How to Plan for Organization-Wide Business & Service Continuity
Singular, isolated business or service
disruptions as well as large-scale, community-wide disasters have
shown us that a well designed and tested organization-wide recovery
and continuity of operations plan must be in place. The frequency
and severity with which singular and regional disasters are
occurring today prove that planning for the emergency response phase
of disaster recovery alone is simply not enough.
As organizations look to extend their recovery
planning efforts beyond the life safety and emergency response
incident management issues and move beyond data center and critical
applications recovery concerns to address 'continuity of
operations', organization-wide planning can seem overwhelming. There
are, however, certain planning elements which are common to all
public and private sector organizations, no matter how large or
small.
A successful planning methodology, which will
assist you not only in recovering, but ensuring continuity of your
core, strategic, revenue-generating business and service units,
operations and processes, as well as their important administrative
or staff support business units, will include:
Prevention:
Prevention addresses the positioning of those measures
and activities that will lessen the possibility or the impact of
an adverse incident occurring in your organization. The primary
goals and objectives of the Prevention phase of a business
continuity program are to protect the organization's assets and to
manage risk.
Response:
Response is the reaction to an incident or emergency to
assess the damage or impact and to ascertain the level of
containment and control activity required. In addition to
addressing matters of life safety, Response also addresses the
policies, procedures and actions to be followed in the event of an
emergency.
Resumption:
Resumption refers to the process of planning for and/or
implementing the resumption of only the most time-sensitive
business operations immediately following a disaster.
Recovery:
Recovery is the process of planning for and/or
implementing expanded operations to address less time-sensitive
business operations immediately following an interruption or
disaster.
Restoration:
Restoration is the process of planning for and/or
implementing procedures for the repair or relocation of the
primary site and its contents and for the restoration of normal
operations at the primary site.
Step 1: Project Initiation
When developing your business / service continuity
program, you will need to determine its objectives, gain senior
management support and allocate the necessary time and resources to
develop, exercise and maintain the plan.
Your plan's objectives should include:
- Minimize interruptions to business/service
operations
- Resume critical operations within a specified
time after a disaster
- Minimize financial loss
- Assure clients/customers/community that their
interests are protected
- Limit the severity of the disruption
- Expedite the restoration of services
- Establish awareness so that management and
staff understand the implications of a disaster upon
services
- Maintain a positive public image of the
organization
As you begin to develop the plan, the following
assumptions should be defined:
- The organization's business/service goals and
objectives
- The organization's policy on business/service
continuity planning
- Business / service interruption scenarios
that pertain to each plan's functional area and/or location
- A "minor interruption" and "major disaster"
in terms of business / service impact and anticipated duration of
outage
- What will be reused / recovered and to what
capacity levels over what period of time
- Which business / service operations will be
resumed immediately
- Which business / service operations will not
be resumed immediately and when they will be available
- Which business / service operations are
expendable
- What resumption and recovery strategies are
to be employed and what are the priority sequences associated
with each
- What resources need to be pre-positioned and
what are their interdependencies.
As you conduct your review, you will probably
find that some levels of recovery planning exist in some business /
service units. For example, the Safety / Security, Facilities, or
Vital Records departments may have plans in place to recover their
own operations. In many cases, the Information Systems or
Information Technology department will have a documented contingency
plan for information systems / technology functions. It is important
to integrate these independent plans so that all critical and
interdependent components are in place to ensure a successful
recovery.
Can you expect to recover everything? Can each
department's or business unit's needs be considered the number one
priority? Of course not. What are the real priorities? What is the
cost of risk to your organization or community? (Cost of risk is a
way of measuring the degree of risk by examining several of the
worst possible loss scenarios.)
Step 2: Business Impact Analysis
A Business Impact Analysis is a
proven method of determining this cost of risk by identifying the
impact of business or service disruptions and helping you to target
those operations and processes which require recovery
planning.
A Business Impact Analysis will identify:
- Financial and operational impacts -- when
they begin and when they're most severe, for example:
  Financial Impacts
  - Lost sales
  - Lost trade discounts
  - Contractual penalties/fines
  Operational Impacts
  - Negative public image
  - Loss of shareholder confidence
  - Employee morale
  Extraordinary expenses
  - Rental of temporary premises/equipment
  - Moving equipment and supplies
  - Media reconstruction
- Current state of preparedness
- Technology requirements for recovery
- Special recovery resources
- Critical information systems support
The key steps in conducting a Business or
Service Impact Analysis are:
- Define the assumptions and scope of the
project
- Develop a survey to gather the needed
information
- Identify survey recipients and provide needed
education
- Distribute the survey; collect and review
responses
- Conduct follow-up interviews where
needed
- Modify survey responses based on
interviews
- Analyze survey data
- Verify results with business/service unit
management
- Prepare a report -- present findings to
management
Today's automated technology can greatly
expedite the data gathering and analysis process and help you
present the information to senior management in professional charts
and graphs which clearly indicate the analysis results.
Step 3: Plan Construction
When you've completed your Business or Service Impact
Analysis, you will be ready to develop your recovery strategies and
build your business / service continuity plans.
Consider the following when building your
plans:
Note: This checklist encompasses only a
portion of the business/service continuity planning
effort.
- Write your plans so that you can recover
equally well in a singular, community-wide or hazardous material
disaster.
- Ensure that your emergency response plans are expanded to
address 'continuity of operations' planning beyond the incident
management and emergency response and business resumption and
recovery phases.
- Ensure that your pre-qualified, critical suppliers of services
and supplies will be available to you when you need them. Your
vendors must have their own disaster recovery and business
continuity plans and responding to your needs must be a part of
their plans. Ask to see documentation of this response
commitment.
- Establish a notification list that identifies who needs to be
notified in the event of a disaster at any of your locations and
provides procedural information on how they will be contacted (no
matter whether or not there is power available).
- Pre-identify critical resources (communications equipment,
supplies, hardware, specialized workforce, etc.) and determine the
time frames needed to not only mobilize them but fulfill delivery
commitments.
- Establish telecommunications recovery procedures for voice and
data, including switching capabilities and backup networks.
- Address the possibility of denied access to your facility due
to assessment of structural integrity, forensic investigations,
and/or toxic contamination. (Plan for at least a 24 - 72 hour
delay in getting back into your facility -- even for just
site/damage assessment. If it is necessary to test for hazardous
materials, your access can be delayed several weeks or longer.)
- Determine the parameters for declaring a disaster and moving
off-site to your hot site, cold site or internal warm site.
- Determine who authorizes this move and other emergency
acquisitions and what special accounting procedures need to be
established for tracking these disaster-specific costs.
- Determine the location of your command center(s), its
requirements and what special security/access control procedures
you need to establish in advance.
- Determine when you implement your Crisis Management
Plan.
- Identify and arrange for the relocation of your strategic
revenue-generating and administrative/staff support functions.
Determine what special needs these departments and personnel
have.
- Ensure that the pre-identified locations will be available in
both a community-wide and singular disaster. Research what
real estate transactions need to be completed prior to a
move.
- Determine how you will resume your production and distribution
capabilities and get your finished goods to market.
- Determine how your Crisis Communications Plan will address the
continuity of positive communications to your clients, employees
and the public regarding your recovery progress.
- Determine what issues you must address to be sensitive to
global cultural and philosophical differences.
- Identify your recovery teams and their tasks.
Step 4: Exercising and Maintaining the Plan
The litmus test for any business /
service continuity plan is that it works when executed. To ensure
your plans work, exercise them. Make certain that the logistics,
procedures and tactical strategies you developed are sound.
Plans must be exercised to determine
whether:
- Your organization and its critical vendors
are prepared to cope with a business/service interruption or
disastrous event, anywhere in the world you have
operations.
- Backed-up data and documentation stored
off-site are adequate to support resumption, recovery and
restoration operations
- Inventories, tasks and procedures are
adequate to support resumption and recovery operations
- Plans have been properly maintained and
updated to reflect actual resumption and recovery needs and, in
particular, any changes to the organization.
The information contained in a business/service
continuity plan must be kept alive. Organizations are constantly
changing --- businesses are acquired, merged and divested; new
operations and processes begin, some cease; people leave, are hired,
promoted, etc.; customer commitments and supplier relationships
change; locations change; responsibilities change; priorities
change; etc. You cannot rely on outdated information.
In today's constantly changing environment,
where people are often asked to do more with less, it's a challenge
to maintain a living plan. Although you may maintain the text
portion of your plan, such as corporate policy in a word processing
document, if a disaster occurs, you don't want to have to be
searching through a manual looking for action lists, notification
procedures, critical vendor information, etc. Automated planning
systems are invaluable in developing and maintaining your continuity
plans and helping you quickly access the information you need in the
event of a disaster. We have available to us today cutting-edge
technology which provides for easy integration and expansion of
existing plans, as well as customization within these planning tools
to address organization or industry specific terminology and
needs.
The challenge of organization-wide planning can
be more easily met through the utilization and implementation of the
above recovery and continuity planning methodology.
This article may not be reprinted, reproduced or
distributed in part, or in total, without the express written
consent of the author. Copyright © Strohl Systems 1998 All Rights
Reserved.