The latest business continuity news from around the world

Operations resumption planning: a managerial approach

An operations resumption plan is an important aspect of the business continuity management toolkit. In this article Alberto G. Alexander, Ph.D, MBCI, explains what an ORP is and provides a detailed description of the structures, phases and activities of an ORP.

Introduction

An operations resumption plan contains predetermined recovery procedures and guidelines which organizations can follow during a crisis situation to minimize impact to business. The predetermined procedures and guidelines prevent organizations from making on the spot critical decisions in the middle of a crisis.

To a certain extent, an “ORP is similar to the ways planning occurs in our personal lives,” (Syed, 2004). Imagine planning a long distance driving trip with the objective to reach a certain destination within a certain time frame. The travel plan contains phases such as preparation, travel, and stopovers; as well as resources and sequence of activities and tasks involved in each phase such as obtaining maps, finding directions, driving, eating meals and resting. A travel plan is often based on a strategy, which helps to select various travel options such as fastest routes versus safest routes or renting a car versus using an owned car.

An ORP shares the following similarities compared with the travel-planning example:

  • Planning is designed to achieve an objective at a future point in time.
  • Planning deals with the complexity of the problem by dividing the solution into phases.
  • Planning identifies resources, activities and tasks needed to complete each phase.
  • Planning relies on certain strategies for achieving the objective.

It is very important to be clear that “the objective of the ORP, is to recover critical processes within a certain time frame” (Alexander, 2009). The ORP is composed of a series of phases as presented in figure one: initial response and assessment, interim contingency measures, resource provisioning, operations resumption and normalization.

All these phases specify different types of resources needed such as: “people, information and data, buildings, work environment associated utilities, facilities, equipment, information and communication technology, transportation, finance, partners and suppliers” (ISO 22301:2012 Societal Security Business Continuity Management Systems Requirements.)

“All these resources and activities implement the recovery options selected by the business continuity strategy,” (Cornish, 2011). This is a very dynamic process. For instance, the recovery options can consist of either pre-established, pre-arranged resources, or can be obtained as needed.

Disaster definition and types

Within the context of an ORP, defining a disaster is beneficial both during the plan development stage and immediately following a business disruption. A concise disaster definition provides clear focus during an ORP development. Following a business disruption, a pre-established definition of a disaster helps to determine whether or not the disruption qualifies as a disaster situation.

Figure one

A “disaster is an event that disrupts mission-critical business processes and degrades their service levels to a point where the resulting financial and operational impact to an organization becomes unacceptable,” (Alexander, 2009).

Disasters can be classified according to their severity level. “The purpose of disaster classification is to help the business continuity teams determine appropriate responses in a timely manner during a crisis situation,” (Charters, 2011), According to the severity of the event, disasters could be classified in: minor, intermediate and major. This classification is described below.

Minor level disaster
This type of disaster occurs more frequently in normal day-to-day operations, compared to an intermediate or a major disaster. The severity level is considered minor because the effects are often isolated to a small subset of critical business processes. The business units that depend on these critical processes can still continue to operate for a certain length of time.

The cause of the disruption is often the failure of a single component, system or service.

Intermediate level disaster
An intermediate level disaster occurs less frequently but with greater impact compared to the minor level disaster. This event disrupts normal operations of some but not all critical business units. The operational disruptions result from major failures of multiple systems and equipment.

Major level disaster
The possibility of this type of disaster occurring is very small but the extent of the impact is very significant compared to the minor and intermediate level disasters. This event disrupts normal operations of most or all of the critical business processes. The operational disruptions are the result of inaccessibility to or failure of most or all of the systems and equipment.

As was mentioned previously, a concise disaster definition provides clear focus during plan development. Regardless of the severity level of the disaster, an ORP has to be invocated.

Designated business continuity teams

An ORP will work only if designated business continuity teams (BCT) are selected, trained and organized to perform the procedures and work instructions developed. “It is very important to define the organization of the business continuity teams, and their roles and responsibilities,” (Hiles, 2011). The size and the number of BCT depend on the scope and complexity of the ORP.


Figure two

Figure two describes a typical business continuity team structure. In this structure, teams are classified into three layered groups: the Strategic Group, Tactical Group and Technical and Operational Recovery Group.

The members of the teams are chosen based on their knowledge and experience of activities, procedures and tasks assigned to the team. Ideally, teams are staffed with the personnel who perform the same or similar tasks under normal conditions. Team members are expected to be familiar with the goals and procedures of other teams, to facilitate intra – team activities.

Each team has a leader, who directs overall team operations, acts as the team’s representative to management and liaises with other team leaders. The team leader disseminates information to team members and approves any decisions that are made within the team.

The following gives a brief description of the teams and their responsibilities.

Strategic Group
The main component of the Strategic Group is top management. A typical strategic group consists of:

  • Crisis Management Team (CMT)
  • Business Continuity Coordinator (BCC)
  • Notification Team (NT)
  • Emergency Response Team. (ERT)

The CMT manages and controls the execution of the ORP, emergency response plan and crisis communication plan. The CMT leader, who should be top management, has the final decision and authority to invoke the ORP. The company CEO should direct the CMT.

The BCC has the overall responsibility for managing the operation resumption execution phases: initial response and assessment, interim contingency measures, resource provisioning, operations resumption and normalization. BCC coordinates the activities and provides a critical communication link between the CMT and other teams.

The NT is responsible for notifying business continuity teams and personnel needed for execution of the ORP and its recovery procedures.

The ERT is responsible for conducting emergency operations immediately after a disruption in order to protect life, property and the environment. The ERT facilitates personnel evacuations, internal rescue operations, medical assistance, and incident containment. The ERT performs all the activities of the first phase of an ORP: initial response and assessment.

Tactical Group
The tactical group consists of the User Management Team (UMT) and a number of Business Unit Teams (BUT).

The UMT’s role is to conduct an overall assessment of user departments’ immediate needs; monitor the recovery progress and status; and coordinate the recovery activities between BUT and the IT technical recovery teams.

The BUT represents a single business unit. Its membership consists of key users of critical systems and resources. Its main role is to assess the current needs of the unit, and assist the IT technical recovery team to recover lost data and resources. The BUT validates the successful recovery.

Technical and Operational Recovery Group
This group consists of IT and non-IT resource recovery teams. Some of them could be the following:

  • IT Technical Recovery Teams
  • Manufacturing and Production Technical Recovery Team
  • Safety and Hazardous Material Handling Team.

Contact information
Usually in organizations contacting people spread across the firm tends to be difficult under normal conditions. A disaster situation can prove to be even more difficult for notifying the teams and its members. It is critical to maintain accurate and up-to-date contact information within the ORP. Critical suppliers, service providers and customers should be part of the contact list.

Operations resumption execution phases

The ORP is composed of a series of phases as presented in figure one: initial response and assessment, interim contingency measures, resource provisioning, operations resumption and normalization. Each phase is a grouping of activities used to provide a logical structure for each team’s plan. Each phase represents a critical stage in the OPR. Each teams plan should contain:

  • A strategy overview for each incident type (disaster scenario)
  • A list of minimum recovery requirements
  • Team membership and contact information
  • Activity lists (organized by phase and scenario)
  • Activity details.

An activity is the operating unit of the plan. Each activity describes:

  • What has to be done
  • How it can be done
  • Who can do it
  • What is needed to do it
  • Where it can de performed from
  • When it can start
  • How long it should last
  • When it should end

Each activity represents a logical, self-contained unit of work that may need to be performed by a single team for a given scenario.

A brief description of the nature and responsibilities of each of the phases of an ORP follows:

Initial Response and Assessment 
This phase begins immediately after the disruption. In this phase the business continuity coordinator is alerted. The Emergency Response Team (ERT) is activated.  The ERT takes immediate actions warranted by the event and assesses the impact of the event on business operations. If possible, the ERT solves the problem. The damage and extent of the impact is assessed at a high level; and notification is sent to the crisis management team, and the notification team, following a preliminary problem report format. At this stage the disaster level is determined. If the problem has not been solved, the CMT invokes the appropriate ORP.

Interim Contingency Measures
In this phase the ERT, with the appropriate business unit team, implement short-term measures to limit the impact of the event. The actions taken at this stage could be things such as: transferring work to staff at another location, or having key staff work from home.

Resource Provisioning
In this phase the business continuity coordinator is responsible for providing the minimum resources needed to resume operations at an alternate location.

Operations Resumption
The business continuity coordinator coordinates all the activities of this phase. The activities deal with the resumption at an acceptable level of operations at the alternate location. This phase might require the relocation of staff, recreation of lost data, processing of backlogs, etc.

Normalization
In this phase the business coordinator, with the appropriate business unit teams, plans the arrangement to return the environment and operations to pre-disaster conditions.
The CMT is in charge of ordering the initiation of the normalization stage.

Summary

One of the main objectives of an ORP is to increase the likelihood of an organization surviving a business critical threat, should such an event occur.

An operations resumption plan contains predetermined recovery procedures and guidelines which organizations can follow during a crisis situation to minimize impact to business. The predetermined procedures and guidelines prevent organizations from making on the spot critical decisions in the middle of a crisis.

There needs to be a strong team spirit within an organization that implements an ORP, where staff work across organizational boundaries to solve problems in a timely manner.

A firm that wants to become resilient has to develop an organizational culture that will allow individuals to be empowered to make decisions and take sometimes-drastic action without seeking approval. This requires authority levels and decision-making structures to be in place well in advance of a potential event.

The author

Alberto G. Alexander, PhD, MBCI, is a managing director and international consultant with Eficiencia Gerencial y Productividad SAC. He is a professor at The Graduate Business School at ESAN. Contact him at: alexander@eficienciagerenial.com

References

  • Alexander, Alberto “A Methodology for Developing a Business Impact Analysis” The Business Continuity Journal, Volume Three, Issue Four 2009, UK
  • Syed, Akhtar Business Continuity Planning Methodology Sentrix, 2004
  • ISO 22301:2012 Societal Security Business Continuity Management Systems Requirements
  • Cornish, Malcolm “Business Continuity Management Methodology” The Definitive Handbook of Business Continuity Management. 2011. John Wiley & Sons UK
  • Charters, Ian “Risk Evaluation and Control: Practical Guidelines for Risk Assessment” The Definitive Handbook of Business Continuity Management. 2011. John Wiley & Sons UK
  • Hills, Andrews “Developing and Implementing the Written Plan” The Definitive Handbook of Business Continuity Management. 2011. John Wiley & Sons UK


Want news and features emailed to you?

Signup to our free newsletters and never miss a story.

   

A website you can trust

The entire Continuity Central website is scanned daily by Sucuri to ensure that no malware exists within the site. This means that you can browse with complete confidence.

Business continuity?

Business continuity can be defined as 'the processes, procedures, decisions and activities to ensure that an organization can continue to function through an operational interruption'. Read more about the basics of business continuity here.

Get the latest news and information sent to you by email

Continuity Central provides a number of free newsletters which are distributed by email. To subscribe click here.