Every organization faces risks – and some of those risks may result in disruptions or other ‘incidents’. An effective response to an incident requires many things. We’ve combined them into a 5-part “Incident Horizon”: Planning, Preparedness, Initial Response, Planned Response and Extended Response. In this blog we look at the Extended Response phase of the Incident Horizon.
It is common for Business Continuity to focus on RTO’s (Recovery Time Objectives) and Plan to do whatever is needed to meet them. It is easy to assume that once you’ve met that RTO, everything else will progress smoothly. After all, you’ll be back in business, right?
It is also common to assume that the resources you’ll need to recover will be available; and that once you’ve met your RTO that your supply chain of those resources will be able to deliver.
And hardly any Plan assumes it will be necessary to coordinate with others (other than your own supply chain and customers).
Unfortunately, circumstances could prove every one of those assumptions wrong.
- Your minimum acceptable level of production may not be ‘business-as-usual’.
- You may have to scramble for resources if recovery drags on for days, weeks or months?
- An event that disrupts your region, locale or multi-tenant building could require working with – or under direction of – others.
Sometimes there’s No Quick Solution
Just because RTO’s keep getting shorter doesn’t mean Business Recovery won’t take time. If your building is damaged you may be able to recover your critical applications in the cloud – but what about your products, people and services? A major disruption requires long-term planning; but you can’t plan for every possible eventuality. But there are important components you can address – rather than ‘winging it’ under trying circumstances later.
Many Plans assume a single Team will manage the Incident (or recovery of a Facility). But is that appropriate? How long can Responder work effectively before they need to be replaced? Planning for Operational Periods (‘changing of the guard’ if you will) with sufficient trained staff will make a longer term Recovery process much smoother.
What other vital Recovery resources might be – or become – scarce? Generator fuel? Envelopes? IT hardware? (Water, coffee?) Plan to allocate scarce resources – and replenish vital supplies – in advance. Then when the time comes, you’ll know what, when, where and how to get what you need.
Sometimes is isn’t Only About You
The poet John Donne said “No Man is an island, Entire of itself.” The same can be said for any enterprise – and it’s Business Continuity Plans. Yet there is a tendency to plan as though there will be no interaction with others – as though the enterprise is an island unto itself.
Realistically, many (but not all) business disruptions involve others: our Customers, or Vendor, neighbors, local emergency responders and government agencies (not to mention government regulators). Whether we plan for it or not, it is likely that cooperation with others will be necessary if our enterprise is disrupted.
Every organization should plan in advance who will coordinate with Emergency Responders. This interaction needs to be performed locally, not by some distant corporate Team. Local coordinators should be trained to understand their role and the limitations of those responsibilities.
US Organizations with NIMS responsibility should be well-versed in the Incident Command System (ICS) and use of required ICS documentation. Having those documents available and an Incident Management organization structured to integrate with ICS will make cooperation with external agencies easier and more effective.
Even organizations that are not mandated as participants in NIMS may find it advisable to be aware of their role in any local incident (many non-US countries use a similar command system). An Incident Management Team with an understanding of ICS structure will make cooperation easier in the likely event of an incident involving more than the business organization.
Your Extended Response doesn’t require the level of preparation of Initial Response and Planned Response phases, but it does require awareness and understanding:
- What will you need if recovery takes longer than anticipated?
- How will you handle manpower needs over a long recovery period?
- Plan for cooperation with local emergency and government agencies
- Be aware that your organization is part of a larger community – and what that may mean to your ability to respond and sustain a response to a disruption.
