Cover Page i THE DISASTER RECOVERY HANDBOOK A Step­by­Step Plan to Ensure Business Continuity and Protect Vital Operations, Facilities, and Assets MICHAEL WALLACE and LAWRENCE WEBBER Page ii Special discounts on bulk quantities of AMACOM books are available to corporations, professional associations, and other organizations. For details, contact Special Sales Department, AMACOM, a division of American Management Association, 1601 Broadway, New York, NY 10019. Tel.: 212­903­8316. Fax: 212­903­8083. Web site: This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional service. If legal advice or other expert assistance is required, the services of a competent professional person should be sought. Library of Congress Cataloging­in­Publication Data Wallace, Michael The disaster recovery handbook: a step­by­step plan to ensure business continuity and protect vital operations, facilities, and assets/ Michael Wallace and Lawrence Webber. p. cm. Includes index. ISBN 0­8144­7240­0 1. Emergency management—Handbooks, manuals, etc. 2. Crisis management—Handbooks, manuals, etc. 3. Computer security—Handbooks, manuals, etc. 4. Data protection—Handbooks, manuals, etc. 5. Data recovery (Computer science)—Planning—Handbooks, manuals, etc. 6. Business planning—Handbooks, manuals, etc. I. Webber, Lawrence, 1954­ II. Title. HD49.W36 2004 658.4’77—dc22 2004003905 © 2004 Michael Wallace and Lawrence Webber. All rights reserved. Printed in the United States of America. This publication may not be reproduced, stored in a retrieval system, or transmitted in whole or in part, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of AMACOM, a division of American Management Association, 1601 Broadway, New York, NY 10019. Printing Number 10 9 8 7 6 5 4 3 2 1 Page iii DEDICATION/ACKNOWLEDGMENTS Michael would like to dedicate this book to his lovely wife Tami, whose faith and support made this book possible. Michael would also like to make a dedication to his mentor and former teacher George Jenkins. George has been a great teacher and a good friend. Our special thanks to John Hiatt, who helped us start this project, and to Marilyn Allen, who never gave up on us. Thanks to Christina McLaughlin who helped us to make this a better book. Thanks also to Chuck Carlos, Mike James, Gregory Pinchbeck, Dan Holt, Tim McDaniel and Michael Noel for providing insight into disaster recovery planning from their unique points of view. Tim provided much of the material in Chapter 19—Health and Safety. Page iv This page intentionally left blank Page v CONTENTS Foreword ix Introduction xi THE PLAN This section shows you how to get started with the nuts and bolts of developing your disaster recovery plan. PART 1 CHAPTER 1 Getting Started: Overview of the Project 3 Some companies live and breathe proper project planning and the methodical construction of business processes. A team made up of the right people using proper project management processes will help ensure the success of your disaster recovery project. CHAPTER 2 Risk Assessment: Understanding What Can Go Wrong 29 A risk assessment is the key to your disaster plan. It identifies what risks you need to address. It breaks your risks into five layers ranging from natural disasters down to a crisis at your desk. CHAPTER 3 Build an Interim Plan: Don’t Just Sit There, Do Something Some projects are like a bad lunch—they never seem to go away. What can I do until the plan is completed? This chapter identifies actions that you can do today to assemble a useful interim plan to provide some initial protection. Everything you do here is needed in the final document. If you read no other chapter, at least read this one. 69 Page vi CHAPTER 4 Emergency Operations Center: Take Control of the Situation 87 In the event of a disaster, there must be a single place where people can call to report problems and find out what is going on. We will describe the sort of things required in an emergency operations center (sometimes called a “war room”), and how it might run. CHAPTER 5 Writing the Plan: Getting It Down on Paper 115 Here is where we lay a bit more groundwork for the plan. We establish a standard format for the documents and explain what needs to be included—and excluded—from a plan. CHAPTER 6 Testing: Making Sure It Works 129 A plan is a wonderful thing but until it is tested and debugged, it should not be relied upon. Testing can be formally done or can be incorporated with other maintenance activities. In either case, the results of using a plan should be recorded. Testing a plan is an excellent way to familiarize your team with your plan and to gain their ideas on improving it. THE ASSETS This section discusses the various assets most firms have to protect and tells you want you need to know to make sure they’re covered in your disaster recovery plan. PART 2 CHAPTER 7 Electrical Service: Keeping the Juice Flowing 143 It is hard to imagine work without electricity. We use it constantly at home (if for nothing else but to keep the clocks on time). We use it all day at work. We have all also experienced the effects of a power outage. What should our workers be doing if the lights go out? CHAPTER 8 Telecommunications: Your Connection to the World Few companies can quickly walk or drive to their customers’ or suppliers’ sites. Telecommunications makes coordination between companies quick and easy. It provides a medium for fax messages and also provides the data communications lines. How long can your company run without it? 163 Page vii CHAPTER 9 Vital Records Recovery: Covering Your Assets 183 There are many documents essential to your company’s operations, such as invoices, checks, software licenses, receipts, and on and on. Some of these documents you must safeguard to meet legal and regulatory requirements. What if, what if, what if . . . CHAPTER 10 Data: Your Most Irreplaceable Asset 211 Data is one asset that cannot be easily replaced. No one else has the same data you do. What are the unique issues encountered when planning for data processing recovery? CHAPTER 11 Networks: The Ties That Bind 223 Years ago, we used overnight batch programs to generate mounds of paper. Today we view our data in real time. We check inventory levels, the status of customer orders and many things we take for granted. This is all made possible by a very complex system called a data network. Lose this and it’s back to piles of last night’s reports for answers! CHAPTER 12 End­User PCs: The Weakest Link 237 The personal in personal computers means that many people can develop tools to make their job easier. Along with these tools is data. Lots of company data. If it is useful, then it needs to be backed up. PCs are also a source of virus attacks on your company. CHAPTER 13 Customers: Other People to Worry About 251 Customers have their own problems. In a time of lean inventories, they cannot tolerate a very long delay in getting their materials or their own efforts will enter a crisis. So if they hear that you have had a disaster, might they shift their orders to someone else? This is even more of a problem if the fire was in your offices and you have a warehouse full of goods that need to be sold. CHAPTER 14 Suppliers: Collateral Damage Suppliers extend credit to you in the form of goods. Their terms may be 30, 45 or 60 days. If they hear of a disaster, they may fear that your company will become insolvent and cease all shipments to you. They need to know the facts. You need to tell all of them. 259 Page viii PREVENTING DISASTER This section discusses threats to your organization and how to include mitigation plans in your disaster recovery plan. PART 3 CHAPTER 15 Fire: Burning Down the House 275 A thorough understanding of fire safety systems can help you to evaluate your company’s existing safeguards to ensure they are current, adequate and focused on employee safety. CHAPTER 16 Human Resources: Your Most Valuable Asset 295 Your Human Resources department has an important role to play in Business Continuity Planning. Major business emergencies are very stressful events. From a business perspective, stress reduces the productivity of the workforce. The Human Resources department ensures that the “people side” of an emergency is addressed for the best long term benefit of the company. CHAPTER 17 Backups: The Key to a Speedy Recovery 317 Making backup, or safety, copies of your vital computer files is a common business practice. They are made to speed the recovery of a failed or damaged computer system. Are you sure that they will work when you need them? CHAPTER 18 Virus Containment: High Tech Pest Control 333 Unfortunately, new computer viruses regularly make the rounds of our far­flung data networks. This plan lists steps for implementing a virus containment and remediation plan. CHAPTER 19 Health and Safety: Keeping Everyone Healthy 351 This should already be in place at your facility. Get a copy from your building security folks. Check it against the list we have here to see if all of the bases are covered. The safety of your workers is your number one concern. CHAPTER 20 Terrorism: The Wrath of Man 365 While not a new phenomenon, terrorism is making the headlines. Even if your organization is not a target, you can still be shut down even if you’re an innocent bystander. Appendix 377 Index 383 About the Authors 397 Page ix FOREWORD Few of us question the importance of having insurance, yet too often businesses fail to consider a Business Continuity Plan as invaluable protection against disasters. If you have delayed starting your business continuity plan because you think it will be too complicated, too costly, or too time consuming—or because you simply aren’t sure where to begin, The Disaster Recovery Handbook will provide the resources you need to get your plan up and running. Everyone, regardless of experience, can benefit from the authors’ insights and common sense tips in creating and updating viable business continuity plans. Down to earth, easy to read, and wonderfully (even surprisingly) interesting, this comprehensive “how­to” manual guides you step by step. The authors’ sequential and logical approach takes what can be a daunting challenge and breaks it down into manageable pieces. Michael Wallace and Lawrence Webber’s combined expertise pulses from the pages, as their relevant, real­life examples clarify the subject matter and bring home the topics to us. As you progress through the book, you’ll find your questions have already been anticipated and answered. Loaded with examples, references, statistics, and guidelines, the text addresses every detail. Through our business, Fireproof Records Center, which specializes in information management, business continuity and disaster recovery, we have Page x had the good fortune to have met and worked with Michael Wallace. He has been a keynote speaker at numerous seminars we sponsor, and we refer clients to him on a regular basis. We asked Michael what prompted his collaborative work with Lawrence Webber. He told us their search for reference material turned up significant information aimed primarily at people working in information technology—but nothing that covered all of the business processes for small and medium sized companies. So they joined forces to fill that need by sharing knowledge and insight gained from their unique and considerable experiences. At Fireproof, we think companies can never be too prepared—especially when it comes to business continuity. We are pleased that such a valuable tool has been developed by these highly qualified authors. If you can add but one reference to your corporate library, it should be this handbook. Michael James CEO Fireproof Records Center Page xi INTRODUCTION THE DISASTER RECOVERY HANDBOOK:A Step­by­Step Plan to Ensure Business Continuity and Protect Vital Operations, Facilities, and Assets, is designed to provide proven processes and techniques to help you develop a disaster recovery plan to protect your business in the event of a disaster. A disaster can mean anything from the loss of a critical machine to a natural disaster destroying your entire facility. Anything that can cause a disruption in the normal operation of your business can be a disaster. Without careful planning, most organizations do not survive a major interruption in the operation of their business. Business Continuity Plans are really nothing new to your life. They are grounded on basic actions you take on a daily basis. In fact, these actions are considered so normal that you probably don’t even think about why you do them. These actions fall into three general classes: mitigation, avoidance, and transference. MITIGATION is something you do to reduce the likelihood of occurrence or the amount of damage caused by an event that you could not avoid. AVOIDANCE is something you do to steer clear of an event. TRANSFERENCE is to shift your risk of an uncontrolled event to a third party. Page xii For example, if you owned a grocery store, you could mitigate the slowdown in business due to a snowstorm by buying your own snowplow to clear your parking lot. You avoid all damage from a snowstorm by moving your business to the Bahamas. You can transfer the risk of financial loss from your roof collapsing from too much snow by purchasing insurance. You practice risk avoidance, mitigation, and transference in your daily life. For example, take the car you drive. It has a spare tire and a car jack in it to mitigate the amount of time lost and cost due to a flat tire. Instead of the expense and time involved in calling a tow truck, you can change the tire yourself and return to the road for a drive to the repair shop. If you did not believe there was a possibility of a flat tire, you would have long ago removed the spare and jack from your car to save weight and get better gas mileage. Therefore, you believe that you cannot avoid a flat tire, but have devised a way to reduce its inconvenience. Throughout this book, we will frequently use the term Business Continuity Planning. In recent years, variations on this theme have included Business Recovery Planning and Disaster Recovery Planning. Strictly speaking, in the recovery business jargon, we will be detailing a Business Continuity Plan because it will handle any disruption to the normal operation of your business. We occasionally use the term disaster because, in data processing or business recovery planning, it is the more common term. We also use it because our plan will encompass everything from large natural events to smaller day­today inconveniences. The terms we will use and their meanings include these: Disaster Recovery Planning (DRP). The actions you would take to recover from a disaster. Includes the planning steps to avoid risks, to mitigate them, or to shift the risk to someone else through insurance or other means. DRP is applicable to all aspects of a business but usually used in the context of data processing operations. Business Recovery Planning (BRP). Takes Disaster Recovery Planning one step further and includes efforts by the rest of the company’s operations including customer and supplier relations to recover from the problem. Business Continuity Planning (BCP). These are plans that allow your business to function at possibly a reduced level during and immediately after an emergency. The goal of this book is to show you a systematic approach to analyzing your business situation and building written procedures for avoiding prob­ Page xiii lems or reducing the damage should they occur. These concepts apply equally to offices, factories, hospitals, hotels, transportation companies, and even your home. As we progress, you will see how in many areas you already practice disaster planning but never tied it all together into one big picture. Many firms have what we call the “resident expert.” This is the person everyone turns to when problems occur. Usually through sheer longevity in their current position, this person has amassed a wealth of information (but poorly documented) on how things really work. A good start to a business recovery plan is to simply document what this person has in their head and in notes scattered within their files. A common misconception of disaster planning is that we are out to build a know­all book of what to do when the great flood hits again. That is not our goal. Your final disaster plan will consist of a series of smaller plans to address specific issues (such as a loss of cooling in your telephone switch room). Additionally, there will be a section on natural hazards and how they will be dealt with. Some of these specific plans may only be a few pages. In the telephone room air conditioning example, we are not going to write a manual on repairing cooling systems. The plan should explain what to check before calling the technician and actions you might take to cool the room until the technician arrives. The plan documents who the contracted technician is, how to contact them, what sort of service agreement you have with them, etc. DO I REALLY NEED TO DO THIS? Disasters happen much more often than people realize. The big things that end up on the evening news are not frequent, but there are a multitude of smaller disasters that can do just as much damage. Things like computers failing, water leaking on paper files, a labor problem causing equipment to mysteriously malfunction, etc. It not a question of if something will happen, but when it will happen. Unless you can answer yes to all the following questions, you need this manual to help you develop your plan to survive a disaster: 1. Do you know how long your Uninterruptible Power Supply (UPS) will power your equipment if the electrical grid fails? Do you know which equipment can be shut down first? Page xiv 2. Do you know where you can get critical supplies if your primary supplier has a problem? 3. Do you know the location of all your software licenses? 4. Do you have a plan to contact customers to make sure they don’t immediately go to competitors if they hear you’ve had a disaster? 5. Have you tested your backups to ensure you can restore critical data? What about any custom applications? Is your backup software up to date? 6. Do our employees know who to call if they see on the news that your building had a fire? 7. Do you know what to do if a backhoe cuts your telecommunications cables? 8. Is your virus protection up to date? 9. Can you name the location of your warranty information, registration codes, and CD keys for all your hardware and software? 10. Do you have a plan for using alternative equipment until you can restore or replace your production equipment? These issues and more are covered in this manual. Although you can’t always prevent a disaster, you can have a plan in place to ensure that it doesn’t put you out of business. According to several recent surveys, almost 50% of all businesses that suffer from a disaster and do not have a disaster recovery plan in place never reopen for business. WHAT THIS MANUAL WILL DO FOR YOU No two organizations are alike, but many share some basic elements such as facilities, important documents, computer systems, and personnel. This manual defines the common threads that link all business operations, providing for a variety of situations—not as a “one size fits all” model, but instead as an updated guide and decision­ making reference that can help you devise a disaster recovery program tailored to the needs of your organization. Page xv The Health Insurance Portability and Accountability Act of 1996 requires any organization that processes health record information to have a documented disaster recovery plan. This includes hospitals, nursing homes, medical centers, doctor’s offices, pharmacies, and medical laboratories. ORGANIZED FOR QUICK ACCESS For fingertip access to the information you need on disaster recovery planning, this ready­reference desk­side manual is organized to help you find what you need quickly and easily. You or your staff can use the book itself as a model or a template to create similar documents for your own organization. The book consists of three major parts. Part 1: The Plan, details the steps you need to take to develop your plan; Part 2: The Assets, describes the various assets that drive your business and the steps you should take to protect them; Part 3: Preventing Disaster, gives you the information you need to help mitigate threats to your organization. “Simplicity is the ultimate design.” Often, a dearth of forms is included in disaster recovery handbooks, but this manual provides a multitude of forms that can jump­start your disaster recovery planning process. All the forms discussed in the book are included on the CD­ROM, so that you can quickly and easily put them to use. As an operation grows in complexity, the challenge to keep it running smoothly grows, and thus the need for a formal system of operations becomes a necessity. A disaster recovery plan can greatly improve your understanding of how the organization really works. Organizations that have a formal disaster recovery manual in place are noticeably more efficient. To build our plan, we will repeatedly ask the following questions: What are my critical assets? What are the risks to these assets? How can I reduce the likelihood of a threat occurring? How can I minimize the damage if it is unavoidable? What does the team do when it happens? Where can I find information on this to develop my plan? Page xvi ADDED STRATEGIC VALUE The real benefit of a Business Continuity Plan is how it forces you to look at the weaknesses in your business tools and processes and to strengthen them before a tragedy occurs. The analysis required in developing your plan will help you to better understand your business, and it almost invariably uncovers inefficient or unnecessary activities within the organization. A well­designed plan can also increase your competitive edge as part of the overall value chain. Many companies have reduced their in­house inventories and therefore require reliable suppliers to keep their own operations running. The more reliable your operation is, the higher your delivery credibility will be. This may be a distinct advantage over your competition; or they may already be at that level and you need to raise your delivery credibility just to stay in business. (This implies you should also check out the Business Continuity Plans of your key suppliers—especially if they deliver to you “just­in­time”). The Disaster Recovery Handbook: A Step­by­Step Plan to Ensure Business Continuity and Protect Vital Operations, Facilities, and Assets is a compilation of disaster recovery processes—the best practices within the industry—in current use. This manual is a process development tool that any seasoned business manager, working in a large or small organization, will find useful. SAVING YOU TIME To make the manual even more valuable, a CD­ROM is included, containing the manual’s forms and text. Use the included forms as a starting point for developing your own, by importing it into a word processor on a PC. Of course, you can also make needed changes and post the forms on a local area network or even on a company intranet site. In addition to this book, there is a wide range of help available for building your plan. Help is available from local and federal governments, from emergency agencies, from trade organizations, and on and on. Appendix A will give you a start in finding resources in your area. Whatever format you use to publish your plan, a well­designed disaster recovery plan will help ensure that your business is prepared to deal with whatever may happen in the uncertain world in which we live. Out of the blue? We all shared in the tragedy of New York City on September 11, 2001. Yet while many dedicated rescue workers were struggling to save those people that they could, the Business Continuity Plans for the com­ Page xvii panies affected immediately kicked into high gear. The disaster not only involved the World Trade Center, but many of the surrounding office buildings were also severely damaged. Traffic to that part of the city was cut off. Even if your business was several blocks away, the confusion and rushing of rescue equipment severely interrupted your workflow. Were you affected by this attack? Would your company have survived if it was in one of these buildings? Page xviii This page intentionally left blank Page 1 PART ONE THE PLAN Page 2 This page intentionally left blank Page 3 CHAPTER 1 GETTING STARTED Overview of the Project Nothing is impossible for the man who doesn’t have to do it himself. —A.H. Weiler INTRODUCTION Building a business continuity plan is much like any other business project. A formal project management process is necessary to coordinate the various players and company disciplines required to successfully deliver the desired results of the project. This chapter is a review of the process you should follow to successfully build your project plan. It will give you a high­level roadmap of what you should expect as you prepare to lead a business continuity project. A sample project plan is included on the CD­ROM accompanying this book. Adapt this chapter and the project plan to fit your business goals, company timeline, and the scope of your project. Most projects tend to run in a well­defined sequence. For example, to build a new house, first you clear the land, then build the foundation, then build a floor, etc. Many things cannot begin before the previous step has been completed. A business continuity plan project is a bit different; in its early stages most actions logically follow each other, but once the basic elements are in place, the project bursts out into parallel tracks as each department documents their own areas. How you proceed in your company is of course determined by your corporate culture, the resources you have to work with to complete the process, and the level of visible support from the project’s sponsor. Most business continuity projects follow these steps: Page 4 1. An executive within the organization decides that a business continuity plan is needed. This might be due to an auditor’s report or the result of a business disruption that was more painful than it would have been if a plan had been in place. Or it could be that an alert employee realized that a good plan did not exist and brought this to the executive’s attention. This executive normally becomes the sponsor for the project. 2. The first (and most important step) that the sponsor takes is to select someone to lead the project. This person is most often called the Contingency Planning Coordinator and is responsible for the successful completion of the project. 3. The project sponsor and the Contingency Planning Coordinator meet to clearly define the scope of the project, the project timeline, and expectations. The Contingency Planning Coordinator must be comfortable that the resources available are adequate to meet all the objectives of the project. 4. The Contingency Planning Coordinator selects the team that will work together to complete the project. Both technical and political considerations are important in selecting a team that can successfully develop a workable business continuity plan. 5. The Contingency Planning Coordinator together with the team now develops the project plan to be used in managing the project. Tasks are identified and assigned, task durations calculated, and activities are sequenced as the project plans are developed. 6. The project plans are executed. The Contingency Planning Coordinator oversees the project as the plan unfolds; keeping everyone focused on completing their tasks, and ensuring that milestones are met and that important stakeholders are kept informed as to the project’s progress. It is here where the actual continuity plans for the organization are created. 7. Once the business continuity plans have been developed and tested, the Contingency Planning Coordinator closes the project by making sure that everything was documented properly and handing the project results over to the individual(s) responsible for keeping the plan up to date. Each affected department will normally have someone responsible for keeping their portion of the plan current. A report is also generated for the sponsor recapping the project and documenting lessons learned. Page 5 In many organizations, the job of Business Continuity Plan Project Manager is not taken as seriously as it should be. Management in these organizations only wants you to write something, anything to make the auditors go away. That’s OK because as you build the plan, and as they begin to see the benefits, their interest and support will grow. If your management wants you to build a superficial plan, then don’t stop until you have at least finished Chapter 3. It won’t take you very long, and they’ll think you’ve written a super plan. A project plan organizes the team to focus their skills on specific actions to get the job done. This respects their time and brings the project to a prompt but successful solution. INITIATING THE PROJECT Every project starts with a sponsor. A sponsor should be a person with enough organizational influence to give the project credibility, financing, and strategic direction. They should also be in a position to ensure the willing cooperation of other departments and to ensure that the project is adequately funded. Building a business continuity plan in many cases involves changing people’s attitudes and some of their tried­and­true business processes. Business continuity planning is a logical step toward mistake­proofing a business. So, to suppress the reluctance to change or even participate in the project, it is important for the sponsor to be of sufficient stature as to overcome objections before they are raised. Ideally, the sponsor is the company’s CEO, or the Vice President in charge of the local facility. However, sometimes it is a department manager who realizes that something must be done. Whoever assumes this role, they must remain involved with the project throughout its lifetime. As the sponsor’s interest fades, so will the interest of your team. Find out why they want to sponsor the project. It will tell you how much support to expect. In some cases, the sponsor honestly believes the project is a good idea and is personally interested in seeing it is completed. In other cases, they were required to start this project due to an auditor’s citation of a poor business practice. In this situation, they may only want the minimum recovery plan to satisfy the audit citation. Spend some time early in the project digging out what is motivating them to support this project. By understanding what motivates Page 6 the sponsor, you can gauge how much time and money will be available to you. It is also possible for you to educate the sponsor on the many advantages in having a well­written company­wide plan. The sponsor’s first task is the selection of the Project Manager, usually called the Contingency Planning Coordinator. In most companies, the cynics say that if you raised the issue, then the job is yours! This isn’t a bad way to assign projects because only the people who believe in something would raise the issues. Still, the selection of the right Contingency Planning Coordinator will help make this project a success and the wrong one will make success much more difficult to attain. The sponsor has the additional duties of approving the plan’s objectives, scope, and assumptions. The sponsor must also obtain approval for funding. THE CONTINGENCY PLANNING COORDINATOR The selection of the person to spearhead this project is the single most important part of building a plan. The Contingency Planning Coordinator should be someone who can gain the willing cooperation of the team members and their supervisors. To help ensure the support of everyone in the organization, the Contingency Planning Coordinator should be publicly assigned to this task with the sponsor’s unqualified support. This is essential to overcome internal politics and to let everyone know that their assistance is important and required. As the project moves forward, regular public displays of support are required if the project is to result in a complete and usable plan. Form 1­1 on the CD­ROM is an example letter appointing the Contingency Planning Coordinator. Some sponsors begin a business continuity project by hiring an outside consultant to build the plan. This can be a good way to get the project started and to mentor someone in the organization to assume the Contingency Planning Coordinator position. Generally speaking, it takes more effort and expertise to organize and develop the plan than it does to administer it. As the plan is built, the consultant can teach the Contingency Planning Coordinator the ropes. Understand that even though the consultant is guiding the project, the consultant should not assume the role of Contingency Planning Coordinator. Every company, every facility, every computer site is unique. The actions necessary to promptly restore service are the result of the key people at each site writing down what to do and how to do it. Outside consultants can provide considerable insight into the basic services (electrical, telephone, water, data Page 7 processing) but lack in­depth experience at your company. They don’t know your business processes. They don’t understand the pulse of your business and what its key elements are. Building a solid plan will take a lot of time. An experienced consultant working with an internal Contingency Planning Coordinator can help move the project along quicker. The Contingency Planning Coordinator is also the logical candidate to become the plan’s ongoing administrator once the initial project is completed. This person will be responsible for keeping the plan relevant and current. Writing a plan and then filing it away is a waste of money. Whoever builds the plan will be intimately familiar with it. They can easily continue responsibility for maintaining it and teaching others how to keep their portion of it current. Using an outside consultant as a Contingency Planning Coordinator raises the possibility that no one has internal ownership to ensure it is updated and tested periodically. The plan must be kept up to date if it is to be useful when it is needed most. As the plan administrator, the Contingency Planning Coordinator will ensure that as new equipment enters the building, as new products are rolled out, as new business processes are implemented, they are reflected in the Business Continuity Plan. The Contingency Planning Coordinator also schedules and evaluates the ongoing testing of the plan by department, or by a specific threat, such as the loss of electrical power, to ensure it works. Once the plan is written, the Contingency Planning Coordinator’s role will evolve into ensuring the plan is an integral part of the company’s ongoing operations. No new company process or piece of equipment should begin operation until the mitigation and recovery plans have been tested and approved. SCOPE OF THE PROJECT One of the first tasks the Contingency Planning Coordinator must perform is to come to an agreement with the project sponsor as to the scope of the project. The scope of the project defines its boundaries. It identifies what is included in the project and what is not. If the project is too vast, it will probably fail. If it is too small, then it would be best assigned to a single person like any other office detail. The scope of the project must be given a lot of thought. If in doubt, start with a narrow focus on a specific department or function to demonstrate the plan’s value and build up from there. One guideline suggested is any event that would cost (in lost wages, sales, etc.) more than 5% of your quarterly revenues merits its own plan. So if a temporary outage of a critical machine stops the entire factory, then it needs a plan. If the same machine Page 8 stoppage means that three extra workers must drill holes with hand tools until the machine is repaired, then it probably does not need a plan. A good way to approach the plan is to address areas that everyone uses, such as security, data processing, electrical, etc. Don’t try to tackle too much, too fast. Start with building services, then security and safety, then data processing, etc. In this way, if the project is killed, you still have some useful documents. If your recovery plans will encompass many sites, or a large complex, then start with a pilot project for a single building, a business function, or even for your Data Processing department. This will build your team’s expertise and confidence, resulting in a very useful document, and demonstrate real value to top management. The scope of the project will drive the resource requirements for the project in terms of how many people it will involve, how long it will take, and the budget required to complete it. The project scope must be a written statement. Here are three examples with gradually narrowing requirements. As you read these scope statements, imagine what sort of implied tasks these statements carry (or as they say, “The devil is in the details!”). Follow up on the scope statement by clarifying the timelines, criteria for success, and overall expectations for this project. Otherwise, you would be digging up information and writing forever. Example #1 If you were in a factory’s Data Processing department, your scope statement might be: “Develop, implement and provide ongoing testing for a Business Continuity Plan for the factory’s automated systems to include the computer rooms, the internal and external telephone system, the shop floor control systems, and data connections to both internal and external sites. This plan will provide specific action steps to be taken up to and including emergency replacement of the entire computer and telecommunications rooms.” Note that this statement does not include the factory machines (drill presses, mills, conveyors, etc.) or the front offices. It is focused on the telephone system and the internal data processing processes. Page 9 Example #2 If you were the Director for Building Security, your scope might be: “Write an emergency contingency plan to address the possibility of fire, personal injury, toxic material spill, and structural collapse. Include escalation procedures, emergency telephone numbers, employee education, and specific emergency actions. Make recommendations concerning potential mitigation actions to take before a disaster strikes. Ensure the plan conforms to all legal, regulatory, and insurance requirements.” The project scope described in this statement does not include flood controls, security actions, etc. Although some security tasks may be implied, very little is called for. Example #3 An even narrower approach might be: “Document all the payroll procedures and recovery processes to ensure that paychecks are always on time and that the automated vacation balance tracking system is available even during an electrical outage.” Note that this scope statement does not include time clocks, exception reporting, or interfaces with your accounting system. Most people do not have any idea of what a disaster plan would look like. They imagine some large book just sitting on the shelf. In this situation, you could demonstrate the usefulness of the plan by building it a piece at a time. You might build the part that covers the core utilities for a facility (electricity, gas, telecommunications, water, and heating and air conditioning). As you review with the sponsor how these essential services will be recovered after a disaster, the sponsor will begin to see the usefulness of your work. If your company has multiple sites, it might work better for you to build the plan one site at a time. Timelines, Major Milestones, and Expectations The output of a scope statement is to build a list of goals for the project. These are specific results against which the success of the project will be judged. Detail any expectations as to a completion date or major milestone dates. If this Page 10 project is in response to an internal audit item, then the due date might be when the auditor is scheduled to return. If the Board of Directors required this to be done, then progress reports might be due at every directors meeting. Ensure all key dates are identified and explain why they were selected. The term “expectations” can also be described as the criteria for success. Be clear in what you are asking for. A business continuity plan should only include critical processes. A critical process is usually defined as a process whose interruption would cause a material financial and operational impact over some period of time that you define (5% or greater of quarterly revenues is standard). You can’t plan for what to do down to the front door being stuck open. That level of detail would be too difficult to maintain. Focus on the critical business functions and the processes that support them. Your long­run goal is that the business continuity planning process will become an integral part of how business will be conducted in the future. Example criteria for success: Every department’s continuity plan must provide for employee and visitor safety by detailing to them any dangers associated with this device or type of technology. Each department’s continuity plan must be understandable to anyone familiar with that type of equipment or technology. A business continuity plan will be submitted for every critical piece of equipment or critical process in the facility. At the end of the project, the Contingency Planning Coordinator will submit a list of known weaknesses in our processes or equipment along with long­term recommendations to address them. All continuity plans will be tested by someone other than the plan’s author and certified by the department manager as suitable for the purpose. This project shall commence on June 1 and be completed by December 31. By that time, all plans must be complete, tested and approved by the department managers. In terms of a timeline, the length of your project will depend on how supportive the team members are of this effort, how complex your operations are, and how detailed your plan must be. Generally, these projects have an initiation phase and then the various departments break off and work in parallel to write their respective plans. During this phase, they also perform initial test­ Page 11 ing of the plan. At the end, all the plans are compared and modified so to avoid duplicate mitigation actions and to ensure one person’s mitigation step doesn’t cause problems for someone else. The capstone event is the system­wide disaster test. As a general guideline, most plans can be completed in about 6 months, depending on the project’s scope, the degree of management support, the number of locations to be included in the plan, and the amount of resources available. One month is spent on the start­up administration and training. About 3 months are needed to draft and test the departmental plans. Be sure to stay on top of these people so they don’t forget about their plans! The final synchronization and testing should take an additional 2 months. However, as your team members are probably assigned to this project part time, their level of participation will vary according to their availability. The Contingency Planning Coordinator must be flexible but, in the end, is responsible for driving the project to its completion. ADEQUATE FUNDING One of the indicators of the seriousness of a project is the presence of a separate budget item to support its activities. It is the Contingency Planning Coordinator’s responsibility to track the funds spent on the project and to demonstrate the benefit they provided. If a separate budget is not available, then clear guidelines on a spending ceiling for the project must be set. Some of the items to include in the project budget are: The Contingency Planning Coordinator and key team members should attend formal business continuity planning training to obtain a thorough grounding in its principles. This speeds the project along and removes some of the guesswork of building a plan. You may need to pay a consultant to advise the project and mentor the Contingency Planning Coordinator as the plan is being developed. Sometimes the folks with the most knowledge about your processes are not available during normal working hours. For these people, you may need to schedule meetings on weekends or off­site to gain their full attention. This may incur overtime expense or the cost of a consultant to backfill the person while they work on the plan. Temporary help might be needed for administrative assistance, such as documenting the wiring of your data networks, transcribing notes for Page 12 those without the time or inclination to type, conducting an asset inventory, etc. It is amazing what a few pastries brought into a meeting can do for attendance. It is a good practice to build a team spirit for the project to carry you over the rough times. This might be shirts, hats, special dinners, performance bonuses, and many other things to build team cohesion. Visible recognition helps to maintain the team’s enthusiasm. Visible Ongoing Support If the goal of this project were to determine which employees deserved to have their pay doubled, you would be inundated with folks clamoring to join your team. Unfortunately, an assignment to a business continuity planning team may not be considered a high­profile assignment. This could discourage the enthusiastic support of the very people you need to make this project a success. To minimize this possibility, the visible, vocal, and ongoing support of the sponsor is very important. Once the sponsor and the Contingency Planning Coordinator have agreed on the scope, the sponsor should issue a formal memo appointing the Contingency Planning Coordinator in a letter to the entire organization. This letter should inform all departments of the initiation of the project and who has been appointed to lead it. It should also describe the project’s scope, its budget or budget guidelines, major milestones and timelines, and alert the other departments that they may be called upon to join the project and build their own recovery plans. This memo will detail who, what, where, when, why, and how the project will unfold. The closing paragraph should include a call for their assistance in ensuring the project will be a success. SELECTING A TEAM Once the sponsor and the coordinator have defined the scope of the project, the next step is to create a team. As you begin the project and start selecting your team, be ready for a chorus of resistance. Some departments will be indignant about being forced to join this project since they already have a plan (it’s just no one can find it). Even if they have a plan, it does not mean that it is a good plan, or it may have interdependences with other areas and needs Page 13 to be linked to other plans. Some will already have a plan being developed, but under scrutiny you see it has been under development for the last 10 years. So with the naysayers in tow, prepare to select your team. In the case of existing, workable plans, ask that a liaison be appointed. For the plans under development, ask that you be able to enfranchise these hard­working people. As for any parsimonious financial people trying to kill your project’s training request, ask the sponsor to override objections and allow the team to attend training on the latest business continuity best practices. Identify the Stakeholders As you form your team, take time to identify who the project’s stakeholders are. A stakeholder is anyone who has a direct or indirect interest in the project. Most stakeholders just want to know what is going on with the project. Stakeholders need to be kept regularly informed on the project’s progress or problems with which they need to assist. For each stakeholder, identify what their goals and motivation are for this project. Based on this list, you will determine what to communicate to them, how often, and by which medium. Some stakeholders’ interests are satisfied by a monthly recap report. Some will want to hear about every minor detail. Form 1­2 (see CD) is a Stakeholder Assessment Map. Use it to keep track of what the key stakeholders are after in this project so you do not lose sight of their goals. The strategy is an acknowledgment that you may need to apply some sort of specific attention to a particular person to keep them supporting this important project. Form the Team The size and makeup of your team depends on how you will roll out the project. In the very beginning, it is best to start with a small team. Always respect people’s time. Don’t bring anyone into the project before they are needed. The initial team lays the groundwork for the project by arranging for instructors, coordinating training on building disaster plans, helping to sharpen the focus of what each plan should contain, etc. The core team should consist of the sponsor, the Contingency Planning Coordinator, an Assistant Contingency Planning Coordinator, and an administrative assistant. This group will prepare standards, training, and processes to make the project flow smoother. Page 14 Several other key people will eventually need to join the team. You may want to bring them in early or as they are needed. This may include people such as: Building Maintenance or Facilities Manager. They can answer what mitigation steps are already in place for the structure, fire suppression, electrical service, environmental controls, and other essential services. Facility Safety and Security. They should already have parts of a disaster plan in terms of fire, safety, limited building and room access, theft prevention, and a host of other issues. If they are adequate, this may save you from writing this part of the plan. Be sure to verify that these plans are up to date and of an acceptable quality. Labor Union Representative. Human Resources. Line Management. Community Relations. Public Information Officer. Sales and Marketing. Finance and Purchasing. Legal. The next step is to make a few tool standardization decisions. The company’s technical support staff usually makes these for you. Announce to the group what the standard word processing program, spreadsheet, and, most importantly, the project management software everyone will need on their workstations. Most people have the first two but few will have the project management software already loaded. Be sure that as people join the team, copies of the software are loaded onto their workstations and training is made available on how to use this tool. You will get the best results by investing some time training the team on how to write their portion of the plan and providing administrative help if they have a lot of paperwork to write up (such as network wiring plans). Every person reacts differently to an unknown situation and being assigned to this team is no exception. If you will take the time to assemble a standard format for the plan and a process to follow to write it, then they will be a lot more comfortable being on the team. Page 15 A project of this type will generate a lot of paper. If possible, the accumulation of the various plans, wiring diagrams, manuals, etc. should be shifted from the Contingency Planning Coordinator to an administrative assistant. An administrative assistant will also free the Contingency Planning Coordinator from coordinating team meetings, tracking the project costs, etc. Although these tasks are clerical in nature, this person may also be the Assistant Contingency Planning Coordinator. Another value of appointing an Assistant Contingency Planning Coordinator is that it provides a contingency backup person in case something happens to the Contingency Planning Coordinator, as they will quickly learn about all aspects of the plan. Once you are ready to roll out the project plan to the world, you will need to pull in representatives from the various departments involved. When tasking the department managers to assign someone, ensure they understand that they are still responsible for having a good plan so that they send the proper person to work on the team. This person need not know every aspect of their department, but they should understand its organization, its critical hardware and software tools, and its major workflows. Depending on the project’s scope, you might end up with someone from every department in the company. This would result in too many people to motivate and keep focused at one time. Break the project down into manageable units. Start with an area you are most familiar with or that needs the most work. Involving too many people in the beginning will result in chaos. Plan on inviting in departments as you begin to review their area. An example is fire safety. Although it touches all departments, it is primarily a Safety/Security department function. Given all this, just what skills make someone a good team member? An essential skill is knowledge of their department’s processes. This allows the team member to write from personal knowledge and experience instead of spending a lot of time researching every point in the plan. They should also know where to find the details about their department that they don’t personally know. Another useful skill is experience with previous disasters. Even the normal problems that arise in business are useful in pointing out problem areas or documenting what has fixed a problem in the past. And of course, if they are to write a plan, they need good communications skills. Department managers should appoint a representative to the business continuity planning project team by way of a formal announcement. However, the Contingency Planning Coordinator must approve all team members. If someone with unsuitable qualifications is sent to represent a department, they should be sent back to that manager with a request to appoint someone who is more knowledgeable about that department’s processes. When reject­ Page 16 ing someone from the team, be sure to inform your sponsor and the originating manager as to why that person is unsuitable. The people on the initial project team are the logical ones to spread the good word of business continuity planning back to their departments. Time spent educating them on the continuity planning principles and benefits will pay off for the company in the long run. They can also learn more about the company by proofreading the plans submitted by the other departments. This has an additional benefit of broadening the company perspective of a number of employees. Use Forms 1­1 through 1­ 3 (see CD) to map out the responsibilities of each member of the team. Rolling Out the Project to the Team Team meetings are an opportunity to bring everyone together so they all hear the same thing at the same time. This is when you make announcements of general interest to everyone. It is also a good time to hear the problems that the team has been encountering and, if time permits, to solicit advice from the other team members on how to approach the issue. A properly managed meeting will keep the team members focused on the project and the project moving forward. In the beginning, conduct a project rollout meeting with an overview of why this project is important and an explanation of what you are looking for. This is your most critical team­building meeting (you never get a second chance to make a good first impression). In most meetings, you will work to bring out from the people their thoughts and impressions on the project. But at the first meeting, be prepared to do most of the talking. Lay out the roles of each player and set their expectations about participation in the project. Information makes the situation less uncertain and the people can begin to relax. This is your first big chance to teach, cheerlead, and inspire your team! Sell your project to them! Included on the CD is an overview of Business Recovery Planning written using Microsoft PowerPoint. It touches on the primary plan development activities of this book. Use it as a starting point for your own plan. Dates, contingencies, and departments covered all vary from place to place. The team members should leave the meeting with a clear idea that this project is of manageable size—not a never­ending spiral of work. Use this Page 17 meeting and every meeting to informally teach them a bit about business continuity planning. As the project progresses, you will be surprised how hard it is to get business continuity information out of people. Some people are worried that others will use it to dabble with their systems. Some folks just don’t know what they would do in a disaster and intend to ad lib when something happens, just like they always have. Have patience, ask leading questions, and get them to talk. When they have declared their plan complete (and you know it is only a partial plan), conduct a meeting with the team member, their manager, and the sponsor to review the plan. Step through it item by item. By the time that meeting is over, the team member will realize that they will be accountable for the quality of their plan. PLANNING THE PROJECT Refer to the sample plan included on the CD­ROM for ideas to include in your plan. Any plan that you use must be tailored to your site and management climate. Always keep your plan in a software tool like Microsoft Project. Such programs will recalculate the project’s estimated completion date as you note which tasks are complete. It can also be used to identify overallocated resources. OK, now it is time to build the project plan. This is best done with input from your team. There are four basic processes to building your plan: identifying the activities, estimating how long each task will take, deciding who should do what (or what skills this person should have), and then sequencing the tasks into a logical flow of work. The general term for this is a work breakdown schedule, which describes it quite nicely. Identifying the Activities What must be done? Your core project team can be a great help here by identifying the steps they see as necessary to complete this project. Although some tasks will logically seem to follow others, the focus here is to identify what needs to be done. How deeply you “slice and dice” each task is up to you. Unless it is a critical activity, you should rarely list any task that requires less than 8 hours of work (1 day). The times in the sample plan are calendar time, not how long the task will actually take. This is because your team members may only work on this project part time. Page 18 Write a brief paragraph about what each task involves. This will be very useful in estimating the time required to complete it. It also keeps the task’s scope from spiraling out of control. You may understand what you mean for a task, but remember, someone else will probably execute the task, so an explanation will be very useful. Always document your planning assumptions. When discussing the plan with others later, this explanation of what you were thinking at the time the plan was drafted will be very useful. By listing your assumptions, you can discuss them point by point with the team and your sponsor to avoid areas that the plan should not address and to identify why a specific course of action was followed. Along with the assumptions, list all the known constraints for the project. This might be a specific due date to meet a business or legal obligation, it might be project funding issues, or even a limit on the number of people available to be on the team. A major benefit of listing your project constraints is that upon examination they may be less than you think or can be used to prevent the scope of the project from expanding. Determining Activity Durations Once the tasks are laid out, estimate how much time should be set aside for each task to be completed. Creating reasonable time estimates for someone else is tough. You may think you know what needs to be done, but you could underestimate the true work required. Also, not everyone has your strengths­ or weaknesses. Therefore, the estimates you assign at this stage are a starting point. When a task is assigned to a team member, take the time to discuss with them what each task involves and see how long they think it will require. Be sure that they understand what each task entails so they can estimate accordingly. Update the plan with their estimated task durations and start dates. It is unfair to the team members to drop a task on them and demand a date without any further explanation. Once you negotiate the duration of a task with someone, encourage them to stick with it. Other people farther along in the project may be depending upon this task to be completed before they can start. Who Should Do It? Some tasks are easy to assign. If the task is to validate the key locker security, it will go to the security manager. If that person chooses to delegate it to some­ Page 19 one else, then it is still their responsibility to ensure the task is properly completed on time. Some tasks will be more general in nature and need to be spread around the team fairly. If a task is not needed, don’t hesitate to delete it. If it is necessary, don’t hesitate to assign it! This is a good time to identify any gaps in your available labor. If you see a large time commitment for the Data Network Manager and little likelihood that they will be available to do the assigned work, you might generate a task to bring in some temporary help to assist them. There may be other time issues on the horizon. For example, if you need to involve the Accounting Controller, and the project will run over the calendar time for closing the fiscal year accounts, then you would schedule their project participation so as to avoid this time period. Sequencing the Activities Now, put all the tasks in some sort of order. In this type of project, the beginning of the project is somewhat sequential and then there are many tasks running in parallel when the various groups break off to write their respective plans. Select an estimated start date and place some dates on your plan. With the plan held up against a calendar, check to see if any tasks need to be resequenced or noted that they conflict with some other critical company activity. If your task contingencies are in place, the project management software will fill in the plan dates for you. If when you save the plan you select the option to save without a baseline, you can easily change the start date later. Next, you should level your resources so one person isn’t asked to complete 40 hours of work in 1 day. This occurs when people are assigned too many tasks that are to run at the same time. Plan Risk Assessment So now that you have a rough plan, with time estimates and in some sort of a logical flow, it is time to scrutinize the plan for problems. Are there any labor resources overobligated? Look at each task area. What is the risk that an item won’t be completed on time? Yes, there is always a risk that a key person won’t be available. List any other underlying issues. Most projects share the same basic risks to their success. In addition, each project has its own risks unique to what you are trying to accomplish and to your environment. Common project plan risks include: Page 20 The amount of experience the Contingency Planning Coordinator has in leading this type of project. Low experience adds risk to the project. Extensive experience would make for a lower risk. The level of management support for the project. If you have low management support, you will have high project risk, and vice versa. Adequate funding to complete the project with a top­quality result. Don’t let needed training, support activities, or mitigation actions be cut from the budget. How many locations will this project involve at one time? The more locations that are involved, the greater the project’s risk of failure. If possible, run a separate project for each site, and do not attempt to do them all at the same time. The number of departments involved with the project at one time. Like trying to work across too many sites, trying to handle too many departments will fragment the Contingency Planning Coordinator’s time and increases the likelihood of failure. Consider tackling fewer departments at one time. The frequency and length of business interruptions to the project. This could be an upcoming ISO audit, it could be a quarterly wall­to­wall inventory, it might even be the end of the fiscal year, etc. The more interruptions to the project’s flow you can foresee, the higher the risk of failure. The time required to complete your business continuity plans will depend on the knowledge and quality of the people assigned by the various departments. Typically, the data processing department has the most to write and will take the longest. A mandated completion date may not be realistic. EXECUTING AND CONTROLLING Now you have your sponsor, your budget, your plan, and a core team assigned. It is time to get your project underway! A Contingency Planning Coordinator must be the inspiring force behind the project. At those times when everyone is piling work on your team members’ desks, you must be the driving force in keeping this job as a priority project until it is finished. Page 21 As the project progresses, you will make decisions as to what is included in your project charter and what is not. This is “scope verification” and it may mean that as you progress with your project, you see that it must involve specific actions that were not foreseen when the project was started. It may also involve the “nice­to­have” things that pop up as a project moves on. In either case, recognize these things as they occur and make a conscious decision to accept or reject them. Do not let anyone else add tasks to the plan without your approval or your tightly planned project will turn into an untamed monster! Communications Plan Every person within your organization has different information needs and preferred channels for receiving it. The sponsor shouldn’t be burdened with minute details. The department managers want to track what their people are doing, etc. To provide the right level of information to the right person, at the appropriate time, you need to build a communications plan. The more people involved with your project, the greater your need for communication. A communications plan details who needs to report about what, and when. For example, who should receive project status reports? Who needs copies of the team meeting minutes? Who needs to know about minor project delays, etc? To manage this, build a matrix that accounts for the information needs of all stakeholders. Your communications plan will address a wide range of audiences. Be sure to identify the person responsible for generating the communication and its major focus. Evaluate every report and every meeting in your communications plan as to whether it will be worth the effort to prepare for it. Some reports may require more effort than they are worth. Some meetings are just a waste of time. Effective communications is important for focusing a team to a goal, but you must strike a balance between enough communication and the time wasted generating too much. Use Form 1­4 (see CD) to plan out who is responsible for what communications. The communications plan will encompass more than memos floating around the office. It should include meetings with your team, meetings with your sponsor and presentations to the various departments. Another important communications task is to raise the awareness of the employees of your project and how it impacts them. Posters, newsletter articles, and open meetings all serve to answer their questions and are useful for instilling a business continuity culture in your company. Page 22 The information falls into three main categories: 1. Mandatory communications are things that must be done, such as status reports to the sponsor, meeting minutes to the team members, etc. Skipping a mandatory communication may affect your project’s support or credibility. 2. Informational communications includes reports to the interested and curious. Many people will see the plan under development and believe that it directly or indirectly will involve them. Your informational communications will pass on project accomplishments, testing schedules, and things that may not directly affect them but they would want to know about. Informational communications can help to shape expectations so the interested people can better understand what is next instead of being surprised or disappointed. 3. Similar to informational communications is marketing communications. Here you are out to build a positive image of your project to the rest of the company. Your marketing communications will help to educate the company as a whole on the business continuity planning principles (risk analysis, mitigation, documentation, etc.) and how they can relate to their own work processes. One effective method is to give a presentation on business recovery planning to each of the various department staffs. The more they understand it, the greater your support is across the company. Form 1­5 (see CD) is a sample stakeholder reporting matrix. Modify it to reflect your project team and business requirements. In this matrix, you will identify which persons might only want to see monthly status reports with summary comments, such as the sponsor. Who might need a weekly status report with specific accomplishments, like the department managers? Who might want short stories on accomplishments, like the facility’s employee newsletter? The stakeholder reporting matrix also indicates the best way to deliver these reports. Do some of your executives ignore their e­mail? Do some require face­to­face reports? Indicate the method of delivery to which they would be most receptive. Reporting Using the Communications Plan As the project progresses, you should occasionally revisit the project’s risk assessment. Things change; people come and go on a project and what was Page 23 once a looming challenge may at closer glance appear to be nothing at all. In addition, business conditions are in constant flux and that must also be figured into the update of your risk analysis. Controlling is the process used to identify variation from the plan in the areas of: Change control. Scope control. Cost control. Quality control. Performance reporting. Risk response. Your best tool for focusing the team on its goals will be a weekly team meeting. There are many fine books dealing with the proper way to conduct a meeting, but a few basics follow: First, always publish an agenda before the meeting. It acts as an anchor to keep people from drifting too far off the subject. Second, keep the meeting pertinent. Focus on recent achievements over the past 2 weeks and upcoming events of the next 2 weeks. Third, keep it under an hour. People lose focus the longer a meeting drones on. Side conversations should be stopped and taken outside the meeting. If you are finished in a half hour, cut it off! People will respect the meeting time limit as much as you do, so set a good example. Have your meeting at the same place and time every week, even if not much is happening. Try to make it a habit for them. When planning your team meetings, involve a bit of showmanship to keep people involved. If they sit there passively, ask specific people questions, but never to embarrass them if they are late. If the discussions seem tedious, jump in once in a while to keep them focused and interesting. Use slack time in the agendas to fill in with short training topics and visits by the sponsor or department managers. Publish a meeting recap as soon after the meeting as possible. Detailed meeting minutes may become too burdensome but a recap of the high Page 24 points gives you a document to talk from at the beginning of the next meeting. Always include a copy of the updated project plan. Test “Completed” Plans The quickest way to snap people out of lethargy is to publicly test the first plans submitted. You don’t need to pull the plug on a computer to do this. An easy test is to verbally walk through it. If the plan authors know that it is really going to be read and see how you test it, they will be more thorough. Do the first desktop walk­through with the plan’s author. You will uncover glossed­over steps where they clearly knew what to do but where, based on the plan, you had no clue as to what was next. After updating that version, do the same walk­through with the author’s manager (who may very well be called on to execute this plan) and look for gaps. Reward those contributors who complete their plans on time. This is where your sponsor comes in. Everyone likes to be appreciated, and some liberal rewards for the first few completed plans will go a long way toward motivating the rest of the team. You’d be surprised how fast this kind of word spreads throughout a company. Set Up and Enforce a Testing Schedule As the departmental plans roll in, update the project plan’s testing schedule. Testing will uncover gaps and inconsistencies in the current draft. Normally, this is a multiple step process: The team member and their manager initially check completed plans by using a desktop walk­through. The next level is to walk through the plan with someone familiar with the area, but not involved with the plan development. Run a departmental test. Once enough plans are ready, it is time to schedule a simulated major disaster. This might be over a holiday period or whenever the systems are lightly used. Testing will teach people some of what to expect in a disaster. It will also make them more familiar with the procedures of other functions. Page 25 Always follow testing or a disaster event with an “after action” meeting and report detailing the lessons learned and updates made to the plan. Be sure to praise its high points and to privately express what it is lacking. Depending on how well your group knows one another, you can use the team members for a peer evaluation. People must feel free to speak at these meetings without fear of retaliation or their full value will not be realized. After­action reviews are a very powerful learning tool. They require a moderator to keep them focused and moving through the following five questions. An after­action discussion follows a simple format: What happened? What should have happened? What went well? What went poorly? What will we do differently in the future? Appoint someone to take notes on these lessons learned. Send a copy to each participant, and the Contingency Planning Coordinator should maintain a file of these reports. Refer to this file when updating the plan. CLOSING THE PROJECT Once you have your plan written and the initial tests completed, it is time to close up the project. All good things come to an end as the plan is transformed from a project to an ongoing business process. The transition involves reporting the project results to management, closing out the project’s budget, identifying known exposures for future action, and thanking your team for their efforts. Closing the project involves the following steps: Turn All Files Over to the Plan Administrator. What was once your project may become someone else’s regular responsibility. If the Contingency Planning Coordinator is not to be the Plan Administrator, accumulate all files pertaining to this project and hand them over to the Plan Administrator. It is now their job to ensure the ongoing test plan is enforced, that plan updates are issued in a timely fashion, etc. Make a final update to the project plan. It may be useful if sister companies want to use it for building their own business continuity plans. You can also refer to it when estimating task duration for future projects. Page 26 Reporting Results to Management. To wrap up your project, draft a recap of the progression of the project to management. In this, point out any major successes that occurred during the project, such as low­cost solutions found to important problems, materials found stashed away in closets that could be put to good use, and so on. In the report, be sure to point out the benefit of the cross­functional training received by the project team as they worked with each other during plan development and testing. You should provide a final account of the funds spent on the project, broken down as to what part of the project they supported. This will assist in estimating the funds required for similar projects in the future. Identifying Known Exposures. A business reality is that not every worthwhile activity can be funded. During your risk analysis and mitigation efforts, you very likely uncovered a number of areas where there were single points of failure that called for redundant solutions, unmasked obsolete equipment that must be replaced, or other mitigation actions that would make your business processes more stable. Roll up these exposures into a report to management. List each item separately along with a narrative explanation of why it is important. Detail the advantages and disadvantages of this course of action along with estimated (or known) costs. These narratives may not be reviewed again for many months, so the clearer the business reasons behind funding this action, the better. When your capital budgeting cycle rolls around, use this list as input to the budget. Thanking the Team. Hopefully, careful notes were kept during the course of the project so that team members could be recognized for their contributions to the project. In particular, those team members who overcame major obstacles to complete their plan and thoroughly test them are due special recognition. Acknowledgement of a job well done should be made as soon as possible after the fact. At the end of the project, it is time to reac­knowledge these well­done jobs to remind everyone and management of the individual accomplishments during the project. CONCLUSION After reading this chapter, you should now have a good idea as to the overall strategy for developing a useful business continuity plan. Your odds for a suc­ Page 27 cessful project increase dramatically when you have a well­thought­out plan. The major steps for getting your project off to a good start are these: 1. Make sure the scope of the project is clearly defined. You need adequate time, funding, and support to be successful. 2. Carefully select the right team members. They must have a good understanding of the important processes within their departments and be able to clearly communicate the importance of the project back to their coworkers. 3. Identify the activities required, their durations, and who should do the work. 4. Communicate not only within the team but with the entire organization, as what you are doing is important for everyone’s survival. 5. Test, test, test. If a plan isn’t tested, you won’t know whether it will work until it’s too late. The remaining chapters in Part 1 drill down into the details of the process for meeting this objective. This chapter gave you the information you need to develop an effective infrastructure for developing your plan; now, it’s time to get down to the business of developing the plan. Page 28 This page intentionally left blank Page 29 CHAPTER 2 RISK ASSESSMENT Understanding What Can Go Wrong Luck: 1a, a force that brings good fortune or adversity; 1b, the events or circumstances that operate for or against an individual; 2, favoring chance. INTRODUCTION The heart of building a business continuity plan is a thorough analysis of events from which you may need to recover. This is variously known as a threat analysis or risk assessment. The result is a list of events that could slow our company down or even shut it down. We will use this list to identify those risks your business continuity plan must address. First, let’s define the terminology we’ll use when discussing risk: The potential of a disaster occurring is called its risk. Risk is measured by how likely this is to happen and how badly it will hurt. A disaster is any event that disrupts a critical business function. This can be about anything. A business interruption is something that disrupts the normal flow of business operations. Whether an event is a business interruption or a disaster sometimes depends upon your point of view. An interruption could seem like a disaster to the people to which it happens, but the company keeps rolling along. An example might be a purchasing department that has lost all telephone com­ Page 30 munication with their suppliers. It is a disaster to them because they use telephones and fax machines to issue purchase orders. The facility keeps running because their mitigation plan is to generate POs on paper and use cell phones to issue verbal material orders to suppliers. Risk is defined as the potential of something occurring. It could involve the possibility of personal injury or death. Insurance actuaries work to quantify the likelihood of an event occurring to set insurance rates. A risk could be someone you judge as reliable failing in his or her duties. It could be a machine failure or a spilled container of toxic material. Not all risks become reality. There is much potential in our world that does not occur. Driving to work today, I saw clouds that indicate the potential of rain. Dark clouds don’t indicate a certainty of precipitation, but they do indicate a greater potential than a clear sky. I perceive an increased risk that I will get wet on the long walk across the company parking lot, so I carry an umbrella with me. The odds are that it will not rain. The weatherman says the clouds will pass. I can even see patches of blue sky between the massive dark clouds. Still, to reduce my risk of being drenched, I carry an umbrella. Some risks can be reduced almost to the point of elimination. A hospital can install a backup generator system with the goal of ensuring 100% electrical availability. This will protect them against the risk of electrical blackout and brownouts. It also introduces new risks, such as the generator failing to start automatically when the electricity fails. It also does not protect the hospital against a massive electrical failure internal to the building. Some risks are unavoidable and steps can only be taken to reduce their impact. If your facility is located on the ocean with a lovely view of the sea, defenses can be built up against a tidal surge or hurricane, but you cannot prevent them. You can only minimize their damage. Some risks are localized, such as a failure of a key office PC. It directly affects at most a few people. This is a more common risk and is not directly addressed in the facility­wide business continuity plan. Localized plans should be developed and maintained at the department level, with a copy in the company­wide master plan. These will be most used within the department as they address these challenges as they arise. But if the problem is more widespread, such as a fire that burns out just those offices, all the combined small reaction plans for that office can be used to more quickly return that department to normal. Other risks can affect your entire company. An example is a blizzard that blocks the roads and keeps employees and material from your doors. We all appreciate how this can slow things down, but if you are a just­in­time sup­ Page 31 plier to a company in a sunnier climate, you still must meet your daily production schedule or close your customer down! In building the list we try to be methodical. We will examine things in your business environment that you take for granted. Roads on which you drive. Hallways you walk through. Even the air you breathe. In building the plan, a touch of paranoia is useful. As we go along, we will assign a score to each threat and eventually build a plan that deals with the most likely or most damaging events (see Figure 2­1). BUILDING A RISK ANALYSIS At this point we can differentiate between several common terms. We will begin with a risk analysis. A risk analysis is a process that identifies the probable threats to your business. As we progress, this will be used as the basis for a risk assessment. A risk assessment (sometimes called a business impact FIGURE 2­1: Attributes of risk. Page 32 analysis) compares the risk analysis to the controls you have in place today to identify areas of vulnerability. The recommended approach is to assemble your business continuity planning team and perform the layers 1, 2, and 3 risk analyses (see The Five Layers of Risk) together. Your collective knowledge will make these reviews move quickly. Such things as the frequency of power or telephone outages in the past, how quickly these were resolved, and types of severe weather and its impact are all locked in the memories of the team members. What Is Important to You? A risk analysis begins with a statement of the essential functions of your business. This should be a written statement, as it will set priorities for addressing these risks. Essential functions could be business activities, such as the availability of telephone service. It could be the flow of information, such as upto­the­second currency exchange rates. It is anything whose absence would significantly damage the operation of your business. Most functions of a business are nonessential. You may think of your company as being tightly staffed and the work tuned to drive out waste. But think about the functions whose short­term loss would not stop your essential business from running. One example is payroll. Losing your payroll function for a few days would be inconvenient, but should not shut your business down. Most people can’t delay paying their bills for long, so over a longer period of time, this rises to the level of critical. This illustrates how a short­term noncritical function can rise to be a critical function if it is not resolved in a timely manner. Another example is a manufacturing site that states its essential functions as building, shipping, and invoicing its products. Anything that disturbs those functions is a critical problem that must be promptly addressed. All other functions that support this are noncritical to the company, although the people involved may consider them critical. On a more local scale, there may be critical functions for a department or a particular person’s job. These are also important to resolve quickly. The difference is one of magnitude. Company­wide problems have company­wide impact and must be resolved immediately. Another aspect to consider is the loss of irreplaceable assets. Imagine the loss or severe damage to vital records that must be retained for legal, regulatory, or operational reasons. Safeguarding these records must be added to your list of critical functions. Included in this category are all records whose Page 33 loss would materially damage your company’s ability to conduct business. All other records are those that can be reproduced (although possibly with great effort) or whose loss does not materially affect your business. With all of this in mind, it is time to identify those few critical functions of your facility. These functions will be broad statements and are the primary purposes toward which this site works. The easiest way to start is for the top management team to identify them. Often the company’s Operations Manager has some idea of what these should be. They would have been identified so that business continuity insurance could be purchased. Another way to identify critical functions is for your team to select them. Based on your collective knowledge of the company, just what are they expecting you to provide? Another way to think of this is what is the essence of your site’s function? Some examples to get you thinking: A Factory. To build, ship, and invoice products. This implies that the continuous flow of products down the assembly line is critical, along with prompt shipment and invoicing (to maintain cash flow). A National Motel Chain Call Center. To promptly respond to customer calls, make accurate reservations, and address customer concerns in a timely manner. This implies that telephone system availability and speed of switching are critical, along with accurate databases to reserve rooms. A Public Utility. To provide electrical service to all the customers, all of the time. This implies that no matter what other crises within the company are underway, the delivery of this product is critical. SCOPE OF RISK The scope of risk is determined by the potential damage, cost of downtime, or cost of lost opportunity. In general, the wider the disaster, the more costly it is. A stoppage to a manufacturing assembly line can idle hundreds of workers, so of course this is a company­wide critical event. Even a 15­minute stoppage can cost many thousands of dollars in idled labor. Consequently, a problem of this nature takes priority on the company’s resources in all departments to resolve the issue. On a smaller scale, there may be a spreadsheet in the Accounting department that is used to generate reports for top management. If this PC stops working, work has ceased on this one function but the plant keeps building Page 34 products for sale. The Accounting Manager can request immediate PC repair support. The problem and support are local issues peripheral to the company’s main function of building, shipping, and invoicing material. When evaluating the likelihood of risks, keep your planning horizon to 5 years. The longer the planning horizon is, the greater the chance that “something” will happen. Since the purpose of the analysis is to identify areas of concentration for your business continuity plan, 5 years is about as far out as you can plan for building mitigation steps. If the risk analysis is updated annually, then 5 years is a sufficient planning horizon. Cost of Downtime Calculating the cost of downtime is critical to determining the appropriate investments to be made for disaster recovery. But calculating the costs due to the loss of a critical function is not a simple process. The cost of downtime includes tangible costs such as lost productivity, lost revenue, legal costs, late fees and penalties, and many other tangible costs. Intangible costs include things such as a possible damaged reputation, lost opportunities, and possible employee turnover. TANGIBLE COSTS The most obvious costs incurred due to a business interruption are lost revenue and lost productivity. If customers cannot purchase and receive your product, they may purchase from a competitor. Electronic commerce is especially vulnerable, because if your system is down, customers cannot make a purchase and can in many cases simply click on a competitor’s website. The easiest method to calculate lost sales is to determine your average hourly sales, and multiple that value by the number of hours you are down. While this can be a significant value, it is simply the starting point for calculating the total cost of downtime. Lost productivity is also a major portion of the total cost of downtime. It is usually not possible to stop paying wages to employees simply because a critical process is unavailable, so their salaries and benefits continue to be paid. Many employees may be idle while the process is unavailable, while others may continue to work at a much­diminished level of productivity. The most common method to calculate employee downtime cost is to multiply the number of employees by their hourly loaded cost by the number of hours of downtime. You may need to do this separately for each department, as their loaded cost and their level of productivity during the outage may vary. You will also need to include the employee cost for those who are assisting with any Page 35 recovery or remediation processes once the process is back up. These employees may be doing double duty once the system is back up, doing their regular job and also entering data that were missed or lost during the downtime. Other employee­related costs may include the cost of hiring temporary labor, overtime costs, and travel expenses. You may also incur expenses for equipment rental for cleanup or for temporary replacement of critical machinery, and extra costs to expedite late shipments to customers. If the business interruption was due to damages such as fire or flood, the direct loss of equipment and inventory must of course be added in. Other tangible costs may include late fees and penalties if the downtime causes you to miss critical shipments to customers. You may also incur penalties if the downtime causes you to miss deadlines for government­mandated filings. Stockholders may sue the company if a business interruption causes a significant drop in share price and they believe that management was negligent in protecting their assets. INTANGIBLE COSTS Intangible costs include lost opportunities as some customers purchase from your competition while you’re down, and may not return as customers. You don’t just lose the immediate sale, but possibly any future business from that customer. You need to calculate the net present value of that customer’s business over the life of the business relationship. If you have repeated problems with systems or processes being unavailable, some employees may become frustrated and leave the company. The cost to replace them and to train the new employee should be considered. Employee exit interviews can help determine if this is at least a factor in employee turnover. Other intangible costs can include a damaged reputation with customers, business partners, suppliers, banks, etc. who may be less inclined to do business with you. Your marketing costs may increase if customers defect to the competition during an outage and you need to work harder to win back their business. Calculating the true total cost of an outage is not easy, but it is important to know when determining the investment necessary to prevent and/or recover from a disaster. THE FIVE LAYERS OF RISK The impact of risks vary widely according to what happens to whom and when. Your reaction to a disaster that shuts down the entire company will be quite different from that which inconveniences a single office or person. Page 36 When considering risks, it is very helpful to separate them into broad categories (or layers) to properly prioritize their solutions. When evaluating risk we look at five distinct layers. The layers range from what affects everyone (including your customers) in Layer 1 down to the processes performed by each individual in Layer 5. The first layer concerns external risks that can close your business both directly and indirectly. These are risks from nature, such as flooding, hurricanes, severe snowstorms, etc. It can also include risks from man­made objects such as railroads or airplanes. Risks of this type usually disrupt our customers and suppliers as well as our own employees. The second layer examines risks to your local facility. This might involve one or more buildings—everything at this site. Some of these risks are due to the way your offices were constructed; some risks are a result of severe weather, etc. Second­layer risks include risks to basic services, such as electrical and telephone access to your building. We will also look into issues such as bomb threats, hazardous material spills, and medical emergencies. The third layer is your data systems organization. Everywhere throughout your organization are computers, talking through a data network, sharing information, etc. In addition to operational issues, loss of data can lead to severe legal problems. Most data can be recreated, but the expense for doing so can be quite high. This layer deserves its own chapter as its disasters can reach across your company. In most companies, if the computers stop working, so do the people. The fourth layer is the individual department. This will drive the main part of your plan. Fourth­level risks are the periodic crises we all confront on a weekly basis. Each department has critical functions to perform to meet their production goals and weekly assignments. These processes depend on specific tools to do this. Each department needs to identify the risk that might prevent them from performing their assigned work. These risks may not threaten the company’s primary functions but over time can degrade the overall facilities’ performance. The fifth and final layer is your own desk. If you can’t do your job in a timely manner, it may not stop the company from shipping its products, but it sure adds a lot of unnecessary stress to your life. Typically the risk assessment you perform on your own job will be more detailed (because you know more about it), make it easier for you to take time off (as you will be more organized), and making bouncing back from the crisis of the week look so very easy. Page 37 LAYER 1: EXTERNAL RISKS Many natural disasters are wide­area risks. That means they not only affect your facilities, but also the surrounding area. As an example, we will consider a hurricane. The damaging winds from a hurricane can cover hundreds of square miles and then slowly move up the seacoast. These winds can bring on tidal surges and torrential downpour, spawn tornados, and result in downed power lines and many other calamities all at the same time. Now consider your business in the midst of this. All companies are affected by this disaster including your customers, your suppliers, and your emergency services support. Damage can be widespread. Technicians and machinery you had counted on for prompt support are tied up elsewhere. Bridges may be out, your workers may be unable to leave the facilities, and fresh workers may be unable to come to work. Employees critical to your recovery may not be available due to damage to their homes or injuries to their families. The list of problems could go on and on. Don’t forget to consider how the disaster may affect your employees’ ability to respond to the disaster. After the terrorist attacks on the World Trade Center, many disaster recovery plans called for surviving employees to be at the recovery site the next day. After watching their friends and co­workers dying around them, getting to the recovery site was not at the top of their priority list! Don’t live in a hurricane zone? How different is this than a major snowstorm? Power lines snap, which cuts off the electrical heat to your building, which causes sprinkler pipes to freeze and burst, etc. Impassable roads mean that help is slow to move around the area. Extreme temperatures reduce the productivity of power line technicians. The risk to your site from natural …


(USA, AUS, UK & CA PhD. Writers)


The Best Custom Essay Writing Service

About Our Service

We are an online academic writing company that connects talented freelance writers with students in need of their services. Unlike other writing companies, our team is made up of native English speakers from countries such as the USA, UK, Canada, Australia, Ireland, and New Zealand.

Qualified Writers

Our Guarantees: