The Contingency Planning Cycle
by Jeff Nicolet
You attend a seminar on contingency planning and hear presentations such as "developing and maintaining your plan", "testing your plan", "business impact assessments", and "lessons learned" from other people’s disaster experience. All the presentations are highly informative and describe a best practice strategy for their subject matter. But how do these strategies connect? New, and even seasoned contingency planners are sometimes confused on how all the aspects of true contingency planning fit together.
The chart on page 56 provides a basic overview of the Contingency Planning Cycle. Like other methodologies it provides a framework of requirements, effort, and deliverables, each leading into the next "phase" of an endlessly repeating cycle. In real life many of these phases may be conducted simultaneously, or unfortunately may not be done at all. While this chart does provide visual clues as to the amount of time (thickness of phases) and changing emphasis (diagonal lines) within a phase, these are for reference and do not represent an absolute percentage of time. My intent in the following dialogue is to briefly explain the chart and methodology. It is not intended to be a detailed explanation of "best practices" within each section.
The "first" phase is dedicated to gaining a fundamental understanding of the world in which you live and work. You need to Understand the Business. All too often contingency plans are being built around technology, and don’t really address their business needs. Understanding your corporate business goals and direction is a first step. Understanding and having documented the existing business functions and procedures is also important. Process Control Manuals or Business Process Manuals are often used to collect together information such as business work flow diagrams, alternate methods of doing the same business function, and the interrelationships / dependencies between business functions. "Process mapping", which relates Procedures to Standards and Standards to Policies, also facilitates an understanding of why the business works the way it does.
Understanding Contingency is important because today’s disaster recovery/contingency planning is much more than simply "taking a backup". One must understand the fundamental contingency principles concerning prevention, protection, availability, and continuity. Lessons learned from other people’s experiences is a great way to avoid "recreating the wheel" or making similar, costly mistakes. You should keep a current understanding of the contingency industry trends, direction, and available tools, along with the industry’s "best practice" strategy recommendations. All of this helps you to develop your own internal vision and goals.
You also need to Understand the Legal Requirements for your contingency planning efforts. Some industries have explicit regulatory requirements for contingency plan implementation (i.e. for financial institutions, for the manufacturing or handling of hazardous materials, etc.). Less regulated industries may have contractual, human safety, and / or "common sense" liabilities to consider.
The next phase is dedicated to understanding the risks and impact of outages to your business. A Business Impact Assessment will examine your business and at a minimum, document the resources used for each business function, identify the tangible and intangible losses, and determine any increasing magnitude of losses over time. Tangible losses include revenue, lost productivity, fines and penalties, interest payments, overtime, etc. Intangible losses include your personnel knowledge base, customer goodwill / service, morale, community impact, etc. You will need to set thresholds and create a scale of impact determination that is acceptable to your company. This facilitates establishing and understanding your business priorities.
The Risk Assessment will identify internal and external business exposures. These include exposures due to location, chain of supplies, IT and telecommunications networks, utilities, physical and data security, etc. Once your company defines its level of risk acceptance, you can begin to identify any business process changes that would reduce those exposures. These may be simple policy changes such as identifying alternate suppliers, or complex physical changes such as installing alternate power feeds and telecommunication lines.
The next phase is dedicated to defining expectations and protecting assets. Defining the Contingency Mission will summarize the mission, outline the scope of responsibilities, identify the basic assumptions and relevant success factors, and determine funding level requirements. You should also establish the mission’s visibility within the corporate goals and objectives, and define your cultural integration goals that make contingency strategies part of your everyday operations.
Service Level Agreements are used in daily operations to measure capacity and throughput expectations. Examples include how much capacity and at what times your business has telecommunications transmissions, or how many product orders are processed per day.
Defining the Contingency Service Level Expectations simply applies these same disciplines to your contingency implementation strategies. It is possible that the Contingency Service Levels would require the same or higher number of business-critical orders be processed each day, while the overall capacity of the mainframe is smaller due to "non-critical" business functions being placed on hold. Contingency Service Levels should also provide a clear understanding of recovery priorities, identifying when specific resources or business functions are expected to become available. This allows your front line Customer Service contacts to provide accurate information about when services will be resumed.
Note that your recovery sequence priorities may differ slightly from the business priorities in order to maximize the efficient use of recovery resources, or due to the time required to fully implement a specific strategy.
Asset Protection ensures asset and resource availability, business process integrity and hazard protection. Ensuring assets and resources is more than taking a backup to an offsite location. It includes contracting for alternate facilities or equipment, integrity protection, data security and virus protection, policies on protecting data within laptop computers, building entrance controls, material asset fire suppression and protection, personnel life safety protection, plans for a facility or regional evacuation, alarm systems, etc.
The next phase is dedicated to the planning, development, maintenance, and testing of your contingency reaction strategies. The Contingency Action Teams are your cornerstone for this effort. They assist in strategy development, process documentation and implementation integration into the corporate culture. There are a variety of ways to structure the function and composition of your Contingency Action Teams, but the best approach will follow the functional efforts and goals of your plan. Examples include Emergency Management (life safety and hazard protection), Damage containment and assessment, Decision management (when and how to initiate contingency strategies), Event management (contacting response teams, maintaining documents of damage assessments and decisions made, statements to the public media, etc.), Business continuity (moving to an alternate Data Center, alternate office space, etc.), and logistics (transition and relocated operations support).
Many of these activities may already be performed by areas within your corporation (i.e. Public Relations may already have Crisis management scripts), but would need to be pulled together into a planned reaction strategy.
Plans for Internal Components focus on the contingency procedures for a specific site, and will primarily use local personnel. These include the functions of damage containment and assessment, decision management, crisis management / public relations, and business continuity.
Plans for External Components focus on contingency / emergency action procedures involving agencies outside of the site, including emergency services, contingency vendors, and other company owned facilities.
Example procedures include having facility layouts for the fire and rescue workers, stored hazardous materials information, action steps and expectations for business contingency services vendors, programs for the short-notice shipment of equipment or supplies, action strategies for local and long-distance telecommunications carriers, plans for using other corporate resources, and transition logistics.
Once some strategies are adopted and procedures developed, Action Plan Exercise & Process Testing is essential. Contingency Action Team procedures and strategies are exercised to ensure they are current, realistic, and meet the service level expectations.
Automated protection systems and processes are tested for readiness and daily procedures that ensure asset and resource availability are audited for effectiveness.
Remember, this is a continuous loop by which the results of having exercised your contingency Action Plans will lead you to re-examine your understanding of the business and your internal contingency vision and goals. As our contingency planning industry continues to evolve, we’ll begin to see clearer definitions of "best practices" within each of these phases and sections.
Jeff Nicolet is Senior Contingency Analyst at American Greetings Corporation, President of the Contingency Planners of Ohio, and is participating in several consortiums to develop industry standards and best practices.
Disaster Recovery World© 1999, and Disaster Recovery Journal©
1999, are copyrighted by Systems Support, Inc. All rights reserved. Reproduction in whole or
part is prohibited without the express written permission form Systems Support, Inc.