So You are The Company's New Contingency Planner!
- Published on Monday, 29 October 2007 22:25
Private industry is subjected to many non-business related perils. Ironically, as technology advances, previously unknown or nonexistent threats seem to continually evolve. These are in addition to the natural or man-made disasters normally considered. Disasters can strike at any time; and, the more an organization is concentrated in a single location or geographic area, the greater the risk that a single disastrous event could cause serious business disruption or organizational decapitation.
Yet, even in the face of overwhelming daily evidence, executive managers continue to resist the need for disaster contingency planning. They rationalize that since they are not on a hurricane prone island, or sitting on an earthquake fault, they have no real need to prepare for a disaster. They firmly believe that their organization’s fiscal and strategic programs are quite adequate; the current disaster response capability is adequate; and that nothing is broken, so why fix it?
The operative terms are “adequate” and “not broken.” Too often, “adequate” is used to limit refinements or further exploration. In emergency planning, it stifles improvements. “Not broken,” coupled with adequacy, tends to hinder internal initiative and limit outside observation or influence. Maintaining adequacy not only prevents progress, but also causes regression, which can lead to failure. Progress cannot be made without some forward motion.
A side issue is NIH, Not Invented Here. If it was not the idea of a senior executive, it cannot be worth the expense to explore and should be dismissed without further thought. These managers quote statistics to show that the risk of a major disaster is too small to be of concern. They overlook the fact that disasters caused by HAZMAT incidents and power and phone outages are unforeseeable, widespread, and often very damaging. Even if such managers do not totally resist disaster planning, they too often pay the concept grudging lip service by quickly assembling a plan for insurance purposes, and then filing it away. Or, even worse, they accept a mediocre plan believing that they are fully protected.
WHAT’S THE THREAT?
Risks--avoid, minimize, accept, BUT do not ignore!
Contingency planners base their plans upon a perceived threat in order to identify the resources required to counter that threat. These threats can generally be classified into four broad categories: Accident--radiation leaks, chemical contamination, loss of power, transportation incidents, toxic fumes, etc.; Natural--floods, fires, earthquakes, hurricanes, etc.; Internal--sabotage, theft, etc.; and Armed Conflict--terrorism, civil insurrection, armed conflict, etc..
Boiled down to a simple sentence--“A threat is any event that will deny you the use of your normal work area or the telecommunications connectivity to that area.”
In all but the smallest organizations, adoption of a formal planning methodology is needed to ensure quality, consistency, and comprehensiveness of the completed contingency plans. A standard methodology can also provide maximum assurance that the plans for interrelated departmental functions (Administration, ADP, Communications, Finance, etc.) mesh properly to form a cohesive program.
The “ad hoc” approach to contingency planning should absolutely be avoided. A formal and disciplined planning methodology will ensure that plans address the total organization, not just survival of the pieces. Additionally, the planner should avoid fragmented solutions such as building a contingency plan for the ADP Division that will ensure survival and recovery of data (computer survival), but giving no thought to addressing the issues that ensures overall organizational survival.
A basic planning process will outline the requisite content for contingency plans including objectives, requirements, and a desired format. This process will also determine: which type of disaster is most threatening to organizational survival, which key locations and critical functions must be protected, and it will establish time-lines (i.e., the maximum amount of time an organization can be without a critical capability) for unacceptable loss of capabilities. Each determination should include a critical, holistic, functional assessment.
One of the vital talents that any contingency planner should acquire is the ability to think backward. Specifically, one must be able to visualize hours, days, and even weeks into an event, and then mentally work backwards, asking at each step of the way,--“how did I get here?,” “what was needed?,” and “what is required at this instant in time?.” As planners refine this talent, they will be able to “freeze frame” specific phases of an event and analyze all the required actions and reactions that must take place to ensure a successful disaster recovery operation.
“No one plans to fail, they just simply fail to plan.” Developing an organization’s disaster contingency plan is not a trivial undertaking. It is a painstaking process. Furthermore, once the plan has been developed, it must be reviewed and updated whenever the company adds new products, new facilities, new technology, or undergoes major internal changes. A disaster contingency plan is the corporate blueprint for response and recovery. It must be sufficiently complete to allow the lowest operating element to know precisely what to do and, if necessary, to move to an entirely new facility and resume operations--“business as usual.” The plan follows the basic interrogatives--who, what, when, and how: who is involved; what resources are involved; when must the resources be used; and how are they to be used. The plan must basically outline people responsibilities, the use of equipment and other material resources, and detailed operating instructions; nothing can be assumed. The plan is the organization’s strategic battle plan for recovery. The follow-on contingency plans of the operating elements become the organization’s tactical battle plans for survival.
BUT FIRST, THE CONCEPT
There are no permanent solutions, only evolving answers!
We are constantly bombarded with the need to produce “THE PLAN”. The plan thus becomes the end means of corporate survival and recovery. What is rarely, if ever, mentioned is that the plan is an operational document that is designed to be implemented when needed and, as such, it must be based on something authoritative. What is missing in the rush to produce “THE PLAN” is the awareness that there is a crucial first step that should always be conducted.
No plan can be developed, or should even be attempted, without first performing an objective analysis of the organization’s needs and objectives. The contingency requirements, assumptions, and constraints must be clearly understood first before a pencil ever touches paper for the first draft plan outline. The assessment must be conducted with meaningful participation by both management and operational personnel. Participation by both groups is absolutely required. Although management establishes organizational policy and planning objectives, it is the operational personnel who must execute the plan.
The end product of the analysis will be a well-documented Concept of Operation. It is this document that details the specific threat, requirements, assumptions, constraints, and outlines a proposed general course of action. In “global” terms, it states what needs to be done and forms the foundation document for the follow-up plans that deal in specifics. Furthermore, care must be taken to ensure that it is not driven by a single solution. All possible solutions must be explored, analyzed, and each compared to the other. Only after all other solutions have been eliminated, should the remaining solution be used as the basis for the concept.
As the foundation document for a plan, the Concept of Operation is the single authoritative document that addresses such elements as: the critical and uninterrupted corporate activities or functions, the threat, the requirements, assumptions, and constraints. Also imbedded in these elements are both risk and impact analysis. Should any of these elements change significantly, a revalidation of the concept is absolutely required. Too often, either because of time or resource constraints, emergency managers take the easy way out by modifying a plan without first taking the time to re-visit the basic concept. Unfortunately, history is full of examples of contingency (mission) failures because the underpinnings of a plan had changed and no one thought it important to revalidate the concept. Therefore, when the time came to execute the plan, it was found to be unusable.
A concept document differs from a support plan in that it is generalized and applies broadly to a large portion of the organizational structure. Unlike a plan, it does not directly relate to a specific geographical area, specific time frame, or specific elements. It explains general organizational and staff interrelationships and defines broad policies to be followed and the objectives to be attained.
Guidelines for effective concept development are:
- Keep it as short and simple as possible. Use an annex or appendix for lengthy discussions.
- Avoid footnotes--they tend to distract the reader and too often appear as an afterthought, causing more questions than they answer.
- The document must stand alone as the foundation source for any organizational activity or program; however, it is not the document of execution.
- A concept generally describes why and what needs to be done. The follow-on “family-of-plans” describe in specific detail the who, where, and how.
- Write for the reader(s). REMEMBER, the one who approves the concept may not be the one who must subsequently create the supporting plans and procedures with nothing to work with but the concept.
- Watch your language. Terms and phrases often mean different things to a manager and an operator.
- Beware of preparing a Camel.
- Concepts prepared for approval in Corporate Headquarters are often loosely worded political compromises that can result in ambiguous guidance when sent to the field to execute.
- Concepts prepared for approval and execution in the executive suite of Corporate Headquarters are vastly different in detail than those prepared at the operating level.
- In large and diverse corporations multiple concepts may, and most likely should, be required. In these situations, do not attempt to create a single, all inclusive document that is everything to everybody--the result is usually a document so complicated that it is unreadable and, therefore, worthless.
- Remember your roots. The true acid test of any concept is the ability of the guys and gals in the outer offices to understand what must be done, and then do it--without the need for a Corporate Headquarters adult around to interpret.
TESTING AND MAINTENANCE
It has often been said--and for good reason--that a plan isn’t a plan until it has been tested. The adage that plans must be maintained to accommodate change is also well known. Despite this awareness, surprisingly large numbers of organizations commit significant resources to contingency plan development only to see the value of the investment dwindle as time passes. This wasteful attrition is usually due to an unwillingness to test and maintain the very plans that were created for organizational survival. This usually occurs when a company has been fortunate enough to not experience a crisis for a prolonged period. The ensuing complacency lures the organization into the classic “it’s not broken” trap!
Contingency plans are extremely dynamic. Things change. Most emergency and contingency operations usually require a complete rewrite of all procedures every five years. These rewrites should be based on a refinement of requirements, exploit new technology and use fresh eyes to look at old solutions to new problems. This process is called plan maintenance.
To develop a contingency plan, three basic options--or some combination of the three--are available to the contingency planner. These options are to: complete the work in-house; obtain assistance from a specialized disaster software and/or storage vendor; or hire an outside (disinterested) contingency planning consultant to assist in plan development.
In-house: This option often appears to be the cheapest because no additional expenditures are required. However, there are hidden costs as employees are diverted from their normal work and, therefore, some of their normal work assignments may not get done. Furthermore, it usually takes longer to complete the plans which often prove to be inadequate. This is especially true if in-house personnel lack contingency planning expertise and experience. Moreover, because the planning effort can siphon off energy from day-to-day activities, supervisors tend not to offer their very best employees to participate.
Specialized vendors: This approach varies in cost. However, as these vendors tend to concentrate on data storage and transfer issues, and on telecommunications services, it is often better to defer the use of their services until there are known needs and requirements. Although there are very good vendors in this area, some are focused on providing a very limited service and are not concerned with synergistic organizational survival.
Outside (disinterested) consultant: On the surface, this option appears to be the most expensive. However, it is the most predictable option to ensure complete, tailored assistance. When weighted against internal employee costs of trying to get organized, false starts, and the internal strife in-house efforts cause, the actual expense of consultants may actually prove to be no more (and sometimes less) than the in-house option. Consultants can provide outstanding assistance in helping understand the total planning process.
A combination: More often than not, a combination provides the best of all options. By selectively using only the outside assistance required for each step, combined with the use and training of in-house assets, the entire process is significantly accelerated. Furthermore, it ensures that expertise is available when needed, and that all additional specialized assistance is pre-identified as absolutely required to satisfy specific corporate contingency objectives. And, with adequate staff participation, this approach ensures that planning knowledge becomes embedded inside the company. However, to reach its full potential, this option requires the organization’s Contingency Planner to strategically, and relentlessly, manage the process.
Every day, businesses are confronted with disasters of varying degrees. Those that have adequately developed, maintained, and exercised their contingency plans will survive. Yet many corporate executives continue to take the uninhibited operations of their companies for granted. They remain complacent, assuming that the power will always be available, the telephone system will not fail, there will be no fire or earthquake--everything will always be normal. Very few executives plan for their own, much less their organization’s mortality; however, if a business is to survive, organizational “strategic” and “tactical” battle planning is essential.
The final corporate contingency plan is the lifeblood of corporate survival. However, it is only as good as the foundation upon which it was built. The foundation is, of course, the concept. This document is the means by which a particular mission, program, or policy directive is translated into a fundamental organizational and operational methodology. Once the concept is developed through a logical building block approach, and is sanctioned by both management and the operating elements, construction of the contingency plan may commence.
A fundamental premise of successful contingency planning is that plans are developed by those who must actually carry them out in the event of an actual disaster. The role of the Corporate Contingency Planner is to strategically, and relentlessly, manage the process. And, in doing so, he or she must rely on both internal and external assistance. In addition to in-house assistance, there are a multitude of disaster assistance organizations and services available to assist the contingency planner. However, many are specialized and provide only a specific function (communications, data storage, etc.). As a consequence, synergistic contingency planning is often left to the user’s resourcefulness.
Preparing a corporate contingency plan is a non-trivial undertaking. However, corporate leaders must recognize the vulnerabilities they invite by not adequately planning for survival. Disaster planning is truly a vital part of the overall business plan.
I have spoken to the perplexed woman from the conference a few times since our chance encounter. Like most of the rest of us, she enjoys the challenges of being a contingency planner, despite the inherent frustrations of dealing with changing threats, corporate commitments, lack of resources, and the ever-present budget. Having developed this perverted addiction, she has truly earned the right to calmly listen, as a veteran, to the next rookie planner as they expound on their seemingly futile quest to save their company from imminent destruction.
William A. Hussong Jr. is the Senior Member of the Professional Staff of the Special Operations Division of System Research Applications, Inc., of Arlington, VA.