Disaster Recovery & Business Resumption Planning
by Dana Turner
A disaster is any event that will significantly -- and negatively -- affect the institution's operations. Anything. Examples of "traditional" disasters include fires, floods, hurricanes and earthquakes. Examples of "non-traditional" disasters include terrorist strikes, toxic waste dispersions, computer system crashes and labor strikes.
Losses caused by a disaster are often disproportionately costly in relationship to the size and complexity of the actual event -- and many of the losses are preventable. Disasters actually result from three (3) types -- or combinations -- of incidents, caused by:
What Should A Disaster Recovery & Business Resumption Plan Do?
- Natural or cataclysmic events (e.g., earthquakes, fires, floods and storms);
- Human behavior (e.g., robberies, bomb threats, acts of arson, hostage events or transportation strikes); and
- Technological breakdowns (e.g., power outages, computer crashes and virus attacks).
This is actually a two-part exercise:
So what is disaster recovery planning supposed to do for the institution? It's all about:
- "Disaster recovery" is the process of restoring the entire institution's ability to operate; and
- "Business resumption" is the process of re-opening each of the institution's components -- and testing and revising the process based upon the results.
What is the institution's Disaster Recovery & Business Resumption Plan supposed to do for the community? It's all about:
- Making do -- with whatever's left;
- Buying time -- time to:
- Recover from the initial impact;
- Restore basic operations;
- Resume normal operations; and
- Replace damaged equipment & facilities; and
- Redundancy -- a duplication of critical people, places and things.
Usual security and operations policy and procedures are simply not enough to adequately protect your personnel, customers and other persons, facilities, assets and records from disasters -- and the predictable aftermath. Targeted techniques that work well for natural or cataclysmic, human-caused and technological disasters are necessary create a consistently safe and secure working environment within the entire institution -- and to close the "windows of opportunity" to losses often caused by:
- Stability -- ensuring the survival and livelihood of at least its own personnel;
- Appearance -- remaining a visible and integral part of the community's infrastructure; and
- Cash flow -- using the institution's operations and resources to:
- Store, transport and disburse cash;
- Negotiate payable instruments; and
- Accept deposits
National events occurring daily demonstrate that it is not a matter of if -- but when -- a disaster will significantly affect your institution's operations. This will naturally cause an interruption of customer services. And your customers will need your services during a disaster. Consider that -- if a natural, technological or human-caused disaster strikes your institution -- are you now prepared to successfully:
- Misunderstandings; and
- Criminal acts.
No one is exempt from a disaster, and most people are unprepared if a disaster erupts. We should prepare as if the disaster will exceed our ability to respond effectively. In other words, prepare for a "worst-case" scenario.
- Insure the continuity of organizational leadership and the effective management of all personnel, functions, facilities, assets and records?
- Notify your employees of new work locations, telephone numbers and critical persons to contact -- and of changes in the organization's leadership structure, duties and responsibilities and safety concerns?
- Notify your customers of new business locations, telephone numbers, critical persons to contact and the evolving customer service changes?
- Notify your vendors and service providers of new delivery schedules and locations, critical persons to contact and order new equipment and supplies?
- Recover your critical hard-copy documents, such as contracts, charters, licenses, accounting records and other printed business records?
- Recover your computerized data files, such as accounting and inventory programs, personnel, member and vendor databases and word processing files -- such as form letters, marketing and advertising information and general correspondence?
What Are The Best-Recognized Types Of Disasters?
A disaster may also result from a sudden, unexpected occurrence that poses a significant threat to the institution's personnel, customers, facilities, assets, records, or its delivery of services. These events are categorized as:
What Are The Most Commonly Reported Disasters?
- Localized (e.g., likely to affect only the institution);
- Community based (e.g., likely to affect an expanded area contained within a three-mile radius from the disaster epicenter);
- Regional based (e.g., likely to affect several adjoining cities and counties); and
- Statewide based (e.g., likely to affect the state and adjoining states).
The most common -- and preventable -- disasters for which insurers pay often unnecessary claims each year are caused by:
What Will Likely Happen During A Disaster?
- Water leaks;
- Power outages;
- Virus attacks;
- Premises liability issues; and
- Human errors.
The key to recovering successfully from a disaster is to have a plan in place when the disaster strikes -- a set of simple, effective guidelines and procedures for all people to follow. Just as a ship without a rudder is at the mercy of the tides, an institution without a plan is at the mercy of events.
Human beings often make inappropriate decisions during a crisis. If we have a plan for coping with most emergencies already prepared and shared with others, we stand a better chance of surviving any emergency and recovering rapidly. A contingency plan helps an institution respond to a regional disaster that follows this logic:
What Should Be The Goals Of The Disaster Recovery & Business Resumption Plan?
- It is not a matter of if -- but when -- a disaster will occur;
- The effects of a disaster will likely exceed the community's and the institution's response capabilities;
- The evolution of events following a disaster will be predictable and cyclic;
- The community and the institution will likely be without outside help -- including emergency services agencies, vendors and service providers -- for 11 - 14 days, including
- Basic emergency and transportation services, such as police, fire and medical assistance, and both public and private forms of transportation: Routine calls for service may not be answered -- and the agencies' priorities will likely involve life-threatening or life-saving situations only;
- Food and survival supplies: Deliveries to food stores and hospitals may be interrupted or hijacked -- and citizens will immediately strip stores of existing supplies of all kinds, while stockpiling their own reserves;
- Water supplies and sanitation: Water and sewer pipes may break, crack or clog -- reducing or eliminating water flow;
- Electrical power: Power lines may be destroyed, overloaded or collapse -- causing every electrically-dependent device to become unusable;
- Products and services delivered by vendors and service providers: The geographical area affected by the disaster may be closed to outside traffic -- or the vendors will be too busy answering calls for service from other clients who have also been affected by the disaster;
- Telecommunications services: Telephone trunks and switching stations will become overloaded by people trying to call into or out of the affected area; and
- Transportation services: Freeways, highways and surface streets will become gridlocked by people trying to get into or out of the affected area.
- The greatest losses will occur because of the community's and the institution's inability to react to the disaster -- appropriately and immediately;
- The governor of the state or another competent authority will declare the community a disaster area;
- Martial law will be declared, the National Guard will be activated and basic civil rights will be suspended;
- Traditional roles and routine activities within the community will be temporarily suspended, causing the reassignment of personnel to fulfill necessary roles and functions, with temporary powers, duties and responsibilities;
- The institution will not be able to recover or restore all functions at the same time;
- Only 35% of the institution's staff will likely be available during the first three (3) days following the disaster;
- Critical people (including the board of directors) will likely be unavailable;
- Critical places will likely be uninhabitable;
- Critical things will likely be unusable; and
- Employees who are proficient in normal times will likely exceed performance expectations during emergencies.
The three (3) primary goals of disaster recovery and business resumption planning are to:
What Issues Should The Disaster Recovery & Business Resumption Plan Address?
- Eliminate or reduce the potential for injuries or the loss of human life, damage to facilities, and loss of assets and records. This requires a comprehensive assessment of each department within the institution, to insure that appropriate steps have been taken to:
- Minimize disruptions of services to the institution and its customers;
- Minimize financial loss;
- Provide for a timely resumption of operations in case of a disaster; and
- Reduce or limit exposure to potential liability claims filed against the institution, and its directors, officers and other personnel.
- Immediately invoke the emergency provisions of Disaster Recovery & Business Resumption Plan to stabilize the effects of the disaster, allowing for appropriate assessment and the beginning of recovery efforts. We then minimize the effects of the disaster and provide for the fastest possible recovery.
- Implement the procedures contained in the Disaster Recovery & Business Resumption Plan according to the type and impact of the disaster. When we implement these procedures, we must prioritize all recovery efforts as follows:
- Employees: Not only must we help to ensure their survival as a basic human concern, but because of their anticipated performance in helping other persons on the institution's premises when the disaster strikes;
- Customers: As we do with employees, we must help to ensure the survival of or care for customers affected by the disaster: physically, mentally, emotionally and financially;
- Facilities: After ensuring the safety of employees and customers, we then secure each facility as shelter for both people and assets;
- Assets: Conducting a damage assessment will determine which assets have been destroyed, which ones are at risk and what resources that we have left; and
- Records: Documenting the disaster and the actions taken by the institution's personnel -- when combined with comprehensive videotapes of facilities that are obtained during routine facility inspections -- reduce the likelihood of legal actions while helping to assess the responsibility for losses.
To be effective and to remain in compliance with regulations, the institution's Disaster Recovery & Business Resumption Plan should contain at least:
How Should The Disaster Management Team Be Created?
- The institution's philosophy, mission statement and goals regarding disaster recovery and business resumption;
- Written and approved executive succession instructions;
- The appointment of a temporary Disaster Management Executive Committee for the term of the emergency that is empowered to act in the absence of the institution's Board of Directors;
- Clearly defined guidelines and scope of all disaster recovery and business resumption efforts, based upon a thorough risk-assessment;
- Clearly defined duties, authorities and responsibilities for each employee classification, with designated primary and alternate department leaders and staff personnel to manage critical functions;
- A business recovery plan for each branch, department, facility and function within the institution -- and for essential service providers;
- Designated and equipped sites for assembling personnel and for housing specific operations;
- A well-documented testing and evaluation process conducted at specified intervals -- and at least annually;
- A comprehensive training program for all personnel at all facilities, conducted at specified intervals -- at least annually -- that may also include the:
- Identification and operation of utility shut-off devices;
- Location of emergency staging areas;
- Basic first aid and survival techniques; and
- Emergency responsibilities and re-assignment plans for all positions; and
- Written copies of the final Disaster Recovery & Business Resumption Plan distributed to branch and department leaders -- including a complete list of appropriate emergency response agencies and facilities.
The members of the institution's Disaster Management Team are drawn from the institution's available personnel resources -- and they may also be board members, vendors and service providers. The Disaster Management Team functions as a strategic planning and tactical response unit. Team members are often assigned temporary duties, responsibilities and levels of authority beyond their normal employment classification. The Disaster Management Team usually contains the executives, managers and department heads who have functional responsibilities involving branches, departments or facilities. There is no one "right" way to develop and implement a Disaster Recovery & Business Resumption Plan -- nor to assign emergency responsibilities. The variables will be affected by the:
Condensing and streamlining business operations during a disaster is critical to getting the institution "back up and running" -- quickly and smoothly. This also means using the fewest personnel to accomplish the greatest amount of tasks. A suggested format for assigning responsibilities includes:
- Type and asset size of the institution;
- Number and qualifications of personnel;
- Number and configuration of facilities; and
- Thoroughness of the risk assessment.
- The Disaster Management Executive Committee, which is the temporary legal body that's responsible for creating and implementing a comprehensive Disaster Recovery & Business Resumption Plan for the entire institution, in the absence of the Board of Directors. The Committee usually consists of the institution's President/CEO, selected executives and senior managers -- and it may also contain members of the institution's Board of Directors.
- The Disaster Management Team Chairpersons, who are responsible for assigning the research, development and implementation of the Disaster Recovery & Business Resumption Plan throughout the institution. The Chairpersons are also responsible for assuming control over business operations during and after the disaster, until business operations return to normal. The Chairpersons are responsible for providing effective leadership and administration of the institution's recovery efforts -- and for making decisions and giving directions.
- The Disaster Management Team Coordinators, who are responsible for creating a comprehensive Disaster Recovery & Business Resumption Plan for the institution -- and for following the directions and implementing the decisions made by the Chairpersons and the Disaster Management Executive Committee during a disaster. The Coordinators are responsible for providing effecting management and implementation of the institution's recovery efforts -- and for monitoring and adjusting the process flow.
- The Disaster Management Team Department/Branch Leaders, who are responsible for acting as Coordinators for their respective areas of responsibility -- and they report directly to the Disaster Management Team Coordinators.
- Service providers, vendors, insurance representatives and legal counsels, who are responsible for providing guidance and advice regarding their particular areas of expertise -- and they report directly to the Disaster Management Team Coordinators.
It's common to underestimate the importance of having a Disaster Recovery & Business Resumption Plan. It's also a common -- and mistaken -- belief that the effectiveness of such a plan should be judged by the number of pages it contains or its weight. The only true means to gauge a plan's effectiveness is: "Did it work?"
Ill-conceived beliefs and overlooked issues often cause a project to fail. As you prepare to develop and implement a Disaster Recovery & Business Resumption Plan -- or reassess an existing one -- consider using these simple guidelines to enhance your success:
Note: This article is derived from Security Education Systems' Disaster Recovery Manual.
- Get the board's full and complete support to do whatever it takes to put the plan in place -- and update and train board members periodically;
- Place your best leaders in charge of administration -- regardless of the positions that they normally hold -- and train them;
- Place your best managers and supervisors in charge of operations -- regardless of the positions that they normally hold -- and train them;
- Involve your best employees in the development and implementation process -- and train them about the decision-making process and their respective roles;
- Hold everyone personally responsible for results;
- Keep the plan simple and logical and use it as a bullet-point guide for experienced personnel to use -- it's not supposed to be an operations manual;
- Flow-chart every business process so that any manager can re-install any function;
- Make certain that the risk assessment process includes a thorough analysis of those issues that are most likely to be affected by a disaster, including:
- Telecommunications (e.g., voice, fax, modem and cellular);
- Transportation (e.g., highways, rental vehicles and public transportation);
- Essential services (e.g., government, medical and child care); and
- Essential supplies (e.g., food, money and fuel);
- Don't reject an idea simply because of the projected cost because you'll either pay for it now, or you'll pay for it later -- with interest; and
- Document the entire planning and implementation process, particularly tests.
© Security Education Systems 1983 - 2001