents, some of which were closely – guarded classified national security documents.

There are specific references made in the 9/11 Commission report regarding 85 percent of the nation’s critical infrastructure being controlled by the private sector and a unified response adopting the formal Incident Command System (ICS) being recommended. The report includes Homeland Security and national preparedness beginning with the private sector. Preparedness efforts recommended include a plan for evacuation, adequate communication capabilities, and a plan for continuity of operations. The American National Standards Institute (ANSI) was asked by the Commission to develop a consensus on a "National Standard for Preparedness" for the private sector. ANSI responded by convening safety, security, and business continuity experts from a variety of industries and associations, as well as from federal, state, and local government stakeholders. They recommended that the Commission endorse NFPA 1600 as a common set of criteria and terminology for preparedness, disaster management, emergency management and business continuity programs.

In addition, the Commission stated that they "encourage the insurance and credit rating industries to look closely at a company’s compliance with the ANSI standard in assessing its insurability and credit worthiness". In addition, "We believe that compliance with the standard should define the standard of care owed by a company to its employees and the public for legal purposes. Private sector preparedness is not a luxury; it is a cost of doing business in the post 9/11 world. It is ignored at a tremendous potential cost in lives, money, and national security".

Goodyear’s sharing of effective business continuity practices with external partners led to the opportunity to provide comments and support for the voluntary standard, which became known as Title IX, Private Sector Preparedness. During the first quarter of 2007, we had the opportunity to provide comments to the team developing S.4., the "Improving America’s Security Act of 2007".

The Senate Committee on Homeland Security and Governmental Affairs focus was on a bill addressing a host of issues from homeland security grants, information sharing and terrorist travel to private sector preparedness, infrastructure protection, and weapons of mass destruction. Our comments and support for legislation referenced our business continuity process, which is built on the foundation of DRII professional practices and NFPA 1600, as referenced above.

S.4. was ultimately passed in the House on a 371 to 40 vote and 85 – 8 in the Senate. President Bush signed the legislation on August 3, 2007. Title IX – Private Sector Preparedness references a voluntary private sector preparedness accreditation and certification program is to be developed within 210 days of the date of enactment of the implementation of the bill. The program must address a variety of topics, including a formal structure for certification, standards to be followed and method of sharing information. This program should be developed by interacting with appropriate organizations and private sector advisory councils who can contribute and make this process most effective. Included in this 210-day window is a requirement for the Secretary to submit to Senate and House of Representatives the "Report to Congress"; a report with a summary of recommendations on implementing the process. Included we expect the following:

• Consultation with the private sector;
• Development of guidance and recommendations;
• Identification of best practices;
• Use of voluntary consensus standards;
• Certification process for those who seek it voluntarily under the program;
• Management and implementation of accreditation and certification;
• Demonstrate ability to certify private sector entities and
• Provide business justification for preparedness and adoption of voluntary preparedness standards.

There are various organizations making recommendations on voluntary certification and how it may affect private industries. Goodyear’s approach follows a common focus, extensive training and active leadership on the following items prior to, during and after applicable incidents:

• Goodyear associates, customers, suppliers and shareholders;
• Facilities, neighbors and surroundings;
• Product supply and raw materials; and
• Supply chain and continuity of operations.

Goodyear’s level of success is based upon following the present voluntary consensus document NFPA 1600 and the steps outlined in the DRII Professional Practices. Goodyear has expanded the focus of the DRII10 Professional Practices into what we call "Business Continuity Excellence" —Maximizing Goodyear’s Ability to Service Our Customers and Optimize Operations While Operating under Adverse Conditions. Each of the DRII 10 Professional Practices have been subdivided into 5 levels and each strategic business unit has conducted a self assessment and is working toward reaching a higher level of excellence as indicated in levels 1 through 5.

As new concepts are developed, such as Enterprise Risk Management, we conduct a gap analysis to determine whether they are addressed in our business continuity process and where improvements and changes are warranted.

We expanded the recent focus of September 2007 as National Preparedness Month, to Goodyear’s Global Preparedness Month. All regions were asked to ramp up their efforts by joining us in an aggressive communications campaign of incident preparedness which is structured to support our associates, facilities and operations.

"A major natural disaster has just been reported!"

Today, this statement indicates local Goodyear teams are engaged in an effective response and will be quickly providing updates. Resources (regional and global) are preparing to assist in many ways. Accurate communications strategies are underway. We will put every effort into meeting the needs of our customers and most importantly, steps are being taken to ensure the safety of our associates and the long term viability of the business.

To that end, Goodyear will continue to manage our strategies to our forward plan. Goodyear will continue to participate with external partners to continually improve our business continuity process. We will focus on Business Continuity Excellence to coordinate global, regional and facility process improvements. There is a continued focus on preparation, preparation and preparation (our process, key team members and the entire organization).

At Goodyear, we believe voluntary preparedness standards may be voluntary, but for those organizations using and supporting them—they are seen as a valuable part of doing business…supporting associates… customers and partners, and part of their overall strategy for operating under adverse conditions.