Business Continuity Planning: Components of the recovery strategy
In Part 12 of our Business Continuity Planning series, we discussed the key inputs you need to define your organization’s recovery strategy, as well as the advantages of having a secondary physical location that can be used as a recovery site. In this article, we will discuss the components of the recovery strategy that are necessary to document and operationalize.
Figure 01: High level components of the recovery strategy
Organization structure
As we briefly discussed in the previous article, for each of the sub plans that make up your overall business continuity plan (BCP), you need to define or review multiple organization structures. You should also define the organization structure that’s used when the BCP is fully activated. Note that most of the time, the core leadership team engaged in your plans won’t change. Hence, you need to ensure the right disaster threshold is defined and that you’ve identified the appropriate members from your leadership team — be it directors or executives. This leadership team will also be the one you engage when executing a cybersecurity response plan or crisis management plan.
For example, in an IT Disaster Recovery Plan (ITDRP), the restoration tactics are usually very technical and therefore, involve a specific technical team that supports a specific information system. However if you determine that the technology disaster is a significant threat, you may opt to invoke the entire BCP, or at least get the leadership team involved. Hence, using classification systems like “Low,” “Medium,” and “High”, as defined in the BCP strategy, is extremely helpful in determining when the full BCP organization structure should be activated.
Such tactics must be followed for the Cybersecurity response plan and the Crisis management plan as well. Being able to quickly classify the threat level of the incident makes elevating the incident to the appropriate level of your Business continuity objective.
Typically your organization structure for the BCP will include:
A leadership team
A business continuity team
A crisis management team
An incident response team
A business recovery team
An IT disaster recovery team
A cybersecurity response team
Some of these teams (such as the IT disaster recovery team) might have another specialized team when the respective sub plan is invoked, but your BCP consists of a single team with the SMEs or the leadership.
Roles and responsibilities
Once you have identified the organization structure, you need to define the roles and responsibilities of each team.
For example, the role of the Leadership Team is to:
Direct the crisis management activities
Direct the business recovery processes
Communicate with shareholders and the media
The leadership team’s responsibilities are to :
Provide direction to mitigate the disaster based on the recommendations provided by the responsible team
Be the public face of the organization to respond to the shareholders and media
Make the final decisions about the configuration of the crisis management and business continuity teams
Make decisions to mitigate the impact of a disaster, based on the recommendations provided by the respective department heads
Oversee the progress made by the crisis management, business recovery teams and provide appropriate direction as required
The above provides a clear picture of the roles and responsibilities of the leadership team. Similarly, you need to start defining the roles and responsibilities for each team you have identified. Once defined, you will have to review this with the committee members and the directors.
Initiation process
Another step you should take as part of your BCP is to develop an initiation process, to be used during the aftermath of the disaster. The initiation process must be simple enough to allow some flexibility when required, since disasters can be unpredictable, regardless of your preparation. The initiation process makes it easy to establish a control during the aftermath of a disaster, despite the chaos.
The initiation process must address the below questions:
Where and how should you report when you find an incident?
When should you use the hotline to report an incident?
Who are the members of the team that should be notified about an incident and how should they be notified?
What happens once the incident response team is notified about an incident?
Which team is involved in the initial investigation process to determine whether the BCP must be invoked or the respective individual sub plan must be invoked instead?
To which team should the incident response team provide their recommendations?
What happens when the recommendation is to invoke the complete BCP and activate the recovery site?
What happens when the recommendation is to invoke a sub plan instead?
When are the stand-down procedures executed?
The answers to the above questions will drive your initiation process for the business continuity. Once you draft a process, discuss with your teams, make any necessary changes and then finalize it.
Business continuity guidelines
You should develop general guidelines that will be followed by each team, as applicable. The guidelines are suggestions rather than something to be enforced. Disasters are unpredictable, and so the teams must have some freedom to manage the situation as they seem fit. However, having guidelines can be of great help during the first few hours of an incident.
The guidelines must provide:
Identification of the channels to which the staff and the management team must be tuned to receive updates
Recommendations on how to keep staff informed during the timeline of a disaster
Recommendations on what to watch for mental trauma during a disaster that involves human loss or significant destruction of a building
Guidance on what Information that the HR must receive, in case of human loss, so they can notify the next of kin
Suggestions to the department heads, to be used during the first few hours of a disaster
The guidelines must be short and concise, and some of them must be included in the respective departmental business continuity plan.
Sub plans
As discussed in the previous article, each sub plan must be revised (if they already exist) to ensure they are in alignment with the BCP. You need to pay particular attention to:
the places where the same teams are involved to make sure one person is not part of more than two teams at the same time (e.g. an individual who is part of the crisis management team shouldn’t also be part of the IT disaster recovery technical team)
Thresholds to execute the sub plans that are ambiguous (e.g. one sub plan defines Low as something that would qualify as Medium in another plan or the overarching BCP)
Organization structure during a crisis (the sub plan not allowing the organization structure to be flexible enough to allow the organization structure defined in the BCP to take over in a crisis where the BCP is invoked)
management processes that were not designed with BCP or other dependent plans in mind
Making sure that your Crisis communication plan is fully integrated with the BCP and the other sub plans with a flexibility that helps with crisis communication even when you invoke the sub plans individually.
You should ensure all the sub plans are well aligned with the BCP, based on what we have discussed so far.
Business recovery priorities
Business recovery priorities are the key processes for the overall business that were identified during a business impact analysis (BIA). You should have a list of business processes, sorted according to their recovery priority level, so that the business recovery teams know the order in which they should be restored. Once the plan is approved, it must be printed out and kept at the recovery site or whichever hot site that has been selected to manage the BCP. In some cases, this hot site may be a virtual one where everyone participates through video conferencing or telephones, from wherever they are).
Department recovery tasks
These are the key business processes specific to each of your organization’s departments (ranked by order of priority), as identified during the BIA. There is no definite format you should use when listing the key processes, but we recommend using a table format. This table can show the priority level of each process, including its stand-down instructions for when the business is fully restored.
Once the BCP is approved, these departmental recovery tasks and the general guidelines must be printed and provided to the department heads (and their deputies). It will be useful for them to refer to the guidelines and understand their responsibilities and the activities they must perform.
Resource requirements
You must list the general resource requirements to be kept at the recovery site (if applicable) and the remote locations. The resources requirements must be minimal, and based on the processes identified during the BIA. The names of the staff who will be involved in recovery site operations can be maintained in a separate document, since they are bound to change frequently, depending on the organization. Typically, this separate document should also include the staff requirements for executing the critical processes from the recovery site (or remote locations) and the hardware requirements such as laptops, desktops, printers and others.
When you are done listing the staffing requirements, you will know whether you need to set up a new recovery site or if you can manage with a preexisting alternate building of your own. You should also list the resource requirements needed at the hot spot where your business continuity teams will be present to direct the business recovery.
Staff contact information
In the event of a disaster, you should have a hotline that can be used to disseminate important updates via mass phone calls, text messages and emails. With the help of the HR, you should add the contact information of all your organization's staff to this hotline.
Some of your staff will be reluctant to share their personal email and mobile phone numbers. You must provide necessary assurance and seek their consent before adding their details to the emergency management system. Their consent must follow your local privacy law and the contact information collected should only be used during a disaster. This information must not be allowed to be mixed with your corporate address book.
Such a list must be maintained on a software that is designed to manage the BCP or on a spreadsheet in a portal, where it can be easily accessed and updated. This contact info should be updated often, so be sure to develop processes for this.
Information systems
Another important step in building your recovery strategy is to list the information systems and their RTOs and RPOs, as per the ITDRP. This should be very brief — just enough to provide some guidance to the business continuity team, so they understand the information systems requirements, as per the priorities of the business and the timelines. Listing this information will help the BCP team coordinate with the IT department.
Maintenance
Although you will have a larger maintenance and operational plan as part of your Business Continuity Management System, it is a good idea to have a maintenance summary as part of the BCP. This should be brief and list the maintenance requirements and the schedule to keep this plan up to date.
Templates
You also need to determine the templates that your organization must use in the aftermath of a disaster. Some of these templates will also be used by departmental heads, so they can log the problems they encounter during the recovery process and submit them to the BCP team.
At a minimum, you should have the below templates:
An initial assessment and recommendation form
Progress logs for the Business continuity team and departments
A communications template (this can be kept as part of the communications plan, if required)
A management decisions log that captures the decisions made by the management with a time stamp
Conclusion
When planning the recovery strategy stage of your BCP, it’s crucial you take a good look at your organization structures and the relevant management processes, to ensure that the right plan is invoked for the right incident. The sub plans must be aligned with the BCP, so that they can be executed as individual plans or as part of the overarching BCP. You will also need to discover the general manpower and resource requirements for your recovery operations.
When navigating through a disaster, you must have general guidelines for the teams involved and the department heads.. Additionally, appropriate templates must be developed, so you can analyze the effectiveness of your recovery strategy.