All risk managers/business continuity practitioners put a lot of time and effort into developing programs and plans to avoid or mitigate risks. We put a lot of time and effort into developing response plans to recover from an event. Personnel are trained and plans are exercised, critiqued, and the plan adapted as necessary.
We know if something goes bump in the night, the well-trained staff will be able to maintain at least a minimum level of service while restoring the organization to business as usual.
What most of us fail to consider is the well-being of the responders.
I would like to borrow Norm Harris’ worst-case scenario. “There’s only one scenario,” I remember my mentor telling me, “and that’s when you go to work and there’s nothing there.”
Let me set the stage to introduce an often-overlooked subject: recovery-related policies and procedures.
Aren’t standard policies and procedures (P&Ps) sufficient? In a word, “no.”
Recovery P&Ps need to include, among other things:
- authorizations to purchase equipment
- communications with family
- family visits
- furloughs (pay, insurance)
- insurance assistance
- maximum allowable time before a required break
- per diem expenditures (lodging, food)
- record keeping (time, expenses)
- travel at the recovery site
- travel between “home” and recovery site
- work authorizations (if out-of-country)
The Whys of the Suggested P&Ps
Let’s look at each item and see why this scrivener thinks it’s a concern.
Authorizations to purchase equipment
Who is authorized to purchase hardware, software, and services at the recovery site? As with all things “business continuity,” there need to be at least two people authorized to make needed local purchases. No matter how well prepared, there always is something that is missing from the “go” bag.
Do different people have different limits? Can any responder charge something costing $5, $10, $20, or $50? What’s the limit and what is the process to exceed the limit? Who (by title) has to approve?
Communications with family
The responders need to talk to the folks left behind. While most of us now have cell phones and most cell phones have “free” long distance, there are those few who have avoided the opportunity to be available 24x7. There also are limitations to available minutes on personal cell phones.
Will the organization provide cell phones for common/shared use so responders can call home? Will the organization pay for “over-the-limits” cell usage on personal phones? What about calls from the lodging? Using the company switchboard or PBX to route calls from incoming “8**” numbers to home phones probably won’t be an option: if the building went away, the telephone switch went with it.
Family visits
If the recovery or work away from home will last for more than a couple of weeks, smart organizations will make arrangements for family visits or “home R&R.” Does the organization pay (in full or in part) for the responder to go home for a long weekend or for the responder’s family to come to the recovery site?
Just who is considered “family?” Traditional families? Nontraditional families? Immediate family members or extended family members (and how “extended” is “extended,” anyway)? If the responders are sharing quarters with other responders, will the organization pay or subsidize private quarters for the family reunion?
Furloughs (pay, insurance)
What about the folks who stay home? They lack any responder functions, but they need to be available when things return to normal. Will they be paid? Is it full pay or partial pay? Will they be forced to take unpaid leave or told to take vacation time? Will the organization continue the furloughed workers’ benefits? Are there any union considerations?
Will responder incidentals such as toiletries, laundry, and dry cleaning be reimbursed? Will receipts be required for all expenditures or only over a certain limit? Is the limit set on a daily, weekly, or monthly basis?
Insurance assistance
Typically, the employee handles all the insurance paperwork for the family. (Enlightened companies have HR staff who are insurance experts available all year long.) Should a responder worry that an insurance claim won’t get filed or paid while he or she is away from home? Or will the responder know there is someone close to home (e.g., an HR person) who can help deal with the insurance companies?
Will responders each have their own quarters, or will they be required to share space with other responders (and how many to a space)? Will managers have more space than rank-and-file? Who will make lodging arrangements? HR via a travel agency? Recovery-site managers? Individual responders (also see per diem)?
Maximum allowable time before a required break
There are Type A people who have to “do it all.” After about 36 hours, their ability to make decisions deteriorates, as does their manual dexterity. But these people won’t listen to anyone who tells them to take a break.
The organization has to set limits on the maximum number of work hours before an enforced rest period. I won’t suggest the rest period duration; I would think that the more stressful the job, the shorter the work period and the longer the needed break.
This is more than just getting the checks cut. It means assuring that the checks get to the responder’s family, either directly or through direct deposit. Consider that some left-behind family members have jobs, others are caregivers. Some are caregivers with jobs. Stopping their routines to collect pay normally collected by the employee spouse may not be a desirable option.
Per diem expenditures (lodging, food)
How much may be spent on food and lodging? Will per diem be the same as the GSA rates or GSA plus a percentage? Are personnel aware of the GSA rates (and GSA Web site with those rates)? Are the rates based on something other than GSA?
Record keeping (time, expenses)
What records must be kept and by whom (obviously responder time and all financial expenditures)? Are there forms to collect this information (where are they)? If they are only available online, they might not be available at all. Are there controls to prevent abuse?
Travel at the recovery site
How will local-to-recovery site transportation be handled? Rental vehicles? How many to carry how many passengers? A taxi (and are tips covered)? If recovery is performed in shifts, will a vehicle be needed for each shift?
Travel between “home” and recovery site
How will personnel travel to and from the recovery site? How many people can travel on the same conveyance, be it commercial carrier or private vehicle? If it is a commercial carrier, who will make the arrangements (individuals or HR via a travel agent)? How will the transportation be paid (personal or organization credit card, PO)?
Work authorizations (if out-of-country)
It’s probably the least likely of things to consider, but if the responder has to work out of the country where he/she has citizenship, can the person legally work at the recovery site? This could be a problem for a person working on a visa at the production site. If the person leaves the country, can that person return?
To Publish or Not – Opinions Vary
It’s this practitioner’s opinion that the business continuity P&Ps – in fact all P&Ps – should be published and distributed to all personnel. I know some practitioners who disagree with my thinking, believing that published P&Ps can tie the hands of management. Given the reasoning behind SOx and other “transparency” moves, perhaps an openness should be preferred.
John Glenn, MBCI, (JohnGlennMBCI.com) is an enterprise risk management - business continuity practitioner with more than 13 years’ experience; he invites comments on this article and others at his Web site to Planner@JohnGlennMBCI.com.