Issue Archive: May/June 2009

Continuity Trends: How Many Plans Do You Really Need?

Author: John A. Jackson

What types of plans do I need, and how many plans is the right number for my organization? It is a question often asked by continuity practitioners, and it doesn’t have an easy answer. As with so many issues in our field, the answer starts with “it depends.” And the discussion should start with basic types of plans, as follows:

Incident Response Plans - In my opinion, the first type of plans you need is incident response plans. These plans address the initial stages of any event, including evacuation, damage assessment, emergency procedures, and plans associated with a specific event, such as a fire, explosion, or workplace violence event. They often already exist, out of necessity, so you probably don’t need to develop them as much as you need to know where they are and who owns them. It’s also important to understand their boundaries, so you can build other plans around them.

Crisis Management Plans - Once the incident has been initially triaged, there is a need to get a management-level team involved to oversee and coordinate any required response to the incident via a crisis management plan. These plans help senior management understand the incident. What happened? How serious is it? What do we do next? The crisis management plan also should provide an oversight plan to monitor any recovery efforts.

Business Continuity Plans - Depending on how your organization is structured, you probably have a number of facilities that are “people” facilities—office complexes. Business continuity plans cover these locations and focus on getting critical business units or processes back up and running at an alternate site. They also include the transition back home or to a new location once the disaster has run its course. These plans address a multitude of people-related issues, such as where to move people, access to food services, temporary housing, how to run a mail room, how to ship and receive, and other everyday business issues.

IT Systems Disaster Recovery Plans - This plan addresses how companies would move their data center to a backup site and resume operations. The options for IT systems recovery have expanded to include internal sites and colo centers, not just a traditional hot site.

Site Restoration Plans - Site Restoration Plans are a critical but often overlooked part of the process, as continuity planners assume “someone” will fix problems at home. These plans are often part of the facilities group or an engineering function.

Network Recovery Plans - Networks, whether they are data networks supporting computer or Internet connectivity, or voice networks, are critical to the operation of any business. They must be available if an outage occurs or if a disaster requires relocation of a business unit or data center. Network recovery plans are most often a “sub plan” of IT systems recovery or business continuity plans, but they also must be able to stand alone if the outage is just at the network level. As network criticality increases, I think we need to consider these as separate plans to ensure viability.

Vital Records Protection Plans - Vital records are the lifeblood of any organization, and they must be protected and recovered when an IT systems or business interruption occurs. Vital records plans need to address both protection and restoration. Much like network recovery plans, vital records plans are often embedded in the IT systems and business plans, but it is important to think of them as having a “seat” at the recovery planning table.

Operating Entity Recovery Plans - Operating entity recovery plans deal with recovering an operating entity, such as a distribution center or manufacturing plant. These plans are not all that different, in concept, from IT systems or business recovery plans, except for the fact that providing an alternate site may be a more complex issue. In addition, supply chains and logistics play a large part.

Recovery Change Management Plans - Most organizations fail to keep recovery assets updated when production changes occur, and they find this out when they try to recover. Recovery change management plans require the “production” folks to think about and support the DR/BCP efforts every time a change occurs. The best places to address this issue are in the production change control process to capture hardware, software, network, and information changes as well as in the systems development lifecycle to address changes to critical systems.

Testing and Validation Plans - Testing and Validation plans are sometimes built into the IT systems or business continuity plans, but the trend is for them to be stand-alone plans, often developed, or at least overseen, by risk management or internal audit. The key issue with these plans is to make them realistic, so that they help uncover issues.

Continuity of Operations Plans - I am including this plan type, even though in my mind, it resembles the business continuity plan. I find this term gaining in popularity, especially in the public sector. These plans are all about how to keep business operating when an event occurs.

In Conclusion - These concepts are intended to get you thinking about the types of plans your organization has and needs. All of these issues need to be addressed, but that doesn’t necessarily mean you need each plan as an individual document.

As you read through the list, think about how those issues are handled in your own organization. Maybe you have one IT systems DR plan, which includes network, information, testing, and change control. And that’s fine, as long as all issues are addressed.

Maybe your business is your operating entity, as is likely the case in an IT-centric business. If so, your BCP and operating entity plan can be one, but if you’re a manufacturer, I suggest you need both. Also, be sure to leverage any existing, well-maintained plans, such as evacuation or site restoration plans rather than creating your own. The issue isn’t where the plans are. What’s important is that they do exist, you know how to access them, and they are owned and updated.

As always, let me know what you think, and if you have taken a different approach or identified unique plans I didn’t discuss.


John Jackson is a co-founder of Fusion Risk Management and a member of the Continuity Insights Editorial Advisory Board. He is an expert in the fields of business continuity, disaster recovery, and high availability. His 30 years of experience includes running all aspects of IBM, HP, and Comdisco’s disaster recovery businesses and participating in over 500 actual recoveries for client companies. He can be contacted via e-mail at jj@fusionriskmgmt.com.

© 2010, Gardner Publications, Inc. All rights reserved.