Read an Excerpt
CHAPTER 1
GETTING STARTED
Overview of the Project
Nothing is impossible for the man who doesn't have to do it himself.
— A. H. WEILER
INTRODUCTION
The job of a business executive requires coordination of the many activities necessary to create a successful business. Markets must be analyzed, potential customers identified, strategies for creating and delivering products and services must be developed, financial goals established and reported, legislative mandates followed, and many different stakeholders satisfied. To ensure that these objectives are met, businesses eventually develop a series of processes designed to produce the desired result. But the world is a dangerous place. Earthquakes, floods, tornadoes, pandemics, snowstorms, fire, and other natural disasters can strike at any time and interrupt these important processes. Terrorism, riots, arson, sabotage, and other human-created disasters can also damage your business. Accidents and equipment failures are guaranteed to happen. As an executive responsible for the well-being of your organization, it is critical that you have a plan in place to ensure that your business can continue its operations after such a disaster and to protect vital operations, facilities, and assets.
You do this just like you do any other important task; you analyze the situation and create a plan. A disaster recovery plan keeps you in business after a disaster by helping to minimize the damage and allowing your organization to recover as quickly as possible. While you can't prevent every disaster, you can with proper planning mitigate the damage and get back to work quickly and efficiently. The key is having a well-thought-out and up-to-date disaster recovery plan. This chapter will lead you through the creation and implementation of a project plan for creating an effective disaster recovery plan.
THE DISASTER RECOVERY PLAN PROJECT
Building a disaster recovery or business continuity plan is much like any other business project. A formal project management process is necessary to coordinate the various players and company disciplines required to successfully deliver the desired results of the project. This chapter will give you a high-level roadmap of what you should expect as you prepare to lead or manage a disaster recovery project. A sample project plan is included in the companion url accompanying this book. Adapt this chapter and the project plan to fit your business goals, company timeline, and scope of project.
Most projects tend to run in a well-defined sequence. For example, to build a new house, first you clear the land, then build the foundation, then build a floor, and so on. Many things cannot begin until the previous step is completed. A business continuity plan (BCP) project is a bit different. In the project's early stages, most actions logically follow each other. However, once the basic elements are in place, the project bursts out onto parallel tracks, as each department documents its own area. How you proceed in your company is, of course, determined by your corporate culture, the resources available to work with to complete the process, and the level of visible support from the project's sponsor. Most business continuity projects follow these steps:
1. An executive within the organization decides that a business continuity plan is needed. This might be due to an auditor's report or the result of a business disruption that was more financially painful than it would have been if a plan had been in place. Or it could be that an alert employee realized that a good plan did not exist and brought this to the executive's attention. This executive usually becomes the sponsor for the project.
2. The first (and most important) step that the sponsor takes is to select someone to lead the project. This person is most often called the Business Continuity Manager and is responsible for the successful completion of the project.
3. The project sponsor and the Business Continuity Manager meet to clearly define the scope of the project, the project timeline, and expectations. The Business Continuity Manager must be comfortable that the resources available are adequate to meet all the objectives of the project.
4. The Business Continuity Manager selects the team that will work together to complete the project. Both technical and political considerations are important in selecting a team that can successfully develop a workable business continuity plan.
5. The Business Continuity Manager together with the team now develops the project plan to be used in managing the project. Tasks are identified and assigned, task durations calculated, and activities are sequenced as the project plans are developed.
6. The project plans are executed. The Business Continuity Manager oversees the project as the plan unfolds, keeping everyone focused on completing their tasks and ensuring that milestones are met and that important stakeholders are kept informed as to the project's progress. It is here where the actual continuity plans for the organization are created.
7. Once the business continuity plans have been developed and tested, the Business Continuity Manager closes the project by making sure that everything was documented properly and handing the project results over to the individual(s) responsible for keeping the plan up to date. Each affected department will usually have someone responsible for keeping their portion of the plan current. A report is also generated for the sponsor recapping the project and documenting lessons learned.
A project plan organizes the team so members focus their skills on specific actions to get the job done. This respects their time and brings the project to a prompt, but successful, solution.
INITIATING THE PROJECT
Every project starts with a sponsor. A sponsor should be a person with enough organizational influence to give the project credibility, financing, and strategic direction. The sponsor should also possess the management clout to ensure the willing cooperation of other departments and to ensure that the project is adequately funded. Building a business continuity plan in many cases involves changing people's attitudes and some of their tried-and-true business processes. Business continuity planning is a logical step toward mistake-proofing a business. So, to suppress the reluctance to change or even participate in the project, it is important for the sponsor to be of sufficient stature as to overcome objections before they are raised.
Ideally, the sponsor is the company's CEO, or the Vice President in charge of the local facility. However, sometimes it is a department manager who realizes that something must be done. Whoever assumes this role must remain involved with the project throughout its lifetime. As the sponsor's interest fades, so will the interest of your team. Find out why they want to sponsor the project. It will tell you how much support to expect.
In some cases, the sponsor honestly believes the project is a good idea and is personally interested in seeing it is completed. In other cases, the sponsor may have been required to start this project due to an auditor's citation of a poor business practice. In this situation, the sponsor may only want the minimum recovery plan to satisfy the audit citation. Spend some time early in the project digging out what is motivating support for this project. By understanding what motivates the sponsor, you can gauge how much time and money will be available to you. It is also possible for you to educate the sponsor on the many advantages of having a well-written company-wide plan.
The sponsor's first task is the selection of the Business Continuity Manager, who will act as the project manager. In most companies, the cynics say that if you raised the issue, then the job is yours! This isn't a bad way to assign projects because only the people who believe in something would raise the issues. Still, the selection of the right Business Continuity Manager will help make this project a success and the wrong one will make success much more difficult to attain.
The sponsor has the additional duties of approving the plan's objectives, scope, and assumptions. The sponsor must also obtain approval for funding.
THE BUSINESS CONTINUITY MANAGER
The selection of the person to spearhead this project is the single most important part of building a plan. The Business Continuity Manager should be someone who can gain the willing cooperation of team members and their supervisors. To help ensure the support of everyone in the organization, the Business Continuity Manager should be publicly assigned to this task with the sponsor's unqualified support. This is essential to overcome internal politics and to let everyone know that their assistance is important and required. As the project moves forward, regular public displays of support are required if the project is to result in a complete and usable plan. Form 1-1 (see companion url) is an example of a letter appointing the Business Continuity Manager.
Some sponsors begin a business continuity project by hiring an outside consultant to build the plan. This can be a good way to get the project started and to mentor someone in the organization to assume the Business Continuity Manager position. More effort and expertise is needed to organize and develop the plan than to administer it. As the plan is built, the consultant teaches the Business Continuity Manager the ropes.
Understand that even though the consultant is guiding the project, the consultant should not assume the role of Business Continuity Manager. Every company, every facility, every computer site is unique. The actions necessary to promptly restore service are the result of the key people at each site writing down what to do and how to do it. Outside consultants can provide considerable insight into the basic services (electrical, telephone, water, data processing), but lack in-depth experience at your company. They don't know your business processes. They don't understand the pulse of your business and what its key elements are.
Building a solid plan will take a lot of time. An experienced consultant working with an internal Business Continuity Manager can help move the project along quicker. The Business Continuity Manager is also the logical candidate to become the plan's ongoing administrator once the initial project is completed. This person will be responsible for keeping the plan relevant and current. Writing a plan and then filing it away is a waste of money. Whoever builds the plan will be intimately familiar with it. That person can easily continue responsibility for maintaining it and teaching others how to keep their portion of the plan current. Using an outside consultant as a Business Continuity Manager raises the possibility that no one has internal ownership to ensure it is updated and tested periodically. The plan must be kept up to date if it is to be useful when it is needed most.
As the plan administrator, the Business Continuity Manager will ensure that as new equipment enters the building, as new products are rolled out, and as new business processes are implemented, they are reflected in the business continuity plan. The Business Continuity Manager also schedules and evaluates the ongoing testing of the plan by department, or by a specific threat, such as the loss of electrical power, to ensure it works. Once the plan is written, the Business Continuity Manager's role will evolve into ensuring the plan is an integral part of the company's ongoing operations. No new company process or piece of equipment should begin operation until the mitigation and recovery plans have been tested and approved.
SCOPE OF THE PROJECT
One of the first tasks the Business Continuity Manager must perform is to come to an agreement with the project sponsor as to the scope of the project. The scope of the project defines its boundaries. It identifies what is included in the project and what is not. If the project is too vast, it will probably fail. If it is too small, then it would be best assigned to a single person like any other office detail. The scope of the project must be given a lot of thought. If in doubt, start with a narrow focus on a specific department or function to demonstrate the plan's value and build up from there. One guideline commonly used is any event that would cost (in lost wages, sales, etc.) more than 5 percent of your quarterly revenues merits its own plan. So, if a temporary outage of a critical machine stops the entire factory, then it needs a plan. If the same machine stoppage means that three extra workers must drill holes with hand tools until the machine is repaired, then it probably does not need a plan.
If your recovery plans will encompass many sites or a large complex, then start with a pilot project for a single building, a business function, or even for your Data Processing department. This will build your team's expertise and confidence, resulting in a very useful document, and demonstrate real value to top management. The scope of the project will drive the resource requirements for the project in terms of how many people it will involve, how long it will take, and the budget required to complete it.
The project scope must be a written statement. Here are three examples with gradually narrowing requirements. As you read these scope statements, imagine what sort of implied tasks these statements carry (or as they say, "The devil is in the details!"). Follow up on the scope statement by clarifying the timelines, criteria for success, and overall expectations for this project. Otherwise, you would be digging up information and writing forever.
EXAMPLE #1
If you were in a factory's Data Processing department, your scope statement might be:
Develop, implement, and provide ongoing testing for a business continuity plan for the factory's automated systems to include the computer rooms, the internal and external telephone system, the shop floor control systems, and data connections to both internal and external sites. This plan will provide specific action steps to be taken up to and including emergency replacement of the entire computer and telecommunications rooms.
Note that this statement does not include the factory machines (drill presses, mills, conveyors, etc.) or the front offices. It is focused on the telephone system and the internal data processing functions.
EXAMPLE #2
If you were the Director for Building Security, your scope might be:
Write an emergency contingency plan to address the possibility of fire, personal injury, toxic material spill, and structural collapse. Include escalation procedures, emergency telephone numbers, employee education, and specific emergency actions. Make recommendations concerning potential mitigation actions to take before a disaster strikes. Ensure the plan conforms to all legal, regulatory, and insurance requirements.
The project scope described in this statement does not include flood controls or security actions. Although some security tasks may be implied, very little is called for.
EXAMPLE #3
An even narrower approach might be:
Document all the payroll procedures and recovery processes to ensure that paychecks are always on time and that the automated vacation balance tracking system is available even during an electrical outage.
Note that this scope statement does not include time clocks, exception reporting, or interfaces with your accounting system.
Most people do not have any idea of what a disaster plan would look like. They imagine some large book just sitting on the shelf. In this situation, you could demonstrate the usefulness of the plan by building it a piece at a time. You might build the part that covers the core utilities for a facility (electricity, gas, telecommunications, water, and heating and air conditioning). As you review with the sponsor how these essential services will be recovered after a disaster, the sponsor will begin to see the usefulness of your work. If your company has multiple sites, it might work better for you to build the plan one site at a time.
(Continues…)
Excerpted from "The Disaster Recovery Handbook"
by .
Copyright © 2018 Michael Wallace and Lawrence Webber.
Excerpted by permission of AMACOM.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.
