The Business Continuity Institute held their international Business Continuity Awareness Week in May. This may have gone unnoticed by many in the Security, FM and Property Management industries, which echoed the message that the BCI were promoting as part of their newly launched manifesto:
Increase awareness through developing Online Resilience Tools;
Increase education through championing academic research;
Increase resilience through developing global and local alliances;
Increase collaborative approach through a series of Next Practice Groups.
The process for developing a Business Continuity Plan is well established and mirrors similar processes that organisations use daily in their Risk Management and Health & Safety processes, and even in their Project Management Life Cycles. That is to:
Identify the risks to the organisation and where they may emanate from (terrorism, natural or man-made incidents);
Identify the most important and vulnerable assets that could be impacted by these risks and what effects this may have on your organisation;
How can you reduce the likelihood of the risk occurring, and how can you manage the situation when it does go wrong? (Remember: keep it simple.)
Identify the procedures and resources that need to be available and established to:
a) manage the incident and
b) assist the return to 'business as usual', as quickly as possible.
Make sure everyone who needs to know the plan is told and that they understand their role in it;
Train key personnel in their role and train all your staff in what to do, where to obtain information, etc. prior to an incident occurring;
Rehearse, rehearse and rehearse again. Make these plans / actions second nature so in an actual event, people know what to do or where to find information. This includes those who have 'deputy' roles in an incident because, almost guaranteed, they'll be on-call when the real thing happens;
Test yourselves, make mistakes and learn. During drills put yourself under time pressure or add an unusual situation into the drill. All this can bring out some good learning points that can aid the development of your team & plans;
Review and assess plans: what worked and what didn't? Amend the plans if need be and then retrain / test to make sure it works.
None of this is groundbreaking; it follows the principle of Plan-Do-Check-Act. However, it is surprising that so much of this, especially the training, testing and learning phases, is not undertaken thoroughly or pushed home by some organisations.
During the recent BCAW seminars on emergency planning, a number of key lessons were raised by delegates that can significantly enhance the way an organisation responds to an incident.
Have a Communications Plan:
How will you communicate to your staff about the various incidents you may have to deal with, especially in a fluid situation where you may have a lock-down followed by a necessary evacuation?
How can you account for your staff if implementing a dispersal / 'Run-Hide-Tell' response?
What communications need to go out to your staff, customers and stakeholders if invoking your business continuity plan?
How do you advise next of kin or advise concerned people of emergency contact numbers?
If your office / building is classed as a crime scene, how do you advise staff not to come to the office and when they can re-occupy? Will it be a phased reoccupation?
DO NOT bypass the Communication Plan when managing an incident
Once the Emergency Response Team is established, ensure that communication from the Bronze (On-Scene Commanders) all the way through to your Silver (Tactical) and Gold (Strategic) levels is clearly structured and organised, to give relevant and timely briefings while ensuring there is time for the incident to be managed effectively.
Bypassing this communication channel causes a number of issues:
Confusion to all levels / misguidance on instructions and prioritisation;
Hearsay or rumours infiltrating the clear, accurate and concise passage of information;
Distraction of key personnel from the task of managing an incident.
Ensure ALL Key Personnel are fully equipped to manage an incident.
The key individuals appointed to be on-call or manage an incident should be prepared and equipped to perform that role at any time, as incidents do not occur Monday – Friday whilst you are at your desk. Therefore, ensure members of the Emergency Management Team can:
Get access to all required information when required;
Do laptops need to be taken home or can that individual remotely access the organisation’s server from home?
Are dedicated Conference/Bridge calls available and set up for the EMT?
Has this arrangement been tested outside of an emergency?
Resilience in your Emergency Management Team
Due to the random nature of incidents, organisations should ensure that there is resilience within their Emergency Management Team. Members of the EMT need to ensure their holidays do not coincide with those of their deputies or secondary-responsibility team members. If applicable, a roster should be in place so there is always a quorum of the EMT that can react to an incident. Through thorough training, identify the number of team members required for a protracted incident. If the incident runs for 12+ hours, there will be a requirement to start rotating team members to ensure individuals do not burn out before the incident is complete.
Additionally, think of all the relevant teams / departments needed to manage an incident. Often the likes of the IT & Finance departments are not considered, whereas they can quickly resolve matters of IT connectivity or additional expenditure on resources in the time of an incident. Including them within the EMT ensures they are aware of issues that may need resolving and can establish procedures in advance.
Business Continuity and Emergency Planning is not a dark art, but it does take some lateral thought and consideration. However, through exercising those plans and individuals' roles and responsibilities, those key areas can quickly be identified and managed, so as not to be a hindrance in a real-time event.