Identifying and managing risk is one part of the equation; it is equally important to be prepared in the event a worst reasonable case occurs – such as the loss of a data center or a global pandemic. Our Enterprise Resilience team functions on a 24 x 7 x 365 basis and is charged with sustaining the enterprise’s emergency management and business continuity capabilities. Our Emergency Management Core Plan aligns with the National Incident Management System and adopts the principles of the incident command system, which government agencies across the U.S. use to respond to local emergencies and large disasters. Our emergency management framework is an integral part of how we efficiently respond to and manage events to keep critical operations functioning.
To prepare, the Enterprise Resilience team works closely with ERO to identify the drivers that could trigger an event; the controls for preventing it or reducing how often it occurs; and the mitigation strategies if it does occur. We try to anticipate high-impact, high-probability events to prepare for the ripple effects they could have and to limit the negative consequences. We’ve established business unit-based and hazard-specific plans aligned to our emergency management framework to manage the strategic response. Business unit and operating company-specific resilience plans are in place to protect our critical and non-critical processes to support continuity of operations during business disruptions.
This framework proved critical in responding to the COVID-19 pandemic, when the Enterprise Infectious Disease Response Plan was activated, guiding preparedness activities ahead of the pandemic and ensuring a comprehensive and coordinated response. Learn more in the COVID-19 section.
The global pandemic is an example of a risk that could interrupt business operations. In 2020, we strengthened the existing business continuity plans that support critical and non-critical business processes. These plans were expanded to include more depth around loss of facilities, personnel and supply chain due to coronavirus impacts. This was to ensure all business functions and assets – critical and non-critical – could continue to operate during the pandemic with little to no disruption. Well-planned and executed responses can reduce the impacts to AEP and to our customers, shareholders and the communities we serve.
Our business resilience plans, which include continuity and emergency response plans, serve as important training tools to prepare our workforce to respond and recover when an event occurs. During event response and recovery, real-time adjustments are made based on planning assumptions specific to the event size, complexity, and timing.
Our business continuity plans evaluate:
- Prioritization of critical business process recovery with consideration for special circumstances or cyclical events that may worsen the impacts of the disruption.
- Staffing considerations for critical business processes and identification of niche or highly specialized skillsets.
- Adequacy of workarounds specific to the event complexity and estimated time to recover critical business processes.
Third-party vendors, contractors/consultants, and outsourced partners are also key to our business continuity in a crisis. Business units and operating companies within AEP that own these relationships must review the external party’s business resilience plans to determine whether or not they meet our criteria and to guide adjustments that may be required to our response and business recovery capabilities.
We believe that strong data security and privacy protections, using technology and internal policies and practices, are vital for effective and trusted interactions. To accomplish this, we are enhancing the protection of high-value data through improved data inventory practices, security protocols, data lifecycle management and leadership accountability. This aligns with our multi-year Personally Identifiable Information (PII) protection program that lays the foundation for this new initiative.
For several years, we have focused on minimizing the volume of PII storage repositories to better protect employee, customer and contractor PII. In 2020, we expanded our PII protection program as we transitioned more than 60% of our workforce to remote work. Working remotely opened up new vulnerabilities that required adapting enhanced data security protocols such as tightening administrative controls around installing personal printers on company devices and printing sensitive company documents.
AEP’s Privacy Collaboration Efforts:
- Enterprise Data Privacy Governance Committee
- Internal stakeholder partnerships
- Privacy Champions
- Privacy Legislation and Regulatory Risk Working Group
- Enterprise Risk Register