
 

Contemplate Crises When They're Still Theoretical: Emergency Response Plans Critical for Business Continuity
September, 2008



 

By Brett Reddock

Disasters do occur, and the impact can be both operationally and financially devastating. Yet many organizations and business owners are ill-prepared, or not prepared at all, to manage an event that can have a negative impact on the organization. Some startling findings include:
 
· 93% of companies that experience a disaster without a recovery plan close within five years.
· 50% of companies that lose critical business systems for more than 10 days never recover.
· A recent Gartner Group study found that 70% of companies that suffer a major IT disaster, without a suitable recovery plan in place, collapse within the next year. Of those that do survive, only 10% make a full recovery.
· 89% of corporate executives believe that some crisis is inevitable, but 50% of that group admitted to having no plan in place to deal with a crisis.
· Of the respondents whose company had experienced a serious crisis, 42% still had not developed an Incident Plan.

Perceived complexity and conflicting plan terminologies could pose some obstacles to preparedness. The various plans to mitigate, sustain and speed recovery from an incident tend to have different names, resulting in a somewhat confusing number of acronyms. However, the process can be simplified.
 
Disaster Recovery Plans (DRP) currently refer to the recovery of IT services, while Business Recovery Plans (BRP) tend to be a subset of the DRP and include the recovery of IT and all other aspects of the business, such as human resources and finance. Business Continuity Plans (BCP) are a more holistic approach to BRPs that takes into account the assessment of vulnerabilities that can cause further business losses - such as poor security practices and incomplete or nonexistent corporate policies and procedures.

An Emergency Response Plan (ERP) amalgamates all the elements of the previously mentioned plans, plus considers evacuations, security, medical care and support. Fittingly, this also tends to encompass the everyday practice, functions and responsibilities of property owners and managers.

DEFINE PURPOSE CLEARLY

The most important thing in developing a plan is to be very clear about how the plan will be used, by whom, for what purpose, and under what circumstances. In preparing a plan, consider the following:

· Executive leadership buy-in and support is required. This helps ensure effective and timely completion of the plan and ongoing resources to maintain the plan. An effective plan must be embraced by the corporate culture, and that starts with the organization's leadership.

· Developing a plan and eventually adopting mitigation strategies requires access to corporate financial resources - not necessarily exorbitant amounts of money, but some nonetheless - as well as human resources to assist in the development of the plan. If the plan is sanctioned and supported by corporate leadership, the required resources are more likely to be made available.

· The plan is the initiation of a program within the organization or at the property. The plan is a living document that should not be stored away on a shelf somewhere and only taken out in the time of crisis. The plan should be regularly reviewed and updated, and the strategies tested.

· Plans don't prevent or always account for everything - another reason why they are living documents. As risks, vulnerabilities and the business environment change, and new lessons and experiences are gained, the plan should also evolve.

DEVISING THE STRATEGY

Developing a plan involves a series of steps.

1. Conduct an assessment of the risks and vulnerabilities to which the company and/or property is exposed. Some factors to consider are:
· People
· Business processes 
· Man-made and natural
· Vendor and third party
· Criminal
· Administration
· Legal requirements/compliance
· Reputation

2. Conduct an impact analysis. This step is the process of weighing the identified risks and vulnerabilities against the tolerance capabilities of the organization's essential business functions. The process includes:
· Identifying essential functions and business units of the organization
· Understanding the failure thresholds of the essential business units
· Highlighting the minimum downtime and recovery period of the essential business functions

3. Identify, explore and institute a series of mitigation strategies and programs to reduce the impact of an emergency/disaster on the organization. When adopting strategies consider the following:
· Essential services that will have the greatest impact on continued business if they are not available or disrupted
· Acceptable and/or unacceptable risk and vulnerabilities
· Resources currently existing within the organization
· Currently absent business processes that can be instituted
· Available equipment and external resources

4. Develop a series of response protocols to outline what actions are to be taken, when and by whom, to address and further mitigate the impact of an emergency/disaster - including the continuity and recovery of business services as the event unfolds and when it ends. When preparing response protocols, keep in mind the following:
· Keep the assignment of tasks to persons who may normally carry out a task - i.e. don't have a security person do an accountant's role, unless resources are limited
· Ensure people are fully trained and aware of their responsibility
· Identify any task thresholds/time minimums and/or maximums
· Organize the tasks by: Command (who will oversee the response and render support to this person and/or team); Control (what resources and when must they be available to help contain and slow down the evolution and impact of the event); and Communication (how, when and what will be communicated and to whom, as well as available tools and methods that will support effective and timely communications)
· The first 72 hours following an incident will be the most important in response and recovery efforts. The most important hour is the one immediately following the realization of the incident.

TEST & UPDATE

Once the plan is completed, carry out a test of what has been documented - i.e. specific response protocols, telephone lists and equipment. The most common test is a tabletop exercise where team members meet - normally in a boardroom-type setting - and re-enact and recite the steps and tasks to be carried out as identified in the plan. This method is best carried out against the backdrop of a sample event. Lessons learned from this exercise should be tracked, and the plan updated to reflect the lessons gained.
 
A maintenance and upkeep program should also be developed to ensure the plan is regularly reviewed and kept up to date. Include this program as part of the existing equipment maintenance and inspection schedules.

Brett Reddock is the President of RKG (REDD KNIGHTS GROUP INCORPORATED), an advisory firm specializing in providing standards-based and defensible solutions for the protection of people and assets. He has a Masters in Science (M.Sc.) in Risk, Crisis and Disaster Management and is Co-chair of BOMA Toronto's sub-committee on emergency management. He can be contacted at 647-435-4437 (ext 222) or at breddock@reddknightsinc.com.

 

 

 


 

 
 
 
 
Copyright © Canadian Property Management. All rights reserved.  

 


 