For the purpose of this template, the crisis response phase has been defined as the overall phase
during which a crisis situation or disaster occurs. During the crisis response phase, several sub-
phases occur, namely, an emergency response phase, management response phase, and a business
area response phase.
During each phase, one of several business continuity plan documents is utilized. The diagram
below depicts the crisis response sub-phases and plan documents associated with each sub-phase:
Not all SCMPs are alike. The following sections describe the structure and contents of a typical
SCMP that may be customized to suit your own organization’s requirements.
Scope
This crisis management policy applies to all members of [Company XX] crisis management
team. [Company XX] crisis management team shall define, approve, and implement a crisis
management plan which includes essential activities, procedures, and tasks necessary to ensure
critical operations and services are resumed after a business disruption.
Executive Sponsor
[Company XX] assigns a senior management member to be the “Executive Sponsor” who
approves, sponsors, and provides full support for the development and implementation of the
organization-wide business continuity program and its constituent parts including this policy,
crisis management plan, and other associated business continuity plan documents. The executive
sponsor approves the budget and resources required, and delegates authority to the crisis
management team and team leader to manage, coordinate, and oversee the crisis management
plan design, development, implementation, maintenance, and assessment.
Document Manager
[Company XX] shall appoint a Document Manager to approve and authorize the BCP document
and changes including document revisions.
Rules and Regulations
[Company XX – enter rules and regulations that are specific to your organization here]
Staff Responsible
[Company XX] business continuity and recovery teams have the responsibility to know this
policy and understand and adhere to the standards and procedures established in this policy.
Violations
Any employee and/or contractor or service provider found to have violated this policy may be
subject to legal actions such as termination.
Objectives
The primary objective of the site crisis management plan is to recover critical elements of
[Company XX] operations such as:
Assumptions
This plan has been developed with the following assumptions:
• [Company XX] has conducted a business impact analysis to determine the exposure and
impact that may result due to a disruptive event.
• [Company XX] has conducted a risk assessment and has implemented risk controls to
reduce or eliminate potential risks to its operations.
• [Company XX] has selected and implemented suitable recovery options in the event that
a disaster occurs.
In this phase, business continuity plan procedures, tasks, and forms are used; the business
continuity coordinator and other members of the crisis management team are alerted; and
evacuation occurs and/or the disruption is contained.
During BCP execution, the Crisis Management Center will be opened and CMT team members
will gather to review the damage assessment report, and to determine if a disaster is to be
declared. The following diagram illustrates the relationship between the various plan documents:
The business continuity plan follows a sequence of activities specified in the following
documents:
This plan.
Business Unit/Department:
Business Function | Maximum Tolerable Downtime
• Manage and control the execution of the emergency response plan, site crisis
management plan, business area recovery plans, and business unit plans.
• Approve the activation of the site crisis management plan and business area recovery
plan
• Declare a disaster based on the findings of the damage assessment report
• Provide updates on all company issues to external public and media
• Provide updates and review progress with Board of Directors
• Call insurance providers and key suppliers/vendors
• Contact families
Company Executive | Function/Role/Alternates | Work # | Home # | Cell # | Email
CIO | Crisis Management Team Leader (CMTL) | | | |
Finance Director | Crisis Management Team Leader – Alternate (CMTL) | | | |
Business Continuity Coordinator | Business Continuity Coordinator | | | |
CFO | Business Continuity Coordinator – Alternate | | | |
In this sub-phase:
o The BCC is alerted
o The CMT Leader is alerted
o The damage assessment team is mobilized
o A damage assessment report is prepared
o The CMT proceeds to CMC
In this sub-phase:
o The CMT reviews the damage assessment report
o The CMT meets with DAT and physical security manager
o CMT monitors the disaster situation or
o CMT escalates and proceeds to the next phase to declare a disaster
In this sub-phase:
o CMT prepares the disaster declaration statement
o CMT Leaders assume other tasks such as advising news and media
o Recovery team leaders are notified
o Business area/unit recovery plans are activated
CMT oversees recovery efforts, performs recording functions, and provides assistance
where necessary.
In this sub-phase (Business Area Plan and Business Unit Plan execution activities):
o Execute Business Area Plan/Business Unit Plans such as the IT Area Recovery
Plan, Manufacturing Area Recovery Plan, etc.
Note, at the start of this phase, one or more of the following may have occurred:
• An emergency incident or disaster has occurred OR there is a threat of disaster
• The Emergency Response Team (ERT) has escalated the incident to CMT/BC
Coordinator. The Incident Assessment Report (generated during the Incident
Assessment and Escalation Phase of the Emergency Response Phase) has been provided.
• The Damage Assessment Team has been mobilized and is preparing a damage assessment
report
• Alert DAT Leader and ensure the DAT is mobilized (if not already mobilized) and that
they are aware of the situation.
• Call CMT Assistant to begin notification procedures (if not available, contact the backup
CMT Assistant)
o Provide brief description of situation
o Inform CMT Assistant to activate CMT call tree
o Inform CMT Assistant of location of Crisis Management Center where all CMT
members should meet
• Receive a call from CMT Assistant regarding [Company XX] disaster situation
If the event is one of the following conditions, the damage assessment team may opt to
report this immediately. In this case immediately proceed to the next sub-phase –
disaster declaration and declare a disaster:
o If the disaster impact is expected to last longer than [number of hours] (as
pre-determined by Company XX Executive)
o If there is external activity which prevents access to the facility, such as criminal
activity involving police, or if there is an extended evacuation of the building caused
by a gas leak.
• Receive the damage assessment report for the extent and impact of the damage
Example: if the event is one of the following conditions, the CMT may declare a disaster
o If the disaster impact is expected to last longer than [number of hours] (as
pre-determined by Company XX Executive)
o If there is external activity which prevents access to the facility, such as criminal
activity involving police, or if there is an extended evacuation of the building caused
by a gas leak.
• Meet with Facility Security Manager and DAT Leader to discuss alternatives
• Notify recovery team leaders, such as the IT Recovery Area Team Leader, Call Center
Recovery Area Team Leader, Manufacturing Area Recovery Team Leader, etc.
• Notify alternate recovery site to prepare for the arrival of recovery teams
• Recover and resume operations as per procedures and tasks in business area/unit plans.
o Commence IT Area Recovery Plan (IT Disaster Recovery Plan)
o Commence Business Area Recovery Plans
Detailed type and extent of damage (building structures, business units, types and number
of IT systems, infrastructure, etc.):
Estimate of loss:
Recommendations/notes:
Commencing on [current time and date], [Company XX] sustained severe losses to its facilities
located at [Company XX location] due to [Description of Disaster].
[Disaster Recovery Level: Level 1 Recovery at Primary Site _____ ; OR Level 2 Recovery at
Alternate Site _____ ] (refer to SCMP 3 – Disaster Severity and Recovery Levels)
[Company XX] has switched to its recovery organization and is currently in the process of
recovering essential business operations.
[Company XX] [Crisis Management Team Leader] has the authority to issue this disaster
declaration statement.
____________________________________
In addition, there are 2 disaster recovery levels: Code YELLOW: disaster recovery level 1 –
recovery at primary site, and Code RED: disaster recovery level 2 – recovery at alternate site
(described below). These levels provide an indication as to the location of recovery efforts,
either at the primary site or alternate site, respectively. For the alternate site, this may be an
alternate work area, alternate IT recovery area, or an alternate manufacturing and production
area.
A minor level disaster is typically recovered at the primary site using minimal recovery staff. An
intermediate level disaster may or may not be recovered at the primary site and may require
some recovery teams and/or alternate site recovery support staff. A major level disaster is
recovered at the alternate site and requires all CMT, recovery teams, and alternate site support
staff.
Since recovery at an alternate recovery site can be costly, the CMT must determine whether to
involve alternate recovery facilities and support staff. The decision to recover at the primary or
alternate site depends on the following:
• Whether the disruption is expected to last more than a pre-determined length of time (e.g.
12 hours)
• Whether the disruption impact is minor, intermediate, or major disaster severity level
This level may be declared if the disaster severity level is determined to be minor or intermediate
and the disruption is estimated to be less than [pre-determined number of hours e.g. 12-24]
hours. The recovery of business processes, IT systems and applications may take place at the
primary site. The recovery team, alternate site facility and personnel, and off-site vendor should
be placed on alert for a possible escalation to level 2.
This level may be declared if the disaster severity level is determined to be intermediate or major
and the disruption is estimated to be greater than [pre-determined number of hours e.g. 24]
hours. The recovery of business processes, IT systems and applications is to take place at the
alternate site(s). The recovery team, alternate site facility and personnel, and off-site vendor are
to begin recovery procedures.
A disaster of this severity level occurs more frequently in normal day-to-day operations,
compared to the intermediate or major disaster. The severity level is considered minor because
the effects are often isolated to a small subset of critical business processes.
The cause of the disruption is often the failure of a single component, system, or service.
Example causes are failure of manufacturing equipment parts, system disks, and voice and
network hardware.
An intermediate level disaster occurs less frequently but with greater impact compared to a minor
level disaster. This kind of event disrupts normal operations of some but not all critical business
units. The operational disruptions result from major failures of multiple systems and equipment.
Example causes are water leakage into computer room, structural damage, etc.
The possibility of this type of disaster occurring is small, but the extent of the impact is
significant compared to the minor or intermediate level disasters. The event disrupts operations
of most or all of the critical business processes. The operational disruptions are the result of
inaccessibility or failure of most or all of the systems and equipment.
Example causes are destruction of or inability to access company facilities due to fires,
earthquakes, storms, or sabotage.
Version control is required in order to maintain integrity and cohesion of this document. The
Document Manager should be the only person to approve and authorize changes and distribute
revised versions.
To reduce the risk that an old version is used, the Document Manager should collect all copies of
old versions before distributing new ones. This document shall not be photocopied. Additional
copies should be obtained from the Document Manager.