
CRITICAL ELEMENTS OF A DISASTER RECOVERY & BUSINESS/SERVICE CONTINUITY PLAN

By Pat Moore


The numerous community-wide disasters, as well as singular disasters that municipalities, institutions, businesses and government agencies have suffered in the last dozen or so years have shown us that planning for disaster recovery only is simply not enough. We must also plan beyond the emergency response phase for business and service resumption and continuity. In addition to planning for the recovery of critical information services and applications, we must address equally important issues such as human resources, vital records, telecommunications, risk management, loss control, security, environmental concerns, and the facility which houses the work environment itself.

More often today it is the Emergency Response Coordinator, Risk or Insurance Manager, Administrator, Facility or Safety Manager who is being asked to complete the plan. These additional issues also directly affect the bottom line, including service and business interruption, and loss of public confidence.

Where do you begin, and what issues must you address? I am going to assume that your Emergency Response Plan, addressing fire brigade, evacuation, health and safety issues is well in place and has been tested many times. No plan is more important than that for human health and safety. As you now address business and service issues concerning disaster recovery, business/service resumption and business/service continuity, let's take a look at some of the areas of concern you must include in your contingency plan.

SINGULAR–COMMUNITY WIDE DISASTERS:

You must write your plan so that your recovery procedures and processes can be switched instantly from one disaster scenario to the other. For example, the same resources that you depend upon to respond to your needs from a singular disaster such as a fire, or water damage at your building, must be able to respond equally well to your needs and your community's needs in a regional or community wide disaster. How thoroughly have you identified and pre-qualified your resources and alternates in this area? It would be helpful to discuss with your resources their own disaster recovery plans to see whether or not they are going to be able to respond if they are disabled by the same geographical disaster which affects you.

You will have major notification, mobilization and acquisition concerns that may be more difficult to address in a community wide disaster than in a singular one. Your planning process must identify your needs and resources in both situations. Make sure your pre-qualified resources are able to respond 24 hours a day, 7 days a week with sufficient personnel and supplies, and your contacts with them are updated. If they are local resources only—make sure they have a regional or national arm of their company that can come in to assist them in assisting you, or in providing you with the necessary supplies if they are affected by the same disaster. Always consider singular, community wide and hazardous material incidents when qualifying resources.

NOTIFICATION PROCEDURES

Some of the critical notification concerns you must address involve determining who gets notified, how are they notified (and you must consider whether or not the phone lines are operable), who notifies them, how often is your notification list updated, where is a copy of that notification list kept (always keep a backup copy offsite) and what mobile communications equipment will you need to provide in advance?

In addressing notification concerns, it is also important to have an updated listing of which facilities you own, which you lease space in, and which are joint ventures. This information is critical in understanding who has legal responsibility for the physical recovery procedures and costs involved.

DELAYED ACCESS/SITE ASSESSMENT

Do not write your plans assuming the moment the fire is put out, or the water contained, that you will be allowed right back in the building or even into the geographical area in which your facility(s) is located. When damage occurs, and once the loss is stabilized, there can be a need for assessment of structural integrity, forensic investigations, or testing for toxic contamination, and this can delay your re-entry. Allow for at least a 24–72 hour delay in accessing your facility and if hazardous materials are involved, you may not have access for several weeks or longer.

Also identify in advance those areas of the building that you would need priority access to in order to do an initial emergency damage assessment, and make sure your special hazmat resources have the required training and certifications. Establish a dialogue in advance with the proper authorities, and perhaps, depending on the type of damage involved, it may be possible for you or your special resource to go in to the building, under proper escort and assess certain specified areas fairly quickly. This would provide you with initial assessment information, allowing you to activate certain areas of your disaster recovery plan more quickly.

It is also important to keep a current inventory of any hazardous chemicals or materials you may have on site, facility by facility and make sure you are in compliance with SARA Title III. Your disaster recovery planning process must allow access to this information immediately.

Your disaster recovery and business continuity plans must address potential extended recovery time frames. For example, as you look at structural recovery, if a portion of your building can be made tenable, which departments will go back into the facility first, and what will their needs be? All this must be identified in your plan.

RELOCATION

At what point do you temporarily relocate your employees and processes, and in what time frame must you consider a permanent relocation? Your organization probably has a plan in place to bring up your critical business applications offsite, but where will you relocate the remainder of your business units, and what are the time frames in which you must do this?

It is important to identify in advance not only the specific building or buildings you will utilize, but whether or not they can provide you with at least your minimum requirements in the areas of:

• Sufficient Square Footage
What is the minimum amount you will need for each of your departments to function in? Which departments will need to be in close physical proximity to each other?

• Voice/Data Communications
Does your new site provide you with the necessary capacity, circuits, etc.?

• Security
Does the new site offer you the potential for a secure environment? What additional security provisions would you need in this new site?

• Fire Protection
Is the building properly configured to meet your minimum requirements?

• Environmental Controls
Can the building meet your needs for a clean room, data center, vital records area, etc.?

• Production Area, Warehouse Space, Chemical Storage Area, Shipping & Receiving Capability
What are your minimum requirements for these, and can the new site provide them to you?

• Parking & Public Transportation
What are your minimum requirements here, and can your employees or customers easily get to your new location? Where do they park?

• ADA Compliance
Will your new site meet these requirements immediately?

• Employee Needs
If you are presently providing food access and/or day care at your facility, will your new site have the same capability?

As you review these, and other questions, in relation to your own specific needs, make sure, in advance, that the alternate facilities you identify can provide you with at least your minimum requirements in these and other areas you identify. Begin identifying alternate facilities, costs involved in acquiring alternate space, and legal arrangements that must be put in place for acquisition. Do not identify an alternate site in close proximity to your existing one. There is a very good chance that this close alternate site could be affected by the same geographical disturbance as your existing facility.

EMERGENCY AUTHORIZATION PROCEDURES

As you review your list of emergency supply and acquisition requirements, also consider who can authorize major emergency purchases, at what dollar levels do those authorizations change and will the authorized individuals be available when you need them? Set procedures in place with backup authorization to help facilitate your recovery.

You should also determine in advance if special accounting procedures need to be in place for these emergency purchases. For example, it will be important for you to document that these purchases had to be made as a result of the damage that occurred. In addition, in order to make the building tenable, did you have to keep it open 24 hours so that the proper personnel could perform necessary repair and restoration, thus increasing your utilities and labor costs for that period of time? This data will be important for your loss documentation.

INSURANCE

Insurance considerations, both before and after the disaster, must address all possible disaster scenarios, including coverage for delayed access back to the facility if the geographical area surrounding the building is inaccessible. An example of this type of incident occurred four years ago in downtown Philadelphia, where officials were concerned that a building which had just suffered severe fire damage could fall down. General access to about a one square block area was denied until the structural integrity of the building was determined, and this took almost thirty days due to the tremendous amount of damage involved.

The individual who handles this critical risk management area should be an integral part of the Crisis Management Team. It will also be important to let members of the recovery teams know what documentation on the loss will be needed for settlement from each one of their areas.

PUBLIC RELATIONS

All too often, the individual(s) who is to act as the municipal or corporate spokesperson has not been identified in the plan, or if they have been, identification of that individual(s) has not been communicated thoroughly to all employees.

In addition to the media, it is equally important to address both internal, as well as external public relations so that your employees and community will feel comfortable with the way the recovery is being handled. For example, it will be important to let your employees and resources know quickly that they will still receive payment for their services.

It will also be important to let the community know that your plans are for continuing your community services. The designated spokesperson(s) should be responsible for communicating all necessary information.

COMMAND CENTER REQUIREMENTS

It is recommended that you have two disaster recovery command centers, along with your Incident Command Center. If your responsibilities include equipping these centers, here is a suggested list of some of the items you will want to include. One center is normally dedicated to the recovery of the service or business operations, and a second command center would manage the actual recovery.

Command Center For Recovery Of Service/Business Operations will normally require a subset of current operational equipment, such as LANs, sufficient communications, including phones, terminals, shared print capability, such as high speed laser printers, fax machines (individual or a fax pool), sufficient cabling, etc. These equipment and capacity needs will be driven by your current service and business operations. You will also need cubicles, furnishings, lighting, and will want to set up desk supply kits for recovery teams so that they can be immediately functional. Of course, food and bathroom facilities must be available. If at all possible, you should consider showering facilities as well.

Command Center For Managing The Recovery should include the necessary configured computer equipment, including PCs, printers, fax machines (outgoing and incoming), software to manage the recovery, a news intercept program, paper forms for itemizing problem issues and resolutions (separate forms for each), wall boards to track the progress of the recovery teams and to list problem areas, a building board specifically for facility restoration issues, and an environmental board on which you can track transportation exposures and utility issues.

Sufficient communication equipment will be critical and should include phones (at least one shared incoming line and one outgoing line per EOC member), monitors, scanners, TV & VCR, radio, pagers, cellular phones, and any other equipment which is specific to your organization's recovery.

Many recovery plans also include planning for a War Room which is fully equipped to handle voice and data, has a subset of the necessary computer equipment, radio, TV and VCR, news intercept, and in many cases includes a direct link such as an intercom to the other two command centers. This War Room is normally occupied by such individuals as the City Manager, County Commissioner, Risk Manager, Legal Counsel, and Public Information Officer.

The Command Center or War Room might be set up in advance, fully equipped and utilized during normal business operations as a regular conference room. Most important of all, there must be an area designated for your Emergency Operations Center(s), however many you have, and you must know and plan in advance what your requirements for operating that center(s) will be. You will, of course, have already determined what your own security incident command center or facility management command center will require.

VITAL RECORDS RECOVERY

Although many of your vital records may be backed up and stored offsite, your facilities house numerous paper records containing information critical to the continuation of your services and business. Those documents could include vendor contracts, deeds, permits, tax records, administrative records, personnel files, building engineering drawings and updates, material safety data sheets, fire safety evacuation plans, compliance documentation for EPA, OSHA, DOT, asset inventories, etc., as well as other archival documents which are required, through legal retention schedules, to be saved for specific periods of time.

In addition, what work in progress, which is not yet backed up and stored offsite and is critical to the continuity of your business or services, remains in your facilities each night? How, for example, would you plan for the recovery of your claims files, litigation files, financial information, pending applications, contracts, administrative orders, etc.?

It will be important in your disaster recovery and business/service continuity planning process for you to interact with your Vital Records Manager so that you will know what you have stored on site and what retrieval systems to have in place in the event you need to move those records out quickly. Has your Vital Records Manager identified for you which records would need to be recovered and relocated first? Have they pre-qualified their resources for providing physical restoration of the vital records, whether they are paper, magnetic media, micrographic, etc.? Have they located an alternate site for these records once they are restored if your original or new facility is not available immediately? What procedures or alternate facilities and equipment do they need you to have in place for them?

MANAGEMENT'S COMMITMENT TO THE RECOVERY PLANNING PROCESS

As we review this partial list of concerns which must be addressed, it is easy to see the number of man-hours which will be involved in developing the plan. And we have not even begun to address in this article the critical areas of information systems (including LAN/WAN recovery), electronics and telecommunications recovery, and establishing a crisis team and its tasks. As time is money, how important is this planning process?

We must understand the true nature of the cost of risk to an organization or community. We know that cost of risk is a way of measuring the degree of risk by examining several of the worst possible loss scenarios.

Once identified, these scenarios should be communicated to upper management so they, too, can begin to see and support the value of disaster recovery/business continuity planning efforts. Failure to support these efforts can directly affect the public image and bottom line of the business, or of the business and its community.

A business impact analysis (BIA) is a proven method of determining this cost of risk. A BIA can also assist you in accomplishing this enormous disaster recovery and business continuity planning process in an expeditious and cost-effective manner.

As you begin the planning process for your organization, whether from the entire institution structure, or for individual departments or locations, it will obviously be important to initially define the impact of business or service disruptions, and target those operations and processes which require recovery planning. This entire data gathering and analysis process can be accomplished quickly and easily by utilizing the latest technology in business impact analysis tools. The output of this critical information will also need to be presented to your management in professionally designed graphs and charts so that the impacts are easily understandable. This should be part of any BIA product.

Once your critical areas have been identified, your software planning product should enable you to easily and quickly develop the plans, enter and maintain the data critical to your recovery and provide you with a swift and successful plan activation. Although many plans start out in a word processing document, if a disaster occurs, you don't want to have to be searching through a manual looking for action lists, notification procedures, and recovery team members' names, numbers and tasks. Automation of the planning process allows one to more thoroughly create the plan, maintain it and, when necessary, activate it in a constantly changing and downsizing environment.

A well designed, implemented and tested contingency plan is a team effort. Through thorough input from the managers of the areas we have discussed here, as well as others (including the possible use of external consultants), your plan can be successfully responsive to unexpected circumstances and their requirements for business/service resumption and continuity.


About the author:
Pat Moore is Vice President—Business Continuity Education for Strohl Systems, headquartered in King of Prussia, Pa. and is a Certified Disaster Recovery Professional (CDRP), as well as a Fellow of the Business Continuity Institute (FBCI). Strohl Systems and its global network of distributors provide disaster recovery, business continuity, and business impact analysis software and consulting services. Pat is known internationally for her real world expertise and experience in the disaster recovery and business and service continuity industry, and lectures worldwide on these subjects.

For more information call Pat Moore at (800) 634-2016 or (610) 768-4120. Fax (610) 768-4135. This article is an excerpt from one of the author's additional works. You can also visit the website Strohl Systems.

This article may not be reprinted, reproduced, distributed, reduced to any electronic medium or machine readable form in part, or in total, without the express written consent of the author. All Rights Reserved. Copyright ©Strohl Systems 1996
