8 Keys to Effective Continuity Plans

Not every Business Continuity Plan, IT Disaster Recovery Plan, Crisis Communication Plan or Incident Management Plan is guaranteed to work properly when it’s needed. Just because it’s been written doesn’t make it effective – even when it’s been tested. To improve the odds of a Plan’s ultimate success, here are eight simple rules to follow:

1. Assume responders are Subject Matter Experts
When you start creating Incident Response plans, assume that the people who will respond are Subject Matter Experts who perform the same or similar tasks on a daily basis, not someone off the street.

2. Be Brief, but Thorough
Subject Matter Experts have enough knowledge and experience to work with brief instructions – even checklists. At the time of trouble nobody has the time or inclination to sit and read a mammoth tome. Leave the ‘fluff’ out – or put it in an Appendix of your business continuity or disaster recovery plan if your auditors insist it be included. Incident Responders only have time to read what’s important – those instructions should be front and center, not hidden in a pile of details.

3. Identify dependencies
Success of the recovery effort is dependent upon knowing the upstream (and downstream) dependencies of each task – what needs to get done before the current task. Disaster Recovery or Business Continuity Plans that can be thought of as timelines (even Gantt Charts) will be easier to implement – and progress will be easier to track.
Whether the predecessor task is within the same Incident Response Plan or in some other Plan (e.g. a task performed by some other Team that allows your Plan to progress), understanding upstream and downstream dependencies will take much of the guesswork out of Plan execution.

4. Assign responsibility to Groups
Do not assume that any specific named Person will be available at the time the disruption, disaster or incident occurs. Give responsibilities to Teams – with enough members and geographic diversity to assure that at least a few will be available under all circumstances.
When tasks are assigned to an individual, and that individual fails to appear (regardless of the reason), those tasks may be ignored – until their lack of completion becomes an issue.

5. Leave out Senior Management
Don’t make members of your organization’s upper management part of the incident responder group. Let them manage the crisis response from on high. They should be prepared to make the big decisions – not the granular ones that will need to be decided quickly and decisively. Every Team needs a leader, but leadership need not be based on organizational seniority. Knowledge and experience trump rank when it comes to executing a Disaster Recovery or Business Continuity Plan.

6. Facilitate Decision Support
Business Continuity and other Incident Plans should contain the right level of information for decision support. The faster decisions get made, the quicker recovery occurs. Substantive data (such as the causality chain, true impacts, current capabilities, strategic alternatives) aid the decision-making process. Lists (of Processes, Servers, Alternate Locations, etc.) only provide a starting point for that process.

Give Recovery Teams the ability to quickly choose the right solution path for the present problem – don’t make them start the analysis from scratch.

7. Make Tasks Actionable
Business Continuity and Disaster Recovery Plans should be actionable. By focusing on the Assets on which the Process or IT Application or System depends, the recovery strategy can include the tasks necessary to achieve that goal. Give incident responders actions to take (not lists). The granularity of those actions should be appropriate to the task. Some actions will require more detail than others.

Assign responsibility for each task (again, to a Team, not an individual).
Link tasks to their predecessors and successors – so responders will clearly understand the result of executing a task upon other downstream tasks. Assign an expected elapsed time for executing each task – that way you’ll be able to determine if your continuity plan execution is on track or behind schedule. Verify both the links and timelines through tests or exercises.

8. Test, Test, Test
The best way to train and create awareness is through testing. Exercises should be designed to fail – to identify gaps in the planning process. Don’t grade the results. As long as the objective of the Exercise is to find gaps, there is no ‘failure’. The only real failure is 100% success – since you didn’t make the test scenario hard enough to uncover any gaps!

Ramesh Warrier

eBRP Founder and Chief Designer of eBRP Suite, Ramesh is a proponent of constant change, a visionary who believes that the practice of Business Continuity can deliver improved operational efficiency. Ramesh, B.Tech in Electrical Engineering, has nearly 30 years experience in Business & Technology roles. His thoughts are expressed in blogs, white-papers, frequent webcasts and speaking engagements at industry conferences.
