Plans within business continuity
By Michael Bratton
Even though plans represent just one component of a larger business continuity management system, they are what guide the organization through all phases of response and recovery following the onset of a disruptive incident – from the initial response and assessment to the eventual return to normal operations. Effective planning is meant to ensure that response and recovery efforts align to the expectations of all interested parties and provide a repeatable approach to minimize downtime.
This article explores different types of plans and examines their purpose within a wider business continuity strategy.
The crisis management plan
The crisis management plan has many different names depending on the organization using it. For example, the term ‘incident management plan’ is also commonly used. In reality, the name does not matter; what matters is the function that the plan serves. Crisis management plans provide a structured response to a disruptive incident that could threaten the survivability of an organization. An effective crisis management plan will typically represent high-level tasks that members of an organization will undertake to respond to and recover from an incident. In order to facilitate this response, effective crisis management plans:
Crisis management plans are designed with higher-level managers in mind and reflect the coordination of response and recovery tasks throughout the organization. Crisis management plans typically do not focus on the recovery activities enabling a single business process or activity. Rather, they provide the resources and guidance to allow the organization as a whole, or perhaps a location or major business unit, to recover, and they serve to allow the redistribution of the organization’s resources, as needed, to execute a prioritized response and recovery. There is no rule on who should participate in a crisis team and who will lead the organization’s response, but in general the team should be composed of individuals who can make decisions on behalf of the organization.
The crisis communications plan
A crisis communications plan serves to supplement crisis management activities by coordinating two-way communications with key internal and external interested parties. Many different entities may be affected by, or could contribute to the recovery, including employees, customers, business partners, regulators, and suppliers. A crisis communications plan helps to minimize the communications burden and increase the timeliness of messaging and feedback by providing a framework that defines who (to communicate with), how (to deliver the message or receive information), and what (to say). In order to facilitate effective communications, crisis communications plans should:
Those serving in communications roles need to be familiar with the organization’s communications capabilities, any legal implications that may be associated with public communications, and key sources of information that could affect response and recovery. Ideally, organizations will have representatives from a communications, public affairs, and/or human resources department that would be natural participants for this role. In some cases, organizations may employ third parties or public relations firms to assist with message development and delivery, but organizations should always remember that they are still ultimately responsible for the success or failure of any communications activities.
Crisis communications plans often contain communications reminders, as well as reference materials such as pre-defined audiences and holding statements. The type of situation will dictate those groups and requirements to be considered, but having an idea of possible audiences that would likely be affected and providing guidance on what to communicate can minimize reputational damage resulting from poor communication.
The business continuity plan
Business continuity plans focus on the recovery of business activities and resources that support the creation and delivery of products and services, or as ISO 22301 notes: “[business continuity plans] typically cover resources, services and activities required to ensure the continuity of critical business functions.” The orientation of a business continuity plan is also similar to a crisis management plan in some ways; however, the scope is the primary differentiator. While a crisis management plan seeks to recover an organizational entity by coordinating recovery activities, a business continuity plan works to restore a subset of related activities and resources. Effective business continuity plans often have the following characteristics:
The key to any successful business continuity plan is the focus on the resumption of business activities. A successful organizational recovery may resemble a series of business continuity plans being activated, working to recover business activities in a prioritized fashion, reporting progress and issues to the crisis management team, and allocating resources in accordance with the organization’s priorities. To support this process, phased or structured recovery activities in a business continuity plan should resemble those in the crisis management plans. Put more simply, the business continuity plan should have a structure similar to that of the crisis management plan.
In some situations, business continuity plans may be activated without the activation of a crisis management plan and vice versa. Flexible, mature business continuity programs may allow for this type of activation, and successful execution depends on the maturity of business continuity plans and the experience of the plan owner. While these plan owners will be responsible for the business activities they oversee, they may be subject to higher-level decision-making authority exercised by the crisis management team. This relationship between the department-level recovery team and the crisis management team is critical in maintaining an effective recovery during and following an interruption.
The IT disaster recovery plan
A simple search on the Internet for business continuity will typically yield two types of results. The first type of result is the more standard approach for business continuity as the discipline to continue operations and product and service delivery. The second type of result refers to business continuity as a very IT-centric system where plans do not necessarily recover departments and their activities but the IT systems, data, and communications assets that help enable these areas. These technology-centric plans are often known as IT disaster recovery plans.
IT disaster recovery plans are distinguishable from business continuity plans in key ways:
IT disaster recovery plans are also typically designed to be executed by IT practitioners, not participants in general business or operational areas, although end users of a given system or application may be involved with validation and testing.
Effective IT disaster recovery plans generally:
IT disaster recovery plans are very important when one considers how intertwined organizations are with technology, but it is important to note that IT disaster recovery plans are not, by themselves, a complete business continuity strategy.
The four types of plans presented in this article represent only a sampling of different types of plans that are available to organizations.
In addition to emergency response plans that address health/safety issues (e.g., evacuation or shelter-in-place), organizations may choose to create IT-specific crisis management plans or even plans based on different threat scenarios.
Planning documentation is important to business continuity strategy development, but plans should serve as tools to facilitate a response; they should never inhibit the decision-making of experienced personnel or trump common sense.
• Date: 2nd April 2014 • US/World • Type: Article • Topic: BC general