Official (ISC)²® Guide to the ISSMP® CBK®
Understanding BCP, DRP, and COOP
© 2011 by Taylor & Francis Group, LLC
Pre-Disaster Planning Issues
There are two principles that are very important. The first is communicating expectations. More than any function within an organization, the human resource function is the keeper of the organization’s expectations. It is usually through the human resource office that company announcements are made, that company policies are announced, and that, in fact, the will of executive management is enforced. It is through the human resource office that we would expect very clear goals, guidelines, and expectations set out for employees regarding business continuity.
This should be communicated as part of an employee handbook. The handbook should
- Discuss continuity
- Describe the expectations of the company regarding the employee being present and helping to restore the business in the event of a disruption
- Describe the employee’s responsibility for notifying management of conditions that may lead to a disruption of work, e.g., fire extinguishers that are not charged, exit lights that are burned out, or other obvious possible hazards
BC and DR should also be covered as part of the induction program. Clearly
communicating expectations for employee response is the most important element
of pre-disaster planning.
The second principle involves planning for an emergency work environment. There are many issues to be resolved during the planning phase that will impact your recovery plan execution. For example, your recovery plan may call for employees to be relocated at an alternate site in another town or another state.
When those people get there,
- Where will they live?
- How will their living costs and needs be cared for?
- How will they be paid?
- Will they work normal or extended shifts?
- Will they get overtime for extended shifts?
- Will they get compensatory time?
Exploring alternatives and preparing strategies in advance will promote a
smoother transition in the event of an incident occurring.
Emergency Response Issues
When planning for the emergency response phase, there are a number of issues to be discussed. The important one for human resources is readiness. While other parts of the organization are evacuating and beginning the recovery response, human resources is expected to be prepared and functional as a critical business unit.
One of the first issues for the human resources function is employee life and safety, and even fatalities. You must have some way within your organization to know where employees are and what has happened to them. Any event that affects the building to the extent that you may have to invoke your business resumption plan may have also caused injuries or fatalities.
Questions to be asked include the following:
- Who is responsible for calling the emergency services?
- How will first responders get into the building?
- What is the company’s role once employees are evacuated?
- What is the company’s responsibility to find safe haven or medical treatment for employees?
In your organization, whose responsibility is it to ensure an employee’s safe passage
to a hospital? Is it the role of HR or the role of the employee’s manager?
Another human resources issue has to do with notifying families of injured or
missing employees. Some companies leave it up to the individual supervisor; others
leave it to human resources to contact the family in any kind of event, whether it is
a fatality or an injury. It is important that human resources have the recovery items
it needs to do this job.
How the incident is communicated to the outside world is also important. Clearly there will be communication with the media. Protecting the corporate image is important; however, it may be the first notice families of employees have that an emergency has occurred. So the issue then becomes, “How do we notify families in a conscientious way?”
Part of the issue is communicating with and accounting for employees. How do you know that all of the employees are out of the building? If you don’t have a very effective emergency response program that has regularly scheduled fire drills and floor monitors and those sorts of things, you may have a lot of work to do. It is vitally important for that to be done.
Recovery Issues
To ensure maximum engagement by individual employees in the event of an incident, it is important to involve them in the planning process and tell them at the business unit level what is expected of them during business recovery, and how they are expected to respond. Involving the employees, at a variety of levels, in planning the response will ensure excellent ideas and an effective response; after all, they work at the operational level and will have a clear understanding of the layout of their work area and of people’s habits and activities that may not be officially recorded elsewhere.
During recovery your organization will be working in an “organizationally altered state.” For example, you may have very altered work schedules, some very different than you normally have. Some plans call for recovery teams to work longer days but fewer days per week, to avoid burnout. Such changes need to be reflected in the payroll system or in leave balance calculations, or absentee reports.
The work being processed in an emergency response is usually the most critical work; thus a change to shift patterns, extended days but shorter weeks, may be more effective and result in greater productivity.
Locating an HR team at the command and control center optimizes efficiency, reducing the need for communications and having a single point of contact for employees and families, and reducing duplication and the potential for ambiguity.
More importantly, it immediately creates a presence for carrying out the plan, specifically,
- Notifying employees when their business units are expected to resume partial or full activity
- Filling critical vacancies through temporary services
- Coordinating employee assistance for those employees impacted by the outage
- Providing management with issues and concerns that may need their attention regarding employees
During recovery the human resource function also will be called on to assist employees in a heightened manner. What kind of assistance might you plan for? The literature is replete with all kinds of company assistance programs that organizations have put together to handle major cataclysmic events, including the following:
- Emergency food
- Emergency cash
- Providing cash
- Storage of household goods
These factors are important to have considered in the recovery plan. The extent to which employees’ basic needs and those of their families are taken care of will determine the extent to which the employee is able to focus on recovering the business.
Post-Disaster Issues
In the post-disaster environment, there are a number of human resource issues that are better considered in advance as, alongside the practicalities of managing staff, the issues often carry fiscal implications. At a time when the organization will be experiencing a high level of spending to recover the business, unexpected added costs would not be welcomed. If members of staff are not part of the recovery team and therefore not working, there should be a clear statement of policy regarding pay, leave, and benefits cover for the duration.
While often overlooked, the human resource part of business recovery is a vital
link between the employees who produce the recovery and the plan that guides it.
However, very little in the development of a business recovery plan can be ignored
by human resources. Careful consideration of the issues will allow those planning a
business recovery to protect and support its most critical resource: its employees.
Identifying the Strategy and Scope
Dening the strategy and scope for business continuity and disaster recovery will
be informed by the culture of the organization and its risk appetite. e level of risk
appetite is not static and will change according to the economic climate and the
number and magnitude of publicly published incidents. For example, no one would
have considered the prospect of two planes ying into the World Trade Center
before they did. However, as a consequence of that event, many executives raised
the “what if” questions. No one would have considered the consequences of ood-
ing before hurricane Katrina or the December 2004 Indian Ocean tsunami or even
the oods in Gloucestershire in the United Kingdom, which killed few people yet
almost took down GCHQ, a government central intelligence site. And who would
have expected the 100-year storm to present itself for two consecutive years?
Pandemics such as the plague do not seem possible in the industrialized world where medical advances and health services cure impossible diseases. And yet SARS and Avian Flu threatened to spread across the globe as passengers flew from country to country. The UK government currently cites Pandemic flu as the top risk on the National Risk register. In the United Kingdom, Blue Tongue and Mad Cow disease caused the establishment of no-go zones restricting travel in various parts of the country.
Industrial action, strikes, and working to rule among labor forces seem to confine themselves to the history books and yet the threat of action does not.
We will consider each of these triggers and more later in the chapter. They are introduced here, however, to demonstrate the wide range of issues that can impact an organization’s risk appetite and its propensity to increase and decrease its view of the importance of business continuity and disaster recovery preparedness drawing on funds from a limited budget.
However, the process for the development of the strategy and policy remains
the same, whatever the extent of the appetite.
Project Planning
The term “project planning” for business continuity is anathema. A project implies a specific start and end date, a budget, and a set objective. However, the concept of BC and DR is that it is a continuous process, rarely is there a budget set, and further, how can we measure the quality of our plans until the worst happens? However, we can take the principles and apply them well in order to provide us with a structure or framework. Thus our project plans are not the business continuity and disaster recovery plans themselves, but the formulation of those plans at the outset.
Our project plan needs to identify the major phases and the activities that comprise individual phases, the resources required to undertake the different activities, and the governance to apply quality controls to the project. The governance should identify the reporting structure, all of the documentation to support the project, the schedule of meetings and who will attend them, the risks and issues associated with the project, and the deliverables.
The Process for Developing the Plans
A top-down view in Figure 4.4 provides four distinct stages in the development of business continuity plans.
Understanding the organization requires a strategic understanding of the core business functions, the organization’s risk appetite, and the information technology infrastructure that supports the business.
Each of the plans as identified in the previous section should be considered as living documents. As a consequence, we should not see their creation as linear but as cyclic.
Figure 4.5 illustrates a more detailed life cycle for the continuous development and communication of strategic policies to mitigate business risks and address vulnerabilities in a dynamic environment where threats are constantly changing.
Further, each of the activities identified in the cycle is also cyclic and repetitive in nature. You will notice that each of the activities has communication with the central monitor, control, and communicate. The Business Continuity Security Steering Group should undertake this function.
Figure 4.4 The four distinct stages in the development of business continuity plans.
- Understand the Organization
- Define BCM Strategy
- Develop and Implement the BCM Policy
- Exercise, Review, and Maintain the Policy