2 - site crisis management plan template
Site Crisis Management Plan (For Company XX)
Crisis Management Team Leader ( )
Business Continuity Coordinator ( )
In the event of a business disruption go to:
Site Crisis Management Plan Flow:
Management Response Phase Sub-phase 1 – Initial Response & Notification (page YY)
Table of Contents
ABBREVIATIONS
DEFINITIONS
ABOUT THIS PLAN TEMPLATE
  Business Continuity Plan Documents & Crisis Response Phase
INTRODUCTION
CRISIS MANAGEMENT POLICY
  Purpose
  Scope
  Executive Sponsor
  Document Manager
  Review and Compliance
  Rules Regulations
  Staff Responsible
  Violations
SITE CRISIS MANAGEMENT PLAN
  Purpose
  Objectives
  Assumptions
  Scope
BUSINESS CONTINUITY PLAN DOCUMENTS & CRISIS RESPONSE PHASE
  Business Continuity Plan Documents
BUSINESS CONTINUITY PLAN HIGH-LEVEL PROCESS FLOW
RECOVERY TIME REQUIREMENTS
CRISIS MANAGEMENT TEAM STRUCTURE
  CRISIS MANAGEMENT TEAM AND RESPONSIBILITIES
  IT AREA RECOVERY TEAMS AND RESPONSIBILITIES
  BUSINESS UNIT TEAMS AND RESPONSIBILITIES
CRISIS MANAGEMENT TEAM CONTACT INFORMATION
MANAGEMENT RESPONSE PHASE SUB-PHASES
SITE CRISIS MANAGEMENT PLAN FLOW
  MANAGEMENT RESPONSE PHASE SUB-PHASE 1 – INITIAL RESPONSE & NOTIFICATION
    Sub-phase 1 - Business Continuity Coordinator Tasks
    Sub-phase 1 - Crisis Management Team Leader Tasks
    Sub-phase 1 - Crisis Management Team Member Tasks
    Sub-phase 1 - CMT Assistant Tasks
    Sub-phase 1 - Damage Assessment Team (DAT) Tasks
  MANAGEMENT RESPONSE PHASE SUB-PHASE 2 – PROBLEM ASSESSMENT & ESCALATION
    Sub-phase 2 - Business Continuity Coordinator Tasks
    Sub-phase 2 – Crisis Management Team Leader Tasks
    Sub-phase 2 - Crisis Management Team Member Tasks
    Sub-phase 2 - Damage Assessment Team Leader (DAT) Tasks
    Sub-phase 2 - Human Resource Director Tasks
    Sub-phase 2 - CMT Assistant Tasks
  MANAGEMENT RESPONSE PHASE SUB-PHASE 3 – DISASTER DECLARATION
    Sub-phase 3 - Crisis Management Team Member Tasks
©Sentryx 2007 All rights reserved 2
    Sub-phase 3 - Business Continuity Coordinator Tasks
    Sub-phase 3 - Human Resource Director Tasks
  MANAGEMENT RESPONSE PHASE SUB-PHASE 4 – BUSINESS AREA RESPONSE PHASE
    Sub-phase 4 - Business Continuity Coordinator Tasks
    Sub-phase 4 - Crisis Management Team Member Tasks
    Sub-phase 4 - Business Area Recovery Team Leader Tasks
    Sub-phase 4 - Recovery Team Tasks
APPENDICES
  SCMP 1 – Damage Assessment Report Form
  SCMP 2 – [Company XX] Disaster Declaration Statement Example
  SCMP 3 – [Company XX] Disaster Severity and Recovery Levels
  SCMP 4 – News Media Procedure
  SCMP 5 – Summary of Risk Assessment Information
  SCMP 6 – Summary of Business Impact Analysis Information
  SCMP 7 – Summary of Business Continuity Strategy Information
  SCMP 8 – Version Change Control
Abbreviations
BCP Business continuity plan
CMC Crisis management center
CMT Crisis management team
ERP Emergency response plan
ERT Emergency response team
ERTL Emergency response team leader
ERTDM Emergency response team deputy manager
SCMP Site crisis management plan
Definitions
Executive Sponsor
Senior management member who approves and provides full support for the development and implementation of the organization’s business continuity program
Document Manager
Person who approves and authorizes the BCP document including document revisions.
About This Plan Template
This site crisis management plan (SCMP) template is one template in a series of templates designed to provide comprehensive, practical, and structured guidance to those responsible for developing a crisis management plan and other related business continuity plan documents. This template contains a recommended structure, outline, and contents for a typical crisis management plan document. Where possible, instructions for completing specific sections are provided and sample text is given as a suggestion of the type of information required. The template contents may be customized and tailored to suit your organization’s specific BCP requirements.
It is recommended that a Document Manager be assigned the responsibility of overseeing updates and revisions to this document. Please refer to the section “Version Change Control” for more information on how to manage and distribute changes to this document.
Business Continuity Plan Documents & Crisis Response Phase
For the purpose of this template, the crisis response phase has been defined as the overall phase during which a crisis situation or disaster occurs. During the crisis response phase, several sub-phases occur, namely, an emergency response phase, management response phase, and a business area response phase.
During each phase, one of several business continuity plan documents is utilized. The diagram below depicts the crisis response sub-phases and plan documents associated with each sub-phase:
This business continuity plan template follows a phased approach as a response to a disaster or disruptive event. The [Company XX] business continuity plan consists of several plan documents as follows:
1. Business continuity plan (referenced)
2. Emergency response plan (referenced)
3. Site crisis management plan (this plan)
4. Business area recovery plan(s) (referenced)
Introduction
This Site Crisis Management Plan (SCMP) is intended to be used by the Crisis Management Team (CMT) to oversee and direct recovery operations for [Company XX] in the event of an emergency or disaster situation. This document is one of several documents that serve as a repository for information, activities, and tasks necessary for a timely and effective response.
Not all SCMPs are alike. The following sections describe the structure and contents of a typical SCMP that may be customized to suit your own organization’s requirements.
Crisis Management Policy
Purpose
[Company XX] is committed to safeguarding the interests of shareholders, clients, customers, and vendors in the event of an emergency or business disruption. [Company XX] has therefore established a comprehensive organization-wide business continuity program to protect staff, safeguard corporate assets and environment, and to ensure continuous availability of its products and services. To support the business continuity program, [Company XX] recognizes the need for an effective business continuity capability and provides this corporate crisis management policy as part of the overall organization business continuity program policy.
Scope
This crisis management policy applies to all members of the [Company XX] crisis management team. The [Company XX] crisis management team shall define, approve, and implement a crisis management plan which includes essential activities, procedures, and tasks necessary to ensure critical operations and services are resumed after a business disruption.
Executive Sponsor
[Company XX] assigns a senior management member to be the “Executive Sponsor” who approves, sponsors, and provides full support for the development and implementation of the organization-wide business continuity program and its constituent parts including this policy, crisis management plan, and other associated business continuity plan documents. The executive sponsor approves the budget and resources required, and delegates authority to the crisis management team and team leader to manage, coordinate, and oversee the crisis management plan design, development, implementation, maintenance, and assessment.
Document Manager
[Company XX] shall appoint a Document Manager to approve and authorize the BCP document and changes including document revisions.
Review and Compliance
The corporate business continuity program policy has established an annual review and assessment for this policy and for the business continuity plan.
Rules Regulations
[Company XX – enter rules and regulations that are specific to your organization here]
Staff Responsible
[Company XX] business continuity and recovery teams have the responsibility to know this policy and understand and adhere to the standards and procedures established in this policy.
It is the responsibility of all staff to be aware of their department’s and/or business unit’s business continuity plan and its associated documents.
Violations
Any employee and/or contractor or service provider found to have violated this policy may be subject to legal actions such as termination.
Site Crisis Management Plan
Purpose
The purpose of the business continuity plan is to:
1. Recover essential or critical business operations in a fast and efficient manner
2. Provide a mechanism for management to direct recovery efforts
Objectives
The primary objective of the site crisis management plan is to recover critical elements of [Company XX] operations such as:
1. work area/office services;
2. information technology services; and
3. manufacturing and production services.
Additional objectives are to:
1. ensure that staff are aware of alternate arrangements
2. ensure that recovery teams have sufficient resources
Assumptions
This plan has been developed with the following assumptions:
[Company XX] has conducted a business impact analysis to determine the exposure and impact that may result due to a disruptive event.
A summary of the critical functions and processes, maximum tolerable downtimes, recovery time and point objectives, workaround procedures, and critical IT systems, resources, and services have been determined and are listed in this plan.
[Company XX] has conducted a risk assessment and has implemented risk controls to reduce or eliminate potential risks to its operations.
[Company XX] has selected and implemented suitable recovery options in the event that a disaster occurs.
The business continuity plan has been tested and approved.
The recovery teams will comprise a sufficient number of staff to ensure a satisfactory turnout in the event of a business disruption.
Scope
The scope of this SCMP is the [Company XX] facility/site located at [Company XX facility].
Business Continuity Plan Documents & Crisis Response Phase
For the purpose of this template, the crisis response phase has been defined as the overall phase during which a crisis situation or disaster occurs. During the crisis response phase, several sub-phases occur, namely, a disaster response phase, management response phase, and a business area response phase.
During each phase, one of several business continuity plan documents is utilized. The diagram below depicts the crisis response sub-phases and plan documents associated with each sub-phase:
Each crisis response sub-phase is described below:
1. Emergency Response Phase
This phase is the first phase in managing a crisis. It comprises the initial few hours after an actual disaster, or after the threat of a disaster is first identified. The business continuity plan is the primary document used during this phase.
In this phase, business continuity plan procedures, tasks, and forms are used; the business continuity coordinator and other members of the crisis management team are alerted; and evacuation occurs and/or the disruption is contained.
2. Management Response Phase
In this phase, the crisis management team manages and coordinates all site recovery activities. This phase begins after the initial response is received by the crisis management team. The crisis management plan is the main document used during this phase.
3. Business Area Response Phase
In this phase, business area teams recover and resume business operations. Depending on how large your organization is, you may opt to develop business area recovery plans and business unit recovery plans, or just business unit recovery plans. Business area recovery plans may be used to invoke business unit plans. Note that this breakdown allows for a more modular structure of activities and is especially useful if your organization is large and has many business departments and units.
Business Continuity Plan Documents
Below is a list of plan documents and an explanation of each:
Site Emergency Response Plan (ERP)
o The ERP is used to respond to a disaster or disruption. The primary plan objectives are to:
  - Protect life
  - Provide shelter
  - Evacuate premises
  - Mitigate threat and control extent of damage
Site Crisis Management Plan
o This plan. The SCMP is used to manage and coordinate all site recovery activities including activities such as:
  - Supervising recovery effort
  - Declaring a disaster
  - Invoking other plans
  - Monitoring recovery, resumption, and normalization activities
Business Area/Department/Unit Recovery Plan
o Plan used to manage and recover business operations within each business area/department/unit.
Business Continuity Plan High-level Process Flow
During BCP execution, the Crisis Management Center will be opened and CMT team members will gather to review the damage assessment report, and to determine if a disaster is to be declared. The following diagram illustrates the relationship between the various plan documents:
The business continuity plan follows a sequence of activities specified in the following documents:
1. Emergency Response Plan
Refer to [Company XX] Emergency Response Plan
2. Site Crisis Management Plan
This plan.
3. Business Area Recovery Plan(s)
Refer to [Company XX] Business Area Recovery Plan(s).
Recovery Time Requirements
[Company XX] business unit/department, business functions, and maximum tolerable downtimes.
Business Unit/Department:
Business Function | Maximum Tolerable Downtime
See Appendices for additional Business Impact Analysis information.
Crisis Management Team Structure
A sample CMT structure is provided below. This diagram also shows the IT Area Recovery Teams, Business Unit Teams, and Implementation & Logistics Team.
Crisis Management Team and Responsibilities
The crisis management team (CMT) consists of a number of [Company XX] executives and team leaders that manage the overall recovery process. The members of the CMT must be able to act quickly during a crisis situation. If a disaster occurs, the CMT will likely be called out at an early stage to manage the recovery process.
Examples of CMT responsibilities include:
Manage and control the execution of the emergency response plan, site crisis management plan, business area recovery plans, and business unit plans.
Approve the activation of the site crisis management plan and business area recovery plan
Declare a disaster based on the findings of the damage assessment report
Provide updates on all company issues to external public and media
Provide updates and review progress with Board of Directors
Call insurance providers and key suppliers/vendors
Contact families
Monitoring disaster. For example to:
  - Ensure evacuation has occurred
  - If there is potential for injury, put emergency response team on standby
  - Assess effect of damage on working conditions
IT Area Recovery Teams and Responsibilities
The IT Area Recovery Teams consist of a number of different teams, each focused on the recovery of a specific technical area. Examples of these teams include:
Operating Systems Platform Team, Networking and Telecommunications Team, Database Systems Team, Applications Team, Systems Backup Team, Security Control Team, and Integration and Testing Team
Examples of IT Area Recovery Teams responsibilities include:
Recover, restore, and test systems and operating systems on workstations and servers
Recover and restore LAN and WAN
Restore from backup tapes
Install critical applications and data
Test restored systems, network connectivity, and integrity of data.
Business Unit Teams and Responsibilities
A business unit team represents a single business unit or operation for [Company XX]. Its membership consists of key users of critical systems and resources. The role of these teams is to assess the current needs of the unit, and assist the IT Area Recovery Teams to recover lost data and resources, re-enter manually recorded data, and to validate successful recovery.
Crisis Management Team Contact Information
Crisis Management Team
Company Executive | Function/Role/Alternates | Work # | Home # | Cell # | Email
Executive Administrative Assistant | CMT Assistant 1 | | | |
CFO Administrative Assistant | CMT Assistant 2 | | | |
CIO | Crisis Management Team Leader (CMTL) | | | |
Finance Director | Crisis Management Team Leader – Alternate (CMTL) | | | |
Risk Assessment Manager | CMT Member | | | |
Business Continuity Coordinator | Business Continuity Coordinator | | | |
CFO | Business Continuity Coordinator – Alternate | | | |
Facility Security Manager | CMT Member | | | |
IT Director | CMT Member (Head of IT Area Teams) | | | |
Human Resource Director | CMT Member | | | |
Company Health and Safety Coordinator | CMT Member (ERP Team Leader) | | | |
IT Manager | CMT Member (Damage Assessment Team Leader) | | | |
Facility Security Manager Secretary | CMT Member (Notification Team Leader) | | | |
Management Response Phase Sub-phases
During a disaster situation, [Company XX]’s top priority is the health and safety of its employees and staff. Therefore, the emergency response plan was executed in the Emergency Response Phase, the first phase of a crisis. This plan, the site crisis management plan (SCMP), is executed in the second phase, Management Response Phase. Note that this plan may be executed in parallel to the Emergency Response Plan. Tasks for Sub-phase 4 are also outlined in the SCMP.
The Management Response Phase follows several sub-phases:
Management Response Sub-phase 1 – Initial Response & Notification
In this sub-phase:
o The BCC is alerted
o The CMT Leader is alerted
o The damage assessment team is mobilized
o A damage assessment report is prepared
o The CMT proceeds to CMC
Management Response Sub-phase 2 – Problem Assessment & Escalation
In this sub-phase:
o The CMT reviews the damage assessment report
o The CMT meets with DAT and physical security manager
o CMT monitors the disaster situation or
o CMT escalates and proceeds to the next phase to declare a disaster
Management Response Sub-phase 3 – Disaster Declaration Phase
In this sub-phase:
o CMT prepares the disaster declaration statement
o CMT Leaders assume other tasks such as advising news and media
o Recovery team leaders are notified
o Business area/unit recovery plans are activated
Management Response Sub-phase 4 – Business Area Response Phase
CMT oversees recovery efforts, performs recording functions, and provides assistance where necessary.
In this sub-phase (Plan Implementation & Logistics activities):
o Recovery team leaders mobilize respective teams
o Equipment is ordered
o Recovery teams travel to recovery site
o Recovery teams prepare for recovery and resume critical services
In this sub-phase (Business Area Plan and Business Unit Plan execution activities):
o Execute Business Area Plan/Business Unit Plans such as the IT Area Recovery Plan, Manufacturing Area Recovery Plan, etc.
Site Crisis Management Plan Flow
The following sections provide example tasks for the Management Response Phase and Business Area Recovery Phase. Additional tasks may be added as required.
Management Response Phase Sub-phase 1 – Initial Response & Notification
This is the first sub-phase of the Management Response Phase. In this phase the business continuity coordinator and the crisis management team leader are alerted, and the crisis management team and damage assessment team are notified. The CMT proceeds to the CMC and assumes their assigned tasks.
Note, at the start of this phase, one or more of the following may have occurred:
An emergency incident or disaster has occurred OR there is a threat of disaster
The Emergency Response Team (ERT) has escalated the incident to CMT/BC Coordinator. The Incident Assessment Report (generated during the Incident Assessment and Escalation Phase of the Emergency Response Phase) has been provided.
The Damage Assessment Team has been mobilized and is preparing a damage assessment report
The Crisis Management Center may or may not be opened.
Sub-phase 1 - Business Continuity Coordinator Tasks
Receive a call from Emergency Response Team regarding [Company XX] disaster situation
Note the following:
o Name, Phone Number
o Obtain brief description of problem
o Have Public Authorities been contacted?
o Receive Incident Assessment Report (Emergency Response Plan execution)
Alert DAT Leader and ensure the DAT is mobilized (if not already mobilized) and that they are aware of the situation.
Alert CMT Leader and assess situation, at a high-level.
Proceed to the CMC.
Resume activities in sub-phase 2 “Problem Assessment & Escalation”
Sub-phase 1 - Crisis Management Team Leader Tasks
Receive a call from Business Continuity Coordinator OR Emergency Response Team regarding [Company XX] disaster situation
Note the following:
o Name, Phone Number
o Obtain brief description of problem
o Have Public Authorities been contacted?
o Receive Incident Assessment Report (Emergency Response Plan execution)
Meet with BC Coordinator to assess situation, at a high-level.
Call CMT Assistant to begin notification procedures (if not available, contact the backup CMT Assistant)
o Provide brief description of situation
o Inform CMT Assistant to activate CMT call tree
o Inform CMT Assistant of location of Crisis Management Center where all CMT members should meet
Advise corporate board and shareholders of event
Proceed to the CMC.
Resume activities in sub-phase 2 “Problem Assessment & Escalation”
Sub-phase 1 - Crisis Management Team Member Tasks
Receive a call from CMT Assistant regarding [Company XX] disaster situation
Note the following:
o Address of where to meet the rest of the CMT
o Obtain brief description of problem
Proceed to the CMT
Resume activities in sub-phase 2 “Problem Assessment & Escalation”
Sub-phase 1 - CMT Assistant Tasks
Activate CMT contact list (call tree)
Advise CMT member of situation status
Advise CMT member of location and time to meet at CMC
Begin log of events. Record the following:
o Problems encountered
o Expenses
o Additional events/incidents
Resume activities in sub-phase 2 “Problem Assessment & Escalation”
Sub-phase 1 - Damage Assessment Team (DAT) Tasks
Prepare damage assessment report (use Damage Assessment Report Form):
Note this activity may have already commenced.
If the event is one of the following conditions, the damage assessment team may opt to report this immediately. In this case immediately proceed to the next sub-phase – disaster declaration and declare a disaster:
o If the disaster impact is expected to last longer than [number of hours] (as pre-determined by Company XX Executive)
o If there is loss of power and heating or loss of computing services.
o If there is severe damage to the company facilities such as structural damage, or collapsed roof, making it inaccessible.
o If there is external activity which prevents access to the facility, such as criminal activity involving police, or if there is an extended evacuation of building caused by gas leak.
Consider the following when preparing the damage assessment report:
o Determine disaster level
o Estimate financial loss
o Determine source of damage such as fire, flood, earthquake
o Determine extent and magnitude of damage such as
  - Building structures
  - Business units
  - Types and number of IT systems, infrastructure, etc
  - Number of critical processes disrupted
o Assess physical condition of the original site
o Establish safety status of the original facility
o Determine presence of hazardous contaminants
o Assess risk of further damage
o Estimate length of recovery
Resume activities in sub-phase 2 “Problem Assessment & Escalation”
Management Response Phase Sub-phase 2 – Problem Assessment & Escalation
This is the second sub-phase of the Management Response Phase. In this phase the damage assessment report is reviewed to determine the extent of the problem, and a decision is made to either declare a disaster and escalate to the next sub-phase or to continue to monitor the situation using tasks in the emergency response plan. Activities in this phase are typically conducted at the CMC.
Sub-phase 2 - Business Continuity Coordinator Tasks
Ensure that the CMC is accessible
Meet with CMT members
Follow CMT Member tasks
Resume activities in sub-phase 3 “Disaster Declaration”
Sub-phase 2 – Crisis Management Team Leader Tasks
Meet with corporate board and shareholders, if required
Meet with CMT members
Follow CMT Member tasks
Resume activities in sub-phase 3 “Disaster Declaration”
Sub-phase 2 - Crisis Management Team Member Tasks
Meet with CMT members
Receive the damage assessment report for the extent and impact of the damage
Review disaster severity levels and disaster recovery levels
Review conditions that warrant declaration:
Example: if the event is one of the following conditions, the CMT may declare a disaster immediately:
o If the disaster impact is expected to last longer than [number of hours] (as pre-determined by Company XX Executive)
o If there is loss of power and heating services or loss of computing services.
o If there is severe damage to the company facilities such as structural damage, or collapsed roof, making it inaccessible.
o If there is external activity which prevents access to the facility, such as criminal activity involving police, or if there is an extended evacuation of the building caused by a gas leak.
Meet with Facility Security Manager and DAT Leader to discuss alternatives
Determine if there is impact to critical processes
o If yes, proceed to the next sub-phase (Sub-phase 3 - DISASTER DECLARATION).
o If no, continue to monitor situation and use (EMERGENCY RESPONSE PLAN).
Sub-phase 2 - Damage Assessment Team Leader (DAT) Tasks
Meet with CMT to discuss damage assessment report and alternatives.
Sub-phase 2 - Human Resource Director Tasks
Prepare statement for the news and media, if required
o Refer to the News Media Procedure
Recommend and approve staff related concerns and issues
Procure any replacement staff, if required
Ensure headcount procedures have been conducted
Sub-phase 2 - CMT Assistant Tasks
Ensure all CMT members have business continuity plan documents
Ask CMT Leader for any assistance
Continue event logging.
Resume activities in sub-phase 3 “Disaster Declaration”
Management Response Phase
Sub-phase 3 – Disaster Declaration
This is the third sub-phase of the Management Response Phase. In this phase, a decision to declare a disaster is made based on the review of the damage assessment report. A suitable recovery strategy is selected, a disaster declaration statement is prepared, and appropriate teams are notified.
Sub-phase 3 - Crisis Management Team Member Tasks
Review the disaster severity and disaster recovery levels in Appendix SCMP 3 – Disaster Severity and Recovery Levels.
Prepare DISASTER DECLARATION STATEMENT by:
o Reviewing extent of damage to premises
o Reviewing effect of damage on staff working conditions
o Reviewing impact to critical processes
o Reviewing estimated time to repair
o Selecting a Disaster Severity Level (see Appendix “SCMP 3 – Disaster Severity and Recovery Levels”)
o Selecting a Disaster Recovery Level (see Appendix “SCMP 3 – Disaster Severity and Recovery Levels”)
o Selecting appropriate recovery strategy
Initiate recovery process by notifying recovery teams via Business Continuity Coordinator
Resume activities in sub-phase 4 “Business Area Response Phase”
Sub-phase 3 - Business Continuity Coordinator Tasks
Notify recovery team leaders, such as the IT Recovery Area Team Leader, Call Center Recovery Area Team Leader, Manufacturing Area Recovery Team Leader, etc.
Notify off-site storage facility
Notify alternate recovery site to prepare for the arrival of recovery teams
Sub-phase 3 - Human Resource Director Tasks
Notify remaining staff of current status
Management Response Phase
Sub-phase 4 – Business Area Response Phase
This is the fourth sub-phase of the Management Response Phase. In this phase, the recovery environment is prepared, appropriate resources are mobilized, and business areas/units are recovered and resumed.
Sub-phase 4 - Business Continuity Coordinator Tasks
Receive recovery status information from recovery team leaders
Monitor recovery progress and provide updates to CMT
Sub-phase 4 - Crisis Management Team Member Tasks
Receive recovery status information
Monitor recovery progress and provide updates to CMT
Assist with recovery efforts where possible.
Sub-phase 4 - Business Area Recovery Team Leader Tasks
Activate their area of the plan
Order and ship supplies
Supervise recovery of business departments
Verify successful recovery
Sub-phase 4 - Recovery Team Tasks
Recover and resume operations as per procedures and tasks in business area/unit plans.
o Commence IT Area Recovery Plan (IT Disaster Recovery Plan)
o Commence Business Area Recovery Plans
Appendices
SCMP 1 – Damage Assessment Report Form
Damage Assessment Report
Assessment conducted by (name, phone number):
Name and Location of damaged facility/room/area:
Name of Business Unit/Department using damaged area:
Source of damage (fire, flood, earthquake):
Detailed type and extent of damage (building structures, business units, types and number of IT systems, infrastructure, etc):
Physical condition of building (safety status):
Presence of hazardous contaminants:
Risk of further damage:
Estimate of loss:
Impact to critical business processes:
Estimate of time to repair (e.g. hours, days, weeks):
Recommendations/notes:
SCMP 2 – [Company XX] Disaster Declaration Statement Example
[Current time and date]
Commencing on [current time and date], [Company XX] sustained severe losses to its facilities located at [Company XX location] due to [Description of Disaster].
The following conditions exist due to this disaster situation:
[Disaster Recovery Level: Level 1 Recovery at Primary Site _____ ; OR Level 2 Recovery at Alternate Site _____ ] (refer to SCMP 3 – Disaster Severity and Recovery Levels)
[Severity Level of Disaster (minor, intermediate, or major): ________________] (refer to SCMP 3 – Disaster Severity and Recovery Levels)
[Description of Disaster Severity and Recovery Levels, if required.]
[Company XX] has switched to its recovery organization and is currently in the process of recovering essential business operations.
[What plans are currently active?]
[Company XX] [Crisis Management Team Leader] has the authority to issue this disaster declaration statement.
Signed this _________ of ______________ 20______
____________________________________
SCMP 3 – [Company XX] Disaster Severity and Recovery Levels
There are 3 disaster severity levels: minor, intermediate, and major (described below). These levels provide an indication of the extent of impact to critical business processes.
In addition, there are 2 disaster recovery levels: Code YELLOW: disaster recovery level 1 – recovery at primary site, and Code RED: disaster recovery level 2 – recovery at alternate site (described below). These levels provide an indication as to the location of recovery efforts, either at the primary site or alternate site, respectively. For the alternate site, this may be an alternate work area, alternate IT recovery area, or an alternate manufacturing and production area.
A minor level disaster is typically recovered at the primary site using minimal recovery staff. An intermediate level disaster may or may not be recovered at the primary site and may require some recovery teams and/or alternate site recovery support staff. A major level disaster is recovered at the alternate site and requires all CMT, recovery teams, and alternate site support staff.
Since recovery at an alternate recovery site can be costly, the CMT must determine whether to involve alternate recovery facilities and support staff. The decision to recover at the primary or alternate site depends on the following:
Whether the disruption is expected to last more than a pre-determined length of time (e.g. 12 hours)
Whether the disruption impact is minor, intermediate, or major disaster severity level
Disaster Recovery Levels
Code YELLOW: Disaster Recovery Level 1 – Recovery at Primary Site
This level may be declared if the disaster severity level is determined to be minor or intermediate and the disruption is estimated to be less than [pre-determined number of hours e.g. 12-24] hours. The recovery of business processes, IT systems and applications may take place at the primary site. The recovery team, alternate site facility and personnel, and off-site vendor should be placed on alert for a possible escalation to level 2.
Code RED: Disaster Recovery Level 2 – Recovery at Alternate Site
This level may be declared if the disaster severity level is determined to be intermediate or major and the disruption is estimated to be greater than [pre-determined number of hours e.g. 24] hours. The recovery of business processes, IT systems and applications is to take place at the alternate site(s). The recovery team, alternate site facility and personnel, and off-site vendor are to begin recovery procedures.
Disaster Severity Levels
Minor Disaster Severity Level
A disaster of this severity level occurs more frequently in normal day-to-day operations, compared to the intermediate or major disaster. The severity level is considered minor because the effects are often isolated to a small subset of critical business processes.
The cause of the disruption is often the failure of a single component, system, or service. Example causes are failure of manufacturing equipment parts, system disks, and voice and network hardware.
Intermediate Disaster Severity Level
An intermediate level disaster occurs less frequently but with greater impact compared to a minor level disaster. This kind of event disrupts normal operations of some but not all critical business units. The operational disruptions result from major failures of multiple systems and equipment.
Example causes are water leakage into computer room, structural damage, etc.
Major Disaster Severity Level
The possibility of this type of disaster occurring is small, but the extent of the impact is significant compared to the minor or intermediate level disasters. The event disrupts operations of most or all of the critical business processes. The operational disruptions are the result of inaccessibility or failure of most or all of the systems and equipment.
Example causes are destruction of or inability to access company facilities due to fires, earthquakes, storms, or sabotage.
SCMP 4 – News Media Procedure
The [Company XX - Human Resource Director] is responsible for communicating all press reports.
During an incident, staff shall:
o Direct all press to the Human Resource Director
o Not make any statements to the press without approval
o Not give out confidential information such as name of casualty victims
o Not speculate on the status of the incident
Steps to remember about news media:
o Provide a discrete statement of current situation
o Provide time and date of next announcement
SCMP 5 – Summary of Risk Assessment Information
Include summary information from the organization risk assessment in this section. For example, include:
o A list of threats and risks
o A list of critical assets exposed to the threats
o A list of implemented risk controls and residual risks
SCMP 6 – Summary of Business Impact Analysis Information
Include summary information such as critical processes, recovery time objectives, recovery point objectives, recovery resources, etc. from your organization’s business impact analysis. For example, include:
o Maximum Tolerable Downtime (MTD)
o Critical IT systems and applications
o Critical non-IT resources
o Recovery Time Objectives (RTOs), Recovery Point Objectives (RPOs), Work Recovery Times (WRTs) of critical applications and resources
SCMP 7 – Summary of Business Continuity Strategy Information
Include options for recovering disrupted data, records, applications, systems, equipment, and facilities.
SCMP 8 – Version Change Control
Version control is required in order to maintain integrity and cohesion of this document. The Document Manager should be the only person to approve and authorize changes and distribute revised versions.
To reduce the risk that an old version is used, the Document Manager should collect all copies of old versions before distributing new ones. This document shall not be photocopied. Additional copies should be obtained from the Document Manager.
Version Number | Issue Date | Reason for Change | Authorized by