Charlie Maclean Bristol, FBCI, FEPS, explains how you can improve your business continuity plans by altering the format and following five key steps.
When developing business continuity plans, I try to make them accessible, practical and easy to use. For a long time, I followed a traditional format, with the first few pages being filled up with scope, assumptions, objectives and the like. The problem with this format is that you have to wade through several pages before getting to the bit of the plan which would actually be used during an incident.
After a while, it occurred to me that when you make use of the plan in anger, what you don’t need to read first is a set of assumptions in the plan. By then it is a bit too late to ponder on whether the assumptions are right! This is when the radical idea came to me, of putting what you need first early in the plan; and then other information and the reference material at the end. From this idea, five steps were born:
Step one: Emergency response or the immediate actions
This step involves all of the information needed for the immediate response to an incident. If the organization was an office-based company, then this would include all of the actions needed if the office had been evacuated. If the organization was manufacturing or oil and gas, then it would be the emergency response phase of an incident. The plan recognises that there are a number of incidents which don’t have an immediate response, or happen out of hours when there is nobody in the office. In these cases, you would go straight to step two.
Step two: Invoking the plan
One of the critical parts of a plan is recognising that an incident has taken place and that it needs to be managed using the business continuity plan, rather than within normal day-to-day operations. This step includes the criteria for when the plan should be invoked. If a member of staff gets a call at 3am, the criteria should be so clear that the decision as to whether to invoke the plan and get the other team members out of their beds to respond is straightforward. This section also covers how to call out the incident management team, who is on the team and two different locations of where they should meet. You might also have a conference call number, as the first meeting may be by conference call.
Step three: Incident management
This step covers the time from when the team forms, up until the incident team stands down. It includes how the team will manage the incident, information about setting up the incident room, how to conduct incident team meetings with a set agenda, how information should be shared and displayed on boards and the tasks to be carried out outside the incident. Outside incident team meetings we see a circle of tasks, including: communications and carrying out the actions agreed in the incident meetings; horizon scanning to identify risks and issues during the recovery and situational awareness, when those responding actively seek out information and attitudes from key stakeholders.
Step four: Communications and reputation management
This step sometimes starts before step two, if the organization needs to inform key stakeholders of the incident or if the team need to acknowledge on social media that an incident has occurred. The content of this section will depend on the level of plan, whether it is operational, tactical or strategic. If the plan is operational, it will contain a list of possible stakeholders that may need to be contacted during an incident, instructions for contacting staff and information on the company’s view of the incident – ‘the message’ - will get sent to them. If the plan is strategic, then it will contain a full communications strategy/plan or a signpost to a separate crisis communications plan.
Step five: Recovery
This section deals with the recovery of the organization. Whilst steps one to four are generic for any incident, this section contains plans for specific incidents. So, it may have the recovery plan for loss of office, staff or IT. It could also contain other scenarios, such as a cyber response plan or a pandemic plan. This section should cover the recovery strategy which would be used if the event occurred, a checklist or a set of actions which need to be implemented to carry out the recovery and information from the BIA which covers resources needed or recovery numbers.
In the appendix I tend to put reference materials, so it could contain:
- Roles and responsibilities of each member of the team in the organization
- Team member’s responsibilities
On the front page of the plan I put the scope, so that when it is picked up there is no doubt that you are going to use the right plan! At PlanB, we use this format for all plans and we find it works for operational, as well as tactical and strategic plans.
Charlie Maclean-Bristol, FEPS, FBCI, is Director of Training at PlanB Consulting.