This week Charlie discusses how you can improve your business continuity plans by altering the format and following five key steps.
Last night I was at the CIR awards where I saw Ewan Donald, Principal Consultant at BC Training’s sister company PlanB Consulting and BCT tutor, win the award for “Adviser of the Year’, so well-done Ewan. I also met with Scott, who said he was a fan of the bulletin and liked bulletins covering practical business continuity information. So, this one is dedicated to you Scott!
When developing business continuity plans, I try to make them accessible, practical and easy to use on the day. For a long time, I followed a traditional format, with the first few pages being filled up with scope, assumptions, objectives and the like. The problem with this format is that you have to wade through several pages before getting to the bit of the plan which would actually be used on the day of an incident occurring.
After a while, it occurred to me that when you make use of the plan in anger, what you don’t need to read first, is a set of assumptions in the plan. By then it is a bit too late to ponder on whether the assumptions are right! This is when the radical idea came to me, of putting what you need first in the plan and then what you need last and the reference material at the end. From this idea, five steps were born.
Step 1 – Emergency response or the immediate actions
This step involves all of the information needed for the immediate response to an incident. If the organisation was an office-based organisation, then this would include all of the actions needed if the office had been evacuated. If the organisation was manufacturing or oil and gas, then it would be the emergency response phase of an incident. The plan recognises that there are a number of incidents which don’t have an immediate response or happen out of hours when there is nobody in the office. In these cases, you would go straight to step 2.
Step 2 – Invoking the plan
One of the critical parts of a plan is recognising that an incident has taken place and it needs to be managed using the business continuity plan, rather than within normal day-to-day operations. This step includes the criteria for when the plan should be invoked. If a member of staff gets a call at 3am, the criteria should be so clear that the decision as to whether to invoke the plan and get the other team members out of their beds to respond is straightforward. This section also covers how to call out the incident management team, who is on the team and two different locations of where they should meet. You might also have a conference call number, as the first meeting may be by conference call.
Step 3 – Incident management
This step covers the time from when the team forms, up until the incident team stands down. It includes how the team will manage the incident, information about setting up the incident room, how to conduct incident team meetings with a set agenda, how information should be shared and displayed on boards and the tasks to be carried out outside the incident. Outside incident team meetings we see a circle of tasks, including; communications and carrying out the actions agreed in the incident meetings, horizon scanning to identify risks and issues during the recovery and situational awareness, when those responding actively seek out information and attitudes from key stakeholders.
Step 4 – Communications and reputation management
This step sometimes starts before step 2, if the organisation needs to inform key stakeholders of the incident or if the team need to acknowledge on social media that an incident has occurred. The content of this section will depend on the level of plan, whether it is operational, tactical or strategic. If the plan is operational, it will contain a list of possible stakeholders that may need to be contacted during an incident, instructions for contacting staff and information on the company’s view of the incident – “the message” - will get sent to them. If the plan is strategic, then it will contain a full communications strategy/plan or a signpost to a separate crisis communications plan.
Step 5 – Recovery
This section deals with the recovery of the organisation. Whilst steps 1 to 4 are generic for any incident, this section contains plans for specific incidents. So, it may have the recovery plan for loss of office, staff or IT. It could also contain other scenarios, such as a cyber response plan or a pandemic plan. This section should cover the recovery strategy which would be used if the event occurred, a checklist or a set of actions which need to be implemented to carry out the recovery and information from the BIA which covers resources needed or recovery numbers.
In the appendix I tend to put reference materials, so it could contain:
- Roles and responsibilities of each member of the team in the organisation
- Team member’s responsibilities
On the front page I put the scope, so that when the plan is picked up there is no doubt that you are going to use the right plan! At PlanB, we use this format for all plans and we find it works for operational, as well as tactical and strategic plans.