CHAPTER 5
BUILD AN INTERIM PLAN
Don’t Just Sit There, Do Something
Build it and they will come.
—Field of Dreams
INTRODUCTION
Building an effective business continuity plan can take a great deal of time and resources. By this point, you have identified the processes critical to your business in the Business Impact Analysis (Chapter 2), identified the risks to these processes in your risk assessment (Chapter 3), and determined your strategy for building a comprehensive plan (Chapter 4). Until the primary disaster plan begins coming together (Chapters 14 to 20), there are 11 steps you can take right now to provide some initial protection. The steps you follow in this chapter will be expanded in great detail in later chapters. Even if your disaster planning stops after this chapter, you will be noticeably better prepared.
Create an Interim Plan Notebook to organize your information. It should contain:
1. Access to People. Organization charts should be included to show who is assigned what areas of responsibilities and who their assistants are. Contact information for each key person—work phone, home phone, cell phone number, pager number, and home address—should be included.
2. Access to the Facility. A set of keys must be available to every door, cabinet, and closet that holds equipment you support, all maintained in a secure key locker. This includes copies of any special system passwords.
3. Service Contracts. Be sure you have the name, address, telephone number (day and night), contact name (day and night), serial numbers of equipment on the contract, contract number, and expiration date. This section may also include a copy of the service agreement renewal calendar.
4. Vendor List. A list of companies where you have accounts set up for quickly buying emergency supplies. This includes contact information.
5. Walk-Around Asset Inventory. This is necessary to properly build a plan. A thorough asset inventory will come later. What assets might you need to recover or to restore to service right away?
6. Software Asset List. What software are you protecting, insuring against loss, and supporting?
7. Critical Business Functions. What are the business functions you are trying to protect, to keep running with minimal disruption?
8. Operations Restoration Priorities. What do you fix first, and in what order do you restore functions to service?
9. Toxic Material Storage. Locations of toxic material anywhere on the company grounds.
10. Emergency Equipment List. Where are the equipment and materials you need to help clean up a mess?
11. Trained First Responders. Do you have any volunteer firefighters or Emergency Medical Technicians (EMTs) on your staff? Does anyone have critical skills you can use in a crisis until emergency crews arrive?
In most emergencies, there are several keys to a successful recovery: key people, keys to the doors, and key support account information. For your interim plan, you will pull together basic contact information on the people you would call on in a disaster, the service contracts you would invoke, and keys/passwords necessary to gain entry into where you need to be.
A quick way to gauge your current state of disaster readiness is to make unannounced visits asking for critical support information. Watch the people as you ask for this information, and you will see how organized some are. See who can quickly provide a copy of their list and who has everything scattered about in a “sticky-note file.” As you watch them fumbling through folders of documents, aren’t you glad this isn’t happening during a real crisis? How high would the quality of their hurriedly gathered information be? How quickly could they provide the correct answers? Rapid availability of this information is very useful even if the computer room is not on fire. Imagine the same people doing this during an emergency, and with the office illuminated only by emergency lighting.
As the information flows in, take time to carefully organize it. Label each item as to who sent it to you and the date you received it. If you later need an explanation about their information, you’ll know who to call. The date indicates when you received it, not how old this information actually is. It never hurts to validate critical information like telephone numbers and contract agreements. Set up a tabbed three-ring binder to hold all the information. Later, you will consolidate this information into your own lists and they will take a lot less space.
Remember that what you collect for an interim plan must be useful to anyone involved in disaster recovery. Readability, accuracy, and clarity are important. The various documents must be accumulated in a single binder and presented to your various managers. Place a date on each document to show when it was created. This will also act as a built-in reminder to call for updated documents if you feel they are too old. Be sure to keep a copy of these documents at home; emergencies don’t always happen during normal business hours.
Keep track of who has a copy of the binder. Then, as updates are created, you know whom to pass them on to. Ensure all binders are tabbed for quick reference and clearly marked as Company Confidential in accordance with your company’s document guidelines (remember, you have home telephone numbers in here).
At a minimum, each of the following people should have an up-to-date copy of this interim plan.
Business Continuity Manager (you—the person writing the plan).
Disaster Recovery Manager (to be kept at home).
Information Technology department’s Help Desk (useful for providing support).
Facility Security Manager (in a place the after-hours guard on duty can reach it).
ACCESS TO PEOPLE
Reaching key people is a two-step task. The first step is to know whom to notify. The second step is to know how to reach them. You should know not only how to reach your boss, but also the head of the purchasing department, the public relations manager, the custodians’ office—many more than just the people in your department.
Start with an organization chart that shows who works in what department, from the top person down to the night-shift custodians. Current charts are often hard to come by. Organization charts reflect the formal lines of authority within an organization, not the actual day-to-day flow of authority.
The organization chart will help you identify who is responsible for what areas and who you might need to call if a disaster occurs. Think of the ways this will be useful. If the accounts payable system crashes over a weekend, you might need to call the accounting clerk who uses that system to test your fix before work starts on Monday. If there is a fire in the Quality Assurance office overnight, you need to know which manager to notify.
The second piece is a complete telephone list for all employees that includes home telephone numbers, cell phone numbers, pager numbers, etc. In most cases, you will only notify the department managers, but by having a complete list, you should always be able to call in the “resident expert.”
A funny thing about a telephone recall list is that some people lie to the company about their home telephone number. Imagine that! Others “forget” to pick up their pager every night before they go home. We can’t change all the bad habits of the world, but for those key people who are critical to your disaster recovery efforts, ensure their numbers are correct even if you have to call them yourself.
An easy way to check this list is whenever it is used to call someone off-hours, make a small notation of the date next to their name. If the call went through, that is validation enough. Once every several months, take time to make a call to any of the unchecked phone numbers just to verify them.
Try to never call people after hours unless it is necessary (like checking the list). Check with your human resources manager to see what the impact is on hourly and salary workers’ compensation for calling people after hours.
If your company has multiple sites, you will also need the telephone numbers for their key technical, support, and management people. In an emergency, it is sometimes quicker to borrow material from a sister company than to buy it. Also, instead of hiring unknown consultants to assist in your recovery, it is far better to borrow skilled people from sister companies. They are already familiar with your company’s procedures, and they should have already had a security screening (something your emergency consultants may not have). All around, it is preferable to call on your fellow employees to supplement your recovery staff than it is to hire someone on the spur of the moment.
ACCESS TO THE FACILITY
Limiting access to the company’s assets is not an optional activity. It is something your auditors will be checking. All sensitive areas must be secured, such as computer rooms, telephone switch room, vital records storage, and personnel files. There may be other areas unique to your company that must also be safeguarded. If in doubt, ask the auditors. They are a valuable source of information for disaster planning.
Don’t be shy about asking detailed questions of your company’s security force concerning the arrangements protecting your area of responsibility. Do not take for granted that the force provides the proper protection for your equipment. Review their after-hours entry policy to ensure it meets your emergency needs.
Physical Keys
Murphy’s law says that problems will happen in the worst possible places. Wherever the problem occurs, you will need to get into the location. Imagine a network problem. You may need keys to access a number of equipment closets checking data hubs until you find the defective equipment, another key to gain entry to the hub’s cabinet, and still a third key to enter the secure area where spare hub cards are maintained.
In most facilities, the security force maintains copies of the physical keys to all doors and locks. If this is the case in your company, then you should review their key management policies and key locker procedure. Things to look for and for you to do if they are missing:
There should be a formal request form for requesting a key. Each request should be properly authorized before a key is issued. People who feel accountable for a key will treat it more like a valued object. If someone keeps losing their keys, then they should not be given any more of them. Note how often their car keys turn up missing and you’ll see that it is only your key that they don’t care about.
There should be a “Key Log” of who has what keys. Verify that people who work for you only have what is needed. Use this list to recover keys when people leave the company. If a theft of company property is detected, this list will be a valuable starting point for the investigation. If locks must be changed, this will tell you how many keys are needed for the new setting. Review this list at least quarterly to recover keys from people who no longer need them.
There should be a locked cabinet where copies of all keys are maintained.
Sometimes paranoid people attach their own locks to cabinets to keep others away from their equipment. You may not even be aware there is an unauthorized lock on this door or know whom to even ask for a combination. Personal locks on company doors and cabinets must be vigorously discouraged as it will hinder your recovery at a time when you can ill afford it.
Even if your facility security force has a “Key Locker,” you might want to have one just for your department in a place that you can get to quickly. For your own department, you might establish a key locker to hold a copy of every key to every door and cabinet in your facility. Then no matter who is on-site during a disaster can quickly enter the room or cabinet and begin containing the damage until the expert support team arrives.
For security reasons, only a few people should have access to this cabinet. Otherwise, you would be surprised how fast these keys will disappear. A sign-out sheet in the cabinet can be used to track what has been loaned out, to whom, when, and by whom it was authorized.
Note the phone numbers of local locksmiths who are available around the clock, every day of the week. If you are depending on the building security folks to provide this service, inspect their operation to ensure it includes all keys and that they are available 24/7. Whoever maintains the key locker should also have a large set of bolt cutters. This “master key” will open most locks by slicing through them. Use it liberally on all noncompany locks you encounter.
Master keys are keys that open more than one door. The way that door locks are keyed is such that security zones are created. This allows a master key to open all the doors in a given department and not in other departments. Master keys must be closely guarded and issued sparingly.
Electronic Keys
An excellent solution to the problem of propagating keys is electronic locks. Electronic locks are expensive to install but provide a wide range of benefits. An electronic lock not only opens the door but it tells you who tried to open a door, when they opened the door, and how long it was open.
You see electronic door locks in most modern hotels. Hotels had a problem. Customers often lost their keys or continued their journey without turning them in. The hotel had to assume that someone was walking around with the key to a room that they might use to break in later. This forced hotels into an expensive rekeying of the doors. Rekeying cost their customers money and was a constant problem for the innkeeper. Now, if someone checks out of a hotel with an electronic key, that key is disabled. Door locks no longer need changing and customers are no longer billed for rekeying.
Another problem with physical keys is that they get lost, get copied (with and without permission), and the people holding them may pass them on to less-trusted individuals. You can never be sure if a key is truly lost or has been intentionally stolen so that some miscreant can gain access to a particular area. This forces an expensive lock change. It also means that anyone else with one of these keys (those who are entitled to have one) must exchange their key for a current version.
There is no law against copying keys. Even the keys stamped with an admonition of “Do Not Copy” have no legal standing. Key makers will copy them as they please. So anytime a key is provided to someone, that person can easily make a copy. Once a key is surrendered, you cannot be sure that door is still safe. For all anyone knows, the employee made a copy of that key for a friend in another department.
An electronic lock uses the digital number on a key or a key code to determine who has access to what area. All information is kept in a master database. When you try to open a door, the badge’s number is read or the key code used is recorded and sent to a database. The database checks to see if you are authorized to open that door. If you are, then the door latch releases. If not, then usually nothing happens and the lock ignores the key. At the database, a record is saved of the key number trying to open a door, where, when, and if the door was opened or not.
In this way, people can be given access or denied access via the database without issuing or recovering keys to each door. If a key is lost, it can be disabled at the database and be worthless to a thief. Anyone who finds it has a useless piece of plastic. This of course depends on the individual to report the lost key and have it promptly disabled. If an employee leaves the company, you can disable the key quickly.
Whether you are allowed in or not, each attempt is recorded with a date and time for tracking who went where. Denied access can be used to see who is testing your security system. If something is missing from an area, you can see who entered each room. This log must be reviewed daily to see which unauthorized cards are attempting to get through which doors.
An electronic lock can also track doors that are propped open. Depending on how your system is configured, this may trigger a security alarm to see if this is a legitimate activity or if someone wanted a door left ajar. Since the log also told you who opened the door, it could be a good time to find out why they did this. If you wanted the door left open, you would save money and remove the lock!
Electronic locks also allow for master keys and security zones. For example, this lets you set up the electronic key for the telephone systems technician to open all telephone room doors but none of the computer room doors. Electronic keys are nice because it is easy to enable various levels of security at any time.
Just as you would manually with physical keys, you should use the electronic lock software to generate a quarterly key access report to review which employees have access to what areas. This will catch those cases where someone’s project once needed access to an area that is no longer required. It may also highlight more than one card issued to a person (they lost one, were issued a “temporary” replacement, and then kept it and the original). Usually this list is circulated among your managers to ensure people have the proper access. Keep in mind your after-hours support requirements or you’ll be making some late-night trips to open doors!
System Passwords
A system password is like a master key. Usually keyed to the user ID or administrator, passwords provide unlimited security access to every feature on a computer system. In our case, we may need them to perform an emergency shutdown of main computer systems. For this reason only, we need them kept in the key locker. These passwords have an unlimited potential for mischief, so they must be closely guarded.
Establish a secure area to store system passwords. They can all fit on a sheet of paper and must include all administrator-level accounts. This is kept in a sealed envelope near your equipment in the event that a rapid system shutdown is required. Another place to store this is inside your key locker. Check the seal on the envelope from time to time to ensure it has not been tampered with.
You will need this information if you ever need to shut down or restart your computer system when the systems experts are not available. This might be due to a fire in an adjacent room where the loss of electrical power [and Uninterruptible Power Supply (UPS) power] is imminent.
SERVICE CONTRACTS
How could someone qualify the downtime on a piece of machinery as a disaster? You would if that was the only printer that could print paychecks and today is payday! These normally must be distributed at a given time, and you may not be able to wait another 4 hours for a staff member to come in just to look at it. It might be critical if your primary data communications hub began emitting blue smoke. It might be critical if . . . but I think you get the picture.
A service contract isn’t much good to you if you can’t call for help when you need it. Round-the-clock service coverage is very useful for maximizing system uptime. This is especially true for critical hardware and software. Unfortunately, 24/7 service can easily double the cost of a service contract. So if you are paying out this large premium every month, take steps to ensure it is available when needed. People cannot call for it if they don’t know how.
Obtain a list of all service providers you have service agreements with. Cross-check this list with a walk-around to ensure that all your major equipment is accounted for on the list. We will need to include all these service provider names later when we build our vendor contact list.
There are four basic types of contracts with endless variations:
1. 24/7. They provide unlimited around-the-clock coverage for time and materials. Pay one price per month and leave your worries behind. This is necessary for mission-critical equipment and is the most expensive approach.
2. 8 to 5. They will work on equipment problems during the business day and usually supply any parts that are needed.
3. Time and Materials. They will work on the problem and charge you by the hour for the repair technician’s time. The costs of any parts required are also included on the bill. This is good for nonessential equipment that rarely breaks.
4. Exchange. Send them your broken equipment and they will either send you a refurbished replacement or repair it and send it back. This is good for devices where you have on site spares, such as monitors, terminals, scanners, printers, etc.
Begin building your list of service agreements. This list will be very useful in many areas of your company—the help desk, the late-shift operators, the security guards, and many other places. Use Form 5-1 on the CD-ROM to develop your list. The essential information to gather from each of your service agreements includes:
Contact Names. Whom do I call? There may be multiple people involved with your account. There may be a sales representative, a dedicated technician, and even an after-hours contact name and number. When time is short, you need to know whom to talk to for the fastest service.
Company Address. Look at the city to see how far away they are. You can gauge an approximate response time for the technician. Any spare parts the technician may need will probably be that far away also. If the service company is too far away, make a note to look for someone closer to home. On the other hand, some companies use a work-from-home field workforce, so using the company’s address is only a starting point for this inquiry.
Telephone Numbers. This could be a rather long list. You may have a separate number for normal hours, their fax machine, the technicians’ direct line, and an after-hours number. You need them all clearly identified. Like your recall list, when you use one, pencil in the date next to it so you know the last time that telephone number was validated.
E-mail Address. Many companies use e-mail to pass noncritical information to their customers. This might also help if your sales representative was away from the office on a business trip and was checking for messages.
Customer Number. The identification code number by which this contract is known to the vendor. You will need this when you call the problem in. Service centers normally will not budge until they verify that you are paid up and eligible for this service.
Hours of Support Under Contract. This is VERY important. It will determine if you will be billed for the service call. If you are paying for 8:00 AM until 5:00 PM service and then demand a technician come out late at night, you will be billed for a hefty hourly fee. This may be acceptable, so long as you are aware of the potential costs. Paying for 8 to 5 service means that if the repair isn’t finished at 5:00, the repair technician is going home and will be back tomorrow. Otherwise, you will again be paying a large overtime hourly fee.
When Does the Agreement Expire? Some equipment inconveniently breaks on the wrong side of the deadline. All service contract expiration dates should be placed on a calendar so that you can see this coming and negotiate a new agreement before the old one expires. This information can also feed into your annual budget process.
Description of What You Buy from Them. This could be a wide range of things. Some contacts provide everything for a fee to include materials and labor. Service companies you don’t often need may be contracted under a time-and-materials scheme for all repairs. Whatever you buy from them, very briefly describe it here.
Your Internal Designated Contact Persons. Many contracts require that several persons be designated as the company’s representatives for contacting them to prevent their lines from being flooded by minor calls. Even though specific people are named in the contract, by declaring an emergency the service company should begin assistance until the named parties arrive.
Now that you have this list, assign someone to make up small cards for each machine covered by a service agreement. On this card, print all the essential information you have gathered. Firmly attach this information to the machine or inside of its cover. This is the ideal—information available at the point it is needed. Now if that device quakes, shakes, and begins to moan, the information on whom to call is immediately at hand.
When attaching these cards, check the machine over for advertising stickers. Some service companies attach them to whatever they repair. This is OK except when you change service companies and some well-meaning soul calls the number on the sticker to repair the machine. Without a service agreement, they may come out and send you an expensive bill. So when you see these stickers, remove them. People will get into the habit of depending on the cards you tape to the machines.
If you have a lot of equipment in the same room, make up an information station with a notebook attached to the wall that contains all the same information. Keep track of wherever you place this information for the times when you need to update your service providers or hours of coverage.
VENDOR LIST
Now that you know whom to call for a service call, make up a list of the other companies you routinely deal with using Form 5-2 (see CD). Since we have the major equipment covered, we can now focus in on the companies that provide your routine supplies. Why is that important?
Have you ever run out of something seemingly mundane like a special toner cartridge, and your usual purchasing agent is on vacation? The company kept moving along but there was someone out there who was very vocally upset. As you collect vendor contact information, you will quickly see how this can be very useful.
You want vendor contact information for the companies that supply your support materials such as custom cables, preprinted forms, backup tapes, any number of things you need to keep your operation flowing smoothly. Most suppliers don’t list an after-hours number. They have one but it is not published. Try to get it from the salesperson. If they don’t have it, get the salesperson’s home number. Often when you really need something, a salesperson will go the extra mile to build customer loyalty.
Obtain a list of all support materials suppliers. This includes companies that provide off-site storage of your backup tapes, courier services, companies that provide preprinted forms, and companies that sell or lease you equipment as well as companies that repair it. Mandate that it be kept current. Essential data elements include:
Contact names.
Company address.
Telephone numbers: normal hours, fax, and after-hours number.
E-mail address.
Your internal vendor number.
Description of what you buy from them.
Public utilities are another set of vendors you need to know about. Loss of service from telephone, Internet, electric, gas, and water companies can shut down your operations in the blink of an eye. These companies all have 24-hour service support numbers. They may also have a special trouble reporting number for companies and major customers. For each utility, you will need:
Contact names for sales, technical support, after-hours dispatch.
Telephone numbers for each contact to include their normal hours number, fax number, and after-hours number.
E-mail address for handling routine issues.
Public safety telephone numbers must also be prominent on your list. The ubiquitous 911 is always a good starting point, but you may find the normal telephone numbers for police, fire, ambulance, and the local hospital are all handy to have in a crisis. Use Form 5-3 (see CD) to start your list of whom to call in an emergency.
WALK-AROUND ASSET INVENTORY
Most companies have a lot of equipment to keep track of. We’ll get to that later. Start by doing a walk-though of your areas of responsibility (do not trust this to memory). Draft a list with key information on all your major equipment. A major piece of equipment is one that costs a lot of money, or that takes a long time to replace, or your operation depends on it and it is the only one like it you have. This will usually be your larger or shared pieces of equipment.
As you walk around, be sure to open all closet doors and look into boxes. You would be surprised what you will find stashed away by people for emergencies. Note the location of any spare equipment. Arrange to have it picked up later. It should all be collected into one central point to cut down on the number of duplicate spares. Computers and computer component parts are like fresh fish; they lose value quickly with age. If everyone is hiding something like a spare printer in case they have system problems, you could be paying for many more spares than you need. Consolidate and lock up all your spares in one location to minimize costs and to ensure they will be available to whoever needs them. This may even free some equipment for use elsewhere.
When you examine each machine, look for indications of who sold or maintains the device. Sometimes repair services place large stickers with their telephone number on devices they service. Note these in case you cannot locate the service contract for this device.
Another sticker often found somewhere on the inside is a notice of the last time this device received preventative maintenance. Some equipment such as a network server may need as little as an occasional shakeout of the fan filter. Other devices, such as your UPS system, need their batteries checked every 6 months. The frequency that preventative maintenance is required can be found inside the manual that accompanies the equipment. Therefore, also begin locating the manuals you need. All preventative maintenance must be recorded in a log for that device. Note what was done and by whom. If the service was improperly done, and then the equipment fails, you may have a claim against the service company.
To continue with the thought on hardware manuals, the books should either be prominently displayed adjacent to the equipment or collected into a central place. This reduces the amount of time lost looking for answers. As you walk around, make a note next to each piece of equipment on your list as to whether the manual could be located.
In each room note the following information. Again, this is for critical systems, not a wall-to-wall inventory. Be sure to include all the equipment in your computer room, telephone switch room, and network closets (a chain is only as strong as its weakest link). The list should include:
Manufacturer’s Name.
Model Number.
Serial Number.
Warranty Expiration Date. Tracking this will save on service costs and help you to know when to add that item to a service contract. Be sure to add it to your service contract renewal calendar.
Location. You may need to work up your own notation for this if everything is not conveniently set up in an easily identifiable room.
Serviced by. This may be a sticker right on the device.
Connected to. This will take some asking around but will be very useful. Out of this, you may uncover the weak link in a chain.
Feeds into What. Same benefits as connected to.
Think back to previous problems. Are there any other critical or unique devices around your facility that should be on the list? How about the UPS in your computer room? I bet there is another one on your telephone switch. Both rooms require climate control for the equipment to operate safely, so the HVAC repair number must be on there also.
Now that you have a list of your critical equipment, take time to cross-reference the equipment list to the vendor service agreement list. Are any of your critical devices lacking service coverage? Be sure to check the serial numbers because that is how service companies determine what is covered. Note the type of service agreement that each item has.
Consider each item on the asset list separately. Based on your experience, should any of the coverage be increased to include after-hours support? Should any of the items be reduced to 8:00 AM to 5:00 PM (or whatever they offer)?
With all this information at hand, draft a vendor list of whom to call and the normal billing method (time and materials, flat rate, etc.). Consider making a matrix that allows you to quickly check to see who supplies services or materials per device, such as every vendor that supports your AS/400. Use Form 5-4 (see CD) as a starting point for creating your list.
SOFTWARE ASSET LIST
If you lose a server, a critical PC, or a shop floor controller to a fire, you need to know what to replace it with. There is much more to a computer than what you see on its outside; there is all the very important software inside of it. Replacing the hardware without loading all the appropriate software (and data) will only result in a dark monitor staring back at you.
For each of the critical systems you have previously identified, you need to make a list of any software they require to drive them. This includes copies of custom software, any nonstandard driver programs, or operating system settings. (Cross-check this against your vendor list!)
This sometimes creates a problem if the machine that dies is old and only the latest hardware is available. You can reload the software from a data backup (you hope), but the hardware and existing operating system might create some conflicts.
In many cases, you can recover the software for that machine by reloading its full disk image backup. If you must reload the software from the original media, you need to be able to locate it. Once purchased software has been loaded onto a server, it should be stored along with your backup tapes at an off-site location.
CRITICAL BUSINESS FUNCTIONS
A key driver to your disaster planning is a clear identification of the critical business functions performed at your facility. You cannot protect everything equally, so you need to concentrate your recovery plans on the most important functions. Identifying this is a top management function.
Every company has a few essential things it does. Everything else can be delayed for a short time while the critical functions bring progress to a halt. Critical items must be recovered before all other areas. If you must draw up your own list, be sure to discuss them with your accounting manager or controller. Don’t be surprised if they cannot rattle off a list to you. They probably never worked a list up either.
For each critical function you identify, explain why it is important. Does it involve cash flow? Does it fulfill a regulatory requirement? If you have a broad understanding of your business, your list may be quite long—too long. Try to narrow it down to 10 or fewer items. The longer list is still very useful, but what we are after is a guideline.
OPERATIONS RESTORATION PRIORITIES
If three things break at once, which one do you fix first? That is a restoration priority. Based on the critical business functions identified in the previous step, you now take your asset list and identify restoration priorities for every asset.
Some of these are easy. If there is a file server used by many departments across the company, it will have a high priority for service restoration. A telephone switch is the same high importance. But how important is your e-mail server? Is it more important than the Materials department’s warehouse server? Probably not, unless it is the conduit for e-mailed and faxed orders from customers.
Consider this from another angle. If the electric company called and said they were shutting off two thirds of the power to your building, which equipment would you shut down, which would you ensure stayed up, and which would you stand by to start as soon as the outage was over?
TOXIC MATERIAL STORAGE
For the safety of all concerned, you should know if there is any toxic material stored on the premises and where it is. If there is a fire, building collapse, or flood, you will want to help warn people away from that area.
Use a map of the facility to indicate where this material is stored and what it is. If it is flammable, be sure to note that also. This is an important part of your plan so ensure everyone is aware of it.
Everyone on the recovery team must know where these dangerous materials are located and how to identify if they are leaking. They should know what to do if they encounter them.
EMERGENCY EQUIPMENT LIST
When a disaster occurs, you’re going to want to know where things are to help reduce the amount of damage to equipment and the facility. This includes things such as electrical shutoff, water valves, gas shutoff, sprinkler system controls, etc. You also want to know where any special equipment such as portable pumps, wet/dry vacuums, and special fire extinguishers are kept so that damage can be kept to minimum.
Everyone on the recovery team must know where these items are located and how to use them in the event of an emergency. See Form 5-5 (on CD) to start your list of emergency equipment. And yes! Don’t forget the keys to the doors!
TRAINED FIRST RESPONDERS
Many rural communities depend on volunteer fire departments and ambulance crews to support their towns. If any of your employees are EMT qualified, this is important to note. If anyone is a trained volunteer firefighter, this is important; a ham radio operator, a homebuilder, any number of things might show up. An additional question is if they have any hobbies or outside interests that would be of use in a crisis.
If you have any military Reserve or National Guard personnel, the training for their military job classification may be useful. They may be military police, hospital workers, or a wide range of things. It is not unusual to work in a military field that is entirely different from your civilian job. A possible downside to having these people on staff is that, in a wide-area emergency, these people may be called to government service and not be available to assist in your recovery.
Anyone that you identify with additional skills should be added to your recall roster. You need to indicate what skills each has, along with details on how to contact them during and after work hours. This list will have the same format (and be a continuation of) the emergency notification and recall list drawn up in the “Access to People” section of this chapter. You will need their work telephone number, home telephone numbers, cell phone numbers, pager number, home address, etc.
You should check this list with your Human Resources department to ensure you are not violating any company rules by calling on these people in an emergency.
CONCLUSION
Once you have finished the steps outlined in this chapter, you’ll have created a basic interim plan that will drastically improve your ability to handle any disaster that occurs. This interim plan will provide the recovery team the critical information they need to:
1. Get access to key people who can get the recovery process started as soon as possible.
2. Get access to facilities and computer systems to get them back up and running.
3. Have the service contracts they’ll need to get the vendors you’ve contracted with for outside support busy as quickly as possible.
4. Order emergency supplies quickly from critical vendors.
5. Document assets damaged using the walk-around asset list.
6. Order replacement copies of important software.
7. Identify the critical business functions that must continue during restoration.
8. Restore the operational functions in the best order.
9. Identify the location of toxic materials to cleanup crews for their protection.
10. Locate onsite emergency equipment and materials you need to help clean up the mess.
11. Ask for assistance from any volunteer firefighters or EMTs who are on staff.
If you have followed these steps and collected this information, you have the material for a basic business continuity plan. If your project stopped right now, your company is noticeably better prepared for a crisis than it was before. But don’t stop now! There is much more important information to gather and mitigation actions to identify. What you have now is a good starting point. Continue reading to get the information you need to develop a complete plan.