How to Implement a Contingency Plan

A contingency plan is developed to prepare a business to face abnormal situations and mitigate the impact of sudden disasters. The plan outlines the procedure to be followed in the event of failure of one or more critical systems.

The implementation of a contingency plan depends upon the size of the organization and the resources available during the crisis. The plan should be designed, reviewed and accepted by the management. The plan should be shared with the key members of the organization. Companies should periodically execute the steps outlined in the plan as an exercise, to be prepared when the need arises.

The business should have a contingency team that takes over the operations and implements the plan for every type of risk identified. Equipment failure due to natural disasters and sabotage may be covered by insurance. The personnel implementing the contingency plan should be aware of the contact details of people or service providers to be reached during the emergency situation, to get assistance in fixing the issue and bringing the business operations back to normal.

Communication and notification is an important part of implementing a contingency plan. If a primary business location is affected by fire or flood, the plan might be to move the employees and equipment to another location. To implement this plan of shifting operations to a new location, there should be a good communication plan in place. If the problem arises during working hours, the evacuation procedure should be followed and emergency help lines should be used to secure help. The persons responsible for implementation of the contingency plan should be able to contact all employees by a previously agreed upon mode (telephone / e-mail / SMS) and inform them to report for work at the new location until the old one can be made functional again. External suppliers, distributors and customers should also be notified of change in location, and whom to get in touch with to resume operations and contact details.

Contingency planning is important while executing a project. If a key team member is rendered out of action, there should be another team member capable of stepping in to perform important tasks. If the project follows good knowledge sharing practices and has good documentation, it will facilitate induction of new support staff (developers / testers) for assistance. It is important to communicate to the client that the absence of the regular person will not affect the project delivery schedule. If the project runs into issues which are likely to affect budget or deadlines, the person(s) implementing the contingency plan should know what needs to be communicated to client. The person should also know how and when the information should be sent to convince the client that measures have been taken to mitigate the risks and bring the situation under control. The implementer should perform follow-ups and send status updates to keep the management and client informed during a problem situation.

Early warning systems should be in place to notify / escalate issues to the relevant person(s) in-charge. Analysis, assessment, co-ordination, prioritization and preparedness are the key elements for implementing a plan. Contingency plans should be periodically updated and the lessons learnt from every incident should be incorporated into the plan.

Small Business With No Emergency Preparedness Plan? You’re Heading for Disaster

The word “Disaster” immediately brings to mind violence – of a hurricane or flood or earthquake. It’s only on second thought that the actual impact of a disaster – no matter what its cause – becomes clear.

When disaster hits a small business with no emergency survival plan, the chances are it will mean total shut-down of the business – and job loss for everyone involved.

Even when a plan is in place, it may be missing a key component: being prepared to handle the employees’ concern for the safety and well-being of their loved ones.

This concern is so strong that often even the most senior staff members — with major responsibility for mission critical functions – have been known to abandon the business altogether, struggling to get home to save family from imagined chaos or danger.

With key personnel gone, even though the building is still standing, the result can be the same – total shut-down.

Is there a solution?

After a career of working with small (and larger) businesses, and the past 15 years helping build and lead a local neighborhood emergency preparedness team, we think there IS a solution.

In our opinion, the ideal solution is the coordination or even “integration” of communities. This can be achieved when…

  • Company management, staff and employees have all been Community Emergency Response Team (CERT) trained.
  • The company has built its emergency preparedness plan around the CERT model and these specially-trained employees.
  • All employees’ family members have been encouraged or even supported in getting the same CERT training.

The ideal extension of this concept would be for each of the employee’s residential neighborhoods to also become CERT-trained communities – which we must acknowledge is an unlikely possibility.

Nevertheless the mere fact of knowing their families are prepared for major emergencies would enable employees to remain at their work stations longer, helping the company take immediate steps to protect important data and equipment to preserve the business – and their income.

It’s a win/win if it can be accomplished. And even if only part of the solution can be implemented, the company will be in a better place to withstand or even prevent business interruption.

It all starts with emergency preparedness plans for neighborhood and/or business. Such plans are NOT difficult to develop given the many resources available from government sources and dedicated authors. But there’s urgency to getting started now:

  1. Emergencies can and do happen. Without a plan, they can turn into disasters.
  2. Your planning has to take place BEFORE the emergency strikes.

New and inexpensive tools to make the process easy are available. Don’t wait any longer to get started!

Disaster Recovery Plan

A disaster recovery plan is a documented process to recover and protect a business IT infrastructure in the event of a disaster. Basically, it provides a clear idea on various actions to be taken before, during and after a disaster.

Disasters are natural or man-made. Examples include industrial accidents, oil spills, stampedes, fires, nuclear explosions/nuclear radiation and acts of war etc. Other types of man-made disasters include the more cosmic scenarios of catastrophic global warming, nuclear war, and bioterrorism whereas natural disasters are earthquakes, floods, heat waves, hurricanes/cyclones, volcanic eruptions, tsunamis, tornadoes and landslides, cosmic and asteroid threats.

Disaster cannot be eliminated, but proactive preparation can mitigate data loss and disruption to operations. Organizations require a disaster recovery plan that includes formal Plan to consider the impacts of disruptions to all essential businesses processes and their dependencies. Phase wise plan consists of the precautions to minimize the effects of a disaster so the organization can continue to operate or quickly resume mission-critical functions.

The Disaster Recovery Plan is to be prepared by the Disaster Recovery Committee, which includes representatives from all critical departments or areas of the department’s functions. The committee should have at least one representative from management, computing, risk management, records management, security, and building maintenance. The committee’s responsibility is to prepare a timeline to establish a reasonable deadline for completing the written plan. The also responsible to identify critical and noncritical departments. A procedure used to determine the critical needs of a department is to document all the functions performed by each department. Once the primary functions have been recognized, the operations and processes are then ranked in order of priority: essential, important and non-essential.

Typically, disaster recovery planning involves an analysis of business processes and continuity needs. Before generating a detailed plan, an organization often performs a business impact analysis (BIA) and risk analysis (RA), and it establishes the recovery time objective (RTO) and recovery point objective (RPO). The RTO describes the target amount of time a business application can be down, typically measured in hours, minutes or seconds. The RPO describes the previous point in time when an application must be recovered.

The plan should define the roles and responsibilities of disaster recovery team members and outline the criteria to launch the plan into action, however, there is no one right type of disaster recovery plan, nor is there a one-size-fits-all disaster recovery plan. Basically, there are three basic strategies that feature in all disaster recovery plans: (a) preventive measures, (b) detective measures, and (c) corrective measures.

(a) Preventive measures: will try to prevent a disaster from occurring. These measures seek to identify and reduce risks. They are designed to mitigate or prevent an event from happening. These measures may include keeping data backed up and off-site, using surge protectors, installing generators and conducting routine inspections.

(b) Detective measures: These measures include installing fire alarms, using up-to-date antivirus software, holding employee training sessions, and installing server and network monitoring software.

(c) Corrective measures: These measures focus on fixing or restoring the systems after a disaster. Corrective measures may consist keeping critical documents in the Disaster Recovery Plan.

The Plan should include a list of first-level contacts and persons/departments within the company, who can declare a disaster and activate DR operations. It should also include an outline and content stating the exact procedures to be followed by a disaster. At least 2-4 potential DR sites with hardware/software that meets or exceeds the current production environment should be made available. DR best practices indicate that DR sites should be at least 50 miles away from the existing production site so that the Recovery Point Objective (RPO)/Restoration Time Objective (RTO) requirements are satisfied

The recovery plan must provide for initial and ongoing employee training. Skills are needed in the reconstruction and salvage phases of the recovery process. Your initial training can be accomplished through professional seminars, special in-house educational programs, the wise use of consultants and vendors, and individual study tailored to the needs of your department. A minimal amount of training is necessary to assist professional restorers/recovery contractors and others having little knowledge of your information, level of importance, or general operations

An entire documented plan has to be tested entirely and all testing report should be logged for future prospect. This testing should be treated as live run and with ample of time. After testing procedures have been completed, an initial “dry run” of the plan is performed by conducting a structured walk-through test. The test will provide additional information regarding any further steps that may need to be included, changes in procedures that are not effective, and other appropriate adjustments. These may not become evident unless an actual dry-run test is performed. The plan is subsequently updated to correct any problems identified during the test. Initially, testing of the plan is done in sections and after normal business hours to minimize disruptions to the overall operations of the organization. As the plan is further polished, future tests occur during normal business hours.

Once the disaster recovery plan has been written and tested, the plan is then submitted to management for approval. It is top management’s ultimate responsibility that the organization has a documented and tested plan. Management is responsible for establishing the policies, procedures, and responsibilities for comprehensive contingency planning, and reviewing and approving the contingency plan annually, documenting such reviews in writing.

Another important aspect that is often overlooked involves the frequency with which DR Plans are updated. Yearly updates are recommended but some industries or organizations require more frequent updates because business processes evolve or because of quicker data growth. To stay relevant, disaster recovery plans should be an integral part of all business analysis processes and should be revisited at every major corporate acquisition, at every new product launch, and at every new system development milestone.

Your business doesn’t remain the same; businesses grow, change and realign. An effective disaster recovery plan must be regularly reviewed and updated to make sure it reflects the current state of the business and meets the goals of the company. Not only should it be reviewed, but it must be tested to ensure it would be a success if implemented.

When things go awry, it’s important to have a robust, targeted, and well-tested disaster recovery plan. Without a Disaster Recovery (DR) plan, your organization is at exceptional risk of loss of business, hacking, cyber-attacks, loss of confidential data, and more.