A new continuity framework
Understanding FEMA’s latest federal continuity directive ?
Introduction
In December 2023, the Federal Emergency Management Agency (FEMA) issued the first in a series of new Federal Continuity Directives (FCDs), which represent the backbone of the continuity framework across the US government and the whole community. This FCD, titled Continuity Planning Framework for the Federal Executive Branch (FCD: Framework), outlines a new approach to implementing National Continuity Policy and is the first FCD published since 2018. This new directive builds on the 2020 Federal Mission Resilience Strategy (FMRS), which represented a strategic shift toward holistic risk-informed decisions for ensuring continuous performance of essential functions.
This paper provides an overview of the new FCD and is directed to the whole community, with a particular focus on federal departments and agencies. Leadership and continuity personnel—such as continuity coordinators and continuity program managers—can consider the insights from this paper to communicate new requirements for continuity programs to gain broader support ahead of the follow-on FCD updates in the pursuit of enhancing their organizations’ resilience.
The new FCD establishes a new Continuity Planning Framework, comprised of four planning factors: Staff and Organization, Equipment and Systems, Information and Data, and Sites; these are described in detail below. It intends to position organizations[1] to leverage their continuity strategies against a full spectrum of threats, in support of the broader goal of mission resilience. The new FCD also calls for increased leadership and mission owner engagement and accountability to empower personnel at all levels to collectively provide for essential-function resilience. Finally, FCD: Framework lays the foundation for a revamped approach to managing continuity programs and a new approach to risk management that reinforces the continuity of the US government.
A new continuity planning framework
The four factors are designed to help organizations identify and address the risks to their essential functions. FCD: Framework maintains that people must perform activities to execute functions, equipment and systems facilitate their performance, information and data are needed to inform decisions, and that these factors must be located at both centralized and distributed sites. This new typology demonstrates that FEMA is prioritizing the need to make the concept of continuity of operations more approachable so that continuity programs can better align and integrate leaders and staff into preparedness, response, and recovery activities. Doing so allows each organization, and the government collectively, to better mitigate the impact of threats and hazards and perform essential functions without delay.
Some key considerations in the new planning framework
Organizations can implement the Continuity Planning Framework into their day-to-day operations through a few considerations outlined below.? Although organizations can expect further guidance in follow-on FCDs that will address program management and essential function identification and management, FCD: Framework offers insights to pre-position continuity programs. Given the new direction presented in the FCD, organizations planning to implement the new continuity planning framework should begin coordinating and collaborating with those who play a role in executing their continuity strategies. Doing so can foster deeper integration of continuity concepts with day-to-day activities, and it can enhance the collective goal of a more resilient nation.
“Federal Mission Resilience is the ability of the Federal Executive Branch to continuously maintain the capability and the capacity to perform essential functions and services, without time delay, regardless of threats or conditions, and with the understanding that adequate warning of a threat may not be available. Federal Mission Resilience will be realized when preparedness programs, including continuity and enterprise risk management, are fully integrated into day-to-day operations of the Federal Executive Branch.” Federal Mission Resilience Strategy, 2020
Active leadership in essential function resilience
Resilient organizations are often led by leaders who actively promote essential function resilience and incorporate the continuity activities into the planning and execution of the organization’s mission, operations, and culture. This allows for organizations to be more adaptive to a dynamic threat and hazard landscape. Implementing the changes in FCD: Framework to day-to-day operations should be driven from the top of the organization. FCD: Framework places the responsibility for integrating continuity of operations into our day-to-day operations on each organization’s leadership and mission owners, as they further the collective responsibility of essential function resilience and the continuity of the US government.
Leaders at the Secretary, Deputy Secretary levels, or equivalent C-Suite members, should encourage their continuity program coordinators, managers, and mission owners to be involved in organization-wide strategic planning, programming, planning, and execution activities, like performance management and measurement. One such example is strategic planning. A leader’s strategic intent, which highlights continuity and risk management and directs related performance measures, should encourage personnel to consider resilience principles in organization-wide initiatives.
FCD: Framework introduces the need for organizations to designate mission owners who are responsible for the performance of an essential function. Ahead of the follow-on FCDs, leaders should empower their continuity coordinators and continuity program managers to identify and integrate mission owners into continuity efforts. This effort will likely require existing continuity program personnel to reach across the organization, and senior leaders can begin directing, encouraging, and supporting such engagement. This can be achieved through outreach efforts to socialize the new responsibilities across the organization (e.g., training, collaborative workshops, or townhalls).
Personnel and facility footprint(s)
FCD: Framework, and the Federal Mission Resilience Strategy before it, represent a sustained movement toward changing the collective approach to continuity of operations from a reactive approach toward a more distributed, resilient organization capable of sustaining essential functions. They emphasize a model wherein functions and command and control may be transferred between and across geographies (e.g., HQ to regional offices) without gaps in performance.
Organizations can proactively reduce risk by spreading the four factors that contribute to a function’s performance across geography. Continuity coordinators, continuity program managers, and mission owners can use the four factors to examine strategies to strengthen its continuity program through diverse and dispersed continuity teams. FCD: Framework lays the foundation for continuity programs to begin reorienting their capabilities (such as where staff who support essential functions are located, which critical systems they maintain, and at which sites) ahead of further program management and risk management guidance in the follow-on FCDs.
Organizations that have centralized locations where personnel perform essential functions will need to consider how to adjust operations to align with Federal Mission Resilience. Although many organizations already have a dispersed physical footprint that is distributed across the country or even the world, those organizations whose continuity personnel and capabilities necessary for the performance of functions are centered in one area should find new ways to reduce their risk exposure. Organizations should also routinely assess whether staff can perform essential functions from a telework environment. Telework may be one option, but only if an organization determines it can perform its essential functions from a remote posture (particularly if the mission requires secured or classified systems). Through dispersal, organizations can not only look for ways to reduce vulnerabilities and mitigate risks, but they can also more closely and critically examine how functions are performed. This analysis can paint a broader picture of the organization’s footprint, and help it optimize who supports essential functions and the use of existing space.
Relocation, distribution, and remote work
Organizations should take the opportunity presented by an FCD refresh to assess the resilience of their continuity strategies (e.g., relocation, hardening, distribution, and devolution). The COVID-19 pandemic forced a large contingent of the workforce to embrace remote work conditions, dispelling the notion that effective operations are not possible without a centralized worksite. Many organizations have leaned on various strategies in recent years to maintain their day-to-day operations—organizations should now seek to apply these lessons learned to their continuity program.
Many organizations may find that a more distributed workforce and an enhanced use of remote work can help lessen the impact of disruptions to operations and reinforce the continuous performance of essential functions and critical services. Even with relocation, for which all organizations are required to plan, organizations may identify new facilities in new locations to distribute command and control nodes and the performance of essential functions based on workforce movement in recent years. Existing and new sites should explore hardening strategies to reinforce existing infrastructure to support continuity operations. These strategies, however, should not seek to replace efforts like devolution.
Nevertheless, determining where and how functions will be distributed generally requires organizations to reassess their footprint and use of remote work, the continuity strategies for their program, and the coordination of budgets, personnel, facilities, and continuity leaders. Organizations should perform a comprehensive program assessment rooted in the four planning factors to understand how continuity strategies for the operations of today and tomorrow can enhance their ability to support essential functions before, during, and after a disruption.
Integration of cross-organizational components
There has been a significant shift in the workplace and the Future of Work[2], including the widespread adoption of collaboration tools and the emergence of Generative AI, which has resulted in a greater integration of teams and a reliance on AI technology to conduct business. This fluid and rapidly evolving environment has opened up organizations to both familiar and emerging risks. It is clear now more than ever that organizations should prioritize collective efforts to make the performance of essential functions more resilient.
Continuity programs can more effectively address the dynamic threats and hazards they face through greater integration of existing organizational components. Existing enterprise risk management (ERM) and cybersecurity capabilities are key to this effort and are critical to achieving Federal Mission Resilience. Continuity programs should regularly seek ERM team input to leverage existing risk registers and integrate cyber resilience processes for critical systems and data. Continuity program managers and mission owners should be well versed in broader ERM and cybersecurity efforts to gain better visibility on current and emerging kinetic and non-kinetic threats to organizations. Exploring this avenue can help diversify capabilities, enhance continuity strategies, and mitigate the impact of disruptions to the performance of essential functions.
Organizations should reference planning materials published by FEMA, the Cybersecurity and Infrastructure Security Agency (CISA),[3] and recent revisions to National Institute of Science and Technology (NIST)[4] standards to build on FCD: Framework to progress toward mission resilience. Leaders should champion the integration of continuity, cyber, and risk management concepts to identify holistic risk mitigation strategies. Full-scope reviews of risk to essential functions at all levels of the organization can drive enhanced preparation for implementing the new continuity requirements and support decision-making for resource acquisition and program budgeting.
Investing in resilience
In an environment characterized by tighter budgets, competing priorities, and complex threats, continuity programs should focus on enhancing existing capabilities and resources across the four planning factors—this can help drive effective organizational change. To sustain essential functions within this new framework, organizations should incorporate their continuity of operations components into the budget process and identify performance management opportunities (e.g., through the annual budget submission process for federal agencies) that integrate continuity and Federal Mission Resilience efforts into organization-wide strategies, rather than seeing continuity as a compartmentalized and separate effort.[5]
Implementing changes in accordance with this new FCD will require investments to better understand and harden capabilities across the continuity planning framework. Leaders, continuity coordinators, and mission owners should prioritize investment in resilient and redundant processes and systems, then conducting exercises to test continuity strategies and familiarize staff with emergency plans. Expanding participation in these tests and exercises can not only build essential function resilience but is an interactive method to integrate staff into the various components of a continuity program.
领英推荐
Conclusion
FEMA’s new FCD: Framework establishes a foundation for navigating real-world incidents and evolving threats and hazards to encourage practical implementation of continuity strategies. The Framework emphasizes the importance of proactive planning, regular testing, and continuous refinement of the capabilities to promote mission resiliency. By emphasizing the need for comprehensive mission resiliency, it creates a rubric for identifying and maintaining essential function resilience strategies for a stronger national continuity capability.
Christina Crue
Principal
Deloitte & Touche LLP
Tel: 1 (571) 329-3666 Email: [email protected]
?
Hal Cohen
Specialist Leader
Deloitte & Touche LLP
Tel: 1 (202) 709-0360 Email: [email protected]
?
Andrew Hunt
Manager
Deloitte & Touche LLP
Tel: 1 (202) 794-3717
Email: [email protected]
?
This document contains general information only and Deloitte is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte shall not be responsible for any loss sustained by any person who relies on this document.
As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.
Copyright ? 2024 Deloitte Development LLC. All rights reserved.
[1] ”Organizations” includes the federal Departments and Agencies, boards, bureaus, commissions, corporations, foundations and independent organizations within the Federal Executive Branch. https://www.fema.gov/sites/default/files/documents/fema_federal-continuity-directive-planning-framework.pdf
[2] Future of Work | Deloitte & Touche LLP https://www2.deloitte.com/us/en/insights/focus/technology-and-the-future-of-work.html
[3]? Shields Up: Guidance for Organizations | Cybersecurity and Infrastructure Security Agency (cisa.gov)
[4] Security and Privacy Controls for Information Systems and Organizations | Special Publication 800-53 | National Institute of Science and Technology (nist.gov)