The department (process) level business continuity plan is the ‘cookbook’ to recovering a department and sub-departments (sub-processes). There is no one ‘right way’ to document a plan. If you do some research you will find well over 100 styles of business continuity plans. Decide on a style that meets the needs of your management and your process owners. I hope some of the ideas I present below will be beneficial to you.
I have created thousands of business continuity plans in my career (yes thousands – not hundreds) and the information in this post has worked well for me. More importantly, this information and simple straight-forward plans have worked for my department owners during disruptive events including hurricanes, tornadoes, earthquakes, blizzards, power outages, pandemics and more. Remember, it is all about ‘them’ – the people that must use the plans.
Please do not feel you must use this information exactly as presented. In fact, I would be quite surprised if this information is exactly mapped to the needs of your organization. I suggest you extract what makes sense for your organization, and disregard the rest.
Listed below are examples of departments and teams I have created plans for in various organizations. Please customize for your organization:
- Accounting
- Auditing
- Brokerage
- Business Continuity (somehow this process is often forgotten)
- Compliance
- Customer Service
- Delivery
- Executive management
- Facilities
- Factory Operations
- Human Resources
- Information Technology
- Legal
- Marketing
- Purchasing
- Research and Development
- Risk Management
- Safety
- Sales
- Security
- Securities Trading
- Upper Management
- Warehouse Operations
Each department can have one or more sub-departments. For example, Human Resources may be comprised of:
- Benefits
- Employee on-boarding
- Recruitment
- Training
The department and sub departments would have been identified during the Business Impact Analysis (BIA). The data captured during the BIA should automatically flow into your business continuity plans, provided you are using a good BCM tool. If not, you can do it manually.
Tip – Keep the department level plans as simple and clean as possible. During the stress of a disruptive event a 150 page ‘kitchen sink’ plan, beyond the goal of recovering the process, will be counterproductive and often useless.
If you are using a BCM tool it should provide simple ready-to-use templates for department (process) level plans. If the system is designed properly it will easily roll department information up to wider scope location, division and even to the enterprise level plans. There should be zero manually effort in doing this. We discuss wider scope plans in the next post.
In addition, you should be able to view functional plans across your organization, such as a plan for all of customer service encompassing multiple sites. The ability to automatically ‘cut the data’ various ways will provide management with a holistic view of your organization. More on that when we dig deeper into BCM tools and ‘how a database works 101’ in the technology category on Ultimate Business Continuity.
Tip – Succession planning is sometimes overlooked. Plan the orderly succession for ALL key executives and managers. The primary person may not be available at time of crisis. People also leave, retire, etc. Do a holistic review of your succession related risk.
Tip – Where it adds value I suggest you break out dependency requirements at the sub-department (component) level, rather than at the department level. You do not have to do this for every dependency as some dependencies will not easily map to sub-process granularity. Do it where it adds value.
You can then configure your BCM tool to automatically summarize the sub-departments at the department level (and above). Dependencies can be described over a series of time recovery time buckets. I typically break these buckets down to <4 hours, 24 hours (Day 1), 48 hours (Day 2), 72 hours (Day 3), 168 hours (1 Week) and finally ‘Defer’. You should decide on time buckets that make sense for your organization’s recovery goals.
This type of time-line implementation can be very useful in many ways. For example, to fuel a dynamic employee recovery seat requirement report in which you can map recovery employees to the capability of each of your recovery locations to understand if any locations have been oversubscribed to. For example, recovery site A has 40 seats but processes using that as their primary recovery location require 100 seats in total. Your system can automatically analyze this each time a piece of data changes and it can email you if there is a gap. I describe this dynamic, automatic, real-time process in detail in the assessment category on Ultimate Business Continuity.
You can still do this analysis manually in word processing documents or spreadsheets, etc. but it is much more difficult, error prone, time consuming and will provide far less value in the short and long term. Most importantly, instead of being real-time it will often be outdated and wrong.
Tip – In addition to dynamic data in the plans, department business continuity plans should include maps, directions and any static instructions that will help recover the department. I once had a very dedicated Vice President map out detailed public transportation routes to the recovery site – by walking part of the route and then riding a bus to the site!
However, you are not getting paid by the word. It is more difficult to make the plans simpler, but you should strive to make them as brief, clean and simple as possible without losing functionality. There will be a lot of stress at crisis time and people only want and need information that helps them recover.
Tip – Use checklists wherever possible. I am a great proponent of checklists. If you think checklists will not cut it, you may be interested to learn that airline pilots use simple checklists before every flight to insure they do not miss any safety steps prior to takeoff. Medical professionals use simple checklists before every operation. In each case, they provide great value or they would not still be used.
If you need more proof that checklists are beneficial, I recommend you read, ‘The Checklist Manifesto: How to Get Things Right’ by Atul Gawande. It describes various types of checklists and the impact they have on many professions. Also please read the post on Ultimate Business Continuity – ‘How Checklists Can Change Your Life and Supercharge Your Program ‘
Tip – Plans are ‘living documents’ and MUST be kept current. All plans must be maintained on a regular basis during an official maintenance period – I would recommend quarterly. In addition, plans should be updated whenever there is a change to the department. Reinforce the importance of keeping plans accurate during tabletops and recovery exercises. Also, create awareness using all of the tools we will discuss in the awareness category on Ultimate Business Continuity.
Tip – Plans must be assessed whenever changes are made to them to determine the probability of recovering the department and to ascertain new risks that might be raised by the changes. Assessment after the regular maintenance period is a step in the right direction but we want to do much better. In the plan assessment post I will describe where we want to go in achieving real-time world-class assessment!
Tip – It is critical to test the department level plan on a regular basis. We talk about that in detail in the Testing category on Ultimate Business Continuity.
Tip – Awareness of plans and the roles people are responsible for during a disruptive event must be part of your corporate culture. The details cannot be buried in the plan and not understood until time of crisis. That won’t work!
Tip – Keep in mind all crisis events have their own defining wrinkles. The business continuity plan probably will not be perfect. The plan must provide for resilience through adaptability. Build out a resilient culture and you will have a great chance to survive and thrive.
Below is a list of entities I have included in department plans. You should add, delete and modify to match your needs:
- Crisis team contact information
- Crisis communications policy and public agency contact information (police, fire, hospitals…)
- A brief description of the department
- Assumptions
- Department manager and alternate manager contact names and contact information.
- Department RTO’s and RPO’s
- Department inputs (upstream)
- Department outputs (downstream)
- Alternate recovery strategies. For example – on day two – three employees will work from home. On day three – five employees will work from ABC site… I maintain this in a narrative field and as structured data elements to produce gap analysis reports against recovery space, etc.
- Recovery employee contact info. You may also be able to map the employees to your mass notification tool thru an API (application programming interface) that can enable you to access their contact information and to initiate notifications. This type of data integration aligns to our mantra of maintaining the same data in as few places as possible which has many advantages. I discuss this throughout the posts on Ultimate Business Continuity as it relates to data quality, integrity and normalization.
- Telecom section. DID’s (local exchange phone numbers) and critical customer facing toll free phone numbers. To properly recover toll free numbers routing procedures must be implemented in telecom routing tables and tested prior to a disruption. When new toll free’s are added to plans in the telecom section, it should trigger an email to your team so you can research if the toll free has been accounted for in the telecom routing table and properly tested. I discuss this in-depth in the Recovery Strategies category on Ultimate Business Continuity. You do not want to learn at time of crisis that a critical customer facing toll free telephone number has to be re-routed and it is not properly set up
- Software application section – all critical applications must be listed with RTO and RPO. You can develop application impact analysis (AIA) reports to identify business recovery requirements versus the actual recovery capability of the systems defined by the information technology department
- Equipment section – all critical equipment must be listed in the plan. You should store critical equipment such as MICR printers, scanners, rubber stamps, forms… at the recovery site or in a central location to be delivered at time of crisis to one of many recovery locations. I store equipment in various locations depending on my company’s location assets. We discuss specialized equipment storage ideas in the Recovery Strategies category on Ultimate Business Continuity.
- Vendors section – all critical vendors AND backup vendors should be listed with full contact information included down to the rep level
- Customers section – if you have a small number of customers consider documenting them in the body of the plan with contact information. If a department has thousands of customers perhaps you can give them the option of attaching a customer list to the plan. You also might want to add your customers to your mass notification tool for proactive notification during a crisis. Customers appreciate status notifications
- Vital records section – Is there anything in the production site (e.g. case folders, tracking spreadsheets, etc.) that would be critical to recovery?
- Team Leader, Alternate Team Leaders and Team Members – These roles and the people appointed to them will have responsibility for performing tasks to recover the department. Always plan for the possibility that department owner and Team Leader may not be available during an event. Tasks must be understood by the backups. Everyone on the team that is assigned a task should understand exactly what they must do.
- Tasks – step-by-step list of action items that will guide the department owner and recovery team through the crisis response and recovery phases. Task development will most likely be an iterative process. I suggest using team roles rather than individual names when attaching responsibilities to each of the tasks. Try to include manual workarounds, where possible, in the event software systems are not available. Have someone other than the person that built the task list read through the tasks to see if they can follow the progression and if anything has been left out of the plan. Keep it as simple as possible
- Location of your process ready-box(s). Options include: at a sister-site, 3rd party recovery vendor, Iron Mountain…The box(s) can contain forms, rubber stamps and anything else that will be required to recover the process. If these are only available at the production site and it is gone, you have a single point of failure. You need redundancy
- Location address and detailed directions to the alternate recovery site(s). Include public transportation if it exists
- Attachments. Very important. Get process owners thinking about attaching supporting documents to their plan. Word processing, spreadsheets, etc. that will be critical to recover their process. If you are using a BCM system, it should provide an option to simply and securely store the attachments in the cloud and to optionally have them printed as part of the plan
- Confidentiality Statement – use care when distributing the plan. It contains employee contact information and other sensitive process information. It should only be distributed to people with responsibility to carry out the overall plan. Individual section contributors will only need specific information to do their job. Information should be published on a need-only basis
Plan Availability:
- Plans should be kept at home and in the office
- Plans should be kept in the command center
- Information from the individual plans should be rolled-up in higher level regional and enterprise plans
Tip – The plans must be easily accessible always. Both digital and paper versions are ideal. On other posts I describe some new ideas to make plans more accessible than simply available in the traditional 8 1/2 x 11 format.