Business Planning

Business PlanningBusinesses can do much to prepare for the impact of the many hazards they face in today’s world including natural hazards like floods, hurricanes, tornadoes, earthquakes and widespread serious illness such as the H1N1 flu virus pandemic. Human-caused hazards include accidents, acts of violence by people and acts of terrorism. Examples of technology-related hazards are the failure or malfunction of systems, equipment or software.

The information below will help in developing a preparedness program by providing tools to create a plan that addresses the impact of many hazards. This website and its tools utilize an “all hazards approach” and follows the program elements within National Fire Protection Association 1600, Standard on Disaster/Emergency Management and Business Continuity Programs. NFPA 1600 is an American National Standard and has been adopted by the U.S. Department of Homeland Security.

The five steps in developing a preparedness program are: program management, planning, implementation, testing and exercises, and program implementation. Each of which are explained in detail below. 

Program Management

The preparedness program is built on a foundation of management leadership, commitment and financial support. Without management commitment and financial support, it will be difficult to build the program, maintain resources and keep the program up-to-date.

It is important to invest in a preparedness program. The following are good reasons:

  • Up to 40% of businesses affected by a natural or human-caused disaster never reopen. (Source: Insurance Information Institute)
  • Customers expect delivery of products or services on time. If there is a significant delay, customers may go to a competitor.
  • Larger businesses are asking their suppliers about preparedness. They want to be sure that their supply chain is not interrupted. Failure to implement a preparedness program risks losing business to competitors who can demonstrate they have a plan.
  • Insurance is only a partial solution. It does not cover all losses and it will not replace customers.
  • Many disasters — natural or human-caused — may overwhelm the resources of even the largest public agencies. Or they may not be able to reach every facility in time.
  • News travels fast and perceptions often differ from reality. Businesses need to reach out to customers and other stakeholders quickly.
  • An Ad Council survey reported that nearly two-thirds (62%) of respondents said they do not have an emergency plan in place for their business.
  • According to the Small Business Administration, small businesses:
    • Represent 99.7% of all employer firms
    • Employ about half of all private sector employees
    • Have generated 65% of net new jobs over the past 17 years
    • Made up 97.5% of all identified exporters.

How much should be invested in a preparedness program depends upon many factors. Regulations establish minimum requirements and beyond these minimums each business needs to determine how much risk it can tolerate. Many risks cannot be insured, so a preparedness program may be the only means of managing those risks. Some risks can be reduced by investing in loss prevention programs, protection systems and equipment. An understanding of the likelihood and severity of risk and the costs to reduce risk is needed to make decisions.

Preparedness Policy

A preparedness policy that is consistent with the mission and vision of the business should be written and disseminated by management. The policy should define roles and responsibilities. It should authorize selected employees to develop the program and keep it current. The policy should also define the goals and objectives of the program. Typical goals of the preparedness program include:

  • Protect the safety of employees, visitors, contractors and others at risk from hazards at the facility. Plan for persons with disabilities and functional needs.
  • Maintain customer service by minimizing interruptions or disruptions of business operations
  • Protect facilities, physical assets and electronic information
  • Prevent environmental contamination
  • Protect the organization’s brand, image and reputation

Program Committee and Program Coordinator

A program coordinator should be assigned by management to lead the development of the preparedness program and will be responsible for achieving the goals and objectives that have been established by management. The role of the program coordinator should be communicated throughout the business. The program coordinator leads a program committee that will provide input into the preparedness program. It will also assist with the development, implementation, evaluation and maintenance of the program. The Committee should include employees with knowledge of all aspects of the business.

These functional areas may include:

  • Management
  • Legal
  • Human Resources
  • Public Relations
  • Insurance and Risk Management
  • Environmental Health and Safety (EHS)
  • Finance
  • Labor Relations
  • Operations
  • Facilities or Property Management
  • Engineering
  • Security
  • Medical
  • Information Technology
  • Purchasing, Supply Chain and Distribution
  • Quality Control
  • Employees

External participants can also provide valuable input. Opening lines of communication and developing relationships with public emergency services, contractors and vendors now will prove beneficial in emergencies. Consider reaching out to the following:

  • Law Enforcement
  • Fire Department (including rescue service)
  • Emergency Medical Services
  • Hazardous Materials Contractor
  • Local Emergency Planning Committee (LEPC)
  • Emergency Management Agency
  • Public Health
  • Public Works
  • Contractors
  • Vendors
  • Customers

Program Administration

The preparedness program should be reviewed periodically to ensure it meets the current needs of the business. Keep records on file for easy access. Lastly, where applicable, make note of any laws, regulations and other requirements that may have changed.

The program coordinator is accountable to management for achieving program goals. Effective program administration is necessary to coordinate activities, review the program and initiate action to improve the program. The program coordinator is responsible for ensuring that the following are addressed in the program.

  • Preparedness policy
  • Goals and objectives
  • Program scope
  • Regulations
  • Priorities
  • Budget
  • Schedule
  • Resources
  • Program evaluation
  • Records management

Program Scope

The scope of the program is determined by multiple factors including type of business, complexity of business operations and information gathered from the risk assessment and business impact analysis. Regulations determine minimum requirements for the program. A business with complex business processes and significant exposure to possible injuries, loss of life, environmental pollution and business disruption would require much more planning than a business with one facility and one product line or service.


A program budget should be established to create the preparedness plan, provide funds to conduct exercises and tests and conduct periodic reviews and make improvements to the plan as necessary. Funding for preparedness planning improvements and maintenance should be part of the annual budget process.

Program Development Schedule

Make a program development schedule that includes major tasks, assignments and due dates. Organize the program into manageable phases prioritized to achieve goals and objectives. Identify milestones to mark completion of phases of the program. The program coordinator should use the schedule to track the completion of activities and tasks and to identify any slippage in the schedule.

Finance and Administrative Procedures

In addition to a budget, procedures should be established for procuring resources before, during and following an incident. A quick process to authorize funds to procure resources will reduce delays. Procedures that account for labor, materials and other costs associated with a hazard should be established before an incident. Risk management or insurance procedures for notification of insurance agents, brokers or underwriters should be included. Procedures for filing property damage, workers’ compensation and liability claims should be referenced in the plan.

Program Reviews

As the program is developed, keep in mind the need for periodic reviews. Use the performance objectives to evaluate whether goals and objectives are being achieved. Identify personnel who can assist with reviews and develop checklists and procedures to conduct periodic reviews.

Records Management

Copies of all editions of plan documents should be kept in accordance with the organization’s records management program. Records of committee meetings, training, exercises, evaluations and corrective action should be maintained. Research recordkeeping requirements within applicable regulations to identify additional records to be maintained. This may include records of inspections, testing and maintenance of fire protection, life safety, communications and other systems and equipment.

[/accordion][accordion title=”Laws and Authorities”]Federal, state and local laws and regulations define minimum requirements for emergency management and business continuity.

Requirements may apply to industries that are part of our nation’s “critical infrastructure.” These industries range from financial services to energy. Regulations may require emergency planning, business continuity plans, information technology disaster recovery plans, cyber/information security, physical and operational security and other issues. 

Other industries must comply with regulations because of their use of hazardous chemicals or their hazardous operations.

Most buildings must be built in accordance with building, life safety and fire codes. These codes specify requirements for building construction, occupant warning systems, exits and protection systems designed to get people safely out of a building during an emergency. Some buildings may require higher levels of protection because of their size, height (e.g., high-rise buildings) or the number of occupants they house (e.g., public assembly facilities such as theaters).

Facilities that manufacture, treat, store or dispose of highly hazardous chemicals must comply with environmental regulations. Chemical facilities that pose a pollution threat to water resources also must comply with environmental regulations.

Regulations may differ by jurisdiction (city, town, county, parish or state). If you are developing a program for multiple facilities located in different jurisdictions, you need to identify applicable regulations by facility location.

Role of the Program Coordinator and Program Committee

The program coordinator working with the program committee and external representatives should determine which regulations are applicable. Confer with environmental, health, safety and security professionals within the business. Determine which regulations apply and then identify the requirements that need to be incorporated into the preparedness program. Regulations may apply to hazard prevention, risk mitigation, emergency response and business continuity.

Employee Safety & Health

Occupational safety and health standards by OSHA (U.S. Occupational Safety and Health Administration or state OSHA) specify measures to be taken to protect employees in the workplace. Emergency action plans are one of the OSHA standards that apply to many employers of 10 or more employees. Other regulations pertain to means of egress (exits), medical services, hazardous waste, confined spaces, fire protection, firefighting and more. OSHA’s Evacuation Plans and Procedures eTool is a great resource to determine if your business needs an emergency action plan. OSHA Publication 3122 provides guidance on emergency response requirements in OSHA regulations. OSHA also provides links to approved State Occupational Safety and Health Plans.

Environmental Laws and Regulations

Businesses that manufacture, treat, store or dispose of hazardous chemicals that exceed threshold quantities may have to comply with multiple environmental regulations. Facilities that store large quantities of hazardous materials also may have to comply with environmental or hazardous materials regulations. These plans include hazardous materials management plans (required by fire codes), spill prevention control and countermeasures plan and hazardous waste plans.

Check with your Local Emergency Planning Committee (LEPC) to obtain information. The U.S. Environmental Protection Agency provides links to U.S. laws and regulations pertaining to environmental emergency management, compliance assistance by manufacturing sector and links to state and territorial environment agencies.

Life Safety and Fire Codes

Life Safety codes are designed to ensure that occupants of a building can be safely evacuated or protected in place if there is a fire or other emergency within a building. NFPA 101, Life Safety Code is published by the National Fire Protection Association. Life safety requirements may also be specified in building codes. Check with your local building department, fire department or state fire marshal.

Fire prevention codes specify requirements for fire safety. There are two model fire prevention codes within the United States—NFPA 1, Fire Code and the International Fire Code. Some states and cities also publish their own codes or amend the model codes. Check with your local fire department or fire marshal to determine which code is enforceable in your community.

Business Continuity and Information Technology

Recognizing the need to protect the confidentiality of electronic information and to ensure the stability of our financial system, the financial services and health care industries should carefully research regulations pertaining to business continuity and information technology disaster recovery planning. Businesses that store customer contact and financial information such as credit card data may have to comply with information security regulations. Check with your industry trade group or state office of economic development for regulations in your state.

Standards and Best Practices

There are many non-mandatory standards and practices for emergency management and business continuity. These standards and practices provide guidance on the subjects of fire brigades, rescue, hazardous materials response, pre-incident planning and security services in fire loss prevention.

The Professional Practices for Business Continuity Planners published by DRI International (a non-profit education and certification body) is a comprehensive guide to developing business continuity plans.


The planning process should take an “all hazards” approach. There are many different threats or hazards. The probability that a specific hazard will impact your business is hard to determine. That’s why it’s important to consider many different threats and hazards and the likelihood they will occur.

Strategies for prevention/deterrence and risk mitigation should be developed as part of the planning process. Threats or hazards that are classified as probable and those hazards that could cause injury, property damage, business disruption or environmental impact should be addressed.

In developing an all hazards preparedness plan, potential hazards should be identified, vulnerabilities assessed and potential impacts analyzed. The risk assessment identifies threats or hazards and opportunities for hazard prevention, deterrence, and risk mitigation. It should also identify scenarios to consider for emergency planning. The business impact analysis (BIA) identifies time sensitive or critical processes and the financial and operational impacts resulting from disruption of those business processes. The BIA also gathers information about resources requirements to support the time sensitive or critical business processes.

This information is useful in making informed decisions regarding investments to offset risks and avoid business disruptions.


Implementation of the preparedness program includes identifying and assessing resources, writing plans, developing a system to manage incidents and training employees so they can execute plans.

  • Resource Management: Resources needed for responding to emergencies, continuing business operations and communicating during and after an incident should be identified and assessed.
  • Emergency Response Plan: Plans to protect people, property and the environment should be developed. Plans should include evacuation, sheltering in place and lockdown as well as plans for other types of threats identified during the risk assessment.
  • Crisis Communications Plan: A plan should be established to communicate with employees, customers, the news media and stakeholders.
  • Business Continuity Plan: A business continuity plan that includes recovery strategies to overcome the disruption of businessshould be developed.
  • Information Technology Plan: A plan to recover computer hardware, connectivity and electronic data to support critical business processes should be developed.
  • Employee Assistance & Support: The business preparedness plan should encourage employees and their families to develop family preparedness plans. Plans should also be developed to support the needs of employees following an incident.
  • Incident Management: An incident management system is needed to define responsibilities and coordinate activities before, during and following an incident.
  • Training: Persons with a defined role in the preparedness program should be trained to do their assigned tasks. All employees should be trained so they can take appropriate protective actions during an emergency.

Testing and Exercises

You should conduct testing and exercises to evaluate the effectiveness of your preparedness program, make sure employees know what to do and find any missing parts. There are many benefits to testing and exercises:

  • Train personnel; clarify roles and responsibilities
  • Reinforce knowledge of procedures, facilities, systems and equipment
  • Improve individual performance as well as organizational coordination and communications
  • Evaluate policies, plans, procedures and the knowledge and skills of team members
  • Reveal weaknesses and resource gaps
  • Comply with local laws, codes and regulations
  • Gain recognition for the emergency management and business continuity program

Testing the Plan

When you hear the word “testing,” you probably think about a pass/fail evaluation. You may find that there are parts of your preparedness program that will not work in practice. Consider a recovery strategy that requires relocating to another facility and configuring equipment at that facility. Can equipment at the alternate facility be configured in time to meet the planned recovery time objective? Can alarm systems be heard and understood throughout the building to warn all employees to take protective action? Can members of emergency response or business continuity teams be alerted to respond in the middle of the night? Testing is necessary to determine whether or not the various parts of the preparedness program will work.


When you think about exercises, physical fitness to improve strength, flexibility and overall health comes to mind. Exercising the preparedness program helps to improve the overall strength of the preparedness program and the ability of team members to perform their roles and to carry out their responsibilities. There are several different types of exercises that can help you to evaluate your program and its capability to protect your employees, facilities, business operations, and the environment.

Program Improvement

There are opportunities for program improvement following an actual incident. A critique should be conducted to assess the response to the incident. Lessons learned from incidents that occur within the community, within the business’ industry or nationally can identify needs for preparedness program changes. Best practices and instructional guidance published by trade associations, professional societies, newsletters and government website can be resources to evaluate and improve your preparedness program.

Gaps and deficiencies identified during reviews should be recorded and addressed through a corrective action program. Reviews, evaluations and improvements should be documented and maintained on file.

The U.S. Department of Homeland Security (DHS) closely monitors attacks on public gatherings and public places to constantly enhance the Nation’s security. During both steady state and times of heightened awareness, DHS engages closely with our private sector and community partners to provide expert counsel and recommendations about protective measures they can implement to protect facilities and venues. DHS provides free tools and resources to communities because the Department recognizes that communities are the first line of defense in keeping the public safe and secure,

The Department encourages businesses to Connect, Plan, Train, and Report. Applying these four steps in advance of an incident or attack can help better prepare businesses and their employees to proactively think about the role they play in the safety and security of their businesses and communities.

To learn more on how to Connect, Plan, Train, and Report, download the Homeland Security’s Tools and Resources to Help Businesses, Plan, Prepare, and Protect from an Attack.