Chapter 3 – Plan Administration and Maintenance

Folks, we are in the home stretch now.  Our BCP app fun meter shows we are roughly 2/3rds of the way to spiking the football on our plan.  Let’s take a minute to reflect on the journey so far.  In Chapter 1 we defined the scope, policy, initial assumptions, and objectives to set the rails for our plan.  From there, we performed a risk assessment and business impact analysis.  After that we were able to clarify our business continuity strategy and start to organize our plan based on the roles in our organizational chart and physical facilities.

Chapter 2 had use identify and document our teams, outline essential tasks and actions during a crisis, and compile lists of key contacts and mission-critical equipment, software, and supplies.  As a result of the work thus far, we have a plan and we know what we know and what we need.  This should inform how we stage or maintain ready access to the minimum items and information required to sustain business operations.  Now we will shift gears into the administration and maintenance of the plan.  This part is what will make the difference between an old dusty binder on the shelf versus a living and active process that is strategic to the health and sustainability of the organization when the worst happens.

In the first section of Chapter 3 we define the high-level guidance to govern the actions of the Business Continuity Team Leads (non-Service management in our case).  We adopted the sample text in our case with slight modifications.  Specifically for TCS, we will not need an alternate recovery site as our work from home process is sufficient to maintain operations through the recovery period.  A key recommendation is, “The most successful planning teams are limited in size, have a formal membership, regularly scheduled meetings, and members are designated in writing.”  Since we use EOS as our management framework, we can incorporate the ongoing maintenance of our plan into our quarterly planning sessions which will support turning identified “Issues” into quarterly goals (“Rocks”) or shorter term action items (“To Dos”).  This provides the linkage we need to bake this into our ongoing process and meetings to give the plan its proper attention and focus.

3.1  Functional Teams Responsibilities

In this section we define pre and post-disaster responsibilities.  Pre-disaster items include areas like: awareness and training, evacuation drills, and developing alternate site capabilities.  We do not want an actual disaster to be the first time we have thought about these things.  General George Patton said, “You fight like you train.”  Another sentiment expressed by one-time professor at the Royal Academy of Music, Harold Craxton stresses, “Amateurs [musicians] practice until they can get it right; professionals practice until they can’t get it wrong”  Pick your inspiration, but the point remains – we need to pay more than lip service to the preparation and practice of our plan in order to expect it to pay dividends when we put it into action.

3.2  Business Continuity Plan Administration

In this section we define who is responsible for developing training materials and how often training and drills will be conducted.  Your mileage may vary, but we opted for annual training and biannual drills.  The reality for TCS is working remotely is so engrained into our normal process, and our systems are mostly cloud hosted, that we routinely operate in a similar manner as we would in a business continuity situation.  This allows the main thing, Service delivery, to be somewhat assumed and frees management to focus on communication, coordination, and recovery which significantly enhances the capabilities of our small management team by not spending vital energy fixing operations to support Service.  The other benefit is our clients will be less impacted by an event affecting TCS and we don’t want to minimize the importance of that.

3.3  BCP Awareness & Training

Here we will outline the annual events and supporting documentation for our ongoing awareness and training.  To not reinvent the wheel, the guidance provided in the app is solid: “Employee newsletters are a great tool to keep awareness high in between annual events. They are also the perfect venue to remind employees about seasonal hazards like severe winter storms, flooding, hurricanes, tornadoes, etc. Helping to keep your employees personally prepared and resilient will help the company be more resilient as well. The Federal Emergency Management Agency (FEMA) has an excellent Web site: http://www.ready.gov that provides free resources for both personal and business preparedness. In addition, FEMA is the executive agent for the Department of Homeland Security’s National Readiness Month in September of each year. This is a great time to work with local emergency response agencies to give special presentations that focus on personal and business readiness.”

Having a folder content ready to go for employee onboarding, quarterly employee emails, and annual training we ensure you can easily maintain the ongoing effort without much hassle.  These resources can be found online, as mentioned above, so download some posters, graphics for emails, and pdf one-page handouts and you should be set.  Don’t spend time developing anything you can find free on the web.

3.4  Exercising (Testing) the BCP

This section is straightforward and simply documents the date, type of exercise, purpose, and participants of each BCP test.  This can be a “Table Top” test where you verbally talk through a scenario and discuss how your plan would apply, noting any deficiencies.  On the other end of the spectrum you can do a full live BC drill where you will operate in the same manner as if a disaster actually occurred.  These routine tests will help pressure test your plans and find areas where improvement is needed.  I have conducted a number of BCP tests for clients and have written After-Action Reports (AARs)  to document the good, the bad, and the ugly.  This is good to do on an annual basis and this is a requirement for some of our regulated clients.  Feedback from testing will help inform necessary improvements your plan and capabilities to better support the organization in a real disaster.

3.5  Business Continuity Plan Maintenance

Very simple – document the revision history of your plan along with a brief summary of changes to the plan.  Nothing more to do or add here.

3.6  Business Continuity Plan Approvals

Much like section 3.5, this is a straightforward, but essential step – someone in senior management needs to sign-off on each revision of the plan.

At this point we have a Business Continuity Plan, we have documented the supporting details to execute the plan, and have incorporated the ongoing administration and maintenance of your plan into your strategic business management process.  We have a way to train, test, and update the plan.  Next week we will take a deeper dive into exercising our plans and producing after-action reports.  TTFN!