Emergency Response? Crisis Management? Business Continuity? Disaster Recovery? How do you know which plan to use during an incident?
It’s often confusing which plan to activate, and who is in charge.
Each plan should clearly identify the scope and responsibilities for executing the plan and have distinct and disparate objectives. During the life-cycle of an incident, all of the plans may be activated – but often only some of them are. Like many things “it depends”.
Let’s go into more detail on each of the plans and their purpose.
The Emergency Response Plan (ERP)
Activated in response to a fast-moving event. Examples include: fire, active shooter, earthquake. The objective of the ERP is life safety and is usually divided into events and actions (e.g. fire = evacuate). Often outside resources such as fire fighters are also engaged during an emergency response. Emergency events are usually short-lived, but the impacts can be long lasting, and may require activation of one or more of the following plans.
Emergency response is typically led by the facilities or security function, supported by a cross-functional team representing the site.
The Crisis Management Plan (CMP)
The CMP is a response document and should include:
- Key roles & responsibilities, contact (and backup) details
- Mechanics of activation
- Level of response (e.g. local, regional, global or corporate-level)
- Structure and role of the crisis management team
- Key templates and tools
Some examples of when the CMP will be activated are:
- The emergency event (e.g. fire) impacts are significant
- Loss of life, considerable number or severity of injuries
- Operational disruption that negatively impacts customer service and/or financial results (More about the Business Continuity Plan later)
- Negative reputational event
The crisis response is managed by a cross-functional team with decision-making authority and is typically led by the business lead or corporate communications. A high performing crisis team utilizes a crisis coordinator. More on that role HERE.
The Business Continuity Plan (BCP)
The Business Continuity Plan(s) will be activated in response to a disruption to normal operations. The disruption could be caused by lack of access to the facility (snow limiting travel to the facility, damage from a fire), systems outage, or loss of people (e.g. pandemic) or a multitude of other events. Typically, an organization will have multiple process-level BCPs. One, or multiple BCP’s will be activated in response to the disruption. For example, if there is system outage that is unique to one department, only that department’s BCP will be activated. If it’s an enterprise-wide system, multiple BCPs will be activated in response.
The objective of BCPs is to recover critical (time sensitive) operations over time.
BCP leads should be at the process level, and periodically report to the crisis team (if it has been activated) the status of operational recovery. These reports can be facilitated by the crisis coordinator as a liaison between the BCP leads and crisis teams.
The Disaster Recovery Plan (DRP)
Despite the name, the DRP is not activated every time there’s a disaster. It’s activated in response to a situation system functionality is interrupted, and provides step-by-step actions required to recover access. The DRP may be activated in conjunction with one or more of the other plans (ERP, CMP, BCP).
The DRP is typically led by the IT Department, and lead is based on the specific system or application(s) impacted. A significant interruption might be led by the Chief Technology Officer, whereas an outage of a single application may be led the team that supports that application.
I’m still confused…
Let’s use a scenario:
A fire breaks out in the company’s data center during a tour for the local university computer science class. Several of the students, the tour guide, and employees working in the vicinity receive burns from the fire. The call center which is a critical operation based on the strategic Business Impact Analysis is just below the data center, and sprinklers activate flooding desks and computers.
- Activate the Emergency Response Plan to evacuate the building, put out the fire, and treat the injuries.
- Next, activate the Crisis Management Plan to: account for employees, communicate to employees, the university, media.
- Shortly after the chaos subsides, the Business Continuity Plan(s) for the call center is activated. Call center staff move to the back up site and resume operations.
- In parallel with BCP activation, the IT team convenes and identifies what systems and data are impacted by the fire. They then activate the Disaster Recovery Plan(s) to begin the process to recover at a back up site.
Now I get it – what’s next?
Plan owners should routinely collaborate to ensure that plans work together, roles are clearly delineated, and teams are rehearsed. It’s good practice to exercise two or more plans together to identify gaps and/or redundancies. And cross team lessons “to be” learned is imperative after an event!
Make sure that you have alignment on terminology and definitions across the company. If you are using different names for the same objective, it can be confusing and cause delay in responding to an event. Keep it simple! You won’t win awards for a “fancy” name for your plan, and you run the risk of confusing the team and employees. What’s important is that your plans provide teams with the objectives, actions and authority to respond to an event, you will empower them to be truly resilient.