Interview with Michele Guido, CBCP, MBCI, Business Assurance Principal at Southern Company

1. Learn from Southern Company’s Corporate Business Assurance Program
Interview with Michele Guido, CBCP, MBCI, Business Assurance Principal at
Southern Company
While electric and gas utility companies have
developed business continuity and disaster recovery
plans in the past, the challenging economic
environment of recent years has caused utilities to
both accelerate new plan development and strengthen
existing plans. With increasing threats such as
pandemic, natural disasters and physical and cyber
security attacks, the changing landscape created by
these drivers highlights the need to revisit business
continuity management.
Michele Guido answered a series of questions posed by
marcus evans before the forthcoming Business
Continuity & Organizational Resilience Conference, July
16-18, 2013, in Atlanta, GA. Michele shares how to
effectively utilize the incident command system.
How was the business assurance program with Southern Company
originally initiated and implemented? How long did it take to get where
you are today, and what were some of your challenges along the way?
Michele Guido: Business Assurance is defined as “the confidence in our ability to
maintain business-critical operations during an unexpected disruption.”
Preparedness is institutionalized across Southern Company and its operating
companies. Over the past 10 years, we have transformed from project to program
to culture.
The Business Assurance program supports this transformation through three key
elements: Protect, Prepare, Respond. The elements focus on minimizing or
eliminating the impact of events that have the potential to disrupt critical business
operations, functions or services. There are many owners and vehicles to support
the program from evacuation, safety, storm operations, business continuity, risk
management, crisis communication and compliance. Many of these programs have
been established and operationalized across Southern Company over many years.
This represents our culture.
An opportunity presented itself to place “all” of what we do under one umbrella
called the Business Assurance program. Another was to develop supporting policies
to ensure compliance. Ongoing executive support was another critical path to
implementation. The Business Assurance program reports to an executive council

2. that sets prioritization of work, ranging from policy to engagement. The council
meets on a quarterly basis. Advisory and working committees meet on a regular
basis to support policy implementation during steady state and as needed during an
incident. Our Business Assurance department is the enabling arm of the program.
However, ownership is across the company from executives, business unit
managers, information technology, enterprise risk, legal, compliance, facilities and
security.
With all of Southern Company’s subsidiaries and vast operations, how do
you ensure each group, department, etc. stays up to speed with their
individual business assurance plans?
MG: Southern Company is focused on providing our customers clean, safe, reliable
and affordable electricity. In the context of reliability, being part of our nation’s
critical infrastructure emphasizes the need for the prioritization for critical functions
and services. Our program is a business issue. It’s managing risk across the
enterprise along with stakeholder expectations.
At a high level, Southern Company has adopted and institutionalized the concept of
all-hazard planning for both electric and corporate operations. This approach to
planning ensures understanding of critical process, associated business
infrastructure (technology, personnel, data, facilities, etc) and interdependencies;
both internal and external. Needs may be unique for a group but the approach
provides viability, sustainability and consistency. Policy and procedures have
ensured this across the enterprise. An example is the annual exercises that must be
conducted at many levels to stay in compliance with the policy.
What types of exercises, drills, or dry runs do you perform for the
multitude of potential disasters that could affect Southern Company’s
operations?
MG: Plans are developed, maintained and exercised on all levels throughout the
enterprise. Plans include continuity of operations, incident response, crisis
management, storm response, emergency management (fire/tornado/hostile
intruder/etc) and disaster recovery for our business infrastructure (technology,
network and data).
As an example, Southern Company’s operating subsidiaries maintain detailed and
dynamic disaster recovery plans for storms along the Gulf Coast. These plans are
graduated based on the expected damage from the five categories of hurricanes,
with specific responses and actions identified for each. Our plans provide for flexible
and decentralized authority to make decisions as close as possible to the disaster.
Hurricane season begins June 1st
, but planning and exercising is year round.
Education and awareness are vital to success. We practice and routinely revise the
plans as we gain new experience, whether that be through a hurricane, tornado or

3. technology failure. Continuous learning in an organization is a critical component to
achieving superior performance. Lessons learned are captured through a root-cause
analysis and post mortem meetings.
How do you manage the various public-private partnerships Southern
Company has during the stages of the business assurance plan (protect,
prepare, respond)?
MG: Southern Company is an industry leader in all facets of reliability and
resilience. Southern Company’s leadership and active participation in significant
forums and initiatives with the Homeland Security Enterprise (HSE)i
continues to be
a priority as Southern Company is an important member of the nation’s critical
infrastructure.
Our HSE objective is to support the shared mission of resilience and national
preparedness. Resilience for HSE refers to the ability to adapt to changing
conditions and withstand and rapidly recover from disruption due to
emergencies. National Preparedness refers to the actions taken to plan,
organize, equip, train, and exercise to build and sustain the capabilities
necessary to prevent, protect against, mitigate the effects of, respond to and
recover from those threats that pose the greatest risk to the security of the
Nation.
This strategy is also shaped by external bodies through FERC, NERC, DOE, EPA, for
example, as well as future and existing Federal legislation and State regulations
through our Public Service/Utility Commissions.
Continued participation clearly promotes Southern Company’s commitment to
preparedness and to bridge existing gaps between the public-private sectors.
Commitment to bridge gaps is proactive and demonstrates partnership, while
supporting the National Infrastructure Protection Plan (steady state) and National
Response Framework (crisis state).
Michele Guido is a Business Assurance Principal for Southern Company, which owns
electric utilities in four states and a growing competitive generation company, as
well as fiber optics and wireless communications. Michele has 20 years experience
in the continuity industry. Prior to joining Southern Company, Michele was
employed at IBM, BellSouth and Federated Systems Group with responsibilities
ranging in all facets of crisis management, response, disaster recovery and
business continuity. Michele has a B.S. degree in Computer and Information
Systems, an A.S. degree in Business Administration; both degrees from King's
College and graduate studies in Emergency in Preparedness and Planning from
University of California at Berkeley.

4. For more information, please contact Michele Westergaard, Senior Marketing
Manager at 312-540-3000 ext. 6625 or Michelew@marcusevansch.com.
About marcus evans
marcus evans conferences annually produce over 2,000 high quality events
designed to provide key strategic business information, best practice and
networking opportunities for senior industry decision-makers. Our global reach is
utilized to attract over 30,000 speakers annually; ensuring niche focused subject
matter presented directly by practitioners and a diversity of information to assist
our clients in adopting best practice in all business disciplines.
i
HSE includes public sector entities; DHS, DOE, DOD, FEMA and the nation’s critical infrastructure
owners (public and private).