Tagged in: Business Continuity
By Glen Bricker, Managing Consultant, Avalution Consulting
Article originally posted on Avalution Consulting’s Blog
The goal of any recovery plan, regardless of the size or nature of the organization, is to protect life, minimize damage from an event, and quickly resume the delivery of critical products and services to meet customer requirements. How this is accomplished, however, not only depends on the nature of the organization, but also its customers, size and resources, and culture. The objective is to build plans that are based on realistic requirements, fit within the organization’s culture, and remain cost effective and appropriate. The remainder of this article will discuss these characteristics and how they are incorporated into recovery plans.
The key to a great recovery plan is building what is appropriate. For example, it would be inappropriate to implement five levels of command structure and multiple plans in a thirty person company, or expect a single team in a multi-site, global organization to do everything. In a large organization recovery plans are typically broken down into multiple plans that are owned and maintained by specific departments – emergency response will be owned by a Facilities or Security group, crisis communications will be owned by Corporate Communications or Public Affairs, and operational recovery plans will be owned by the business units. All of these elements will be controlled and directed by a central Crisis Management Team and Plan. In a smaller organization a single plan could suffice for most of these activities with limited addenda for specific critical functions.
So how do you determine what is appropriate? All organizations require emergency response capabilities to deal with the immediate impact of an emergency, command and control for executive decision making, communications to coordinate with stakeholders and business recovery procedures to document how to recover your most important activities.
However, determining the depth of business recovery procedures needed requires some analysis. Regardless of the size or nature of an organization there needs to be a process to identify critical products and services, analysis to determine recovery objectives and requirements, and management commitment to drive the program. Based on the identified requirements, strategies – methods chosen to meet the requirements – can be developed. Strategies can vary from simple work from home procedures to relocation and restoration processes involving third-party contracts or pre-built recovery sites. Based on the complexity of the strategies chosen, the scope of the plans can be established.
Once you have established what the planning structure is, the question becomes what to include in the plans and how to structure them. Keep two rules in mind when making these decisions:
- Plan content should be action oriented. Plans are not compliance documents; they are guides to achieving a goal and should only contain information necessary to perform the task.
- Plans should be structured in as clear and precise a manner as possible. Where possible, they should be reduced to checklists that identify what needs to be done, who is responsible, and who needs to be informed of progress, issues, or completion.
With these guidelines in mind let’s briefly discuss the key elements that should be in each area of a plan:
Emergency Response – with the goal of life safety and immediate stabilization of the situation
- Evacuation procedures, including maps and assembly areas (which are only valuable if available to all employees and practiced regularly)
- Accounting and reporting procedures to identify the missing
- Communication procedures and contact information to enable interaction with first responders and facility management
- Injury / fatality procedures, including interacting with families and medical facilities
- Facility stabilization procedures, including contact information for necessary contractors and security services
Crisis Management and Communications (command and control, communications) – with the goal of directing all plan resources, making timely, informed decisions, and communicating to all internal and external stakeholders
- Crisis Management is embedded in all phases through reporting requirements of specific tasks. Additionally through:
- Establishment of Crisis Management Team meeting schedules, locations, and alternate means of communication
- Implementation procedures for specific recovery strategies, especially those that require activation of a third party contracted solution
- Crisis Communication focuses on three main areas, each with unique needs:
- Internal communications – intended for employees to convey status, request information, or direct recovery efforts. Typical methods include call in numbers, conference bridges, and web based communications
- External stakeholder communications – intended to convey status and reassure customers, financial institutions and other stakeholders. Typically these are outbound direct communications by key senior staff
- Public communications – intended to reassure the public, the broader employee community and other stakeholders not addressed directly through other means. Typically these include written press releases and web postings as well as media interviews if the situation has become visible
Business Recovery Procedures – with the goal of implementing selected strategies at the direction of the Crisis Management Team. Major elements include:
- Documentation of team members and the information necessary to contact them
- Documentation of strategy logistics and messaging to communicate to team members (to augment documentation that should already be in their possession)
- Procedures to verify established recovery requirements and request changes
- Procedures to ensure regular communication with the Crisis Management Team
- Procedures and requirements to increase activities over time
- Procedures to wind down recovery operations and transition back to a production environment
Whenever possible, lengthy lists and other non-operational documentation should be removed to appendices or other reference documentation. Regulatory and other compliance information should be maintained in other program related materials such as policies, program charters, and standard operating procedures.
If you focus on these key elements and are disciplined enough to keep plans as simple and streamlined as possible, you will consistently develop plans that will be usable, and more importantly, used during an event.
Glen Bricker, Managing Consultant
Avalution Consulting: Business Continuity Consulting
Our consulting team regularly publishes perspectives (shorter, independent articles) that touch on the trends currently affecting our profession and the strategic issues facing our clients. This is one of our most recent posts, but the full catalog of our perspectives – over 100 published since 2005 – can be accessed via our blog.