Business Continuity Disaster Recovery COOP Crisis Management John Glenn CRP MBCI

August 21, 2006

 

    A little help for a friend

Parts of a plan - Part 2


John Glenn, MBCI
Certified Business Continuity Planner


When we left our erstwhile planner, management had just been presented with the Part 1 deliverable which included an Executive Summary, a list of risks by critical processes, and a prioritized list of risks along with the planner's avoidance and mitigation recommendations and an admonishment to return the list, with implementation schedule, within 2 weeks.

Part 2 of a Business Continuity plan commences when management returns the planner's recommendations with an implementation schedule.

 

Policies & procedures - missing link

    Every organization needs published policies and procedures (P&Ps). They need P&Ps for normal operation and they need P&Ps, or In the Event Of modifications, for emergency operations.

    Lacking well-publicized P&Ps, or at least the Procedure part, can cause untold woe after the fact, woe ranging from hard feelings to legal action or work actions. Some emergency P&P considerations include

    • Authorizations and reporting: Who is authorized to manage what; who can authorize overtime; who is authorized to spend the organization's money; is cash OK or only a corporate credit card; what is the spending limit for what products and services? How are the authorizations recorded, by whom and when?
    • Mandated time off: If the organization tells J. Employee "Go home until you are called back," will J. Employee be paid; for how long and how much?
    • Responder compensation: Will responders be paid regular time for the first 8, time and a half for the next 4, and double-time for the last 4 hours? (After 16 hours the person should be sent away to rest.) What about meals and lodging? What if the organization caters meals but the responder has special dietary requirements?
    • Payroll: Will everyone be paid a base salary or the last payroll? How will they be paid - check to home, direct deposit (must be pre-planned), hand delivered - to whom - spouse, children, other - upon what proof of authorization?
    • Travel: Who arranges, pays, cost limits, means of transportation; local rentals, taxi, or organization shuttle bus/van? What about tips, receipts?

 

Responding to an event

    "There is only one scenario: You go to work and there is nothing there; everything else is included in this scenario." Norm Harris (http://www.atp-ohio.org/Harris.pdf). If a building collapses, it collapses on the servers, making them so much crushed metal to be replaced. If a server fails, it must be replaced or repaired. Same difference, regardless of the building's condition.

    There are two parallel response efforts:

    • Maintaining at least a minimum level of service by the business units
    • Restoring the organization to business as usual

    Maxim: If there is no profit center to restore, there is no need to restore anything else.

    The organization, all organizations no matter what their reason to exist, must maintain at least a minimum level of service; they must meet their Service Level Agreements (SLAs).

    The plan must include means for the profit centers to continue to meet SLAs from an alternate location or locations. Office operations usually can be relocated with relative ease. Production lines are a different story, but not an impossibility.

    In order for a profit center to meet its SLA, its resources - external and internal "vendors" - must meet their SLAs to the profit center.

    The resources required by the profit centers to meet the SLAs must be restored as efficiently and economically as possible. If a facility cannot be inhabited, another location, or locations, must be found to house them. What are these resources? They include, but are not limited to: Accounting, Communications (external), Communications (internal), Facilities, Finance, HR, Legal, InfoTech, Mail Room, Sales & Marketing, Shipping & Receiving, and Vendor liaison (Purchasing).

    As response documentation is created, the planner or amanuensis is well advised to follow the KIS(S) principle: Keep It Simple (Stupid). The readers may not be as familiar as they could be with the emergency response situation, and the pressure to respond quickly may cause even the best qualified person to overlook something. Verbosity is counter-productive.

 

The players - and where to put them

    Appendices or addenda are the ideal place to put all information which is "subject to change."

    For on-line use, Access or similar searchable field databases are ideal; Excel and similar spreadsheets also are satisfactory and make for convenient printouts.

    Personnel information should include the standard contact information, including physical address in case it is necessary to send a messenger. The person's skills also should be listed; primary job skills, secondary job skills, and any "hidden" skills which might prove useful in an emergency situation.

    Each critical vendor - since no one knows who will be critical, this list should include all vendors - needs at least two contacts, including out-of-office contact information. It might be wise to include an alternate vendor if one is available - just in case.

    Media are critical. National TV can be a blessing or a curse, but in most cases after the first 24 hours, it goes away. The critical media are the local press, radio, and TV, the trades, and the financials. Other Important People include financial backers, insurance carriers, and regulators.

 

Keeping track of important documents

    Knowing which documents are needed and where both the original and copies are housed is critical. Some of the documents which need attention are

    • Regulatory: Manuals, etc.

    • Hardware and software docs: Licenses, configurations, serial numbers

    • Inventory - anything insured: models, serial numbers, specifications, configurations

    • Forms: What forms are used, how long does it take to replace them; is the stockpile sufficient?

    • Procedural docs: The "how to" material that comes with a product and the home-grown document that tells how a process is performed. (Some of this will also appear in the response tasks.)

    • Response related forms: finance, time line, what was good, what needs improvement

 

Training 

    Training often is overlooked. Mandated fire evacuations are, for many organizations, the only training personnel receive. Yet training is critical to the plan's success if it is ever invoked.

 

Plan exercises

    There are several reasons to have training exercises.

    Exercises, not tests. Tests imply pass or fail; that is not the purpose of an exercise.

    First, to discover any plan deficiencies. There never has been a "perfect plan" the first time out; not even mine. Documentation errors are included in the "plan deficiencies" category.

    Second, to develop the responders' confidence; a high level of confidence will help overcome surprises which are bound to happen. Moreover, a responder's high level of confidence in other responders means the responder can trust that related tasks will be handled as practiced.

    Third, exercises may uncover a better way of doing a task.

    Fourth, as exercises become more and more realistic, management can determine if the person assigned to a specific function can handle the tasks under pressure.

    Fifth, managers who normally yell and scream for an immediate response can see that their actions are counter-productive; they may even be convinced to help rather than hinder.

    What about external vendors? Involve them. Contact the vendors and ask if they are prepared to meet their emergency commitments - can either of the vendor contacts be reached? Does the vendor have parts and services available according to contract?

 

Personnel awareness and safety

    Personnel are at once the organization's most important resource and its first line of defense against many risks.

    Personnel should be trained to be aware of their environment and of anything that is "out of synch" with the norm. Smell burning wire? Look for an electrical overload. Smell smoldering paper? Check the trash cans. Sky turning green? Check for tornadic activity. Container truck parked in an unauthorized area? Where is the driver? (If no one knows, consider the possibility of a terrorist attack. A rental truck brought down the Alfred P. Murrah Federal Building in Oklahoma City (April 19, 1995) and the U.S. Air Force barracks in Khobar, Saudi Arabia (April 19, 1995).)

    Personnel awareness and safety includes development of a "buddy system" to assure that all personnel can move to assigned in-place sheltering and evacuation locations and are accounted for when emergency responders arrive on the scene.

 

Fire wardens, hall monitors, and advanced first aiders

    Fire wardens, hall monitors, and advanced first aiders must be carefully selected and may require certification to perform certain functions (such as using a portable fire extinguisher). These people must be respected by their peers and supported by management to assure that people will do what these people require and, in the case of first aiders, will not interfere with the responder's actions.

 

Plan maintenance

    Plan maintenance, easily overlooked, means that if anything changes in the plan - if someone is promoted or retires, if a procedure or vendor is changed, if a product or service is added or discontinued, or any of 100 other possible changes are made - the plan is updated to reflect the change. If the change is significant, the revised plan needs to be exercised.

    How often to update the plan? A "gap analysis" or thorough plan review should be performed at least annually. For very dynamic organizations, more often.

    The hardest part of plan maintenance is assigning responsibility to do the job. If there is a resident planner, the planner should maintain the plan; if not, perhaps personnel or Change Management.


    Parts of a plan - Part 1

 

 


John Glenn, MBCI, has been helping organizations of all types avoid or mitigate risks to their operations since 1994. Comments about this article, or others at http://JohnGlennMBCI.com/ may be sent to Planner @ JohnGlennMBCI. com.

 


 

© 2006, John Glenn MBCI