11.0 Practice Advisory - Part One
The Business Continuity Guideline is comprised of two sections: (1) the planning process and (2) successful implementation and maintenance.
Note: Business continuity planning is cyclical; rigorous plan administration and maintenance, as well as any events experienced, will necessitate revisions and/or plan additions.
Developing the Plan
This section addresses the process of preparing a Business Continuity Plan (BCP), including readiness, prevention, response, and resumption/recovery. It details the specific BCP elements and provides step-by-step plan preparation and activation guidance. The specifics of this guideline are appropriate for a mid- to large-sized organization. By understanding the concepts and procedures described, it will be possible to effectively adapt the guideline to smaller-sized organizations. The level of effort may vary widely, but the basic approach of preparedness and response should be constant.
11.1.1 Assign Accountability
It is essential that senior leadership of the organization sponsors and takes responsibility for creating, maintaining, testing, and implementing a comprehensive Business Continuity Plan (BCP). This will ensure that management and staff at all levels within the organization understand that the BCP is a critical top management priority. It is equally essential that senior leadership engage a “top down” approach to the BCP so that management at all levels of the organization understand accountability for effective and efficient plan maintenance as part of the overall governance priorities.
11.1.1.a Corporate Policy
An organization-wide BCP Policy is essential; it should commit the organization to undertaking all reasonable and appropriate steps to protect people, property, and business interests in the event of a crisis. Corporate policy should include a definition of a “crisis.”
11.1.1.b Ownership of Systems, Processes, and Resources
11.1.1.c Planning Team
A Business Continuity Planning Team with responsibility for BCP development that includes senior leaders from all major organizational functions and support groups should be appointed to ensure wide-spread acceptance of the BCP.
11.1.1.d Communicate BCP
The BCP should be communicated throughout the organization, to ensure employees are aware of the BCP structure and their roles within the plan.
11.1.2 Perform Risk Assessment
Step two in the creation of a comprehensive BCP is completion of a Risk Assessment, designed to identify and analyze the types of risk that may impact the organization. Assessment should be performed by a group representing various organizational functions and support groups. More detailed information on Risk Assessments can be found in the ASIS General Security Risk Assessment Guideline.
11.1.2.a Review Types of Risks That Could Impact the Business
Using available information about known or anticipated risks, the organization should identify and review risks that could possibly impact the business, and rate the likelihood of each. A risk assessment matrix can aid identification of risks and prioritization of mitigation/planning strategies.
The sample matrix below illustrates threat examples, and demonstrates how risks can be categorized and quantified. Note: this list is not exhaustive and should be tailored to reflect the organization’s operating environment. Additional variables such as onset speed (1=slow, 2=fast), forewarning (1=sufficient, 2=insufficient), duration (1=short, 2=long) and intensity (1=low, 2=high) can also be added as additional columns and entered in the formula: e.g. likelihood x (onset speed + forewarning + duration + intensity) x impact = relative weight.
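The formula above applied to a small matrix, as an added example that is not part of the original guideline. The threat rows, their scores, and the 1-5 scale for likelihood and impact are assumptions constructed for illustration; the four modifier scales (1 or 2) are the ones given in the text. It compares the ranking from a plain likelihood x impact product (assumed here as the baseline) with the ranking from the extended formula.

```python
from dataclasses import dataclass

# Modifier columns named in the guideline; each is scored 1 or 2.
MODIFIERS = ("onset_speed", "forewarning", "duration", "intensity")


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int   # assumed scale: 1 (rare) .. 5 (expected)
    impact: int       # assumed scale: 1 (minor) .. 5 (severe)
    onset_speed: int  # 1 = slow, 2 = fast
    forewarning: int  # 1 = sufficient, 2 = insufficient
    duration: int     # 1 = short, 2 = long
    intensity: int    # 1 = low, 2 = high

    def __post_init__(self):
        # Reject scores outside the scales so a typo cannot skew the ranking.
        for field in ("likelihood", "impact"):
            value = getattr(self, field)
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: {field}={value} not in 1..5")
        for field in MODIFIERS:
            value = getattr(self, field)
            if value not in (1, 2):
                raise ValueError(f"{self.name}: {field}={value} must be 1 or 2")


def base_weight(risk):
    """Baseline weight: likelihood x impact (assumed baseline form)."""
    return risk.likelihood * risk.impact


def relative_weight(risk):
    """likelihood x (onset speed + forewarning + duration + intensity) x impact."""
    modifier_sum = sum(getattr(risk, m) for m in MODIFIERS)
    return risk.likelihood * modifier_sum * risk.impact


def rank(risks, weight_fn):
    """Return (name, weight) pairs, highest weight first; ties sorted by name."""
    scored = [(r.name, weight_fn(r)) for r in risks]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


# Constructed sample rows; not taken from the guideline's own matrix.
SAMPLE_RISKS = [
    Risk("Earthquake", likelihood=2, impact=4,
         onset_speed=2, forewarning=2, duration=1, intensity=2),
    Risk("Hurricane", likelihood=3, impact=3,
         onset_speed=1, forewarning=1, duration=2, intensity=2),
    Risk("Power outage", likelihood=4, impact=2,
         onset_speed=2, forewarning=2, duration=1, intensity=1),
]

if __name__ == "__main__":
    print("Baseline (likelihood x impact):")
    for name, weight in rank(SAMPLE_RISKS, base_weight):
        print(f"  {name:<14}{weight:>4}")
    print("Extended (with onset, forewarning, duration, intensity):")
    for name, weight in rank(SAMPLE_RISKS, relative_weight):
        print(f"  {name:<14}{weight:>4}")
```

In the sample rows the hurricane leads on the baseline product, while the extended formula moves the earthquake to the top because of its fast onset and insufficient forewarning.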
11.1.3 Conduct Business Impact Analysis (BIA)
Once risks have been identified, any organizational impacts that could result from an interruption of normal operations should be examined in a BIA.
11.1.3.a Identify Critical Processes
Business critical processes should be identified and documented. They could include purchasing, manufacturing, supply chain, sales, distribution, accounts receivable, accounts payable, payroll, IT, and research and development. Once the critical processes are identified, an analysis of each can be made using the evaluation criteria described below. Processes should be ranked as High, Medium, or Low.
11.1.3.b Assess Impact if Crisis Were to Happen
- Human cost: physical and psychological harm to employees, customers, suppliers, and other stakeholders.
- Financial cost: equipment and property replacement, downtime, overtime pay, stock devaluation, lost sales/business, lawsuits, regulatory fines/penalties, etc.
- Corporate image cost: reputation, standing in the community, negative press, loss of customers, etc.
11.1.3.c Determine Maximum Allowable Outage and Recovery Time Objectives
- Determine how long process can be nonfunctional before impacts become unacceptable.
- Determine how soon process should be restored (shortest allowable outage restored first).
- Determine different recovery time objectives according to time of year (year-end, tax filing, etc.).
- Identify and document alternate procedures to a process (manual workarounds or processes, blueprints, notification/calling trees, etc.).
- Evaluate costs of alternate procedures versus waiting for system to be restored.
11.1.3.d Identify Resources Required for Resumption and Recovery
Such resources can include personnel, technology hardware and software (including telecommunications), specialized equipment, general office supplies, facility/office space and critical and vital business records. Identifying, backing-up, and storing critical and vital business records in a safe and accessible location are essential prerequisites for an effective business continuity plan.
The Risk Assessment and BIA provide the foundation on which the organization’s BCP will rest, as strategies will be formulated and plans will be developed to meet the needs identified in them. These analyses should be repeated on a regular basis and/or in response to significant changes to the organization’s operating environment.
11.1.4 Agree on Strategic Plans
Strategic planning addresses the identification and implementation of:
- Methods to mitigate the risks and exposures identified in the BIA and Risk Assessment (see 11.2 Prevention).
- Plans and procedures to respond to any incident that does occur.
A BCP may include multiple strategies that address a variety of probable situations, including the duration of the business interruption (short versus long term), the period in which it occurs (peak versus low), and the extent of the interruption (partial versus complete). It is important that the strategies selected are:
- Highly probable to be successful,
- Verifiable through tests and exercises,
- Cost effective, and
- Appropriate for the size and scope of the organization.
11.1.5 Crisis Management and Response Team Development
It is necessary that an appropriate administrative structure be put in place to effectively deal with crisis management. Clear definitions must exist for a management structure, authority for decisions, and responsibility for implementation. An organization should have a Crisis Management Team to lead incident/event response. The Team should be comprised of such functions as human resources, information technology, facilities, security, legal, communications/media relations, manufacturing, warehousing, and other business critical support functions, with all under the clear direction of senior management or its representatives.
The Crisis Management Team may be supported by as many Response Teams as appropriate taking into account such factors as organization size and type, number of employees, location, etc. Response Teams should develop Response Plans to address various aspects of potential crises, such as damage assessment, site restoration, payroll, human resources, information technology, and administrative support. Response Plans should be consistent with and included within the overall BCP. Individuals should be recruited for membership on Response Teams based upon their skills, level of commitment, and vested interest.
11.1.5.a Contact Information
Contact information for personnel assigned to crisis management and response teams should be included in the plans. Personal information such as unlisted phone numbers and home addresses should be protected. The organization should establish procedures to ensure that the information is kept up to date. Consideration should be given to a BCP software tool that supports effective change management. (See also 12.2 Evaluation and Maintenance.)
11.2.1 Compliance with Corporate Policy
Compliance audits should be conducted to enforce BCP policies and procedures. Policy and procedures violations should be highlighted and accountability for corrective action assigned in accordance with organizational governance regimes.
11.2.2 Mitigation Strategies
11.2.2.a Devise Mitigation Strategies
Cost effective mitigation strategies should be employed to prevent or lessen the impact of potential crises. For example, securing equipment to walls or desks with strapping can mitigate damage from an earthquake; sprinkler systems can lessen the risk of a fire; a strong records management and technology disaster recovery program can mitigate the loss of key documents and data.
11.2.2.b Resources Needed for Mitigation
The various resources that would contribute to the mitigation process should be identified. These resources, including essential personnel and their roles and responsibilities, facilities, technology, and equipment, should be documented in the plan and become part of “business as usual.”
11.2.2.c Monitoring Systems and Resources
Systems and resources should be monitored continually as part of mitigation strategies. Such monitoring can be likened to simple inventory management.
The resources that will support the organization to mitigate the crisis should also be monitored continually to ensure that they will be available and able to perform as planned during the crisis. Examples of such systems and resources include, but are not limited to:
- Emergency equipment
- Fire alarms and suppression systems
- Local resources and vendors
- Alternate worksites
- Maps and floor plans updated/changed due to construction and internal moves
- System backups and offsite storage.
11.2.3 Avoidance, Deterrence and Detection
Avoidance has the goal of preventing a crisis from happening. The potential crisis should be identified, understood, and addressed and, in doing so, avoided. The Risk Assessment can be used to identify the specifics of potential crises, including any precursors and warning signs.
Deterrence and Detection
The purpose of deterrence and detection is to make a hostile act (or activity) more difficult to carry out against the organization or significantly limit, if not negate, its impact. The BCP should address and include overall deterrence and detection measures.
Examples of crises that can have warning signs include, but are not limited to:
- Workplace violence (erratic or threatening employee behavior)
- Natural disasters (hurricanes, wild-fires, etc.)
- Activism, protests, riots
- Product or manufacturing failure
- Hostile takeover
11.2.3.a Employee Behavior to Support Avoidance and Deterrence and Detection
Employees should be appropriately motivated to feel personally responsible for avoidance and deterrence and detection. Through the proper corporate climate, operational plans, and management objectives, employees should support avoidance and deterrence and detection policies and procedures.
11.2.3.b Facility Security Programs to Support and Enhance Avoidance and Deterrence and Detection
- Architectural: natural or manmade barriers.
- Operational: security officers’ post orders; employee security awareness programs; counter surveillance and counter intelligence as avoidance, detection and deterrence measures; and Protective Security Operations for the protection of the leadership and their families.
- Technological: intrusion detection, access control, recorded video surveillance, package and baggage screening, when appropriate.
11.3.1 Potential Crisis Recognition
The first element in a response program is to determine if a potential crisis exists. The organization should know and be able to easily recognize when specific dangers occur that necessitate the need for some level of response. A strong program of detection and avoidance policies and procedures as outlined above will support this process.
11.3.1.a Identification and Recognition of Danger Signals
Identification of danger signals coupled with the likelihood of an event is often indicative of an imminent crisis. Warning signs may include, but are not limited to:
- Unusual or unexplained changes in sales volume
- Legislative changes
- Corporate policy changes
- Changes to competitive environment
- Changes to supply based environment
- Warnings of natural disasters
- Imminent or actual changes in Homeland Security Advisory System threat level
- Cash flow changes
- Potential for civil or political instability
- Impending strike or likely protests
- Hostile labor negotiations
11.3.1.b Responsibility to Recognize and Report Potential Crises
Certain departments or functions are uniquely situated to observe warning signs of an imminent crisis. Personnel assigned to these departments or functions should be trained appropriately. The responsibility to report a potential crisis (including the notification mechanism) should be communicated to all employees. The general employee population may also be an excellent source of predictive information when there is a documented reporting structure and where attention is paid to what the employee reports.
11.3.2 Notify the Team(s)
A potential crisis, once recognized, should be immediately reported to a supervisor, a member of management, or another individual tasked with the responsibility of crisis notification and management.
11.3.2.a Parameters for Notification
Specific notification criteria should be established, documented, and adhered to by all employees (with the timing and sequence of notification calls clearly documented). The actual activation of a response process should require very specific qualifications being met.
11.3.2.b Custody and Updates to Contact Information
Qualified personnel should have ready access to the updated, confidential listings of persons and organizations to be contacted when certain conditions or parameters of a potential crisis are met.
11.3.2.c Types of Notification
Notifications in a crisis situation should be timely and clear and should use a variety of procedures and technologies, with recognition that devices used have advantages and limitations.
Remember: In some types of crises, the notification systems are themselves impacted by the disaster, whether through capacity issues or infrastructure damage. Thus, it is important to have redundancies built into the notification system and several different ways to contact the listed individuals and organizations.
11.3.3 Assess the Situation
Problem assessment (an evaluative process of decision making that will determine the nature of the issue to be addressed) and severity assessment (the process of determining the severity of the crisis and what any associated costs may be in the long run) should be made at the outset of a crisis. Factors to be considered include the size of the problem, its potential for escalation, and the possible impact of the situation.
11.3.4 Declare a Crisis
The point at which a situation is declared to be a crisis should be clearly defined, documented, and fit very specific and controlled parameters. Responsibility for declaring a crisis should also be clearly defined and assigned. First and second alternates to the responsible individual should be identified.
The activities that declaring a crisis will trigger include, but are not limited to:
- Additional call notification
- Evacuation, shelter, or relocation
- Safety protocol
- Response site and alternate site activation
- Team deployment
- Personnel assignments and accessibility
- Emergency contract activation
- Operational changes
In certain situations, there may be steps that can and should be implemented, even without officially declaring a crisis.
11.3.5 Execute the Plan
BCPs should be developed around a "worst case scenario," with the understanding that the response can be scaled appropriately to match the actual crisis. When initiating a response, it is important to ensure that the goals protect the following interests listed in order of their priority:
- Save lives and reduce chances of further injuries/deaths
- Protect assets
- Restore critical business processes and systems
- Reduce the length of the interruption of business
- Protect against reputation damage
- Control media coverage (e.g. local, regional, national or global)
- Maintain customer relations.
Prioritized classifications can be set up as relative indicators of the magnitude, severity, or potential impact of the situation:
These levels may aid organizations that are developing response plans and implementation "triggers" for use during a crisis. Determining the initial level of the crisis and the progression from one level to the next will normally be the responsibility of the Crisis Management Team.
Remember: Effective communication is one of the most important ingredients in crisis management.
11.3.6.a Identify the Audiences
Internal and external audiences should be identified in order to convey crisis and organizational response information. In order to provide the best communications and suitable messages for various groups, it is often appropriate to segment the audiences. In this way, messages tailored specifically for a group can be released.
11.3.6.b Communicating With Audiences
The following items should be taken into account in the crisis communications strategy:
- Communications should be timely and honest.
- To the extent possible, an audience should hear news from the organization first.
- Communications should provide objective and subjective assessments.
- All employees should be informed at approximately the same time.
- Give bad news all at once – do not sugarcoat it.
- Provide opportunity for audiences to ask questions, if possible.
- Provide regular updates and let audiences know when the next update will be issued.
- Treat audiences as you would like to be treated.
- Communicate in a manner appropriate to circumstances:
  - Face-to-face meetings (individual and group)
  - News conferences
  - Voice mail/email
  - Company Intranet and Internet sites
  - Toll-free hotline
  - Special newsletter
  - Announcements using local/national media
Preplanning for communications is critical. Draft message templates, scripts, and statements can be crafted in advance for threats identified in the Risk Assessment. Procedures to ensure that communications can be distributed at short notice should also be established, particularly when using resources such as Intranet and Internet sites and toll-free hotlines.
11.3.6.c Official Spokesperson
The organization should designate a single primary spokesperson, with back-ups identified, who will manage/disseminate crisis communications to the media and others. This individual should be trained in media relations prior to a crisis. All information should be funneled through a single source to assure that the messages being delivered are consistent. It should be stressed that personnel should be informed quickly regarding where to refer calls from the media and that only authorized company spokespeople are authorized to speak to the media. In some situations, an appropriately trained site spokesperson may also be necessary.
11.3.7 Resource Management
11.3.7.1 The Human Element
People are the most important aspect of any BCP. How an organization’s human resources are managed will impact the success or failure of crisis management.
11.3.7.1.a Accounting for All Individuals
A system should be devised by which all personnel can be accounted for quickly after the onset of a crisis. This system could range from a simple telephone tree to an elaborate external vendor’s call-in site. Current and accurate contact information should be maintained for all personnel. Consideration should be given to engaging the company’s travel agency to assist in locating employees on business travel.
11.3.7.1.b Notification of Next-of-Kin
Arrangements should be made for notification of any next-of-kin in case of injuries or fatalities. If at all possible, notification should take place in person by a member of senior management. Appropriate training should be provided.
11.3.7.1.c Family Representatives
The organization should implement a Family Representative program in case of severe injury or fatality. The Family Representative should be someone other than the person who performed the notification. This Representative should act as the primary point of contact between the family and the organization. Comprehensive training for the Representative is a necessity.
11.3.7.1.d Crisis Counseling
Crisis counseling should be arranged as necessary. In many cases, such counseling goes beyond the qualifications and experience of an organization’s Employee Assistance Program (where available). Other reliable sources of counseling should be identified prior to a crisis situation.
11.3.7.1.e Financial Support
A crisis may have far reaching financial implications for the organization, its employees and their families, and other stakeholders; these implications should be considered an important part of a BCP. Implications may include financial support to families of victims. Additionally, there may be tax implications that should be referenced and clarified in advance.
The payroll system should remain functional throughout the crisis.
Logistical decisions made in advance will impact the success or failure of a good BCP. Among them are the following:
11.3.7.2.a Crisis Management Center
A primary Crisis Management Center should be identified in advance. This is the initial site used by the Crisis Management Team and Response Teams for directing and overseeing crisis management activities. The site should have an uninterruptible power supply, essential computer, telecommunications, heating/ventilating/air conditioning systems, and other support systems. Additionally, emergency supplies should be identified and kept in the Center.
Where a dedicated Center is not possible, a designated place where the Teams may direct and oversee crisis management activities should be guaranteed. Access control measures should be implemented, with the members of all Teams given 24x7 access.
A secondary Crisis Management Center should also be identified in the event that the primary Center is impacted by the crisis event.
11.3.7.2.b Alternate Worksites
The organization should have alternate worksites identified for business resumption and recovery. In the absence of other company facilities being available and/or suitable, access to alternate worksites can be arranged through appropriate vendors. Planning concerning the identification and availability of alternate worksites should take place early in the BCP process. Alternate worksites should provide adequate access to the resources required for business resumption identified in the BIA.
11.3.7.2.c Offsite Storage
Offsite storage is a valuable mitigation strategy allowing rapid crisis response and business resumption/recovery. The off-site storage location should be a sufficient distance from the primary facility so that it is not likely to be similarly affected by the same event. Items to be considered for off-site storage include critical and vital records (paper and other media) critical to the operations of the business. Procedures should be included in the plan to ensure the timely delivery of any necessary items from offsite storage to the Crisis Management Center or the alternate worksites.
11.3.7.3 Financial Issues and Insurance
If appropriate, existing funding and insurance policies should be examined, and additional funding and insurance coverage should be identified and obtained. Policy parameters should be established in advance, including pre-approval by the insurance provider of any response related vendors. Where possible, the amount of funds to help ensure continuity of operations should be determined in the planning process. Additionally, any cash should be stored in an easily accessible location to assure its availability during a crisis, and some cash and credit should be available for weekend and after-hours requirements.
All crisis related expenses should be recorded throughout the response and recovery periods.
Insurance providers should be contacted as early as possible in the crisis period, particularly in instances of a wide-reaching crisis, where competition for such resources could be vigorous. All insurance policy and contact information should be readily available to the Crisis Management Team and backed up or stored offsite as appropriate.
Transportation in a time of crisis can be a challenge. Provisions should be arranged ahead of time, if possible. Areas where transportation is critical include, but are not limited to:
- Evacuation of personnel. This may be from a demolished work-site or from a satellite facility in another country
- Transportation to an alternate worksite
- Supplies into the site or to an alternate site
- Transportation of critical data to worksite
- Transportation for staff with special needs.
11.3.7.5 Suppliers/Service Providers
Critical vendor or service provider agreements should be established as appropriate and their contact information maintained as part of the BCP. Such information could include phone numbers, contact names, account numbers, pass-codes (appropriately protected), and other information in the event that someone unfamiliar with the process would need to make contact.
In some instances, it may be appropriate to request and review the BCP, or a summary of such, of the critical vendors, in order to evaluate their ability to continue to provide necessary supplies and services in the case of a far-reaching crisis. At a minimum, the vendor or service provider roles and service level agreements should be discussed in advance of the crisis.
11.3.7.6 Mutual Aid Agreements
Mutual aid agreements identify resources that may be borrowed from other organizations during a crisis, as well as mutual support that may be shared with other organizations. Such agreements should be legally sound and properly documented, clearly understood by all parties involved, and representative of dependable resources as well as a commitment to cooperation.
11.4 RECOVERY AND RESUMPTION
11.4.1 Damage and Impact Assessment
Once the Crisis Management Team has been activated, the damage should be assessed. The damage assessment may be performed by the Crisis Management Team itself or a designated Damage Assessment Team. Responsibility should be assigned for the documentation of all incident related facts and response actions, including financial expenditures.
11.4.1.a Crises Involving Physical Damage
For situations involving physical damage to company property, the Crisis Management Team or its designated Damage Assessment Team should be mobilized to the site. The Team will gain entry if permission from the public safety authorities is granted, and make a preliminary assessment of the extent of damage and the likely length of time that the facility will be unusable.
11.4.1.b Crises Not Involving Physical Damage
Certain types of crises do not involve immediate physical damage to a company worksite or facility. These would include the business, human, information technology, and societal types of crises. In these crises, the Team will likely assess the damage or impact as the crisis unfolds.
11.4.2 Resumption of Critical and Remaining Processes
11.4.2.a Process Resumption Prioritization
Once the extent of damage is known, the process recovery needs should be prioritized and a schedule for resumption determined and documented. The prioritization should take into account the fundamental criticality of the process and other factors, including relationships to other processes, critical schedules, and regulatory requirements, as identified in the BIA. Decisions regarding prioritization of processes should be documented and recorded, including the date, time, and justification for the decisions.
11.4.2.b Resumption of Critical Processes
Once the processes to be restored have been prioritized, the resumption work can begin with processes restored according to the prioritization schedule. The resumption of these processes may occur at either the current worksite or an alternate worksite, depending on the circumstances of the crisis. Documentation should be kept of when the processes were resumed.
11.4.2.c Resumption of Remaining Processes
Once the critical processes have been resumed, the resumption of the remaining processes can be addressed. Where possible, decisions about the prioritization of these processes should be thoroughly documented in advance, as should the timing of actual resumption.
11.4.3 Return to Normal Operations
The organization should seek to bring the company “back to normal.” If it is not possible to return to the pre-crisis “normal,” a “new normal” should be established. This “new normal” creates the expectation that, while there may be changes and restructuring in the workplace, the organization will phase back into productive work. Each step of the process and all decisions should be carefully documented.