Site Crisis Management Plan (For Company XX)

Crisis Management Team Leader ( )
Business Continuity Coordinator ( )

In the event of a business disruption go to: Site Crisis Management Plan Flow: Management Response Phase Sub-phase 1 – Initial Response & Notification (page YY)

Table of Contents
ABBREVIATIONS
DEFINITIONS
ABOUT THIS PLAN TEMPLATE
    Business Continuity Plan Documents & Crisis Response Phase
INTRODUCTION
CRISIS MANAGEMENT POLICY
    Purpose
    Scope
    Executive Sponsor
    Document Manager
    Review and Compliance
    Rules Regulations
    Staff Responsible
    Violations
SITE CRISIS MANAGEMENT PLAN
    Purpose
    Objectives
    Assumptions
    Scope
BUSINESS CONTINUITY PLAN DOCUMENTS & CRISIS RESPONSE PHASE
    Business Continuity Plan Documents
BUSINESS CONTINUITY PLAN HIGH-LEVEL PROCESS FLOW
RECOVERY TIME REQUIREMENTS
CRISIS MANAGEMENT TEAM STRUCTURE
    CRISIS MANAGEMENT TEAM AND RESPONSIBILITIES
    IT AREA RECOVERY TEAMS AND RESPONSIBILITIES
    BUSINESS UNIT TEAMS AND RESPONSIBILITIES
CRISIS MANAGEMENT TEAM CONTACT INFORMATION
MANAGEMENT RESPONSE PHASE SUB-PHASES
SITE CRISIS MANAGEMENT PLAN FLOW
    MANAGEMENT RESPONSE PHASE SUB-PHASE 1 – INITIAL RESPONSE & NOTIFICATION
        Sub-phase 1 - Business Continuity Coordinator Tasks
        Sub-phase 1 - Crisis Management Team Leader Tasks
        Sub-phase 1 - Crisis Management Team Member Tasks
        Sub-phase 1 - CMT Assistant Tasks
        Sub-phase 1 - Damage Assessment Team (DAT) Tasks
    MANAGEMENT RESPONSE PHASE SUB-PHASE 2 – PROBLEM ASSESSMENT & ESCALATION
        Sub-phase 2 - Business Continuity Coordinator Tasks
        Sub-phase 2 – Crisis Management Team Leader Tasks
        Sub-phase 2 - Crisis Management Team Member Tasks
        Sub-phase 2 - Damage Assessment Team Leader (DAT) Tasks
        Sub-phase 2 - Human Resource Director Tasks
        Sub-phase 2 - CMT Assistant Tasks
    MANAGEMENT RESPONSE PHASE SUB-PHASE 3 – DISASTER DECLARATION
        Sub-phase 3 - Crisis Management Team Member Tasks
        Sub-phase 3 - Business Continuity Coordinator Tasks
        Sub-phase 3 - Human Resource Director Tasks
    MANAGEMENT RESPONSE PHASE SUB-PHASE 4 – BUSINESS AREA RESPONSE PHASE
        Sub-phase 4 - Business Continuity Coordinator Tasks
        Sub-phase 4 - Crisis Management Team Member Tasks
        Sub-phase 4 - Business Area Recovery Team Leader Tasks
        Sub-phase 4 - Recovery Team Tasks
APPENDICES
    SCMP 1 – Damage Assessment Report Form
    SCMP 2 – [Company XX] Disaster Declaration Statement Example
    SCMP 3 – [Company XX] Disaster Severity and Recovery Levels
    SCMP 4 – News Media Procedure
    SCMP 5 – Summary of Risk Assessment Information
    SCMP 6 – Summary of Business Impact Analysis Information
    SCMP 7 – Summary of Business Continuity Strategy Information

©Sentryx 2007 All rights reserved


Abbreviations
BCP      Business continuity plan
CMC      Crisis management center
CMT      Crisis management team
ERP      Emergency response plan
ERT      Emergency response team
ERTL     Emergency response team leader
ERTDM    Emergency response team deputy manager
SCMP     Site crisis management plan


Definitions
Executive Sponsor: Senior management member who approves and provides full support for the development and implementation of the organization’s business continuity program.

Document Manager: Person who approves and authorizes the BCP document including document revisions.


About This Plan Template
This site crisis management plan (SCMP) template is one template in a series of templates designed to provide comprehensive, practical, and structured guidance to those responsible for developing a crisis management plan and other related business continuity plan documents. This template contains a recommended structure, outline, and contents for a typical crisis management plan document. Where possible, instructions for completing specific sections are provided and sample text is given as a suggestion of the type of information required. The template contents may be customized and tailored to suit your organization’s specific BCP requirements. It is recommended that a Document Manager be assigned the responsibility of overseeing updates and revisions to this document. Please refer to the section “Version Change Control” for more information on how to manage and distribute changes to this document.

Business Continuity Plan Documents & Crisis Response Phase
For the purpose of this template, the crisis response phase has been defined as the overall phase during which a crisis situation or disaster occurs. During the crisis response phase, several sub-phases occur, namely, an emergency response phase, management response phase, and a business area response phase. During each phase, one of several business continuity plan documents is used. The diagram below depicts the crisis response sub-phases and plan documents associated with each sub-phase:


This business continuity plan template follows a phased approach as a response to a disaster or disruptive event. The [Company XX] business continuity plan consists of several plan documents as follows:
1. Business continuity plan (referenced)
2. Emergency response plan (referenced)
3. Site crisis management plan (this plan)
4. Business area recovery plan(s) (referenced)


Introduction
This Site Crisis Management Plan (SCMP) is intended to be used by the Crisis Management Team (CMT) to oversee and direct recovery operations for [Company XX] in the event of an emergency or disaster situation. This document is one of several documents that serve as a repository for information, activities, and tasks necessary for a timely and effective response. Not all SCMPs are alike. The following sections describe the structure and contents of a typical SCMP that may be customized to suit your own organization’s requirements.


Crisis Management Policy
Purpose
[Company XX] is committed to safeguarding the interests of shareholders, clients, customers, and vendors in the event of an emergency or business disruption. [Company XX] has therefore established a comprehensive organization-wide business continuity program to protect staff, safeguard corporate assets and environment, and to ensure continuous availability of its products and services. To support the business continuity program, [Company XX] recognizes the need for an effective business continuity capability and provides this corporate crisis management policy as part of the overall organization business continuity program policy.

Scope
This crisis management policy applies to all members of [Company XX] crisis management team. [Company XX] crisis management team shall define, approve, and implement a crisis management plan which includes essential activities, procedures, and tasks necessary to ensure critical operations and services are resumed after a business disruption.

Executive Sponsor
[Company XX] assigns a senior management member to be the “Executive Sponsor” who approves, sponsors, and provides full support for the development and implementation of the organization-wide business continuity program and its constituent parts including this policy, crisis management plan, and other associated business continuity plan documents. The executive sponsor approves the budget and resources required, and delegates authority to the crisis management team and team leader to manage, coordinate, and oversee the crisis management plan design, development, implementation, maintenance, and assessment.

Document Manager
[Company XX] shall appoint a Document Manager to approve and authorize the BCP document and changes including document revisions.

Review and Compliance
The corporate business continuity program policy has established an annual review and assessment for this policy and for the business continuity plan.

Rules Regulations
[Company XX – enter rules and regulations that are specific to your organization here]

Staff Responsible
[Company XX] business continuity and recovery teams have the responsibility to know this policy and understand and adhere to the standards and procedures established in this policy.

It is the responsibility of all staff to be aware of their department’s and/or business unit’s business continuity plan and its associated documents.

Violations
Any employee and/or contractor or service provider found to have violated this policy may be subject to legal actions such as termination.


Site Crisis Management Plan
Purpose
The purpose of the business continuity plan is to:
1. Recover essential or critical business operations in a fast and efficient manner
2. Provide a mechanism for management to direct recovery efforts

Objectives
The primary objective of the site crisis management plan is to recover critical elements of [Company XX] operations such as:
1. work area/office services;
2. information technology services; and
3. manufacturing and production services.

Additional objectives are to:
1. ensure that staff are aware of alternate arrangements
2. ensure that recovery teams have sufficient resources

Assumptions
This plan has been developed with the following assumptions:
• [Company XX] has conducted a business impact analysis to determine the exposure and impact that may result due to a disruptive event.
• A summary of the critical functions and processes, maximum tolerable downtimes, recovery time and point objectives, workaround procedures, and critical IT systems, resources, and services have been determined and are listed in this plan.
• [Company XX] has conducted a risk assessment and has implemented risk controls to reduce or eliminate potential risks to its operations.
• [Company XX] has selected and implemented suitable recovery options in the event that a disaster occurs.
• The business continuity plan has been tested and approved.
• The recovery teams will comprise a sufficient number of staff to ensure a satisfactory turnout in the event of a business disruption.


Scope
The scope of this SCMP is the [Company XX] facility/site located at [Company XX facility].


Business Continuity Plan Documents & Crisis Response Phase
For the purpose of this template, the crisis response phase has been defined as the overall phase during which a crisis situation or disaster occurs. During the crisis response phase, several sub-phases occur, namely, a disaster response phase, management response phase, and a business area response phase. During each phase, one of several business continuity plan documents is used. The diagram below depicts the crisis response sub-phases and plan documents associated with each sub-phase:

Each crisis response sub-phase is described below:

1. Emergency Response Phase
This phase is the first phase in managing a crisis. It comprises the initial few hours after an actual disaster, or after the threat of a disaster is first identified. The business continuity plan is the primary document used during this phase. In this phase, business continuity plan procedures, tasks, and forms are used; the business continuity coordinator and other members of the crisis management team are alerted; and evacuation occurs and/or the disruption is contained.

2. Management Response Phase
In this phase, the crisis management team manages and coordinates all site recovery activities. This phase begins after the initial response is received by the crisis management team. The crisis management plan is the main document used during this phase.

3. Business Area Response Phase
In this phase, business area teams recover and resume business operations. Depending on how large your organization is, you may opt to develop business area recovery plans and business unit recovery plans or just business unit recovery plans. Business area recovery plans may be used to invoke business unit plans. Note that this breakdown allows for a more modular structure of activities and is especially useful if your organization is large and has many business departments and units.

Business Continuity Plan Documents
Below is a list of plan documents and an explanation of each:
• Site Emergency Response Plan (ERP)
  o The ERP is used to respond to a disaster or disruption. The primary plan objectives are to:
    ▪ Protect life
    ▪ Provide shelter
    ▪ Evacuate premises
    ▪ Mitigate threat and control extent of damage
• Site Crisis Management Plan
  o This plan. The SCMP is used to manage and coordinate all site recovery activities including activities such as:
    ▪ Supervising recovery effort
    ▪ Declaring a disaster
    ▪ Invoking other plans
    ▪ Monitoring recovery, resumption, and normalization activities
• Business Area/Department/Unit Recovery Plan
  o Plan used to manage and recover business operations within each business area/department/unit.


Business Continuity Plan High-level Process Flow
During BCP execution, the Crisis Management Center will be opened and CMT team members will gather to review the damage assessment report, and to determine if a disaster is to be declared. The following diagram illustrates the relationship between the various plan documents:

The business continuity plan follows a sequence of activities specified in the following documents:
1. Emergency Response Plan: Refer to [Company XX] Emergency Response Plan
2. Site Crisis Management Plan: This plan.
3. Business Area Recovery Plan(s): Refer to [Company XX] Business Area Recovery Plan(s).


Recovery Time Requirements
[Company XX] business unit/department, business functions, and maximum tolerable downtimes.

Business Unit/Department:

Business Function | Maximum Tolerable Downtime

See Appendices for additional Business Impact Analysis information.


Crisis Management Team Structure
A sample CMT structure is provided below. This diagram also shows the IT Area Recovery Teams, Business Unit Teams, and Implementation & Logistics Team.

Crisis Management Team and Responsibilities
The crisis management team (CMT) consists of a number of [Company XX] executives and team leaders that manage the overall recovery process. The members of the CMT must be able to act quickly during a crisis situation. If a disaster occurs, the CMT will likely be called out at an early stage to manage the recovery process. Examples of CMT responsibilities include:
• Manage and control the execution of the emergency response plan, site crisis management plan, business area recovery plans, and business unit plans.
• Approve the activation of the site crisis management plan and business area recovery plan
• Declare a disaster based on the findings of the damage assessment report
• Provide updates on all company issues to external public and media
• Provide updates and review progress with Board of Directors
• Call insurance providers and key suppliers/vendors
• Contact families

Monitoring disaster. For example to:
• Ensure evacuation has occurred
• If there is potential for injury, put emergency response team on standby
• Assess effect of damage on working conditions

IT Area Recovery Teams and Responsibilities
The IT Area Recovery Teams consist of a number of different teams, each focused on the recovery of a specific technical area. Examples of these teams include:
• Operating Systems Platform Team,
• Networking and Telecommunications Team,
• Database Systems Team,
• Applications Team,
• Systems Backup Team,
• Security Control Team, and
• Integration and Testing Team

Examples of IT Area Recovery Teams responsibilities include:
• Recover, restore, and test systems and operating systems on workstations and servers
• Recover and restore LAN and WAN
• Restore from backup tapes
• Install critical applications and data
• Test restored systems, network connectivity, and integrity of data.

Business Unit Teams and Responsibilities
A business unit team represents a single business unit or operation for [Company XX]. Its membership consists of key users of critical systems and resources. The role of these teams is to assess the current needs of the unit, and assist the IT Area Recovery Teams to recover lost data and resources, re-enter manually recorded data, and to validate successful recovery.


Crisis Management Team Contact Information
Crisis Management Team Company Executive Executive Administrative Assistant CFO Administrative Assistant CIO Function/Role/ Alternates CMT Assistant 1 Work # Home # Cell # Email

CMT Assistant 2

Crisis Management Team Leader (CMTL) Crisis Management Team Leader – Alternate (CMTL) CMT Member

Finance Director

Risk Assessment Manager Business Continuity Coordinator CFO

Business Continuity Coordinator Business Continuity Coordinator – Alternate CMT Member

Facility Security Manager IT Director

CMT Member (Head of IT Area Teams) Human Resource Director Company Health and Safety Coordinator IT Manager CMT Member

CMT Member (ERP Team Leader) CMT Member (Damage Assessment Team Leader) CMT Member (Notification Team Leader)

Facility Security Manager Secretary


Management Response Phase Sub-phases
During a disaster situation, [Company XX]’s top priority is the health and safety of its employees and staff. Therefore, the emergency response plan was executed in the Emergency Response Phase, the first phase of a crisis. This plan, the site crisis management plan (SCMP), is executed in the second phase, Management Response Phase. Note that this plan may be executed in parallel to the Emergency Response Plan. Tasks for Sub-phase 4 are also outlined in the SCMP.

The Management Response Phase follows several sub-phases:

• Management Response Sub-phase 1 – Initial Response & Notification
  In this sub-phase:
  o The BCC is alerted
  o The CMT Leader is alerted
  o The damage assessment team is mobilized
  o A damage assessment report is prepared
  o The CMT proceeds to CMC

• Management Response Sub-phase 2 – Problem Assessment & Escalation
  In this sub-phase:
  o The CMT reviews the damage assessment report
  o The CMT meets with DAT and physical security manager
  o CMT monitors the disaster situation or
  o CMT escalates and proceeds to the next phase to declare a disaster

• Management Response Sub-phase 3 – Disaster Declaration Phase
  In this sub-phase:
  o CMT prepares the disaster declaration statement
  o CMT Leaders assume other tasks such as advising news and media
  o Recovery team leaders are notified
  o Business area/unit recovery plans are activated

• Management Response Sub-phase 4 – Business Area Response Phase
  CMT oversees recovery efforts, performs recording functions, and provides assistance where necessary.
  In this sub-phase (Plan Implementation & Logistics activities):
  o Recovery team leaders mobilize respective teams
  o Equipment is ordered
  o Recovery teams travel to recovery site
  o Recovery teams prepare for recovery and resume critical services
  In this sub-phase (Business Area Plan and Business Unit Plan execution activities):
  o Execute Business Area Plan/Business Unit Plans such as the IT Area Recovery Plan, Manufacturing Area Recovery Plan, etc.


Site Crisis Management Plan Flow
The following sections provide example tasks for the Management Response Phase and Business Area Recovery Phase. Additional tasks may be added as required.

Management Response Phase Sub-phase 1 – Initial Response & Notification
This is the first sub-phase of the Management Response Phase. In this phase the business continuity coordinator and the crisis management team leader are alerted, and the crisis management team and damage assessment team are notified. The CMT proceeds to the CMC and assumes their assigned tasks. Note, at the start of this phase, one or more of the following may have occurred:
• An emergency incident or disaster has occurred OR there is a threat of disaster
• The Emergency Response Team (ERT) has escalated the incident to CMT/BC Coordinator. The Incident Assessment Report (generated during the Incident Assessment and Escalation Phase of the Emergency Response Phase) has been provided.
• The Damage Assessment Team has been mobilized and is preparing a damage assessment report
• The Crisis Management Center may or may not be opened.

Sub-phase 1 - Business Continuity Coordinator Tasks
• Receive a call from Emergency Response Team regarding [Company XX] disaster situation. Note the following:
  o Name, Phone Number
  o Obtain brief description of problem
  o Have Public Authorities been contacted?
  o Receive Incident Assessment Report (Emergency Response Plan execution)
• Alert DAT Leader and ensure the DAT is mobilized (if not already mobilized) and that they are aware of the situation.
• Alert CMT Leader and assess situation, at a high-level.
• Proceed to the CMC.
• Resume activities in sub-phase 2 “Problem Assessment & Escalation”

Sub-phase 1 - Crisis Management Team Leader Tasks
• Receive a call from Business Continuity Coordinator OR Emergency Response Team regarding [Company XX] disaster situation. Note the following:
  o Name, Phone Number
  o Obtain brief description of problem
  o Have Public Authorities been contacted?
  o Receive Incident Assessment Report (Emergency Response Plan execution)
• Meet with BC Coordinator to assess situation, at a high-level.
• Call CMT Assistant to begin notification procedures (if not available, contact the backup CMT Assistant)
  o Provide brief description of situation
  o Inform CMT Assistant to activate CMT call tree
  o Inform CMT Assistant of location of Crisis Management Center where all CMT members should meet
• Advise corporate board and shareholders of event
• Proceed to the CMC.
• Resume activities in sub-phase 2 “Problem Assessment & Escalation”

Sub-phase 1 - Crisis Management Team Member Tasks
• Receive a call from CMT Assistant regarding [Company XX] disaster situation. Note the following:
  o Address of where to meet the rest of the CMT
  o Obtain brief description of problem
• Proceed to the CMT
• Resume activities in sub-phase 2 “Problem Assessment & Escalation”

Sub-phase 1 - CMT Assistant Tasks
• Activate CMT contact list (call tree)
• Advise CMT member of situation status
• Advise CMT member of location and time to meet at CMC
• Begin log of events. Record the following:
  o Problems encountered
  o Expenses
  o Additional events/incidents
• Resume activities in sub-phase 2 “Problem Assessment & Escalation”

Sub-phase 1 - Damage Assessment Team (DAT) Tasks
• Prepare damage assessment report (use Damage Assessment Report Form). Note this activity may have already commenced.
  If the event is one of the following conditions, the damage assessment team may opt to report this immediately. In this case immediately proceed to the next sub-phase – disaster declaration and declare a disaster:
  o If the disaster impact is expected to last longer than [number of hours] (as predetermined by Company XX Executive)
  o If there is loss of power and heating or loss of computing services.
  o If there is severe damage to the company facilities such as structural damage, or collapsed roof, making it inaccessible.
  o If there is external activity which prevents access to the facility, such as criminal activity involving police, or if there is an extended evacuation of building caused by gas leak.
  Consider the following when preparing the damage assessment report:
  o Determine disaster level
  o Estimate financial loss
  o Determine source of damage such as fire, flood, earthquake
  o Determine extent and magnitude of damage such as
    ▪ Building structures
    ▪ Business units
    ▪ Types and number of IT systems, infrastructure, etc.
    ▪ Number of critical processes disrupted
  o Assess physical condition of the original site
  o Establish safety status of the original facility
  o Determine presence of hazardous contaminants
  o Assess risk of further damage
  o Estimate length of recovery
• Resume activities in sub-phase 2 “Problem Assessment & Escalation”


Management Response Phase Sub-phase 2 – Problem Assessment & Escalation
This is the second sub-phase of the Management Response Phase. In this phase the damage assessment report is reviewed to determine the extent of the problem, and a decision is made to either declare a disaster and escalate to the next sub-phase or to continue to monitor the situation using tasks in the emergency response plan. Activities in this phase are typically conducted at the CMC.

Sub-phase 2 - Business Continuity Coordinator Tasks
• Ensure that the CMC is accessible
• Meet with CMT members
• Follow CMT Member tasks
• Resume activities in sub-phase 3 “Disaster Declaration”

Sub-phase 2 – Crisis Management Team Leader Tasks
• Meet with corporate board and shareholders, if required
• Meet with CMT members
• Follow CMT Member tasks
• Resume activities in sub-phase 3 “Disaster Declaration”

Sub-phase 2 - Crisis Management Team Member Tasks
• Meet with CMT members
• Receive the damage assessment report for the extent and impact of the damage
• Review disaster severity levels and disaster recovery levels
• Review conditions that warrant declaration: Example: if the event is one of the following conditions, the CMT may declare a disaster immediately:
   o If the disaster impact is expected to last longer than [number of hours] (as predetermined by Company XX Executive)
   o If there is loss of power and heating services or loss of computing services.
   o If there is severe damage to the company facilities such as structural damage, or collapsed roof, making it inaccessible.
   o If there is external activity which prevents access to the facility, such as criminal activity involving police, or if there is an extended evacuation of building caused by gas leak.
• Meet with Facility Security Manager and DAT Leader to discuss alternatives
• Determine if there is impact to critical processes
   o If yes, proceed to the next sub-phase (Sub-phase 3 - DISASTER DECLARATION).
   o If no, continue to monitor situation and use (EMERGENCY RESPONSE PLAN).

Sub-phase 2 - Damage Assessment Team Leader (DAT) Tasks
• Meet with CMT to discuss damage assessment report and alternatives.

Sub-phase 2 - Human Resource Director Tasks
• Prepare statement for the news and media, if required
   o Refer to the News Media Procedure
• Recommend and approve staff related concerns and issues
• Procure any replacement staff, if required
• Ensure headcount procedures have been conducted


Sub-phase 2 - CMT Assistant Tasks
• Ensure all CMT members have business continuity plan documents
• Ask CMT Leader for any assistance
• Continue event logging.
• Resume activities in sub-phase 3 “Disaster Declaration”


Management Response Phase Sub-phase 3 – Disaster Declaration
This is the third sub-phase of the Management Response Phase. In this phase, a decision to declare a disaster is made based on the review of the damage assessment report. A suitable recovery strategy is selected, a disaster declaration statement is prepared, and appropriate teams are notified.

Sub-phase 3 - Crisis Management Team Member Tasks
• Review the disaster severity and disaster recovery levels in Appendix SCMP 3 – Disaster Severity and Recovery Levels.
• Prepare DISASTER DECLARATION STATEMENT by:
   o Reviewing extent of damage to premises
   o Reviewing effect of damage on staff working conditions
   o Reviewing impact to critical processes
   o Reviewing estimated time to repair
   o Selecting a Disaster Severity Level (see Appendix “SCMP 3 – Disaster Severity and Recovery Levels”)
   o Selecting a Disaster Recovery Level (see Appendix “SCMP 3 – Disaster Severity and Recovery Levels”)
   o Selecting appropriate recovery strategy
• Initiate recovery process by notifying recovery teams via Business Continuity Coordinator
• Resume activities in sub-phase 4 “Business Area Response Phase”

Sub-phase 3 - Business Continuity Coordinator Tasks
• Notify recovery team leaders, such as the IT Recovery Area Team Leader, Call Center Recovery Area Team Leader, Manufacturing Area Recovery Team Leader, etc.
• Notify off-site storage facility
• Notify alternate recovery site to prepare for the arrival of recovery teams

Sub-phase 3 - Human Resource Director Tasks
• Notify remaining staff of current status


Management Response Phase Sub-phase 4 – Business Area Response Phase
This is the fourth sub-phase of the Management Response Phase. In this phase, the recovery environment is prepared and appropriate resources are mobilized; and business area/units are recovered and resumed.

Sub-phase 4 - Business Continuity Coordinator Tasks
• Receive recovery status information from recovery team leaders
• Monitor recovery progress and provide updates to CMT

Sub-phase 4 - Crisis Management Team Member Tasks
• Receive recovery status information
• Monitor recovery progress and provide updates to CMT
• Assist with recovery efforts where possible.

Sub-phase 4 - Business Area Recovery Team Leader Tasks
• Activate their area of plan
• Order and ship supplies
• Supervise recovery of business departments
• Verify successful recovery

Sub-phase 4 - Recovery Team Tasks
• Recover and resume operations as per procedures and tasks in business area/unit plans.
   o Commence IT Area Recovery Plan (IT Disaster Recovery Plan)
   o Commence Business Area Recovery Plans


Appendices
SCMP 1 – Damage Assessment Report Form
Damage Assessment Report

Assessment conducted by (name, phone number):
Name and Location of damaged facility/room/area:
Name of Business Unit/Department using damaged area:
Source of damage (fire, flood, earthquake):
Detailed type and extent of damage (building structures, business units, types and number of IT systems, infrastructure, etc):
Physical condition of building (safety status):
Presence of hazardous contaminants:
Risk of further damage:
Estimate of loss:
Impact to critical business processes:
Estimate of time to repair (e.g. hours, days, weeks):
Recommendations/notes:


SCMP 2 – [Company XX] Disaster Declaration Statement Example
[Current time and date]

Commencing on [current time and date], [Company XX] sustained severe losses to its facilities located at [Company XX location] due to [Description of Disaster]. The following conditions exist due to this disaster situation:

[Disaster Recovery Level: Level 1 Recovery at Primary Site _____ ; OR Level 2 Recovery at Alternate Site _____ ] (refer to SCMP 3 – Disaster Severity and Recovery Levels)

[Severity Level of Disaster (minor, intermediate, or major): ________________] (refer to SCMP 3 – Disaster Severity and Recovery Levels)

[Description of Disaster Severity and Recovery Levels, if required.]

[Company XX] has switched to its recovery organization and is currently in the process of recovering essential business operations. [What plans are currently active?]

[Company XX] [Crisis Management Team Leader] has the authority to issue this disaster declaration statement.

Signed this _________ of ______________ 20______

____________________________________


SCMP 3 – [Company XX] Disaster Severity and Recovery Levels
There are 3 disaster severity levels: minor, intermediate, and major (described below). These levels provide an indication of the extent of impact to critical business processes.

In addition, there are 2 disaster recovery levels: Code YELLOW: disaster recovery level 1 – recovery at primary site, and Code RED: disaster recovery level 2 – recovery at alternate site (described below). These levels provide an indication as to the location of recovery efforts, either at the primary site or alternate site, respectively. For the alternate site, this may be an alternate work area, alternate IT recovery area, or an alternate manufacturing and production area.

A minor level disaster is typically recovered at the primary site using minimal recovery staff. An intermediate level disaster may or may not be recovered at the primary site and may require some recovery teams and/or alternate site recovery support staff. A major level disaster is recovered at the alternate site and requires all CMT, recovery teams, and alternate site support staff.

Since recovery at an alternate recovery site can be costly, the CMT must determine whether to involve alternate recovery facilities and support staff. The decision to recover at the primary or alternate site depends on the following:
• Whether the disruption is expected to last more than a pre-determined length of time (e.g. 12 hours)
• Whether the disruption impact is minor, intermediate, or major disaster severity level

Disaster Recovery Levels

Code YELLOW: Disaster Recovery Level 1 – Recovery at Primary Site
This level may be declared if the disaster severity level is determined to be minor or intermediate and the disruption is estimated to be less than [pre-determined number of hours e.g. 12-24] hours. The recovery of business processes, IT systems and applications may take place at the primary site. The recovery team, alternate site facility and personnel, and off-site vendor should be placed on alert for a possible escalation to level 2.

Code RED: Disaster Declaration Level 2 – Recovery at Alternate Site
This level may be declared if the disaster severity level is determined to be intermediate or major and the disruption is estimated to be greater than [pre-determined number of hours e.g. 24] hours. The recovery of business processes, IT systems and applications are to take place at the alternate site(s). The recovery team, alternate site facility and personnel, and off-site vendor are to begin recovery procedures.


Disaster Severity Levels

Minor Disaster Severity
A disaster of this severity level occurs more frequently in normal day-to-day operations, compared to the intermediate or major disaster. The severity level is considered minor because the effects are often isolated to a small subset of critical business processes. The cause of the disruption is often the failure of a single component, system, or service. Example causes are failure of manufacturing equipment parts, system disks, and voice and network hardware.

Intermediate Disaster Severity Level
An intermediate level disaster occurs less frequently but with greater impact compared to minor level disaster. This kind of event disrupts normal operations of some but not all critical business units. The operational disruptions result from major failures of multiple systems and equipment. Example causes are water leakage into computer room, structural damage, etc.

Major Disaster Severity Level
The possibility of this type of disaster occurring is small, but the extent of the impact is significant compared to the minor or intermediate level disasters. The event disrupts operations of most or all of the critical business processes. The operational disruptions are the result of inaccessibility or failure of most or all of the systems and equipment. Example causes are destruction of or inability to access company facilities due to fires, earthquakes, storms, or sabotage.


SCMP 4 – News Media Procedure
The [Company XX - Human Resource Director] is responsible for communicating all press reports.

During an incident, staff shall:
• Direct all press to the Human Resource Director
• Not make any statements to the press without approval
• Not give out confidential information such as name of casualty victims
• Not speculate on the status of the incident

Steps to remember about news media:
• Provide a discrete statement of current situation
• Provide time and date of next announcement


SCMP 5 – Summary of Risk Assessment Information
Include summary information from the organization risk assessment in this section. For example, include:
• A list of threats and risks
• A list of critical assets exposed to the threats
• A list of implemented risk controls and residual risks


SCMP 6 – Summary of Business Impact Analysis Information
Include summary information such as critical processes, recovery time objectives, recovery point objectives, recovery resources, etc. from your organization’s business impact analysis. For example, include:
• Maximum Tolerable Downtime (MTD)
• Critical IT systems and applications
• Critical non-IT resources
• Recovery Time Objectives (RTOs), Recovery Point Objectives (RPOs), Work Recovery Times (WRTs) of critical applications and resources


SCMP 7 – Summary of Business Continuity Strategy Information
Include options for recovering disrupted data, records, applications, systems, equipment, and facilities.


SCMP 8 – Version Change Control
Version control is required in order to maintain integrity and cohesion of this document. The Document Manager should be the only person to approve and authorize changes and distribute revised versions. To reduce the risk that an old version is used, the Document Manager should collect all copies of old versions before distributing new ones. This document shall not be photocopied. Additional copies should be obtained from the Document Manager.

Version Number | Issue Date | Reason for Change | Authorized by
