The first 24 hours is the critical period when it comes to responding effectively to a crisis at any organization.
In today’s post, we’ll lay out some of the things you can do, from the business continuity standpoint, to enable you to “win” this critical period, when and if disaster strikes the company you work for.
Today’s post is inspired by a presentation called “The Two-Minute Drill,” which MHA Consulting and BCMMETRICS CEO Michael Herrera gave at the Disaster Recovery Journal Conference in Phoenix last weekend.
In it, Michael compared the urgency of a crisis management situation to the final two minutes of a football game, when a trailing team switches to a hurry-up offense to try to come from behind and win. For such an offense to succeed, the coaches and players need to be extremely disciplined and well-prepared.
The same kind of preparation and discipline is critical to an effective crisis response by an organization.
Michael’s presentation also discussed the who, what, when, where, why, and how of successfully executing a company’s crisis playbook in the first 24 hours of an emergency event.
Today’s post will review the main concepts of The Two-Minute Drill.
To respond effectively within the first 24 hours of a crisis, organizations’ plans for Business Continuity (BC) and IT/Disaster Recovery (IT/DR) need to consider the following priorities:
- Life Safety. The overall execution of measures needed to protect life safety will likely fall to other teams. Life safety takes precedence over all other concerns. From the BC point of view, it’s important to consider the life safety situation as it impacts the BC and IT/DR plans. Ask yourself, what is the current state of the life safety situation? Your plans should have as a priority making sure that the people who implement the BC and IT/DR plans, and those impacted by them, are safe.
- Incident Stabilization. The next priority is to “stop the bleeding,” stabilizing the situation and preventing further damage.
- Property Preservation. Next, you should focus on preserving physical equipment, hardware, and the physical premises.
- Business Restoration. Finally, you can turn to the functional restoration of the business, whether it’s technology (IT/DR) or the business processes (BC).
While a given plan may be DR or BC focused, the other priorities listed above should be included on your checklist as items to verify.
The basic questions to ask are:
- Is everyone safe? How will the current status of our people affect our BC/DR plan execution?
- Have we stabilized the event?
- Is the organization’s property safe? How will the current state of property affect our BC/DR plan execution?
When you can answer yes to these questions, you can move on to functional restoration (BC) and the IT/DR plan.
THE 80/20 RULE
The 80/20 rule says that 20 percent of our activities are responsible for 80 percent of our results. It follows from this insight that we should not get hung up on working on small, unimportant tasks simply to get them out of the way. As business consultant Brian Tracy says, “Resist the urge to clear up the small things first.” Instead, for best results, we should always focus on the most important things first.
This insight has a bearing on BC and IT/DR as practiced during a crisis. Basically, it means you should focus on the most important things rather than trying to do everything.
Your planning and preparation should focus on the functions and technologies that are most critical and have the highest impact. Do the big, most important things first and the lesser things whenever. And if you don’t get to the lesser things during the first 24 hours of a crisis, in light of the 80/20 Rule, it’s most likely no big deal.
THE POWER OF CHECKLISTS
We at MHA are big believers in the importance of checklists as a basis of BC and IT/DR plans. We’ve seen over and over again how they can help people get a handle on the performance of a complex series of tasks during times of stress.
If you want to learn about the power of checklists, check out The Checklist Manifesto: How to Get Things Right, the book by surgeon and bestselling author, Dr. Atul Gawande.
You should also have a look at Michael Herrera’s recent post over at BCMMETRICS, The 4-3-3 Rule for Writing Business Recovery Checklists.
In preparing BC and IT/DR checklists, it’s important to remember that your lists should be short and concise. They should list the important tasks that must be done and include any unique, proprietary information that must be known to complete them.
It’s also important to remember what they are not: basic primers on doing activities that every competent professional in that field already knows how to do.
In giving someone driving directions, you don’t start by telling the other person how to drive a car. Your checklists should show the same awareness of the user’s prior knowledge. And no, a BC recovery plan checklist should not be so detailed it will allow anyone who walks in off the street to perform the task. That’s not their purpose.
UNDERSTANDING ACTUAL RISKS
Make sure your plans take into consideration and prepare for the actual risks which your organization faces.
Don’t get so hung up on preparing for black swans (infrequent, high-impact events) that you don’t get ready for the kinds of problems that happen all the time. Death by a thousand cuts is just as bad as death by a single deep cut.
Remember that the most common crisis events are caused by human error or mismanagement. Do your plans and preparations address those kinds of problems?
For more on this topic, see my recent post: Shark Attacks vs. Sunburn: Preparing for the Most Likely Problems.
Among your checklists, you should have ones that ensure that the necessary preparations are in place to allow your company to execute during a crisis. If you need special supplies or backup equipment, these should be noted on a checklist. An example of such equipment might be a special printer for checks, if you would need one to produce them when your regular method goes down.
You should also make sure your backup supplies and measures are tested, current, and ready for use. The same goes for the necessary supporting information for applications, contacts, worksites, technology needs for displaced staff, and functional priorities.
One of the weaknesses of exercises is that they can drive a sense of complacency and a feeling of being prepared when we are not. In exercises, missing preparation steps are often resolved because items can be obtained, or an action can be easily executed. In a real event, those items will not be readily available or you may not have time for that action.
UNDERSTANDING THE FIELD
In football, offenses that run plays without regard for what the defense is doing tend not to do very well. It’s the same for BC and IT/DR. When there’s a crisis, take time to evaluate the overall situation. Don’t just start running. [We like to use the APIE methodology for managing an event – (A)ssess, (P)lan, (I)mplement, and (E)valuate.]
Figure out what the impacted functions, facilities, and people are. Try to get a feel for the strengths and weaknesses of the people you’re working with. Ditto the effect of the situation on your competitors and vendors.
Communication during the crisis can be the biggest challenge. Is everyone communicating the same message? What is your social media strategy and are you monitoring and using it?
For more on crisis communication, check out this recent post by Michael over on the BCMMETRICS blog: 4 Rules for Effective Communication in a Crisis.
EXERCISES AND TESTS
Preparation and training will help you identify gaps in documentation, skillsets, and remediation.
For more on how to get the most out of your tests and exercises, check out my recent post Kill the Zombies, or How to Get More From Your DR Exercises.
MAKING THE MOST OF THE FIRST 24 HOURS
In football, it’s often the last two minutes that determine the outcome. In BC and IT/DR crisis management, the critical period is the first 24 hours of a crisis.
By familiarizing yourself with the concepts set forth above, and revising your recovery plans, checklists, and preparations to take them into account, you can increase the chances that your organization will weather the emergency successfully, if and when you are faced with one.