Toshiba America Electronic Components, Inc., (TAEC) headquartered in Irvine, California, manufactures and sells advanced electronics equipment to clients worldwide. Staff often need to travel to remote manufacturing locations in newly industrialized countries, where they face an array of hazards ranging from local power outages that could strand an employee to a tsunami that could devastate an entire region.

TAEC hired a security consulting team from Direct Measures International, Inc., (DMI) of Newport Beach, California, to help it address these exposures. DMI was asked to conduct a travel safety audit and develop a comprehensive crisis management program incorporating TAEC’s existing disaster recovery and business continuity programs.

As part of the review, DMI searched for a comprehensive computer program that the TAEC crisis management team could use to evaluate emergency situations and decide on the best course of action. No such product was available in the market in late 2006 when DMI was researching potential solutions, so DMI developed a customized crisis management software package for TAEC.

Designed to help the company mitigate risk and determine the best course of action in an emergency, the program analyzes a situation and suggests a wide range of potential crisis solutions, both to maintain business continuity and to provide support for employees. The Internet-based software program consists of more than 1,000 different image screens—each representing a possible crisis and a course of action—linked together to create a solutions matrix.

The software was designed around TAEC’s specific concerns as outlined in the company’s emergency response and risk management plans and includes potential crises outlined by the U.S. Department of Homeland Security. The software also links to external resources such as the U.S. Department of State and mapping services as well as to lists of various critical contacts such as emergency first responders, utility companies, insurance contacts, media resources, intelligence reports, and travel alerts. The software program is Web-based and can be deployed on any computer that has a Web browser and an Internet connection.

Security personnel monitor various media and intelligence reports on a daily basis for events that could affect employees, assets, or business operations. Once security believes there may be a potential crisis, preliminary data is collected for threat validation and a decision is made to either handle the situation directly within security or implement the crisis management plan.

If the plan is implemented, the crisis management team members are notified via e-mail or telephone. Those who can get to the company facilities work from their office computers. Others are hooked in via teleconference. Together, all members of the team use the crisis management software to make decisions.

The team loads new information into the system as it becomes available. The software analyzes the situation and recommends issues that the team should consider or courses of action they should take. The team then decides whether to implement the recommendations or alter them.

The information about company assets linked to the system is critical to making it useful during a crisis. The system is constantly updated so that the company’s resources are accurately reflected.

“What’s really important in a crisis management tool is that users must be assured of the accuracy of the information in a timely fashion, and the information must be relevant to the company’s business and operations,” says Rick Gundo, director of administration and office services for TAEC. “Just hearing that there is a tsunami in Southeast Asia is meaningless unless you also understand that the area affected includes a manufacturing plant that you or your supplier or your customer operates.”

After the beta version of the program was completed in early 2007, TAEC held training sessions for its crisis management team and security staff. DMI prepared a series of drills in which time was simulated at an accelerated rate—each 10 minutes represented an hour. Participants were told that 80 employees, including company executives were traveling. (The company has about 120 employees at its Irvine headquarters and about 450 at 12 regional offices elsewhere in the United States.)

The team was then given simulated intelligence and information from outside sources—including news items, reports from traveling employees, and hotel and travel information. One drill involved an employee stranded without money, passport, or airline tickets in a Southeast Asian country. Another simulation dealt with a pregnant employee missing during a blizzard in the Northeast.

As the situation progressed, the software prompted the team to consider the new events in light of previous incidents and given the company’s resources. For example, during the exercise involving the employee trapped in Southeast Asia, the program noted that because dozens of employees were traveling outside the United States at the time, the team should consider whether several employees traveling in the same region as the stranded employee could be of help.

The total cost of the software program, including consulting and training, was somewhat less than six figures, according to Gundo. While he notes that the solution was expensive, the system more than paid for itself when TAEC faced its first real disaster—wildfires that devastated Southern California in October 2007.

There were three separate but simultaneous fires that threatened either company property or employee homes. The company implemented its crisis management plan.

As part of the plan, all affected employees were contacted to determine their status. In addition, the emergency hotline was equipped with an outgoing message so that when employees called in, they would get updates and instructions. Updates were also sent out to employees via e-mail.

The members of the crisis management team used the software to input the types of fires and their locations. The software then retrieved information on the company’s locations and resources. The software determined whether the new information altered the company’s risk. If so, the program then prompted the team to consider a series of actions to mitigate the threat. Based on the information the team entered, the software urged action on several fronts.

 First, the software analyzed the threat to the company’s San Diego design center, which was in the mandatory evacuation area for one of the fires. The software laid out the appropriate steps for evacuating the facility.

One step entailed making sure that the center would be monitored around the clock through the online security system after it was evacuated. While the fire never engulfed the building, it got so close that the heat from the fire caused the air conditioning to malfunction, causing the server room to overheat. This was observed by the staff monitoring the facility, so the servers were remotely taken off-line and arrangements were made to repair the air conditioners as soon as the facility became accessible.

The second crisis involved TAEC’s inventory at a warehouse in south Irvine, which was threatened by another rapidly growing fire. Smoke was a potential health risk to employees as well as a threat to inventory. Staff members were given masks to wear while working to relocate the operations to another facility nearby.

A third concern was staff housing. Ten employees in San Diego and Orange County had to evacuate their homes. In this instance, the software reminded staff of the company’s emergency plan, which called for security to use cell phones and e-mail to keep in contact with the displaced employees and provide support as necessary. All employees were able to return to their homes eventually, with smoke damage being the biggest problem.

The fourth issue was that a critical customer design project in process at the San Diego design center was disrupted. The customer was notified of the problem. (Luckily, the customer was local and understood the situation.) In accordance with TAEC’s engineering infrastructure redundancy plans, the customer’s design data had been replicated elsewhere on the engineering network.

Some personnel were temporarily relocated to the company’s design center in San Jose, where they were able to continue working on the customer project. As a result, there was minimal impact to the development schedule.

TAEC was pleased with how the system worked and felt that it allowed security to focus on several problems simultaneously. “We had to face employee health and safety risks, risks to our facilities and assets, and business risks,” says Gundo. “But we were confident that we were addressing each scenario with the best information available and that we had explored every potential risk and mitigating strategy.”