Resources

Exercise in a Box

Looking for an economical way to deliver a tabletop exercise?


The Vanguard EMC Exercise in a Box provides a step-by-step methodology to prepare, conduct, and report on a tabletop exercise. This kit contains 40+ comprehensive tools. Leverage our plans, templates, and checklists to coach your team through the exercise process with greater confidence.


Tips and Tricks

10 Ways to Improve Project Initiation and Management

As the foundation of Business Continuity Management, a solid program initiation can help you to avoid many structural issues later on. While you may be eager to demonstrate progress, investing sufficient time and energy into program planning will help to avoid costly delays and remove obstacles. This article will outline ten tips to improve program initiation and management.

Tip #1: Assess the current state of the business continuity program. Clarify whether business continuity plans exist and when they were written. Examine how your organization manages corporate risks and how this is evolving. Determine how comfortable upper management is with their risk management maturity level. Outline what has changed in the risk and business environment that warrants a change in the company’s business continuity program. Find out what peer organizations are doing and whether the public, regulators or shareholders would be satisfied with your entity’s current state of business resiliency. The executive sponsor will need this information in order to grant robust support.

Tip #2: Establish an executive-mandated business continuity program. Successful business continuity planning must have executive-level support from the beginning. Without this, any program is doomed to failure. The business continuity program must have a designated executive sponsor who will sign off as each milestone is reached. Ideally, the program should be visible to the board of directors or to the deputy minister through annual or quarterly reports. The project sponsor's name must carry enough political weight to open up key doors throughout the organization.

Tip #3: Develop a strong policy and governance structure. The policy must contain every aspect of the program, including requirements for a threat and risk assessment, business impact analysis, a comprehensive set of plans (including emergency response, recovery, restoration, and crisis communications), training and awareness program, annual exercise, and audit maintenance program. The business continuity program scope and objectives must be included in the policy. Policy language should spell out the classical plan–do–check–act cycle, and indicate that business continuity management is a continual process. Do not forget to perform a risk assessment. Before looking for risks to the organization’s critical processes, look for risks to the success of the business continuity management program.

Tip #4: Tie program objectives to the organization’s strategic priorities. Understand the strategic goals and operational priorities of your establishment. The business continuity program objectives need to fit into these goals and priorities if you hope to obtain widespread upper management support.

Tip #5: Control scope and clarify objectives. Never allow the program to become unmanageable due to a scope that is too broad or objectives that are ambiguous.

Tip #6: Obtain strong commitments and adequate funding. Again, successful business continuity planning must have executive-level support and commitment from key staff. This is a corporate investment and must have a budget that reflects the scope of the program. Include money in your budget for adequate exercise and maintenance programs. Include in your requirements the staff time commitments, including any additional staffing or workload redistribution where business continuity planning responsibilities are added to existing staff.

Tip #7: Lay out a roadmap for implementation of the program. Frame the implementation. It doesn't need to be a detailed program plan (that can come later) but it has to demonstrate that you have thought things through. Outline the program sequence, including what needs to happen first and when projects will begin and end. Show how they will roll out across your organization and who will be responsible for each rollout. List any ‘quick wins’.

Tip #8: Set realistic target dates and assign clear accountability for meeting them. Set realistic target dates based upon consultation with your key partners and obtain their support for meeting them. Performance measurement is often missed by many business continuity programs as they overlook establishing critical success factors. Demonstrate the value of the program. Indicate how you and your stakeholders will measure success. Determine where you need to be in six months, one year, or even five years to achieve your overall goals. Verify how often and in what manner you will report results to stakeholders.

Tip #9: Establish clear communication channels among project members. Do not allow the program to get off course due to poor communication. Set up regular team meetings in the same location and at the same time. If possible, book the meeting room for the next year. Establish an escalation process if team members are encountering roadblocks, are not meeting target dates, or are missing meetings.

Tip #10: Ensure that the planning team has the necessary technical expertise. The business continuity program manager should obtain comprehensive business continuity management training. They should have the skills needed to share their expertise with the team members. Project management experience or training can be very useful but is not absolutely necessary. Designated members of the planning team should have the technical expertise needed to represent their business unit. What differentiates an amateur from a certified business continuity professional? The professional has a clearly formed plan to create and manage the business continuity program. The amateur does not.

Effective use of these ten tips will improve program initiation and management and help you to avoid structural issues, costly delays, and obstacles, and further demonstrate your dedication to professionalism.

10 Ways to Improve Risk Evaluation and Control

Identifying new risks and controls can provide visible benefits to the organization but can initially seem daunting. By following these tips, you can expedite this step and grow your network while enhancing your organization’s defenses.

Tip #1: Establish the risk evaluation as a small project. Manage the risk evaluation as a mini-project within the Business Continuity Management Program with its own scope, objectives, and milestones. Clearly identifying the scope of the risk assessment will make it more manageable and more accurate. Clarify the meaning of key terms that will be used in the risk evaluation. The following are some sample definitions:
 - Risk is the potential for exposure to loss which can be determined by using either qualitative or quantitative measures.
 - Risk Categories are risks of similar types grouped together under key headings. These categories include reputation, strategy, financial, investments, operational infrastructure, business, regulatory compliance, outsourcing, people, technology, and knowledge.
 - Risk Control refers to all methods of reducing the frequency and/or severity of losses, including exposure avoidance, loss prevention, loss reduction, segregation of exposure units, and non-insurance transfer of risk.
Make sure to exclude certain categories of risk that will be outside of the scope of this evaluation (such as strategic risks). Your organization’s risk tolerance level must come from senior management, ideally from their corporate risk council or chief risk officer.

Tip #2: Coordinate with other risk management groups within the organization. Use your resources wisely. Most organizations have various individuals with some responsibility for identifying, measuring, and controlling risks to the entity. Research your internal resources and leverage completed risk assessments. Look for expertise in risk management (and/or insurance), internal audit, physical and data security, and health and safety. 

Tip #3: Examine the facility inspection. Obtain a copy of recent facility inspections conducted by the insurance carrier. If an inspection has not been completed recently, your contact may be able to request one. Ideally, you should accompany the insurance inspector as he/she examines the facilities. Analyze the report and follow-up with the inspector on any questionable details.

Tip #4: Analyze risk data from hazard maps. Economical online hazard maps are available on a regional or national scale. More detailed hazard maps and further risk information should be available from local municipalities. Take this opportunity to connect with the local officials involved with emergency management.

Tip #5: Conduct research on historical experience of similar organizations. Most organizations are not unique. Devote time to researching historical losses of organizations similar to yours. Insurance professionals can provide insight. Insurance companies track loss data according to industry. Professional associations, trade shows, and the chamber of commerce may provide industry risk information, as well as a forum to discuss loss experience with colleagues. While direct competitors may not be forthcoming, others in your industry may be willing to share their experiences.

Tip #6: Examine risks from outsourced activities. Globalization has led to cost savings but can expose your organization to many hidden risks. Do not overlook the threats to overseas outsourced services or key suppliers. Some categories of risk such as war, terrorism and political risks are more frequent outside of Canada.

Once you have compiled a list of risk categories and exposures from both internal and external sources, each possible event should be rated according to the probability that it will occur and what possible impact it could have on your organization. Define your rating terms, for example:
 - Probability is the likelihood of this event impacting our organization in the next 10 years.
 - Severity is the maximum financial loss to our organization that could be caused by this event.

The size and complexity of your organization will determine how you develop the rating system. A small simple organization should use a simple rating system such as this:

| Rating | Probability | Severity |
|---|---|---|
| 1 Low | 01% to 35% | Up to $99,999 |
| 2 Medium | 36% to 70% | $100,000 to $999,999 |
| 3 High | 71% to 99% | Over $1,000,000 |

A larger, more complex organization might want to have a more layered approach:

| Rating | Probability | Severity |
|---|---|---|
| 1 Low | Up to 35% | Up to $99,999 |
| 2 Medium | 36% to 59% | $100,000 to $999,999 |
| 3 High | 60% to 79% | $1,000,000 to $9,999,999 |
| 4 Very High | Over 80% | $10,000,000 to $99,999,999 |
| 5 Catastrophic | | Over $100,000,000 |

Always use both words and numbers to quantify the exposures/risks. Risks should be ranked according to their risk number (probability multiplied by severity) and charted on a graph that clearly indicates all risks/exposures outside of the entity's risk tolerance. Rating of the risks can be done by a small group of key personnel or a larger survey. The larger survey can also be used to identify loss controls and safeguards.

Tip #7 Arrange a small fund to deal with low-cost control measures
Depending upon the culture of your organization, you might want to arrange in advance for a small discretionary fund (small relative to the size of your organization) to be used for low-cost loss control measures uncovered by your team. By avoiding red tape and company politics, you are able to quickly demonstrate to employees a corporate commitment to risk control. This should increase their willingness to provide your group with accurate risk information. Your final recommendations will not be cluttered with these low-cost control measures.

Tip #8 Rank recommendations for prevention measures in order of cost-effectiveness
More expensive loss control measures should be submitted to upper management with cost analysis and your recommendations based upon the level of risk to the organization.

Tip #9 Give senior management final risk ranking approval
Your risk assessment report to senior management should include the methodology, the risk chart, a list of your organization’s top risks (within the scope of your assessment), and any recommendations for loss control measures including your cost benefit analysis of these measures.

Tip #10 Label and treat risk evaluation as confidential or privileged information
For those in government organizations, the risk evaluation should be protected from any ATIP requests. To avoid lawsuits and other issues, legal counsel should advise private companies on treatment of the highly sensitive information in the risk report and their due diligence responsibilities.

The information gathered during the risk evaluation and control phase will be used to inform many of the later stages of your program. A summary of the top ten risks should be presented to those participating in the business impact analysis to give them an understanding of how operations would most likely be disrupted. The risk evaluation should be validated annually. The business continuity management maintenance program should also include a risk evaluation of any major new project undertaken by the organization.

10 Ways to Improve Business Impact Analysis

A successful Business Impact Analysis (BIA) will harness knowledge from throughout the organization to compile the accurate, comprehensive data needed to create practical business continuity plans. These tips will help the business continuity management professional focus their efforts on collecting valid data from credible sources.

Due to the magnitude and scale of the Business Impact Analysis, treat it as a separate project. Document the BIA project scope, objectives, timeline, resources and milestones. Understand and manage the BIA project risks. Our certified business continuity professionals can help with this.

Tip #1 Closely define the scope of each Business Impact Analysis
The first BIA completed does not have to cover all business functions and gather every bit of information. Objectives should list the products of this Business Impact Analysis, which may include Recovery Time Objectives, Recovery Point Objectives, resource requirements and/or dependencies. A BIA that takes longer than three months will start to contain outdated information and can stall the planning process for the recovery strategies. In large organizations, conducting multiple targeted BIAs will expedite plans and allow for testing of your methodology.

Establish a Business Impact Analysis project team that represents all the areas within scope of the BIA. Team members need to be appointed by their senior management and have time to devote to this project. Provide training to the team members on the methodologies and products of a Business Impact Analysis as well as limited business continuity plan management.

Create a scenario for the BIA. The scenario must affect people, information, technology and the workplace, and result in an interruption foreseen to have at least 30 days duration.

Tip #2 Obtain written executive commitment for the Business Impact Analysis
Many people in your organization will be involved at this stage. To obtain their valuable time and cooperation a short letter or e-mail from your executive sponsor can be very effective. This can be attached to the survey or invitation to a workshop or distributed to each participant individually. Have the executive sponsor sign off on the scope and objectives of the BIA as well as on every milestone as it is reached. Course corrections along the way will ensure that you arrive at the right destination. Design a methodology to gather the information required to fulfil your objectives. Test the methodology with a small team to help validate the data gathering process.

Tip #3 Create an inventory of business functions within the scope
Prepare the inventory based on the most recent organization chart. Before moving ahead, validate the list of business functions with department leaders or the BC Steering Committee. For each business function you will need to determine where it occurs, who can perform it and what technology and information it requires. Dependencies and vital resource requirements must be determined. Format the data to collect into a list: RTO, Priority within the RTO, RPO, MSL, Dependencies, Resources. Flowcharts should be used to get a strong understanding of how the functions are connected. Simple spreadsheets can be used to contain and sort through the information.

Tip #4 Conduct interviews or facilitated workshops
Sending BIA questionnaires to employees can lead to widespread confusion because respondents may not comprehend the context of the question or may provide information based on emotion rather than fact. If a questionnaire is the only option, prepare an accompanying guide. Test the guide with a control group before its widespread distribution. Conducting interviews or facilitated workshops allows the BIA team to clear up any confusing language and clarify questions. They are available to answer any inquiries, set expectations and raise awareness. Interviews and workshops also allow the BIA team to drill down on any surprising or inconsistent information. Remember that every question should provide information that will be used in the business continuity plan.

Tip #5 Determine if previous events have resulted in an operational interruption
Find out if the organization has had an outage previously. How long did it last? What was the financial, operational or reputational impact on the organization? Use this experience to start participants thinking about the duration before an interruption becomes intolerable.

Tip #6 Question staff on manual aspects of operations
Every organization applies mechanized systems for a wide variety of tasks. Following an interruption, it may be advantageous to use a manual method for a short period of time. Manual methods can be effective as stop-gap measures while waiting for a formal recovery strategy to come on-line. Ask BIA participants what could be done with a pad, pen and a telephone. Discuss other manual procedures.

Tip #7 Focus questions on the consequences of non-performance
Avoid questions that speak about value or importance and concentrate on time-sensitivity and prioritization; the topics in Tip 3 should always be the focus of BIA data collection. Don’t ask questions for the sake of asking; every question must be pertinent to the ultimate recovery solutions in the recovery plan. Alleviate any concerns about how the information will be used by explaining how the results will constitute the input to the development of recovery strategies. Explain that resources could be substantially limited by a disaster and priority will be given to time-sensitive functions, but ultimately all functions will be brought back. For each business function you will need to explore:
 - RPO: How much data stored on computers can be lost. The answer will establish the Recovery Point Objective (RPO), or the tolerable amount of data loss measured in minutes, hours or days.
 - MSL: How far under normal operating levels the function can operate during a disaster. This will give you a Minimum Service Level (MSL), or the level to which the process must be recovered during the recovery period. It is worth noting that the MSL can be a value expressed as a percentage above the normal level of operations; examples might be found in civil response organizations that will increase their capacity following a disaster.
 - RTO: This determines the Recovery Time Objective, or the period of time within which systems, applications, or functions must be recovered after an outage (e.g. one business day).
Each function should be placed within a Recovery Time Objective category. Define the category according to a restoration time frame (e.g. within 2 hours of a disaster) and prioritize the functions within each category. Prioritization should take into account dependencies, reputation issues and client expectations. The RTO is the primary determining factor when examining recovery strategies.

Tip #8 Sound out key clients regarding their expectations
Performing according to clients' expectations is important to maintaining their business long term. Local clients, who may be impacted by the same event, may have lower expectations than national or international clients. Some customers may have service level expectations built into their contracts. Determine what would be the impact on your organization if these levels are not maintained. Priority will be given to restoring functions where service disruption will cause clients the most pain. For example, a delay in the new release of a product will postpone revenue, but not providing customer support could irrevocably damage your customer relationship.

Tip #9 Prepare a comprehensive report with recommendations
Business Impact Analysis reports will include an executive summary of the data, the data examination method and the data’s purpose. Also outline the next steps in the process and seek approval for the next business continuity planning phase. Without senior management agreement and approval of the recovery time objectives and return time objectives, funding will not be available to meet the objectives. The report should present the information gathered in a logical, organized manner and not just as a large spreadsheet. Conclusions should be developed and offered with respect to the next steps. Avoid speculation regarding the cost of recovery strategies. The goal of the report is to obtain Steering Committee and Executive approval of the Recovery Time Objectives, Recovery Point Objectives and Minimum Service Levels.

Tip #10 Give participants a chance to review your analysis of the BIA results before submission
Participants need to verify the report. With additional time to think, people may have changed their mind on key conclusions, information could have been misconstrued, or simply overlooked. Do not publish the entire BIA report in the business continuity plan. A prioritized list of your business functions should be available somewhere in your plan; typically an appendix. A business continuity plan based on a poorly researched or a phantom BIA will not have any relevance to the way that your organization operates. A strong and focused business impact analysis will provide the data needed to evaluate business continuity strategies and build a credible plan.

10 Ways to Improve Business Continuity Strategies

"When planning for war, I have always found plans to be useless, but planning to be invaluable." General Eisenhower

Your program is now moving along smoothly. The risk evaluation and the business impact analysis (BIA) have produced valuable information and senior management has signed off on your recovery time and return point objectives. Now you must establish how your organization will meet these objectives. These ten tips will hone your skills at devising business continuity strategies for your organization.

Tip #1 Build strategies based upon the needs outlined in the BIA, not on a specific disaster
Building a continuity strategy based upon a specific scenario is often cited as a reason for the failure of planning. The all-risk plan focuses on the possible effects of a disaster and uses the BIA data. Evaluate possible strategies that will meet minimum service levels, return point and return time objectives and rescue or restore critical resources. Ensure that the loss of people, technology, information and the workplace is taken into consideration when developing the strategy. If there is an existing business continuity strategy, conduct a ‘gap analysis’ to measure current performance against the required performance as outlined in the BIA.

Tip #2 Examine alternate strategies that could meet the BIA requirements
Prepare to make recommendations by reviewing the various types of recovery alternatives. Begin by examining the following traditional recovery methods:
 - Alternative site or business facility
 - Cold, Warm or Hot Sites
 - Drop Ship/Quick ship agreements
 - Manual Procedures
 - Mitigation
 - Mobile Trailer
 - Reciprocal agreements
 - Work from Home
This list is not exhaustive and your search should not be limited by it. Review internal assets for use in the recovery. Search out external business resources using tactics such as Requests for Information (RFI), queries and professional organization reviews. Validate your understanding with other business continuity professionals. Discuss business continuity strategies with vendors that provide critical goods and services to your business. How do they plan to service you? Can you leverage their continuity strategies?

Tip #3 Ensure that you develop a comprehensive strategy for protecting vital records
Any business continuity strategy must include both electronic and paper vital records. These should have been defined by your organization during the BIA. Compile a list of all vital records within the scope of this plan. Understand your regulatory, statutory or business record retention requirements. Key issues to address are confidentiality, integrity, availability, currency of data and resumption speed. Ensure that senior management accepts the program for vital records retention. Develop system and data backup strategies that will meet the Return Point Objective from the BIA requirements for each critical system identified.

Tip #4 Compare the cost ranges, as well as the relative merits, of implementing each strategy
Eliminate any methods that will not meet your BIA requirements. Decide on your top priorities (up-front investment, annual fees, costs during event, time to implement, reliability, etc.) and rate each strategy accordingly. Understand current and future operational initiatives that could be linked to business continuity. Leverage new initiatives wherever possible. Be prepared to explain where and why any initiatives do not align with your business continuity strategy.

Tip #5 Present concise and specific recommendations to senior management
Recommendations must include:
 - a gap analysis (where are we now)
 - clear consequences for meeting continuity expectations (where will we be)
 - a basic project plan for implementing the recommended strategy (how to get there)
 - a risk assessment for your recommended strategy
 - budget estimates
 - resource requirements
 - an estimate of the implementation time
When making your presentation to senior management, be prepared to offer some real alternatives to your recommendations. Ensure the agreed options are approved by the executive management.

Tip #6 Develop a Request for Proposal (RFP) where warranted
Preparing an RFP for large procurements is often required in organizations. When preparing your business continuity strategies, it is essential. Clearly specify your objectives. Develop an RFP which includes:
 - Redundancy capabilities
 - Alternate staff
 - Work-arounds
 - Surge capacities (i.e. cross training of critical resources, stockpiling of critical supplies)
 - Minimum hardware requirements
 - Networking requirements (from alternate locations to home site)
 - Plan exercise options
Your request must include a confidentiality clause, a priority clause and a guarantee of delivery clause.

Tip #7 Be exhaustive in checking out vendors of business continuity services
Understand any risks associated with your vendors. Begin your research by reviewing the press releases usually readily available on their websites. Explore the financial stability, management team, focus, and technology claims of prospective vendors. Check references and try to determine whether they have experience providing these services during an actual emergency. Avoid the gimmicks! Select a service provider you can trust by eliminating those who use questionable sales tactics.

Tip #8 Seek approvals for funding
Senior management should not see any surprises at this stage. If your research was sound, quotes should come in within your estimates.

Tip #9 Ensure contracts are tightly-worded
Ensure contracts have clearly defined technical specifications and service requirements and are supplemented by a service level agreement. Understand your vendor’s business continuity plans and risk of being impacted by the same event.

Tip #10 Determine who will manage the implementation
A separate project manager may be needed for each of the large initiatives. The business continuity professional may or may not be involved in the implementation. Where the business units are leading, regular progress reports need to be made to the business continuity team. The business continuity professional is then free to move on to the next stage in the BCM process. A review to ensure that the appropriate continuity options have been selected for each activity should be carried out at least every 12 months. However, re-examine the BCM Strategy when a BIA revision identifies significant changes in business priorities or processes including:
 - key technology, telecommunications, accommodation, staffing, service suppliers
 - new products or services
 - regulatory or legislative requirements
or after an acquisition or merger.

Choose the business continuity strategy that is right for your organization at this time. As BCM continues, exercising may show that new strategies are needed to bring your organization's resiliency in line with the BIA expectations. Remember that you will never develop the perfect strategy on the first try. Following these tips should help you to improve your techniques for devising business continuity strategies for your organization.

10 Ways to Improve Emergency Response and Operations

After business continuity strategies have been developed, it is time for the professional to take a look at how the organization is prepared to deal with the emergency itself. While the continuity of operations is key to the continued financial well-being of your organization, emergency preparedness saves lives and therefore can be the most rewarding aspect of your career.

Two priorities dominate the emergency preparedness and response area: protecting your people and property, and establishing command and control. Emergency teams led by an incident response commander will immediately begin protecting people and property at the affected site while the command and control team moves to the Emergency Operations Centre (EOC).

Tip #1 Gain a broad understanding of potential in-house emergency resources
Perform a gap assessment. Create an emergency resource register that lists what resources your organization has that could be used during an emergency. Each section of the register would consider one aspect of dealing with an emergency situation at that location. List the resources that might be useful in the event of a fire, flood or other emergency. Determine what should be surplus to your response requirements and could be useful to others. Find out what you are missing but might need in an emergency and how it should be obtained. Use the register to train all members of the emergency response team.

Tip #2 Promote widespread first-aid training
Most organizations have minimum requirements for first aid training under Health and Safety legislation. Provide basic first aid training to any employee who is willing to participate and provide annual refresher courses. Advertise this benefit to new employees as part of the orientation package. All emergency response team members must have first aid and CPR training.

Tip #3 Create office “go” bags
Create a grab bag and place it at the main entrance to the building or at the reception desk and ensure the bag is taken out of the building as part of the standard evacuation procedure. The grab bag should contain, as a minimum, a copy of the response plan preferably laminated. You should also consider including essential contact details, any directions to recovery sites and other emergency reference material, recovery plans and supplies to suit your needs. Also include a current copy of the emergency resource register.

Tip #4 Plan for shelter-in-place scenarios
Often the evacuation scenario blinds us to the idea that our staff could be trapped inside our facilities. Create plans for securing the building, turning off heating, ventilation and air conditioning (HVAC) systems and dealing with inevitable communication issues.

Tip #5 Develop the ability to assess damage quickly
To identify the damage, designate a Damage Assessment Team which could include contingency planners, security personnel, building engineers, branch managers, custodians, and representatives from critical function areas. Quarterly inspections of the facilities should be undertaken by the team members so that they become familiar with potential hazards and the current “pre-disaster” conditions. Photographic documentation during these inspections will help with damage assessment and with insurance claims. Be sure that the damage assessment team is involved in the business continuity exercises.

Create damage survey forms for use during assessments. Damage survey forms should include both a situation damage assessment (a description of what has happened) and a needs assessment (a statement of what needs to be done). Forms can be used to report the information to the EOC as it is needed. For example, a Flash Report would be submitted very quickly to briefly describe the event, the steps being taken to cope with it, and to give a first indication of what relief may be needed.

The Initial Report would follow the Flash Report as soon as possible (within a matter of hours). Its purpose is to inform the EOC of the severity of the disaster and to provide the information needed to start mobilizing resources. The report should therefore briefly summarize: the severity of the disaster (without necessarily providing precise figures); actions being taken at the site; on-site available resources; the immediate priorities for relief, where it is required and in approximately what quantities; a suggestion of the best logistical means of delivering that relief; and a forecast of possible future developments, including new risks. A reporting schedule should be set up, as the situation, needs and priorities will change over time.

Tip #6 Define the services provided by the EOC
Services provided by the EOC should be based on its mission and continuity requirements. During the planning phase, determine which services are offered only during emergencies and whether services will be performed by the EOC on an ongoing basis. Plan for a worst case scenario with damage to your workplace, data, people and technology. Determine how many people will need to be accommodated and for what length of time. Document methods of changing the scale of the response.

Tip #7 Perform a risk analysis on the EOC location
The EOC location should be far enough away from your main facilities to ensure that it is not affected by the same event. It should be close enough that a rapid response can occur. Investigate transportation and housing issues. Determine how long the set-up will take and who will be responsible for it. Vendors that supply emergency operations centres should be able to have basic set-up completed by the time your people arrive. Vendor facilities usually have multiple customers who may need the facilities at the same moment. On a first-come basis, you may find your intended site occupied. Designate an alternate EOC that overcomes limitations of your initial EOC. For example, the alternate EOC may be further away, in the opposite direction or larger.

Tip #8 Determine which conditions require full activation of the EOC
Activation of the EOC can be very expensive. Determine what level of emergency constitutes a disaster for your organization. Authority to declare a disaster must be understood prior to the event and a chain of command must be established. Determine if other special conditions could require activation of the EOC. For example, you may want to activate the crisis communications centre for specific types of events.

Tip #9 Restrict and monitor access to the EOC
Use coloured vests to clearly identify members of each team in the EOC. Security personnel should be put in place to restrict access to the EOC to those who are actively working the emergency. Identification cards may be needed if the response team is large. The media should never be given access to the EOC. Press conferences should be done elsewhere.

Tip #10 Support the families of key employees and members of the response team
Employees will need to secure their family before any thought can be given to supporting the organization. Offer emergency preparedness home kits to key employees and BC response teams. Emergency preparedness home kits are not expensive and can help your employees be available when needed during a disaster. You may save time by purchasing kits produced by the Red Cross or another reliable organization.

Plan to offer relief services to the families of key employees and response teams. They may need temporary shelter, babysitting services or simply a place to wash-up. Helping them deal with their home responsibilities will allow them to concentrate on restoring the business. It will also create goodwill and strengthen employee loyalty.

Emergency preparedness and response is an attempt to bring some order and control into the chaos following a disaster. As you exercise your plans you may gain some insight into how your response teams will perform. Confidence comes with preparation, training and exercise. Following these ten tips will help protect your people and property and strengthen your ability to re-establish command and control.

10 Ways to Improve Business Continuity Plans

It is time to sit down, put pen to paper and write your business continuity plans. They should be straightforward: easy to read, easy to reference and easy to use. These ten tips will help you to compose a practical plan that you will be proud to publish.

Tip #1 Prepare an outline
Preparing a framework will help you to organize the procedures and to identify major steps and potential redundancies.

Tip #2 Keep your plans concise and divided into meaningful sets
Keep your plans brief but assume the plan will be implemented by personnel unfamiliar with the function. It is easy to get carried away when writing business continuity documentation. Core information can get lost. Staff should not be confused as to when to apply Disaster Code A, B or C. These codes should be clearly defined in the document or not be there at all. The essence of a business continuity plan is to explain which tasks should be undertaken, when and by whom. Don't write a novel when a punch list will do. Divide the plan into meaningful sets. Avoid including background analysis and history with actual procedures. Contained in the first set should be general information such as the business continuity planning policy, risk evaluation and business impact analysis. The second set should contain your response plans and include all instructions on the function of the emergency operations centre. The third set should lay out your recovery activities, how you will deliver service to your clients and how you will meet your recovery time objectives. Use lots of appendixes to break down the information. This will help with distribution during an event as well as maintenance of the plans.

Tip #3 Sequence information logically
Work through each section of your plan to ensure it is in sequence and that there is a flow to the data. Too many plans have information in no logical sequence. Keep all the pertinent background information together at the back. Begin with activation and response followed by long term recovery. Present the information in a logical progression.

Tip #4 Write for your audience
Understand the audience for each set. Design a response plan for people who may be panicked, rushed or distracted. Deliver a strong clear message. The recovery plans can contain more complexity as the audience has more time to digest the information. The set of general information will be read by management, by future business continuity planners and sometimes by members of the various teams during their training period, but rarely during a crisis. Here you can explain and justify the instructions contained in the other two sets. Language in the response and recovery plans must be clear. Try to follow this writing advice:
* Avoid gender nouns and pronouns
* Use descriptive verbs
* Avoid jargon
* Avoid passive voice sentences
* Use the present tense
* Use the imperative mood
* Keep paragraphs simple and begin each with a clear topic sentence
* Use both sides of the page

Sentences should contain a single idea or instruction. All terms must be applied consistently throughout the document. Editing of the plan should be done by a technical writer or someone in your organization that has very strong writing skills.

Tip #5 Use position titles rather than personal names of individuals
Reduce plan maintenance by not including perishable information. Plans should never contain actual names or phone numbers. Include them and your plan becomes obsolete as soon as someone moves or leaves the organization. Use job titles in the plan. Highly variable data should be contained in the appendixes.

Tip #6 Use product and process flows, graphics, illustrations, charts and checklists
If the sequence of events in the business continuity plan can be displayed graphically, it will help to illustrate when different parts of the plan are executed and when resources are needed. Use product and process flows, graphics, and illustrations as needed to identify the sequence of activities in the plan implementation. Validate product and process flows with the management team to ensure they are accurate and consistent with the business activities being recovered.

Tip #7 Define any terms not commonly known in a glossary appendix
The glossary should include any terms defined within the plan, all business continuity terms and any function specific terms. If in doubt, define it in the glossary.

Tip #8 Review and confirm plans with the functional managers and obtain senior management approval
The functional representatives on the business continuity planning team should be the first to review the document. They should bring it to their functional managers to ensure that the plans are accurate and should obtain a sign-off. Present the document to senior management only after the functional management has approved it.

Tip #9 Identify plan and all plan contents as “Confidential” and protect them
Clearly mark each page of the plan as “Confidential”. Government departments should apply appropriate security classifications to each section of the plan. This document is now one of your vital records and should be treated as such. On and off site paper copies need to be held in a locked container. Digital copies need to be held in a secure environment.

Tip #10 Automatically back up plans and make them accessible
Plans must be secure but also available during a disaster. Remember to place a laminated copy in your go bag and at the emergency operations centre. Keep track of all copies to ensure that they are updated and that old versions are secured or destroyed.

Researching and analysing the data can take months and involve many people. The task of writing the plan must fall on a small number of people or even a single person. This article has provided valuable tips on creating a document that will be useful when a disaster impacts your organization. Your plans should be easy to read, easy to reference and easy to use. You can be pleased with your accomplishment.

10 Ways to Improve Awareness and Training

Now your organization has a thoroughly researched, well written business continuity plan sleeping on a shelf somewhere. Time to get the word out! All employees need to be aware of their role in the plan. The various team members need to be given some training before they can start to exercise the plan.

Tip #1 Give them something physical
Wallet cards are a great way to give employees a physical item that continuously reminds them of key business continuity information. Typically wallet cards contain information such as key numbers and tools to use in the case of emergency. Most employees will keep wallet cards with them throughout the day, enabling them to participate effectively in crisis communications and initial response activities. Other great ideas include magnets, desk mats or even emergency bags with key supplies. Offer emergency preparedness home kits to key employees and BC response teams. Emergency preparedness home kits are not expensive and can help remind your team members of their business continuity responsibilities. You may save time by purchasing kits produced by the Red Cross or another reliable organization.

Tip #2 Get the word out online
Business Continuity should have a website linked to your employees’ homepage that provides ongoing information on business continuity activities as well as phone numbers and instructions for what to do during an emergency. Provide regular e-newsletters offering a summary of business continuity activities (including testing results) and reminders on how to respond effectively. Make recent and back issues of these available on the website. A business continuity blog could be an option, but only if you are disciplined enough to maintain it. Blogs must be updated regularly to keep people’s attention. In addition to the requisite informational website, new tools allow online training to be developed once and delivered to thousands of employees on demand. This training can be built with your content, your pictures, and your logo, meeting your specific training objectives. These tools can also provide the ability to develop an awareness “quiz” as a method of measuring awareness or compliance. Common tools used for this type of development include Adobe Presenter (formerly Breeze), Captivate and Articulate.

Tip #3 Present “lunch and learn” live or web-based seminars
The business continuity planning team can provide “lunch and learn” live or web-based seminars on key topics. On-demand, web-based training modules are also a great way to provide training on a detailed process to a large group of people. Many organizations have a training department that can help with the development of these training modules or you can have a third party develop them for you. Occasionally, set up an information booth at the entrance to your facilities, at corporate retreats or in the cafeteria. Here you can:
* Re-distribute or update wallet cards or other physical materials
* Ask interested employees to complete short business continuity quizzes and award a small emergency preparedness prize for the most accurate responses
* Advertise upcoming training and exercises

This is also a great time to speak with employees about their concerns with the program.

Tip #4 Involve business continuity teams in drills and inspections
Fire drill evacuations are a great time to provide regular employees with additional information on disaster preparedness, emergency response and business continuity. Take advantage of their free time as they mill about the parking lot. It will provide you with an audience already thinking about emergency response and business continuity. Take fire drills one step further for your emergency response teams and exercise the plan. Instead of a table top exercise try a trunk top exercise or have a team travel to your Emergency Operations Center and perform a set-up. Damage inspection teams should be present for any inspections.

Tip #5 Take key people on visits to the Emergency Operations Center and recovery sites
Taking key people on visits to the recovery sites will familiarise them with the location, the working environment and the facilities available there. Challenge them to choose a different route or a different time of day for each visit or exercise. This will make route change requirements simpler during an actual emergency. It will also expose time relative traffic issues. All members of the EOC team should be taken on a tour of your Emergency Operations Center including the executive and the crisis communications team. The EOC director and back-up should also be given the opportunity to tour the operations center of another organization and speak with experienced EOC directors.

Tip #6 Provide business partners with a manual that summarizes performance expectations during a disruptive event
To train business partners, provide them with a manual or procedures that summarize performance expectations during a disruptive event. Involve them during exercises to reinforce lines of communication. Also ensure that business continuity expectations are included in negotiations and contracts during the beginning of the relationship with the third party.

Tip #7 Incorporate business continuity activities into other processes
Consider activities that embed business continuity into the organization’s processes. For example, incorporate business continuity activities into your vendor selection, change management, and human resources process.

Tip #8 Have business continuity expectations included in job descriptions of key positions
In the plan you have designated certain responsibilities to employees according to their job title. Have human resources add these responsibilities to the job description. This has several important benefits:
* Job postings will include this responsibility, giving an advantage to job seekers that are already trained for this role
* Performance reviews will include a review of business continuity responsibilities
* New employees taking over the role will seek out training if they are not prepared for the responsibility
* Business continuity will no longer be “in addition to my job” but a part of it

Make sure that you include updating these job descriptions as part of your maintenance program.

Tip #9 Get involved in new employee orientations
Orientations are a great time to provide employees with a general understanding of your business continuity program and to make them aware of ways that they can obtain further information. Wallet cards or other items should be part of their orientation package. If you are able to make a live presentation during the orientation, find out if any of the new employees has specific business continuity responsibilities. Be prepared to give these people specific training information including training times and expectations. A disaster could occur on their first day on the job! Book time with new executives to provide them with a briefing on the business continuity program, the plan and any required training. Make certain to offer a tour of the EOC.

Tip #10 Conduct an annual executive briefing and an annual report on the state of the program
The best method to keep executives up to date on program strategies is to include this information during executive or steering committee meetings so the same people that make decisions regarding risk management strategies are the ones that implement them during a disruptive event. This also gives board members or ministers the opportunity to question senior management on their responsibilities during an event. Be prepared with answers or training opportunities.

Training and testing are intertwined. After an exercise you may find an increase in demand for further training. Take advantage of any momentum and schedule training immediately following the exercise while the need is still clear in the minds of participants. If you are able to use these ten tips to promote awareness and training in your organization, your business continuity program will start to have real energy, your people will start to possess strong BC plan understanding, and your teams will be ready for a challenging exercise. Congratulations! Business continuity is now a serious endeavor in your organization.

10 Ways to Improve Exercise, Audit, and Maintenance

Your organization has now invested valuable time and money developing business continuity plans. As a professional business continuity planner, you know that the next steps - exercising, auditing and maintaining the business continuity plans - are all important to successful resilience in the event of a disaster. In this article, I will provide 10 tips to advance your business continuity plan exercise, audit and maintenance program.

Tip #1: Budget for Exercise, Audit and Maintenance
Make sure that you include money for these activities within the initial Business Continuity Management budget and document your request for an annual expense for these programs. Don’t spring surprises on upper management after the plans have been developed by asking for a new budget for these essential items. Before proceeding, validate the exercise, audit and maintenance program and schedule established during the program initiation stage.

EXERCISE

The true value of a business continuity plan will not be recognized by an organization until it is exercised. Each exercise can give participants a chance to see the plan in action and recognize its importance. It will also provide opportunities for training and plan enhancement which will increase the effectiveness of the plan in the event of a real disaster.

Tip #2: Develop a clear scope statement and a set of objectives for every exercise
If you are unable to communicate a clear exercise purpose, you cannot expect to obtain ever-elusive budget dollars, time commitment in key staff’s hectic schedules or agreement from upper management to proceed. A clear scope statement enables the exercise to be structured and organized so that the results can be measured and your plan fine-tuned. A typical scope statement will outline what will be included as well as what will be excluded from the exercise:

Scope of the exercise
* Date, time and duration
* Exercise type: tabletop
* The exercise players will be:_________________
* This exercise will be focused on actions found in Section aa.bb of the Business Continuity plan
* This exercise activity will be contained within the designated room

Out of Scope
* The response component found in Section xx.yy of the Business Continuity plan
* Multiple locations
* Real simulation
* Communications outside of the exercise room

Each exercise should have at least three but not more than six objectives. Objectives must be measurable after the exercise. A typical set of objectives might be:
* To provide an opportunity to practice business continuity or emergency response skills
* To validate specific parts of the business continuity plans (example)
* To validate assumptions within the plan document
* To determine if the recovery time objective is obtainable
* To identify areas for improvement in the plan, strategy, procedures and resources
* To validate established timings for activities outlined in the business continuity plans

Discuss and debate these objectives with those managers who have responsibility for business continuity activities and modify or extend them accordingly. Try to engage as wide an audience as possible in this debate as this will help to raise the level of awareness and support for the whole Business Continuity Management program. Make certain that the list of objectives is approved by the executive sponsor.

Tip #3: Establish a design team
Design team members should be drawn from each of the groups that will be represented in the exercise. The design team leader should be someone who is familiar with the plan, understands the participating organizations and can devote significant time to this project. The design team leader should not be a key operational member.

Tip #4: Start with a simple straightforward exercise
Effective exercising is about learning to ‘walk before you run’. It is important that the type and scale of exercise is in line with the organization’s Business Continuity Management maturity. Participants should come away with a positive feeling, believing that they have reached a challenging goal. Raise the bar over time as the skill set of the organization develops. Construct exercise scenarios using several different levels of complexity. Jim Burtles, FBCI, of Automata Global Business Continuity Services, identifies five distinct levels of exercise complexity:
* Level One - Single site; simple scenario involves a single location which is affected by one impact on its premises, infrastructure or systems.
* Level Two - Single site; complex scenario involves a single location which is affected by more than one impact on its premises, infrastructure or systems.
* Level Three - Multiple site; simple scenario involves multiple locations which are affected by the same single incident or its ramifications. More than one target team is likely to be involved at this level.
* Level Four - Multiple site; complex scenario involves multiple locations, which are affected by the same complex set of impacts or their ramifications. Several target teams are likely to be involved at this level.
* Level Five - Multiple site; multiple scenario involves a number of separate incidents occurring at a number of sites during the period of the exercise. These incidents may occur more or less simultaneously in different countries and in differing time zones. Many teams are likely to be involved in an exercise of this scale.

As your teams progress through each level, their confidence and their understanding of their role in the business continuity plan will grow.

Tip #5: Choose a scenario that is stimulating and vivid, yet credible
The scenario needs to explore the exercise objectives and to engage your people. Begin by reviewing your threat and risk assessment and choose a scenario that has a medium to high probability of occurring. If you choose an implausible event such as a meteor impact you will lose credibility and team discussions may centre on the unlikelihood of the event versus realizing the objectives of the exercise. Like any action-packed Hollywood blockbuster, an exciting scenario will draw the participants in. In order to create a challenging exercise for the crisis communication team, the story should be one that the media would pick up on. However, the scenario should not be overwhelming and should not contain obscure or technical implications which might confuse the team or open the way for you to lose control or credibility. It should set up a challenge which is likely to stretch the team’s capabilities. You might want to create your own database of possible scenarios. Research famous events or track unique current incidents. Take note of reported details and understand the effects on the organization, so that you can incorporate realistic details. Follow the story over several days and note how the organization responded. Finally, do not forget to use both your reason and imagination in developing the plot of the exercise.

Tip #6 Create Realism for the Participants
Realism can make a positive lasting impression on the participants increasing their knowledge retention as well as your credibility. Add authenticity by creating news broadcasts, radio weather warnings, or video footage. Be imaginative in injecting details through actual telephone calls or e-mails, or even an interactive web portal. Hold mock interviews with journalists, emergency services personnel, suppliers, customers or other interested parties. Realistic details will make things easier and more relevant to your teams.

Tip #7 Prepare well researched problem sets or injects
Create injects (a set of problems or complications) that the team may encounter as the scenario plays out. They can be used to create realism or to guarantee certain areas of the plan are tested. If the team seems well prepared to handle the initial complexity of the scenario, injects can create a more challenging exercise. They can also be used to bring the exercise back on track if it seems to be slipping. Have a few extra up your sleeve and use as necessary. There is no substitute for thorough research prior to the event. Reference material may be required wherever you introduce any aspect of a scenario that may be challenged. If the scenario includes responding to damage caused by a letter bomb, you must be prepared with an authoritative response to any number of questions, including how the bomb was prepared and delivered and the extent of the damage it would have caused. Without an appropriate response, you will lose the attention and support of participants. A good exercise script will also require thorough research on the language and terminology to be used in any given scenario. You may need to develop checklists, along with reference materials, to support the script. Checklists are a convenient way of collecting data in order to avoid relying on memory alone to cover each detail of the exercise.

Tip #8 Debrief the participants after a short break
At the conclusion of the exercise scenario, it is always good to allow the exercise participants a short break before proceeding with the exercise debrief. This allows for time needed to get minds and thoughts out of the exercise scenario and focused back in the ‘real’ world. The purpose of the exercise debrief is to seek feedback regarding:
* What was learned during initial incident response?
* What was learned during the operational relocation, restart and recovery?
* Feedback from observers:
  • What happened?
  • What went well?
  • What could we improve?
* What have you learned about exercising?
* What are the next steps?

Get this information while it is fresh in the minds of participants. You should also follow up the next day. People will have valuable things to add after a night’s sleep.

AUDIT

Tip #9 Arrange an Audit
An audit in the private sector can be powerful for obtaining senior management support for business continuity upkeep and improvement. Executives are familiar with the audit process and are likely to see the merit in the recommendations of an auditor. You can also successfully argue that an audit should be presented by the sponsor to the Board of Directors. Audits can also be high-profile in public sector organizations. Some have mandatory audits. Your department may post the results publicly, or details of any audit may be requested through Access to Information legislation. Certainly any audit could receive media scrutiny. It is vital that you prepare well in advance for the assessment, given its overall importance. Understanding what the auditors or reviewers are looking for will help the audit run smoothly. It will also help you to enrich the business continuity management program in your organization in the process. Ideally, the plan should be audited by an independent auditor to ensure objectivity. During the engagement process, you should review plan expectations with the auditor and determine what set of standards will be used. Together with the auditor, you should set audit objectives and scope, and assess and select the audit method. The audit process should examine the administrative aspects of the BCM process, the plan's structure, contents and actions sections, and the plan's documentation control procedures. An audit should be conducted at least annually.

MAINTENANCE PLAN

If a proper maintenance plan is not in place, your plans could become outdated quickly.

Tip #10 Arrange to review and update the plan just prior to audits and annual exercises
If the results of the exercise and audit are given the appropriate attention by the organization, those involved in the plan will be motivated to prepare for these events by updating business process information. If you schedule one minor exercise per business section, an annual major exercise and an annual audit, it translates into three major updates of the plan per year. Add in some method of determining turnover in key business continuity roles and your plan will continue to be relevant year after year. One simple suggestion is a monthly business continuity plan e-mail newsletter sent to everyone named in the plans. When an e-mail bounces back, you should follow up with your other contacts in the unit for a staffing update. When other colleagues find themselves in a new role, they will often contact you to redirect the newsletter. Also try to work with your organization’s Project Management Office and other change managers to play an advisory role in meeting the organization’s business continuity standards before new projects “go live”. The upfront time investment is much less when compared to working on plans and strategies after the project is operational.

Following these ten manageable tips will have a constructive impact on your business continuity plan exercise, audit and maintenance programs. Please speak with us for further information on any of these ideas.

“Mastering Exercise Development”, Jim Burtles, Automata Ltd, March 22, 2005, Continuity Central

Managing the Crisis from the EOC

Many organizations have more than one crisis management team. Just as governments have federal, state/provincial, and municipal response organizations, large corporations require a tiered response capability. One of the common errors seen when analyzing a crisis response (or conducting practical training for one) is a "muddling" of the roles and responsibilities between these various levels. Typically, the superior level crisis management organization takes charge of the activities that should clearly be a local responsibility, while neglecting the key strategic problems that need to be addressed.

This "characteristic" of crisis response within large organizations is also not handled well by many exercise designers. All too often, a corporate organization is defined and resources are allocated for a corporate level exercise which simulates physical damage at the corporate level headquarters requiring re-deployment of the corporate team to a backup facility. This is valuable training, of course; however, it does not present a crisis that requires a corporate level response - it is a facility level crisis that happens to be where the corporate HQ is located.

Consider the example of a corporate crisis management team in a large national company in the fast food services sector dealing with a natural gas explosion at one of its major distribution centres. The corporate role in this situation would be dealing with the corporate-wide implications of this loss: the ability to fill existing orders, support for injured employees and families, communications strategies to the public, etc. But instead, the team debates for thirty minutes (during the initial stage of the event, which is most crucial in terms of crisis response) on where specifically to station company security personnel around the perimeter of the casualty property! In most functional organizations, this would be a facility level problem - and solution.

This lack of separation between levels of command and control within organizations is a natural tendency for several reasons. Many within the corporate group will have come up through the ranks of the company from the facility level. So the problems at a facility (or single location) will be much more familiar to them. Under stress, it is common for responders to concentrate on what they know best. Instead of dealing with unfamiliar issues, there is a tendency to revert back to what they are most comfortable with; notwithstanding the stated roles and responsibilities at the superior level.

Secondly, the role at the superior level is inherently more difficult. At the scene of the disaster, the challenges can be dangerous (saving lives, evacuations, etc.) but they are usually specific and clear; normally executing emergency operating procedures (which should be pre-defined in most cases) and dealing with immediate problems. The strategic challenges at a superior level are more difficult to define. It will most often mean a longer look ahead and a responsibility to predict what the future effects will be and how to handle them.

In the immediate term, the superior team has to figure out how to provide appropriate support to the subordinate team but at the same time stay out of the way so the other level organizations can fulfill their responsibilities. In all but well trained and experienced teams, the tendency will be to unnecessarily get into the weeds and consequently cause an adverse effect on the organization's overall response effort. The superior level has to concentrate on seeing "the whole forest" and not let their view be obstructed by "individual trees."

The best way to ensure this does not become a damaging flaw in an organization's crisis response is: to define and publish clear and concise roles for each level of response, to train to this standard, and to rigidly enforce these standards during an exercise or a real event.

The superior level role will be one of support and leadership. In the support role, the superior team will normally be responsible for mobilizing whatever resource is required and getting it to the scene of the event, so that the subordinate crisis response team can do its job and directly respond. The superior team will also have authority to allocate resources required to deal with the event which exceed the expenditure limits of the local level. Most superior teams understand these types of responsibilities. Where they run into problems is in staying focused on the overall organizational issues that need to be addressed during crisis.

The Crisis Management Team Leader at each level must be aware of this phenomenon and keep his team focused on the problems that need to be sorted out by that particular level of command. In addition to observing the clear roles defined in the crisis management plan, the Team Leader should also compare the ongoing activity to that conducted by the normal line operation of the organization at that level.

Remember, a crisis management team is simply a group of key decision makers who are brought together to be served the best information available so they can develop good situational awareness and provide effective decision-making. The requirement is for rapid decision-making in situations that require immediate action and deployment of resources. But the level of decision-making should be much the same as in normal business operations. If it is not a corporate responsibility to check whether a facility shut off its ventilation system in the day-to-day organization, it should not be a corporate responsibility to order this in the event of a fire or hazmat spill - that would remain a local issue. The corporate issues would be more appropriately focused on public relations, measures to protect employees, etc. - policy issues that would be a corporate responsibility day-to-day. While not always a perfect fit, it is a good check to ensure the team's focus is at the appropriate level.

The other "trick" the Team Leader has at his or her disposal is ruthless control of the communication lines. In an ICS based organization, these lines are very clearly defined and senior personnel within the team cannot simply call whoever they wish at a lower level to demand information. A clear reporting structure must be implemented and the various types of communication and connections between levels must be followed. In doing so, it will be easier for the Team Leader to keep all Team Members focused on their responsibilities. The alternative, bypassing the reporting chain, adversely affects the information management system you are trying so hard to maintain and degrades the lower level's ability to manage because they are tied up making unnecessary reports to a senior level.

Roles and responsibilities at different levels of command and control within large crisis management organizations can get "muddled". While this is almost never from the bottom up, it is common for a superior level crisis management team to micro manage the lower level, thus neglecting its own roles and responsibilities. Proper training, a disciplined response and an alert Team Leader providing direct control should be enough to ensure that this "characteristic" does not become a crippling problem.

Lunch and Learn

Lunch & Learns are a convenient and low budget opportunity to get your message out.

 - Invite an industry author or expert to speak on your top four risks, one each day of the week. Then on Friday, run a mini tabletop exercise using one of these events as the incident.
 - Offer a 45-60 minute interactive presentation focusing on a specific topic of risk (pandemics, psychology of risk, etc.).
 - Present a general introduction to BCM. 
 - Create a pep rally for an upcoming business continuity exercise.
 - Conduct a briefing on your plans and last year's BCM successes.
 - Offer a session on creating a "Go bag" for home or office.

Employee surveys could be distributed prior to and following each session to gather information on emerging organizational trends and changes.

Games

One of the best ways to gain interest in business continuity is to make the learning fun. Host quizzes to enhance business continuity awareness across your organization. Hold a 'Valuable Documents' scavenger hunt. Plan an interdepartmental "race" to your back-up site. Host a "Before the Storm" tournament.