THE DISASTER RECOVERY HANDBOOK
THIRD EDITION
A Step-by-Step Plan to Ensure Business Continuity and Protect Vital Operations, Facilities, and Assets
MICHAEL WALLACE
LAWRENCE WEBBER
AMERICAN MANAGEMENT ASSOCIATION
NEW YORK • ATLANTA • BRUSSELS • CHICAGO • MEXICO CITY • SAN FRANCISCO • SHANGHAI • TOKYO • TORONTO • WASHINGTON, D.C.
CONTENTS
Acknowledgments
1. Getting Started: Overview of the Project
2. Building the Business Case: Measuring the Impact on the Business
3. Evaluating Risk: Understanding What Can Go Wrong
4. Selecting a Strategy: Setting the Direction
5. Building an Interim Plan: Don’t Just Sit There, Do Something
6. Writing the Plan: Getting It Down on Paper
7. Administrative Plan: Orchestrating the Recovery
8. Technical Recovery Plan: Putting Humpty Dumpty Back Together Again
9. Work Area Recovery Plan: Getting the Office Up and Running
10. Pandemic Plan: The Wrath of Nature
11. Crisis Management Plan: Minimizing the Damage
12. Emergency Operations Plan: Taking Control of the Situation
13. Testing Your Plans: Test, Test, Test
14. Certifications: How Does Your Plan Measure Up?
15. Policies and Procedures: Get Everyone Moving in the Same Direction
16. Electrical Service: Keeping the Juice Flowing
17. Telecommunications and Networking: Your Connection to the World
18. Vital Records Recovery: Covering Your Assets
19. Information Security Response: Always Vigilant
20. Data: Your Most Irreplaceable Asset
21. Workstations: The Weakest Link
22. Customers: Other People to Worry About
23. Suppliers: Collateral Damage
24. Fire: Burning Down the House
25. Human Resources: Your Most Valuable Asset
26. Health and Safety: Keeping Everyone Healthy
27. Terrorism: The Wrath of Man
Glossary
Index
About the Authors
Sample Chapter from Leading at the Edge by Dennis N.T. Perkins with Margaret P. Holtman and Jillian B. Murphy
About AMACOM Books
PDF files for the supplementary materials are available to purchasers of this book at: www.amacombooks.org/go/DisasterRecovery3E.
SUPPLEMENTARY MATERIALS
CHAPTER 1
Form 1-1: Example Letter Appointing the Business Continuity Manager
Form 1-2: Stakeholder Assessment Map
Form 1-3: Team Member Responsibilities Map
Form 1-4: Communications Responsibility Plan
Form 1-5: Sample Stakeholder Reporting Matrix
CHAPTER 2
Form 2-1: Department Function Identification
Form 2-2: Business Impact Analysis Questionnaire
CHAPTER 3
Form 3-1: Layer One Risk Assessment Tool
Form 3-2: Layer Two Risk Assessment Tool
Form 3-3: Critical Process Impact Matrix
Form 3-4: Critical Process Breakdown Matrix
Form 3-5: Risk Assessment Form Layer 3
Form 3-6: Risk Assessment Form Layer 4
Form 3-7: Risk Assessment Form Layer 5
CHAPTER 5
Form 5-1: List of Service Agreements
Form 5-2: Vendor List
Form 5-3: Emergency Contact List
Form 5-4: Vendor Matrix
Form 5-5: Emergency Equipment List
CHAPTER 6
Form 6-1: Sample Business Continuity Action Plan
Form 3-3: Critical Process Impact Matrix
Form 3-4: Critical Process Breakdown Matrix
CHAPTER 7
Form 7-1: Sample Administrative Plan
Form 7-2: Business Continuity Manager Job Description
CHAPTER 8
Form 8-1: Technical Recovery Plan
Form 8-2: IT Team Leader Recovery Plan
Form 8-3: Technician Tracking Log
Form 8-4: Recovery Activity Log
Form 8-5: Hour-by-Hour Recovery Plan
CHAPTER 9
Form 9-1: Sample Work Area Recovery Plan
CHAPTER 10
Form 10-1: Sample Pandemic Management Plan
CHAPTER 11
Form 11-1: Sample Crisis Management Plan
Form 11-2: Skill Matrix by Technical Skill
Form 11-3: Skill Matrix by Job Process
Form 11-4: Skill Matrix by Job Function
CHAPTER 13
Form 13-1: Log Sheet
Form 13-2: Observation Log
CHAPTER 18
Form 18-1: Shelf List
Form 18-2: Recommended Supplies List
CHAPTER 19
Form 19-1: Sample Incident Management Plan
CHAPTER 20
Form 20-1: Recovery Plan Distribution List
Form 20-2: Recovery Plan Change Record
CHAPTER 22
Form 22-1: Inventory of Key Customers
CHAPTER 23
Form 23-1: Supplier Data
CHAPTER 24
Form 24-1: Sample Fire Poster
CHAPTER 25
Form 25-1: Skill Matrix by Job Process
Form 25-2: Skill Matrix by Technical Skill
Form 25-3: Skill Matrix by Job Function
ACKNOWLEDGMENTS
The authors would like to express their appreciation to Matt Curtin of Interhack, Michael James of Fireproof Records Center, and Alice Kaltenmark of Reed Elsevier for sharing their experiences in business continuity. Their wisdom and insights were extremely valuable in creating this updated edition.
We would also like to express our appreciation to our wives Tami and Nancy for their support while developing this and other books. Any successes that we’ve had would not have been possible without their support.
1 GETTING STARTED
Overview of the Project
Nothing is impossible for the man who doesn’t have to do it himself.
—A. H. WEILER
INTRODUCTION
The job of a business executive requires coordination of the many activities necessary to create a successful business. Markets must be analyzed, potential customers identified, strategies for creating and delivering products and services must be developed, financial goals established and reported, legislative mandates followed, and many different stakeholders satisfied. To ensure that these objectives are met, businesses eventually develop a series of processes designed to produce the desired result. But the world is a dangerous place. Earthquakes, floods, tornadoes, pandemics, snowstorms, fire, and other natural disasters can strike at any time and interrupt these important processes. Terrorism, riots, arson, sabotage, and other human-created disasters can also damage your business. Accidents and equipment failures are guaranteed to happen. As an executive responsible for the well-being of your organization, it is critical that you have a plan in place to ensure that your business can continue its operations after such a disaster and to protect vital operations, facilities, and assets.
You do this just like you do any other important task; you analyze the situation and create a plan. A disaster recovery plan keeps you in business after a disaster by helping to minimize the damage and allowing your organization to recover as quickly as possible. While you can’t prevent every disaster, you can with proper planning mitigate the damage and get back to work quickly and efficiently. The key is having a well-thought-out and up-to-date disaster recovery plan. This chapter will lead you through the creation and implementation of a project plan for creating an effective disaster recovery plan.
Disaster recovery is the process of recovering from a significant disaster, such as a roof collapse in the computer room or a fire in a significant portion of the offices. A disaster almost always requires rebuilding a portion of the business in a recovery area in a very short time. Business continuity, also known as business resilience, involves identifying critical machines that may fail and mitigating the effect of their failure. For example, a failure of the database server may close down online customer orders, so a second server is clustered and the disk storage is mirrored to provide redundancy.
THE DISASTER RECOVERY PLAN PROJECT
Building a disaster recovery or business continuity plan is much like any other business project. A formal project management process is necessary to coordinate the various players and company disciplines required to successfully deliver the desired results of the project. This chapter will give you a high-level roadmap of what you should expect as you prepare to lead or manage a disaster recovery project. A sample project plan is included in the companion URL accompanying this book. Adapt this chapter and the project plan to fit your business goals, company timeline, and scope of project.
Most projects tend to run in a well-defined sequence. For example, to build a new house, first you clear the land, then build the foundation, then build a floor, and so on. Many things cannot begin until the previous step is completed. A business continuity plan (BCP) project is a bit different. In the project’s early stages, most actions logically follow each other. However, once the basic elements are in place, the project bursts out onto parallel tracks, as each department documents its own area. How you proceed in your company is, of course, determined by your corporate culture, the resources available to work with to complete the process, and the level of visible support from the project’s sponsor. Most business continuity projects follow these steps:
1. An executive within the organization decides that a business continuity plan is needed. This might be due to an auditor’s report or the result of a business disruption that was more financially painful than it would have been if a plan had been in place. Or it could be that an alert employee realized that a good plan did not exist and brought this to the executive’s attention. This executive usually becomes the sponsor for the project.
2. The first (and most important) step that the sponsor takes is to select someone to lead the project. This person is most often called the Business Continuity Manager and is responsible for the successful completion of the project.
3. The project sponsor and the Business Continuity Manager meet to clearly define the scope of the project, the project timeline, and expectations. The Business Continuity Manager must be comfortable that the resources available are adequate to meet all the objectives of the project.
4. The Business Continuity Manager selects the team that will work together to complete the project. Both technical and political considerations are important in selecting a team that can successfully develop a workable business continuity plan.
5. The Business Continuity Manager together with the team now develops the project plan to be used in managing the project. Tasks are identified and assigned, task durations calculated, and activities are sequenced as the project plans are developed.
6. The project plans are executed. The Business Continuity Manager oversees the project as the plan unfolds, keeping everyone focused on completing their tasks and ensuring that milestones are met and that important stakeholders are kept informed as to the project’s progress. It is here where the actual continuity plans for the organization are created.
7. Once the business continuity plans have been developed and tested, the Business Continuity Manager closes the project by making sure that everything was documented properly and handing the project results over to the individual(s) responsible for keeping the plan up to date. Each affected department will usually have someone responsible for keeping their portion of the plan current. A report is also generated for the sponsor recapping the project and documenting lessons learned.
In many organizations, the job of Business Continuity Manager is not taken as seriously as it should be. Management in these organizations only wants you to write something, anything to make the auditors go away. That’s okay because as you build the plan, and as they begin to see the benefits, their interest and support will grow.
A project plan organizes the team so members focus their skills on specific actions to get the job done. This respects their time and brings the project to a prompt, but successful, solution.
INITIATING THE PROJECT
Every project starts with a sponsor. A sponsor should be a person with enough organizational influence to give the project credibility, financing, and strategic direction. The sponsor should also possess the management clout to ensure the willing cooperation of other departments and to ensure that the project is adequately funded. Building a business continuity plan in many cases involves changing people’s attitudes and some of their tried-and-true business processes. Business continuity planning is a logical step toward mistake-proofing a business. So, to suppress the reluctance to change or even participate in the project, it is important for the sponsor to be of sufficient stature as to overcome objections before they are raised.
Ideally, the sponsor is the company’s CEO, or the Vice President in charge of the local facility. However, sometimes it is a department manager who realizes that something must be done. Whoever assumes this role must remain involved with the project throughout its lifetime. As the sponsor’s interest fades, so will the interest of your team. Find out why they want to sponsor the project. It will tell you how much support to expect.
In some cases, the sponsor honestly believes the project is a good idea and is personally interested in seeing it is completed. In other cases, the sponsor may have been required to start this project due to an auditor’s citation of a poor business practice. In this situation, the sponsor may only want the minimum recovery plan to satisfy the audit citation. Spend some time early in the project digging out what is motivating support for this project. By understanding what motivates the sponsor, you can gauge how much time and money will be available to you. It is also possible for you to educate the sponsor on the many advantages of having a well-written company-wide plan.
The sponsor’s first task is the selection of the Business Continuity Manager, who will act as the project manager. In most companies, the cynics say that if you raised the issue, then the job is yours! This isn’t a bad way to assign projects because only the people who believe in something would raise the issues. Still, the selection of the right Business Continuity Manager will help make this project a success and the wrong one will make success much more difficult to attain.
The sponsor has the additional duties of approving the plan’s objectives, scope, and assumptions. The sponsor must also obtain approval for funding.
THE BUSINESS CONTINUITY MANAGER
The selection of the person to spearhead this project is the single most important part of building a plan. The Business Continuity Manager should be someone who can gain the willing cooperation of team members and their supervisors. To help ensure the support of everyone in the organization, the Business Continuity Manager should be publicly assigned to this task with the sponsor’s unqualified support. This is essential to overcome internal politics and to let everyone know that their assistance is important and required. As the project moves forward, regular public displays of support are required if the project is to result in a complete and usable plan. Form 1-1 (see companion URL) is an example of a letter appointing the Business Continuity Manager.
Some sponsors begin a business continuity project by hiring an outside consultant to build the plan. This can be a good way to get the project started and to mentor someone in the organization to assume the Business Continuity Manager position. More effort and expertise is needed to organize and develop the plan than to administer it. As the plan is built, the consultant teaches the Business Continuity Manager the ropes.
Understand that even though the consultant is guiding the project, the consultant should not assume the role of Business Continuity Manager. Every company, every facility, every computer site is unique. The actions necessary to promptly restore service are the result of the key people at each site writing down what to do and how to do it. Outside consultants can provide considerable insight into the basic services (electrical, telephone, water, data processing), but lack in-depth experience at your company. They don’t know your business processes. They don’t understand the pulse of your business and what its key elements are.
Building a solid plan will take a lot of time. An experienced consultant working with an internal Business Continuity Manager can help move the project along quicker. The Business Continuity Manager is also the logical candidate to become the plan’s ongoing administrator once the initial project is completed. This person will be responsible for keeping the plan relevant and current. Writing a plan and then filing it away is a waste of money. Whoever builds the plan will be intimately familiar with it. That person can easily continue responsibility for maintaining it and teaching others how to keep their portion of the plan current. Using an outside consultant as a Business Continuity Manager raises the possibility that no one has internal ownership to ensure it is updated and tested periodically. The plan must be kept up to date if it is to be useful when it is needed most.
As the plan administrator, the Business Continuity Manager will ensure that as new equipment enters the building, as new products are rolled out, and as new business processes are implemented, they are reflected in the business continuity plan. The Business Continuity Manager also schedules and evaluates the ongoing testing of the plan by department, or by a specific threat, such as the loss of electrical power, to ensure it works. Once the plan is written, the Business Continuity Manager’s role will evolve into ensuring the plan is an integral part of the company’s ongoing operations. No new company process or piece of equipment should begin operation until the mitigation and recovery plans have been tested and approved.
SCOPE OF THE PROJECT
One of the first tasks the Business Continuity Manager must perform is to come to an agreement with the project sponsor as to the scope of the project. The scope of the project defines its boundaries. It identifies what is included in the project and what is not. If the project is too vast, it will probably fail. If it is too small, then it would be best assigned to a single person like any other office detail. The scope of the project must be given a lot of thought. If in doubt, start with a narrow focus on a specific department or function to demonstrate the plan’s value and build up from there. One guideline commonly used is any event that would cost (in lost wages, sales, etc.) more than 5 percent of your quarterly revenues merits its own plan. So, if a temporary outage of a critical machine stops the entire factory, then it needs a plan. If the same machine stoppage means that three extra workers must drill holes with hand tools until the machine is repaired, then it probably does not need a plan.
A good way to approach the plan is to address areas that everyone uses, such as security, data processing, electrical, and so on. Don’t try to tackle too much, too fast. Start with building services, then security and safety, then data processing. In this way, if the project is killed, you still have some useful documents.
If your recovery plans will encompass many sites or a large complex, then start with a pilot project for a single building, a business function, or even for your Data Processing department. This will build your team’s expertise and confidence, resulting in a very useful document, and demonstrate real value to top management. The scope of the project will drive the resource requirements for the project in terms of how many people it will involve, how long it will take, and the budget required to complete it.
The project scope must be a written statement. Here are three examples with gradually narrowing requirements. As you read these scope statements, imagine what sort of implied tasks these statements carry (or as they say, “The devil is in the details!”). Follow up on the scope statement by clarifying the timelines, criteria for success, and overall expectations for this project. Otherwise, you would be digging up information and writing forever.
EXAMPLE #1
If you were in a factory’s Data Processing department, your scope statement might be:
Develop, implement, and provide ongoing testing for a business continuity plan for the factory’s automated systems to include the computer rooms, the internal and external telephone system, the shop floor control systems, and data connections to both internal and external sites. This plan will provide specific action steps to be taken up to and including emergency replacement of the entire computer and telecommunications rooms.
Note that this statement does not include the factory machines (drill presses, mills, conveyors, etc.) or the front offices. It is focused on the telephone system and the internal data processing functions.
EXAMPLE #2
If you were the Director for Building Security, your scope might be:
Write an emergency contingency plan to address the possibility of fire, personal injury, toxic material spill, and structural collapse. Include escalation procedures, emergency telephone numbers, employee education, and specific emergency actions. Make recommendations concerning potential mitigation actions to take before a disaster strikes. Ensure the plan conforms to all legal, regulatory, and insurance requirements.
The project scope described in this statement does not include flood controls or security actions. Although some security tasks may be implied, very little is called for.
EXAMPLE #3
An even narrower approach might be:
Document all the payroll procedures and recovery processes to ensure that paychecks are always on time and that the automated vacation balance tracking system is available even during an electrical outage.
Note that this scope statement does not include time clocks, exception reporting, or interfaces with your accounting system.
Most people do not have any idea of what a disaster plan would look like. They imagine some large book just sitting on the shelf. In this situation, you could demonstrate the usefulness of the plan by building it a piece at a time. You might build the part that covers the core utilities for a facility (electricity, gas, telecommunications, water, and heating and air conditioning). As you review with the sponsor how these essential services will be recovered after a disaster, the sponsor will begin to see the usefulness of your work. If your company has multiple sites, it might work better for you to build the plan one site at a time.
Timelines, Major Milestones, and Expectations
The output of a scope statement is to build a list of goals for the project. These are specific results against which the success of the project will be judged. Detail any expectations as to a completion date or major milestone dates. If this project is in response to an internal audit item, then the due date might be when the auditor is scheduled to return. If the Board of Directors required this to be done, then progress reports might be due at every directors meeting. Ensure all key dates are identified and explain why they were selected.
The term “expectations” can also be described as the criteria for success. Be clear in what you are asking for. A business continuity plan should only include critical processes. A critical process is usually defined as a process whose interruption would cause a material financial and operational impact over some time interval that you define (5 percent or greater of quarterly revenues is standard). You can’t plan for what to do down to the front door being stuck open. That level of detail would be too difficult to maintain. Focus on the critical business functions and the processes that support them. Your long-run goal is that the business continuity planning process will become an integral part of how business will be conducted in the future.
Some example criteria for success include:
Every department’s continuity plan must provide for employee and visitor safety by detailing to them any dangers associated with this device or type of technology.
Each department’s continuity plan must be understandable to anyone familiar with that type of equipment or technology.
A business continuity plan will be submitted for every critical piece of equipment or critical process in the facility.
At the end of the project, the Business Continuity Manager will submit a list of known weaknesses in the processes or equipment along with long-term recommendations to address them.
All continuity plans will be tested by someone other than the plan’s author and certified by the department manager as suitable for the purpose.
This project shall commence on June 1 and be completed by December 31. By that time, all plans must be complete, tested, and approved by the department managers.
In terms of a timeline, the length of your project will depend on how supportive the team members are of this effort, how complex your operations are, and how detailed your plan must be. Generally, these projects have an initiation phase and then the various departments break off and work in parallel to write their respective plans. During this phase, they also perform initial testing of the plan. At the end, all the plans are compared and modified to avoid duplicate mitigation actions and to ensure one person’s mitigation step doesn’t cause problems for someone else. The capstone event is the system-wide disaster test.
As a general guideline, most plans can be completed in about six months, depending on the project’s scope, the degree of management support, the number of locations to be included in the plan, and the amount of resources available. One month is spent on the start-up administration and training. About three months are needed to draft and test the departmental plans. Be sure to stay on top of these people so they don’t forget about their plans! The final synchronization and testing should take an additional two months. However, as your team members are probably assigned to this project part-time, their level of participation will vary based on their availability. The Business Continuity Manager must be flexible but, in the end, is responsible for driving the project to its completion.
ADEQUATE FUNDING
One of the indicators of the seriousness of a project is the presence of a separate budget item to support its activities. It is the Business Continuity Manager’s responsibility to track the funds spent on the project and to demonstrate the benefit they provided. If a separate budget is not available, then clear guidelines on a spending ceiling for the project must be set.
Among the items to include in the project budget are:
The Business Continuity Manager and key team members should attend formal business continuity planning training to obtain a thorough grounding in its principles. This speeds the project along and removes some of the guesswork of building a plan.
You may need to pay a consultant to advise the project and mentor the Business Continuity Manager as the plan is being developed.
Sometimes the folks with the most knowledge about your processes are not available during normal working hours. For these people, you may need to schedule meetings on weekends or off-site to gain their full attention. This may incur overtime expense or the cost of a consultant to backfill the person while they work on the plan.
Temporary help might be needed for administrative assistance, such as documenting the wiring of your data networks, transcribing notes for those without the time or inclination to type, or conducting an asset inventory.
It is a good practice to build team spirit for the project to carry you over the rough times. This might be shirts, hats, special dinners, performance bonuses, and many other things to build team cohesion. It is amazing what bringing a few pastries into a meeting can do for attendance. Visible recognition also helps to maintain the team’s enthusiasm.
Visible Ongoing Support
If the goal of this project was to determine which employees deserved to have their pay doubled, you would be inundated with folks clamoring to join your team. Unfortunately, an assignment to a business continuity planning team may not be considered a high-profile assignment. This could discourage the enthusiastic support of the very people you need to make this project a success. To minimize this possibility, the visible, vocal, and ongoing support of the sponsor is very important.
Once the sponsor and the Business Continuity Manager have agreed on the scope, the sponsor should issue a formal memo appointing the Business Continuity Manager in a letter to the entire organization. This letter should inform all departments of the initiation of the project and who has been appointed to lead it. It should also describe the project’s scope, its budget or budget guidelines, and major milestones and timelines, as well as alert the other departments that they may be called on to join the project and build their own recovery plans. This memo will detail who, what, where, when, why, and how the project will unfold. The closing paragraph should include a call for their assistance in ensuring the project will be a success.
The sponsor should provide periodic updates to senior management on the progress of this project, which should include milestones met and problems that need to be overcome. Regular visibility to senior management can go a long way toward the continued support of each department with which you’ll be working.
SELECTING A TEAM
Once the sponsor and the coordinator have defined the scope of the project, the next step is to create a team. As you begin the project and start selecting your team, be ready for a chorus of resistance. Some departments will be indignant about being forced to join this project since they already have a plan (it’s just no one can find it). Even if they have a plan, it does not mean that it is a good plan, or it may have interdependences with other areas and needs to be linked to other plans. Some will already have a plan being developed, but under scrutiny you see it has been under development for the last 10 years.
So, with the naysayers in tow, prepare to select your team. In the case of existing, workable plans, ask that a liaison be appointed. For the plans under development, ask that those hardworking people join the project team. As for any parsimonious financial people trying to kill your project’s training request, ask the sponsor to override objections and allow the team to attend training on the latest business continuity best practices.
Identify the Stakeholders
While forming your team, take time to identify the project’s stakeholders. A stakeholder is anyone who has a direct or indirect interest in the project. Most stakeholders just want to know what is going on with the project. Stakeholders need to be kept regularly informed about the project’s progress or problems with which they need to assist.
For all stakeholders, identify their goals and motivation for this project. Based on this list, you will determine what to communicate to them, how often, and by which medium. Some stakeholders’ interests are satisfied by a monthly recap report. Some will want to hear about every minor detail. Form 1-2 (see companion URL) is a Stakeholder Assessment Map. Use it to keep track of what the key stakeholders are after in this project so you do not lose sight of their goals. The strategy is an acknowledgment that you may need to apply some sort of specific attention to an essential person to keep them supporting this important project.
Form the Team
The size and makeup of your team depends on how you will roll out the project. In the very beginning, it is best to start with a small team. Always respect people’s time. Don’t bring anyone into the project before they are needed. The initial team lays the groundwork for the project by arranging for instructors, coordinating training on building disaster plans, or helping to sharpen the focus of what each plan should contain.
The core team should consist of the sponsor, the Business Continuity Manager, an Assistant Business Continuity Manager, and an administrative assistant. This group will prepare standards, training, and processes to make the project flow smoother.
Several other key people will eventually need to join the team. You may want to bring them in early or as they are needed. This may include people such as:
Building Maintenance or Facilities Manager. They can describe what mitigation steps are already in place for the structure, fire suppression, electrical service, environmental controls, and other essential services.
Facility Safety and Security. They should already have parts of a disaster plan in terms of fire, safety, limited building and room access, theft prevention, and a host of other issues. If these plans are adequate, this may save you from writing this part of the plan. Be sure to verify that these plans are up to date and of an acceptable quality.
Labor Union Representative. In union shops, the support of the union makes everyone’s job easier. Show union leadership how a carefully created plan will help keep their members working and they will be very helpful.
Human Resources. The HR people have ready access to up-to-date information about the individuals who are important to the plan.
Line Management. These individuals tend to know the most about what is critical for getting the work done in their areas of responsibility.
Community Relations. A disaster may affect more than just your operations. You may need help from the surrounding community while recovering from a disaster.
Public Information Officer. This is your voice to the outside world. The role is critical in getting accurate information out to customers and vendors when dealing with a disaster.
Sales and Marketing. These people know your customers the best and can provide insight on what level of service is required before customers begin to fade away.
Finance and Purchasing. These people know your vendors the best and can provide insight on what kind of support you can expect from vendors while recovering from a disaster.
Legal. You need more than just common sense during an emergency. Your legal team can provide important insight on the legal ramifications of activities performed in response to an emergency.
The next step is to make a few tool standardization decisions. The company’s technical support staff usually makes these decisions for you. Announce to the group the standard word processing program, spreadsheet, and, most important, the project management software everyone will need on their workstations. Most people have the first two, but few will have the project management software already loaded. Be sure that as people join the team, copies of the software are loaded onto their workstations and training is made available on how to use this tool.
Provide example templates for the recovery documents. This step will ensure that the same type of information is found in all plans under the same headings. Also, it is easier to start writing if the basic document layout is already determined.
You will get the best results by investing some time training team members on how to write their portion of the plan and providing administrative help if they have a lot of paperwork to write up (such as network wiring plans). Every person reacts differently to a new situation, and being assigned to this team is no exception. If you will take the time to assemble a standard format for the plan and a process to follow to write it, then people will be a lot more comfortable being on the team.
A project of this type will generate a lot of paper. If possible, the accumulation of the various plans, wiring diagrams, manuals, and so on should be shifted from the Business Continuity Manager to an administrative assistant. An administrative assistant will also free the Business Continuity Manager from having to coordinate team meetings and track the project costs. Although these tasks are clerical in nature, they may also be given to the Assistant Business Continuity Manager. Another value of appointing an Assistant Business Continuity Manager is that it provides a contingency backup person in case something happens to the Business Continuity Manager, as this person will quickly learn about all aspects of the plan.
Once you are ready to roll out the project plan to the world, pull in representatives from the various departments involved. When tasking the department managers to assign someone, ensure they understand that they are still responsible for having a good plan so that they send the proper person to work on the team. This person need not know every aspect of their department, but they should understand its organization, its critical hardware and software tools, and its major workflows.
Depending on the project’s scope, you might end up with someone from every department in the company. This would result in too many people to motivate and keep focused at one time. Break the project down into manageable units. Start with an area you are most familiar with or that needs the most work. Involving too many people in the beginning will result in chaos. Plan on inviting in departments as you begin to review their area. An example is fire safety. Although it touches all departments, it is primarily a Safety/Security department function.
Given all this, just what skills make someone a good team member? An essential skill is knowledge of the department’s processes. This allows the team member to write from personal knowledge and experience instead of spending a lot of time researching every point in the plan. Members should also know where to find the details about their departments that they don’t personally know. Another useful skill is experience with previous disasters. Even the normal problems that arise in business are useful in pointing out problem areas or documenting what has fixed a problem in the past. And of course, if team members are to write a plan, they need good communications skills.
Department managers should appoint a representative to the business continuity planning project team by way of a formal announcement. However, the Business Continuity Manager must approve all team members. If someone with unsuitable qualifications is sent to represent a department, they should be sent back to that manager with a request to appoint someone who is more knowledgeable about that department’s processes. When rejecting someone from the team, be sure to inform your sponsor and the originating manager as to why that person is unsuitable.
The people on the initial project team are the logical ones to spread the good word of business continuity planning back to their departments. Time spent educating them on the continuity planning principles and benefits will pay off for the company in the long run. They can also learn more about the company by proofreading the plans submitted by the other departments. This has an additional benefit of broadening the company perspective of many of the employees. Use Form 1-3 (see companion url) to map out the responsibilities of each member of the team.
Rolling Out the Project to the Team
Team meetings are an opportunity to bring everyone together so they all hear the same thing at the same time. This is when you make announcements of general interest to everyone. It is also a good time to hear the problems that the team has been encountering and, if time permits, to solicit advice from the other team members on how to approach the issue. A properly managed meeting will keep the team members focused on the project and the project moving forward.
In the beginning, conduct a project rollout meeting with an overview of why this project is important and an explanation of what you are looking for. This is your most critical team-building meeting (you never get a second chance to make a good first impression). In most meetings, you will work to bring out from the people their thoughts and impressions on the project. But at the first meeting, be prepared to do most of the talking. Lay out the roles of each player and set their expectations about participation in the project. Information makes the situation less uncertain and the people can begin to relax. This is your first big chance to teach, cheerlead, and inspire your team! Sell your project to them!
The team members should leave the meeting with a clear idea that this project is of manageable size—not a never-ending spiral of work. Use this meeting and every meeting to informally teach them a bit about business continuity planning.
As the project progresses, you will be surprised how hard it is to get business continuity information out of people. Some people are worried that others will use it to dabble with their systems. Some folks just don’t know what they would do in a disaster and intend to ad lib when something happens, just like they always have. Have patience, ask leading questions, and get them to talk. When they have declared their plan complete (and you know it is only a partial plan), conduct a meeting with the team member, their manager, and the sponsor to review the plan. Step through it item by item. By the time that meeting is over, team members will realize that they will be accountable for the quality of their plans.
PLANNING THE PROJECT
Refer to the sample plans included in the companion url for ideas to include in your plan. Any plan that you use must be tailored to your site and management climate. Always keep your plan in a software tool like Microsoft Project. Such programs will recalculate the project’s estimated completion date as you note which tasks are complete. They can also be used to identify overallocated resources.
Okay, now it is time to build the project plan. This is best done with input from your team. There are four basic processes to building your plan: identifying the activities, estimating how long each task will take, deciding who should do what (or what skills this person should have), and then sequencing the tasks into a logical flow of work. The general term for this is a work breakdown schedule, which describes it quite nicely.
Identifying the Activities
What must be done? Your core project team members can be a great help here by identifying the steps they see as necessary to complete this project. Although some tasks will logically seem to follow others, the focus here is to identify what needs to be done. How deeply you “slice and dice” each task is up to you. Unless it is a critical activity, you should rarely list any task that requires less than eight hours of work (one day). The times in the sample plan are calendar time, not how long the task will take. This is because your team members may only work on this project part-time.
Write a brief paragraph describing each task. This will be very useful in estimating the time required to complete it. It also keeps the task’s scope from spiraling out of control. You may understand what you mean for a task, but remember, someone else will probably execute the task, so an explanation will be very useful.
Always document your planning assumptions. A planning assumption is something that you believe is likely to be true but you are not sure. Each assumption has a risk of being false. Assumptions enable planning to move forward. For example, one assumption is that specific people will be available at a specific date to perform a task in the plan. This is not a fact because there is a risk they will quit, become ill, etc. Still it is reasonable to assume it is true. As assumptions are proven to be true or false, they can be marked as “complete” on the list.
When discussing the plan with others later, this explanation of what you were thinking at the time the plan was drafted will be very useful. By listing your assumptions, you can discuss them point-by-point with the team and your sponsor to avoid areas that the plan should not address and to identify why a specific course of action was followed. The sponsor may also confirm assumptions as true.
Along with the assumptions, list all the known constraints for the project. This might be a specific due date to meet a business or legal obligation; it might be project funding issues or even a limit on the number of people available to be on the team. A major benefit of listing your project constraints is that upon examination they may be less than you think or can be used to prevent the scope of the project from expanding.
Determining Activity Durations
Once the tasks are laid out, estimate how much time should be set aside for each task to be completed. Creating reasonable time estimates for someone else is tough. You may think you know what needs to be done, but you could underestimate the true work required. Also, not everyone has your strengths—or weaknesses. Therefore, the estimates you assign at this stage are a starting point.
When a task is assigned to a team member, take the time to discuss with them what each task involves and see how long they think it will require. Be sure that they understand what each task entails so they can estimate accordingly. Update the plan with their estimated task durations and start dates. It is unfair to the team members to drop a task on them and demand a date without any further explanation.
Once you negotiate the duration of a task with someone, encourage them to stick with it. Other people further along in the project may be depending on this task to be completed before they can start.
Who Should Do It?
Some tasks are easy to assign. If the task is to validate the key locker security, it will go to the Security Manager. If that person chooses to delegate it to someone else, then it is still his responsibility to ensure the task is properly completed on time. Some tasks will be more general in nature and need to be spread around the team fairly. If a task is not needed, don’t hesitate to delete it. If it is necessary, don’t hesitate to assign it!
This is a good time to identify any gaps in your available labor. If you see a large time commitment for the Data Network Manager and little likelihood that team members will be available to do the assigned work, you might generate a task to bring in some temporary help to assist them. Other time issues may be on the horizon. For example, if you need to involve the Accounting Controller, and the project will run over the calendar time for closing the fiscal year accounts, then you would schedule their project participation to avoid this time.
Sequencing the Activities
Now, put all the tasks in some sort of order. In this type of project, the beginning of the project is somewhat sequential. Later, many tasks will run in parallel when the various groups break off to write their respective plans. Select an estimated start date and then place some dates on your plan. With the plan held up against a calendar, check to see if any tasks need to be resequenced or if they conflict with some other critical company activity.
If your task contingencies are in place, the project management software will fill in the plan dates for you. If, when you save the plan, you select the option to save without a baseline, you can easily change the start date later.
Next, you should level your resources so that one person isn’t asked to complete more than eight hours of work in one day. This occurs when people are assigned too many tasks that are running simultaneously.
Plan Risk Assessment
So now that you have a rough plan, with time estimates and sequenced in some sort of a logical flow, it is time to scrutinize the plan for problems. Are there any labor resources overextended? Look at each task area. What is the risk that an item won’t be completed on time? Yes, there is always a risk that a key person won’t be available. List any other underlying potential problems.
Most projects share the same basic risks to their success. In addition, each project has its own risks unique to what you are trying to accomplish and to your environment. Common project plan risks include:
The amount of experience the Business Continuity Manager has in leading this type of project. Less experience adds risk to the project timeline. Extensive experience lowers the risk.
The level of management support for the project. If you have low management support, you will have high project risk to the budget and timeline for team cooperation, and vice versa.
Adequate funding to complete the project with a top-quality result. Don’t let needed training, support activities, or mitigation actions be cut from the budget.
The number of locations involved in the project at one time. The more locations there are involved, the greater the project’s risk of failure. If possible, run a separate project for each site and do not attempt to do them all at the same time.