Addressing the ‘Critical Employee’ Quandary
- Published on April 26, 2011
- Written by FRANK LADY, CBCP, CISSP, PMP
Organizations should establish criteria for identifying critical employees. A survey of several business continuity resources yielded no industry consensus but the British Continuity Institute (BCI) Glossary definition of “critical” provides useful guidance: “A resource ... that must be available ... at the earliest possible time after an incident ... has occurred.” Merriam-Webster offers additional context in its definition of critical as, “crucial, decisive, indispensible, vital.” Urgency of availability and level of contribution to recovery task accomplishment emerge as excellent candidates for critical employee identification.
In a physical or pandemic disaster, planners must expect some critical employees to be unavailable. The U.S. Federal Financial Institutions Examination Council BC Planning Handbook states, “Institutions should not assume ... that critical personnel ... will be available immediately after the disruption.”
When responding to a disaster, organizations typically recover functions in order of importance. The subset of employees who support this initial recovery effort may be limited by quantity, but should not be limited by eligibility.
For example, if one third of a group is necessary to support the initial recovery phase, organizations should consider requiring two thirds of the group to be ready to participate immediately. In the ideal situation (all employees are available), the “first third group” could recover the top priority functions. The second group would provide substitutes for unavailable members of the first group, and would be prepared to recover the next tier of functions. The second group must be ready to immediately support the recovery effort, but some of its members may not be activated until the second phase of recovery. To complete this example, the third group would recover the last tier of functions, but also would be prepared to backfill second group members who were “called forward” to replace vacancies in the first group.
Clearly, this “call forward” approach compels organizations to cross-train and equip employees to participate in an earlier recovery group if circumstances dictate. Planners often consider certain employees, either formally or informally, to be indispensible (or critical) to a recovery task. While these employees may perform vital roles, organizations cannot allow any employee’s absence to become a single point of failure. Organizations must actively develop successor/alternate employees to contribute at the levels required, should the primary employee become unavailable. A mature business continuity program will identify, develop redundancies for, and exercise the replacement of critical employee skill sets.
This discussion of key employees has frequently used the word “critical,” but only because the term is commonly understood. In practice, organizations should avoid using this term when developing business continuity plans and identifying recovery teams. The problem with identifying an employee as “critical” is that the alternative, either in fact or by assumption, is a “non-critical” employee. Organizations may substitute many non-offensive alternatives, such as naming the previously mentioned “third” groups the blue, green, and gray teams.
Organizations cannot fail to prepare for critical employee unavailability. Although the subject of unavailability is an uncomfortable one to contemplate, there really is no responsible alternative. Two techniques that enable organizations to address this challenge are a flexible approach to requiring employee availability for the recovery effort and an employee development program that equips employees to accomplish primary and contingent recovery tasks.
Frank Lady, CBCP, CISSP, PMP, is a vice president of business continuity at Bank of America. He has been a member of the DRJ Editorial Advisory Board since 2008, and leads its Glossary of Terms Committee. Lady appreciates pre-publication comments on this article from Ken Shroeder and welcomes feedback and glossary suggestions at email@example.com.