Disaster Survival Planning Network (DSPN)
Defining the Project
Every organization is unique in its structure, culture, processes, products and services, and physical facilities. To build an effective disaster recovery plan, each organization needs to create documents that will fit their own unique requirements and train key personnel for the kinds of disasters that they anticipate.
Copying other organizations’ plans, or producing plans from “cookie-cutter” formulas does not work. Unique vulnerabilities of the organization cannot be identified or addressed using either of the above techniques. Consequently, every disaster recovery project (commonly referred to as a business continuity plan) should begin with an initial assessment to determine what the right steps will be. Once the assessment is completed, an organization can proceed with the documentation, implementation, and testing required to ensure the plan will be effective.
The key to successful recovery is taking the proper steps before an event occurs. Creating effective plans and reducing or mitigating hazards and risks that exist in the environment are the two major activities that every organization should perform before disaster strikes. The plans that are created should address how the organization will manage through the two stages that occur after disaster strikes – emergency response and business recovery.
Approaching the Project in Three Phases
The best way to organize a disaster recovery project is to approach it in three phases.
Phase 1 – Assessment and Business Impact Analysis (BIA)
This phase determines the scope and design of the project, as well as identifies all activities required to document, implement, and test the plan. It should include an assessment of what the most critical functions are that the business needs to continue following an event, current system and communications recovery capabilities, and a risk analysis of both internal and external hazards. Business vulnerabilities should be identified and quantified to determine which should be minimized or eliminated during planning.
Phase 2 – Documentation and Implementation
During this stage of the project, all documents and plans are prepared, any additional equipment and supplies are identified and obtained that are needed to reduce the risks identified in the assessment, and all personnel are trained on their respective roles and responsibilities.
Phase 3 – Testing
Once documents have been prepared and people have been trained, drills and exercises should be conducted to ensure the plans will work and provide a continual means to
update the information to adjust for organizational changes.
Ongoing Maintenance of Plans
Once the initial project is completed, every organization should at least annually perform drills and exercises, identify necessary changes, and update their plans. A way to effectively maintain this ongoing process should be built into the documents that are created to make sure the information will be reviewed and updated in a timely manner
Creating the Project
Every organization needs to know what activities it must engage in to create an effective plan. That is the purpose of the Assessment Phase.
An initial assessment (business impact analysis) typically consists of the following steps. If you are the project coordinator, these are the steps you will want to take.
1. Review all existing written materials regarding disaster recovery your organization has created. These materials may include your Injury and Illness Prevention Program, Emergency Evacuation Procedures, IS Recovery Plans, or any other similarly related documents.
2. Interview the key managers of each major organization (depending on the complexity of the organization and the functions being performed.). Typically, each interview will last between 1 – 1 1/2 hours. During the interview, discuss the following:
• the organization’s normal functions
• what functions they would have to continue to perform during the first 72 hours following an event,
• what vulnerabilities they have in being able to perform these functions, and
• what vital records are not backed up and stored off-site.
After completing the interviews, you will have a clear understanding of what functions are vital that will need to continue, either manually, or by having the systems restored that support these functions.
3. Create a project timeline and GANTT chart. The chart should identify all of the activities that the organization needs to perform, who the appropriate people are to perform those activities, and the suggested sequence and timeframe for each activity.
This information should provide the organization with the ability to clearly see the scope of the project and anticipated resources that will need to be involved. It should also be used as the tool to make critical decisions on the proper pace of the project. The detail included in this assessment should equip the organization with the ability to make strategic decisions on the magnitude of funding that will be required, the number of personnel that will be involved, and the timing of critical milestones that need to occur. A typical business continuity project will take 9 months to 2 years to fully implement.
4. Present your findings to the key decision-makers and gain their support and buy-in before proceeding.
The Organization’s Actions Following the Assessment:
Once the coordinator has presented the material, the key decision-makers will need to decide how quickly they want to proceed.
Key Items to Consider:
1. The coordinator should always be used as the facilitator during Phases 2 and 3. They should not be the one to “write the plan”. A plan created solely by the coordinator will have little to no ability to be used when a real disaster strikes. Instead, the coordinator should be used to guide the project, work with the different organizations within the company, and provide expertise in all elements of the planning effort to minimize the time spent by others.
2. Pick the right person to be the project coordinator. Whoever is chosen should be relieved of other duties as much as possible for the duration of the project. They should possess a high amount of knowledge about the organization and wield enough clout to be able to talk with key decision-makers when necessary. They should also have strong
Why the Assessment is Important – It Saves You Dollars!
Business continuity plans cannot be created in a vacuum. Even though there are fundamental steps that every organization should take, each step can vary greatly in magnitude and financial impact. Therefore, the assessment phase provides the organization with a clear picture of exactly what they should do. Asking a coordinator to begin the project without performing an assessment leads to disaster for all. The coordinator needs to know all of the information gathered during the initial assessment to know what this project will really entail.
Using A Consultant
If your company is large enough to hire a consultant, they can be invaluable during the Assessment phase. A qualified consultant should be able to conduct an initial assessment and present you with information you can use to make decisions regarding the scope and extent of the effort your organization needs to engage in. This assessment should typically take no more than 30 to 60 days, depending on the size of your organization.
The cost of an initial assessment can vary greatly, depending on whether your organization needs to address both emergency response elements and business recovery aspects. Assessment can range anywhere from $20,000 to over $100,000, with most costing $25,000 to $45,000 plus travel expenses. The Initial Assessment should be a stand-alone contract so that you are able to evaluate their skills without committing to using the consulting firm for the entire project.
What to look for in a Consultant
This is a relatively new industry. In late 1995 several industry organizations formed the Alliance of Continuity Managers International (ACMI) to combine what exists – terminology, core competencies, education and minimum qualification requirements (certification) for emergency management and organization continuity professionals. They are striving to create standards and certification requirements throughout the industry. Today, there are standard questions that your organization should ask:
1. Are the principals of the firm certified, and by whom?
• The Disaster Recovery Institute International, which is a board of members within the industry, sponsors a series of courses and an examination to become a Certified Business Continuity Professional (CBCP). This program requires 2 years experience in the field and a 75% scoring on a certification exam. DRI offers classes to prepare applicants for the test. DRI has also introduced a new certification, Master Business Continuity Planner (MBCP), which requires a minimum of 5 years experience and an 85% or higher score on the examination.
• The most comprehensive certification is Certified Emergency Manager (CEM) awarded by the International Association of Emergency Managers (IAEM). This organization certifies consultants and emergency management professionals for both the public sector and private sector. To become certified, consultants must possess at a minimum a bachelor’s degree, go through an extensive certification process that includes 200 hours of college level courses on general and emergency management, demonstrate contributions to the industry, provide active leadership in industry associations, have at least 5 years of practical experience creating disaster recovery plans, and a variety of other qualifications.
• For emergency response planning, the only certification required for consultants today is the Los Angeles Fire Department Certified Life Safety Consultants Program. Their requirements qualify a consultant to prepare site plans, floor warden manuals, and employee information pamphlets. The consultants are also qualified to conduct floor warden training and conduct drills and exercises for high-rise buildings. Only qualified consultants and designated emergency directors for each building are authorized to conduct these programs within the City of Los Angeles in the 850 high-rise buildings within the city limits.
• Several colleges and universities have begun certificate programs in emergency management with varied success. A person who completes those programs should have working knowledge of what a disaster recovery program entails but may have limited practical experience in the field. Universities are just now beginning to introduce bachelor degree programs.
2. What other clients has this consulting firm prepared disaster plans for?
The consultant should be willing to show you examples of their work. Due to the confidential information contained in plans, the consultant should not be asked to provide you a copy. However, at your initial meeting, the consultant should bring example copies with them to show.
The consultant should provide you with a list of past clients and contact information for all of them. If they don’t provide you with a list of all their clients they have provided services for within the last two years, ask them to provide you that list. Call all of their past clients to get a good understanding of the consultant’s strengths and weaknesses. Ask about timeliness and completeness of material produced, as well as the consultant’s ability to provide proper recommendations.
3. What practical experience did the consultant have in disasters?
Test to find out if they have textbook knowledge, or practical experience. Were they in the private sector or the public sector, and what were their exact duties? Look for experience broad enough for them to be comfortable in working with your top executives as well as your safety committee, emergency response teams, and department managers.
4. How long has the consulting organization been in business?
What kind of personnel turnover do they have? Determine whether a consulting firm has trouble holding clients, or farms out a lot of its work to other consultants. If there are other consultants that will be used, what are their qualifications, and how does the principal consultant guarantee their work?
5. What is the consultant’s reputation with other members of the disaster recovery industry?
There are several organizations throughout the state that consultants in this field belong to. These associations consist of representatives from local governments and the private sector as well as consultants, emergency supplies providers, and other vendors who service this industry.
Call members of your local association or attend one or two of their meetings to find out who has a good reputation and who does not. Those in the industry know whom the good
And bad ones are, but as consultants, they cannot divulge this without appearing to be “bad-mouthing” their competition. It is wise to ask – some can present very professional credentials, yet their reputations and feedback from past clients is negative. Also, be aware that some consultants volunteer to become very active in these associations because it provides them high visibility. That may not have anything to do with their qualifications. Find out first hand from those who know them.
Some of the major active associations in California are:
• Association of Sacramento Area Planners – Sacramento area
• Business Recovery Managers Association – San Francisco
• Association of Contingency Planners – Los Angeles, Orange County, San Diego Chapters
• Business and Industry Council for Emergency Planning and Preparedness – Los Angeles
• California Emergency Services Association – 3 chapters in California (this is primarily public sector.)
What to Ask For in an Assessment Proposal
To make sure proposals you receive are comparable, ask the consultants to provide you a proposal that contains the following elements:
Contract Objectives
1. Complete an assessment of tasks necessary to design and document a sufficient set of procedures to assure continuation of the organization in the event of a disaster or organization interruption. The assessment should consider the organizational, managerial, and technical environments in which the disaster recovery plan must be implemented.
2. Assess the types and likely parameter of disaster that could occur and the resultant impacts of the organization’s ability to perform its mission. Major emphasis should be placed on the operational risks and impacts. The risk analysis process should include:
• Identification of the vital functions that are at risk, and their vulnerabilities.
• Identification of the threats to which the assets or functions could be exposed.
• Assessment of the vulnerabilities and points where assets or organizations lack sufficient protection from identified threats;
• Determination of the probable loss or consequences, based on quantitative and/or qualitative evaluation where available, of a realized threat for each vulnerability and an estimation of the likelihood of such occurrence;
• Identification and estimation of the cost of protective measures that would eliminate or reduce the vulnerabilities to an acceptable level
• Documentation of these risks as a portion of the overall assessment report.
3. Present the organization with a complete written assessment of where the organization is in its disaster planning efforts. Provide a recommended sequence of events to thoroughly address all future aspects of emergency planning efforts (this should be a Gantt chart that states activities, responsibilities, and estimated timing); recommendations for reducing identified risks; and, if requested, present an oral report to the organization’s key managers.
4. Include in the Overall Assessment Report an estimate of projected consultant time and cost that will be required to facilitate the ongoing development of the plans. This projection should be detailed based on the Gantt chart indicating hours required for each task identified.
Some Last Words of Advice
There is a lot more to preparing successful business continuity plans than picking a “hot site” or training employees on First Aid and CPR. Time and again, staggering percentages of companies have not recovered from disasters. (Industry statistics continue to indicate 60% who experience major disasters are not in business two years later.)
More and more organizations are beginning to realize that preparing an effective business continuity plan is no longer a discretionary budget item. Don’t be penny wise, and dollar foolish. Find out up front what it will take to put a complete program in-place. My own experience has shown that most projects die of their own volition for one or more of the following reasons:
• Little or no upper management support.
• Project was improperly funded at the start.
• Too little time or resources allotted to get the work done.
• Person picked to coordinate the project had little knowledge about what they were supposed to do, and nowhere to go to find out.
Make sure your efforts will count! Get the right help you need at the start. Plan Today…Survive Tomorrow!™