We all know the famous phrase “no man is an island.” The same holds true within every organization. No function stands alone.
Every organization – commercial endeavor, nonprofit, and government agency – needs a business continuity plan. Businesses must make a profit to stay in business; non-profit and government agencies must meet their mandates to sustain funding.
While we have been concerned with business functions and IT, we have tended to ignore the other support services such as human resources, accounting, purchasing, shipping, and others, which contribute to the daily operation and sustainability of the organization as a whole, albeit in the background.
Even with a minor hiccup in the IT operations, assistance may be required from several other departments – purchasing to order a replacement part, shipping and receiving to accept it, accounting to approve payment.
Now imagine a major disaster event that makes the facility uninhabitable.
Suddenly the organization needs to:
• Look for temporary facilities while the original facility is restored, and delegate staff to perform the following tasks:
• Find suitable space; who knows what “suitable space” means
• Meet with facility inspection people, typically municipal building department staff to determine if the building is safe; what needs to be restored, if the building be restored on site or have local laws changed and now prohibit building
• Contract with clean-up crews
• Contract with architects, builders, etc.
• Handle employee relocation to new facilities – housing, transportation, meals
• Assure the families of distant workers have their needs met in the absence of the employee
• Establish work-around mechanisms and replenish work-around tools
• Acquire office supplies and furnishings
• Contract with printer suppliers for forms
• Arrange for the replacement or refurbishing of desktop equipment and supplies
• Replace damaged hardware
• Write the specifications; are they for replacement equipment or updated equipment
• Send out urgent RFQs
• Approve the budget
• Approve the purchase
• Receive the resources; where, and via what method
It may seem to some that the only people who need to be involved in the business continuity plan are business function managers and the IS/IT executives, but none of these people have the skills or personnel to do everything that may be needed in the event of a major disaster condition. We should also mention that existing employees will be very busy trying to maintain contact with clients, and provide a minimum level of service, and may not have the time or ability to provide recovery support.
In addition, the CIO or CEO of the company may not be aware of specific requirements in remote areas of the organization. For example, the janitor may have dangerous cleaning fluids and chemicals stored in an inappropriate manner, or he may have specific regulations to follow in the disposal of garbage. And certainly, he should be aware of new requirements in the case of a disaster – the site must be kept secure and nothing should be removed until all inspections, insurance, police, fire, etc. … have been completed.
For the record, and for the purposes of this article, a disaster is an event which seriously injures or kills people, or that contributes to the failure of an organization. A disaster event or disaster condition is an event or condition that interrupts normal operations.
• A tornado which destroys a manufacturing facility can be a “disaster event” providing:
• (a) There are no serious injuries or death and
• (b) The operation continues to meet a minimum level of service to maintain its client base.
Do all of these people need to be on the “disaster recovery” or “business continuity” teams?
In a small organization, possibly.
In a large organization, each department should be represented on each team.
No one can be aware of all the risks all the time.
We live and work in niche environments. Rarely will you find an administrative assistant on a factory floor or a production line employee in the executive suite. The night security patrol sees empty offices, while the day guard, if any, sees personnel at work.
It would be nice to write “things were safer before Sept. 11, 2001,” but they really were not.
Ever since there have been vehicles, there have been people using them to attack their neighbor. Does the Trojan Horse ring a bell with anyone? How about the Murrah Building in Oklahoma City?
Risk awareness is more than the myopic view of simply considering risks to processes, the way most planners have been doing for years. Risk awareness needs to expand beyond our small work unit, to our complete work environment. That means being aware of things that are “out of synch” with the norm.
Are rental trucks normally parked by the building? If not, it might be worth telling security.
“In most ... situations there are often, but not always, early warning signs that trigger a state of alert before there is a specific alarm,” said Jim Burtles, FBCI, OLJ.
Bomb threats, of course, are not the only reason for awareness training.
Awareness also means knowing the normal sounds and smells; the odor of something burning can lead an alert person to a fire that easily can be extinguished before a spark turns into an inferno. Awareness also includes the establishment of reporting mechanisms so that all employees know how to report a suspicious or inconsistent event. It is also important to audit the process on a regular basis to ensure each and every event of this nature is acted upon in the best possible manner.
Often overlooked in “the plan” is personal safety – for employees and for clients of the organization.
True, most planners check for exits, fire extinguishers, alarms, and appropriate signage. We even include “Call 911” in the plan.
That is not enough.
There were emergency exits on the roof of the World Trade Center towers. The exits were of no use since rescue helicopters were unable to land due to smoke, updrafts, and obstructions.
Exits must be checked for accessibility and ease of egress. Safe-rooms – hardened areas within a building – deserve consideration but their accessibility also must be carefully checked.
Employees with mobility or access problems must be considered. What about a person in a wheelchair? Is the exit wide enough? Are there obstructions – step up/step down? Once outside, is there a hard path away from the building to a safe area – a path that remains hard even when wet? Is the exit checked regularly for signs of deterioration that could place an employee at risk?
Finally, where should people go to get away from danger? Are there primary and secondary assembly areas? Are there blast barriers to protect people from flying debris? Getting to a safe area is one time when a straight line may not be the best route.
Everyone in an organization – and some outside the organization – can contribute to organizational safety (risk identification and elimination, business continuation and disaster recovery). In order to be efficient and effective, everyone needs to be empowered, to know they have a role to play and to know that what they do is of benefit to both the organization and themselves.
All hands plans, with related awareness training (in conjunction with business continuation and disaster recovery team training), can go a long way to enhancing an organization’s survivability.
Judi Besharah, CBCP, is a Certified Business Continuity Planner and the vice chair of the Certification Committee for DRI Canada. She resides in Nova Scotia, Canada, and can be contacted at firstname.lastname@example.org.
John Glenn is a certified business continuity/disaster recovery planner. He has been involved with business continuity planning since 1994. You may contact him at JGlennCRP@yahoo.com.