If anyone in any organization was in any doubt about the importance of having a Disaster Operations Plan, that has surely changed since the outbreak of the Covid-19 pandemic. Some organizations have coped better than others, but every organization should be working either on developing a Disaster Operations Plan or on improving the one it already has by identifying where the plan did and did not work well.
Design a plan based on resources you already have
A Disaster Operations Plan is a crisis-specific plan that builds on what an organization should already have in place. The following established elements in business and IT management can help provide the foundation of your plan for worst-case scenarios that could threaten the business.
- Business Continuity Management is a management-level strategy commonly focused on major IT issues, local catastrophes, etc. This is the closest discipline to Disaster Planning and Operations.
- Incident Response Management is an IT discipline targeted at efficiently responding to cyber and/or IT incidents. However, the methodologies used in Incident Response Management can be helpful when reacting to something unknown or unprecedented, like Covid-19.
- Emergency Planning is another common management-level approach, but it is usually narrowly focused on the unexpected absence or loss of all general management.
- IT Infrastructure and Security is an operational-level discipline which ensures that IT infrastructure remains available and that security is at the required level.
- Supply Chain Management is an operational-level discipline that ensures that the supply chain is adequately managed. It should include strategies to keep the supply chain working even during a crisis, with a particular focus on the cyber supply chain, especially for digital businesses. For more on this topic, see the webcast: Necessary Components of an Effective Cyber Supply Chain Risk Management (C-SCRM).
- Business Resilience Management is a cross-functional and inter-disciplinary approach to align all the protective disciplines listed above to achieve the goal of resilience.
Business resilience is an extremely important part of day-to-day business operations, particularly as a growing number of businesses become highly IT-dependent and transform themselves into digital businesses. Business resilience, which includes all the other protective disciplines, is aimed at enabling a business to adapt quickly to risks and disruptions, while maintaining key business workflows and safeguarding employees, assets, and brand reputation. A Disaster Operations Plan, therefore, is an important part of business resilience, supported by all the other protective disciplines.
What to include in your Disaster Operations Plan
Disaster Operations Plans should consist of eight elements:
- Plan Activation: Who activates the plan, and when? Responsibility must be clearly designated, and there should be a backup for this decision.
- Crisis Management: Who is responsible for managing which tasks during a crisis? Who is the backup? The responsibility and accountability for all crisis-related tasks should be clearly defined.
- Crisis Communication (Internally and Externally): Who communicates? Those responsible for communication should be clearly designated to keep the message coherent and consistent for the appropriate channels and recipients. Training in crisis communication is highly recommended. External support may be required. Don’t forget that internal communication during a crisis is also essential!
- Crisis Organization: How does the organization change during a crisis? Crisis teams should address the changing role of critical departments such as management, finance, HR, production, IT, supply chain, etc. These departments may merit their own crisis teams.
- Business Continuity: Planning for continuity during a crisis includes knowing what can be shut down or cut, and what the impact of these actions will be. This may be done on a per-department basis.
- IT Continuity: Draw upon existing Incident Response Management capabilities to map business functions to their IT impact, to keep as many essential systems and services running as possible, and to put processes in place for recovery. There should be some anticipation of transitions required in different crisis scenarios, such as working from home during a pandemic to ensure maximum possible business continuity and resiliency.
- Improvement: Preparing for every crisis scenario is not possible, but it is always possible to learn from experience. Incorporate the experience of everyone in the organization into the rapid decision-making required in a crisis.
- Return to Normal: Plan for how to transition from disaster operations back to normal operations. Ask questions such as what, who, how, and when, for example by designating roles to appropriate people, identifying signals, or proposing processes.
As stated earlier, a Disaster Operations Plan is one of the elements contributing to business resilience, which should be the overall goal of every organization to ensure its ability to survive and thrive in an increasingly competitive, digital, and sometimes hostile and unpredictable global business environment.
The Business Resilience Management approach to stronger organizations
Any organization that has not done so already should make business resilience the focus of everything it does, from its business model and organizational structure to IT investments and business processes. This can be done by adopting a Business Resilience Management (BRM) approach, which is the comprehensive and standardized management of all processes to identify and mitigate any risks that threaten an organization. BRM, therefore, is a cross-functional and inter-disciplinary approach that involves risk, business, and security professionals.
This approach underlines the importance of closer collaboration between Business Continuity and Cyber Security teams. For more on this topic, please see our Advisory Note Business Continuity in the age of Cyber Attacks.