Earlier in this book, we discussed the need for various communications plans. In this section,
we’ll define various communications plans you should develop and identify some of the
common elements in such a plan. If you already have communications plans in place, you
can use this section as a checkpoint to ensure you’ve got all your bases covered. For each
plan, you should define specific steps just as you would for any other process in your
BC/DR plan. You should define the following:
Name of communication team, members of team, team lead, or chain of command
Responsibilities and deliverables for this team
The boundaries of responsibilities (what they should and should not do)
Timing and coordination of communication messages (dependencies, triggers)
Escalation path
Other information, as appropriate
Communications plans can be assigned to other, existing teams. A good example of this
is that the employee communication plan may be the responsibility of the HR team. There’s
no need to create additional teams to execute communications plans if these activities fall
within the scope of defined teams. However, in some companies, it might make sense to
have most of the communications come from one dedicated communications team in order
to maintain control over communications and to ensure that a single, consistent message is
delivered to all stakeholders. The decision is yours and usually is based on how large the
company is and how it currently operates.
Internal
The internal communication plan is really part of the BC/DR activation and implementation
plan. If a business disruption occurs, you need to have a process in place for notifying
BC/DR team members. This is done as part of BC/DR plan activation and is a critical
aspect that should be clearly delineated. How will team members be notified and updated?
What processes, tools, and technology are needed? Are these included in your plan yet? If
not, add them to your WBS or in a section called Additional Resources so they are captured
and addressed in advance of a business disruption.
Employee
Employee communication is also internal communication but differs because it is any communication
that goes out to employees who are not part of the BC/DR implementation. If
a business disruption occurs, you’ll need to know how to notify all employees. You’ll also
need to let them know answers to the most basic questions including what happened, what
is being done to address the problem, and who they should go to for more information. For
example, if the building burns down overnight, employees may show up for work in the
morning as scheduled. The BC/DR team may already be in action but the general employee
population needs information. How this information is communicated and by whom should
be identified. It often makes sense to develop an information tree so that key communicators
know to whom they should go for updates and official information. For example, in a small
company, you may designate the HR manager as the person who will communicate with
employees on all BC/DR matters. The HR manager should know who to go to for information
on the status of the BC/DR activities. This might be the Facilities manager or the
BC/DR team leaders (who should be identified in the activation plans, discussed earlier in
this chapter).
Customers and Vendors
Customers and vendors typically require different types of communications but the information
is often similar. They may need to be notified of the business disruption, the basic steps
being taken to rectify the problem, the estimated time to recovery, and any work-arounds
needed in the meantime. If you are developing crisis communications plans for the first
time, be sure to read the case study that follows this chapter, entitled "Crisis
Communications 101," for more information on how to communicate in a crisis.
Shareholders
If you have shareholders of any kind (debt or equity investors, shareholders, etc.), you must
communicate the nature and extent of the disruption. In most cases, they are concerned
with the ongoing viability of the company and possibly the short-term financial impact of
the disruption on the company. Therefore, communication with this group requires that specific
issues be addressed. As you can tell, these issues are very different than, say, employee
issues, so someone well-versed in investor relations should be charged with this communication.
In most companies, this task falls to the CEO or a high-ranking corporate officer who
can specifically address the concerns of those who have a financial stake in the company.
The Community and the Public
In addition to communicating with all the other stakeholders we’ve mentioned, you also will
need to communicate with the general public. Local newspapers, TV, and radio stations will
certainly take an interest in a localized business disaster such as a fire or flood. National and
international media may also take interest if the event is unique in some way or is part of a
widespread disaster. Members of the local community may also have more than just vicarious
interest—they may need to understand the impact your business disruption may have
on them. Businesses in communities don’t exist in isolation, and what happens to one business
may have a ripple effect on other businesses even if those other businesses are not customers
or suppliers.
Communicating with the media is a tricky proposition and many executives at large
firms go through extensive media training sessions in order to learn how to deal with the
media. Although an extensive discussion of this topic is outside the scope of this book, you
will learn the basics by reading the case study that follows this chapter. Additional media
relations training resources are readily available online and there are hundreds of excellent
books on the topic as well. As the leader of the BC/DR project plan, you may or may not
be called upon to communicate with the media, but being prepared is always a good idea.
This plan should be well thought-out and you may wish to seek legal counsel with
regard to what must be disclosed, to whom, and in what time frame. As you learned in the
case study presented earlier in this book ("Legal Obligations Regarding Data Security" by
Deanna Conn), there are numerous legal requirements regarding notification and remediation
that must be met in certain circumstances. To ensure you comply with regulations and
laws in your industry, be sure to seek appropriate input from subject matter experts as you
craft your shareholder communication plan.
TIP:
Many public relations firms specialize in crisis communications. You can work
with this type of firm in advance to develop appropriate communications
plans. You can also contract with these kinds of firms to assist with communications
in the aftermath of a major event. In most cases, they can advise you
on the best course of action, potential communications pitfalls, and provide
guidance regarding certain legal issues. You may also need to get a legal
opinion in certain matters, especially if death or injury occurred on your company’s
premises or as a result of company action. The PR firm you work with
can help you understand how to communicate effectively and when to seek
additional input before, during, and after your business disruption.
EVENT LOGS, CHANGE CONTROL, AND APPENDICES
In traditional IT, event logs track a variety of system and network activities. In a broader
sense, you may choose to create a BC/DR event log for tracking various events and milestones.
For example, your decision to activate your BC/DR plan may be based on two or
three event types occurring, either simultaneously, in quick succession, or within a specified
time period. These events may trigger the activation of the BC/DR plan itself, or they may
signal the point in time when it’s appropriate to move to the next stage in your plan. Having
a chronological log of events can help clarify circumstances so appropriate decisions can be
made in a timely manner.
Event Logs
As an IT professional, you’re probably well versed in reviewing event logs as they pertain to
systems and security events. However, in BC/DR, event logs are not necessarily logged by a
computer system. In many cases, event logs are hard copies developed sequentially over time
by making notes on what happens when. Event logs help you track events, in order, over
time, and can help in identifying appropriate triggers for key activities.
Keep in mind that these logs establish who knew what and when, so they may become
legal documents at some point in the future. You have to balance the need for timely information
with the potential for litigation. As unfortunate as it may be, sometimes too much
documentation leaves the company open to lawsuits, even when the company has acted as
best it could given the circumstances. We don’t suggest you do anything illegal or unethical—
quite the opposite—but you may want to talk with your legal counsel to understand
what can and cannot become evidence in the event there is a lawsuit that stems from some
sort of business disruption. If something can become a legal document or be used as evidence
in some manner, you should be aware of that going in. Your legal counsel may have
recommendations about how to record data to minimize the possibility of litigation while
maintaining accurate, useful logs.
In the absence of specific legal advice on how to develop logs, the best general advice is
to record only the relevant information and stick to the actual facts, not conjecture. Instead
of "Barnett seemed confused by the request to review the equipment," you might simply say,
"Barnett was contacted regarding reviewing the equipment at 11 P.M., 2/22/07" or "Barnett
had numerous questions regarding the request to review equipment. Issue escalated to
Barnett’s boss, Martina." All these statements are true but the first statement contains conjecture—
was Barnett confused or did you just assume he was because of the look on his face?
If you state in your log that Barnett was confused, this might be the basis of a lawsuit
claiming that appropriate action was not taken in a timely manner. Stating only the facts
keeps everything moving forward and does not unnecessarily open the door to legal problems
down the road.
On the other side of the legal coin, there may be legal or regulatory requirements to log
certain events or make notifications within a certain timeline. Event logs can help you
operate within these legal requirements as well. If you operate under these constraints, be
sure to include these requirements in your BC/DR plan, perhaps with hard copy templates
of the event logs, so that your team knows clearly what the logging or notification requirements
are in the stressful aftermath of a business disruption.
Change Control
Change control is a necessary element in any project and BC/DR planning is no exception.
There are two types of change control you’ll need to develop. First, you need to devise a
method of updating your BC/DR plan when change occurs in the organization that
impacts your plan. Second, you need a method of monitoring changes to the BC/DR plan
to ensure they don’t inject additional uncertainty or risk into your plan. Let’s look at both of
these scenarios briefly.
As companies grow and expand, numerous changes occur to the organization’s infrastructure.
This can include departmental reorganization, the creation of new departments, the
expansion to additional facilities, and more. It also comes with changes to the IT infrastructure
including the location and duties of servers, the implementation of new applications
and technologies, and the reorganization of existing infrastructure components. All these
kinds of changes impact the existing BC/DR plan. These elements should be addressed in
the plan maintenance activities, which we’ll discuss in Chapter 9. You can’t control the
change that occurs in the organization, but you can put in place a system for assessing
change and how it impacts your BC/DR plan. In most cases, this occurs during the periodic
review of the plan and we’ll remind you of that in Chapter 9.
A subset of change control is version control. Be sure to include a process for managing
revision history for your BC/DR plan. Many people choose to simply put a small table at
the beginning of the document outlining the changes in chronological order. Table 6.1
shows an example of a revision history table that might be used in your BC/DR plan.
You can define what constitutes a major and minor revision. Typically, going from 1.0 or
1.1 to 2.0 is considered a major revision (when the number to the left of the decimal point
increases); going from 1.0 to 1.1 or 2.11 to 2.2 is considered a minor revision (when the
number(s) to the right of the decimal point increase). Clearly, the numbering scheme is not
quite as important as keeping track of revisions, unless you work in a company that has a
very formal system for revision control in place. A quick note in the Detail section can help
clue you in to the changes in the revision. Some people also like to document more extensive
information about the changes and this can be done in the beginning of the document.
For example, you could create paragraphs labeled "Changes in Revision 1.1," and note the
key changes made to the document. This helps you see at a glance how the plan has changed
without reading the entire document. There are numerous systems for managing revisions
and you should select one that is consistent with the way your company operates. Don’t
make it into a huge production or it may be circumvented, but do use some system for
tracking changes so you don’t have to compare two documents side by side to figure out
what changed between revisions.
Distribution
Although the plan is not yet complete, you should devise a strategy here for distributing
and storing the final BC/DR plan. The revision history will help you and the team with
version control, but you will still need a method of distributing the latest revision or notifying
the team that a new version exists. In some cases, the plan may be stored in a software
program that performs version control and revision notification. In that case, you’re pretty
well set other than adding team members to the notification list. If you’re not using such a
program, you can still maintain the plan on a shared, secured network location and provide
team members or team leads with access to the folder. Keep in mind that this document is
a very sensitive document and all precautions should be taken to ensure it does not fall into
the wrong hands, is not leaked to competitors or to the media, or otherwise compromised.
Use standard security and encryption where this document is concerned. Distribute the
document in soft copy via e-mail only as needed. If possible, simply e-mail a notification
that a new version is available while maintaining the document in the secure location.
Remind people that the document is sensitive and should not be copied, distributed, or
otherwise handed out. The document should only be distributed to those who have a
defined need to know.
Finally, be sure you create a process or method for printing the updated plan so you have
a hard copy version available if systems go down. The BC/DR team lead or leads should all
have a paper copy in a secure location, both on-site and off-site. When new versions are
available, old versions should be shredded or destroyed in a secure manner.
Appendices
Any information relevant to your plan that does not belong in the body of the plan should
be attached or referenced as an appendix. There are no strict rules about what should or
should not be included in the appendices, but it’s usually detail required for successful implementation
of the plan that may pertain to only one group or subset of BC/DR teams. For
example, you might include the technical specifications of mission critical servers in an
appendix. As servers are moved, updated, or decommissioned, you can easily update the
related appendix without modifying the plan itself.
Contracts with external vendors should be kept as appendix items so that they are
located in one central place for reference. Your finance and/or legal departments may want
to retain originals of these contracts, which is fine, but be sure to include copies in your
BC/DR plan. If you have to activate your plan, you don’t want to have to run around
looking for someone from finance or legal to determine how and when you can activate
your external contracts.
Templates for event logs, communications, and other predefined processes can be
included. In event log templates, be sure to include time, date, event, notification requirements,
legal or compliance issues, and other requirements so they’re easily accessible in the
event of a business disruption or disaster.
Key contact information should be included in the plan, but you may choose to include
it as an appendix, especially if it changes frequently. If you choose to do this, you should
include key contacts within the body of the plan and use the appendix for additional contact
information, as appropriate. The reason for including the key contact information within the
body of the plan is twofold. First, key contacts are integral to the successful activation and
implementation of the plan. As such, that information should be incorporated into the body
of the plan. Second, if that information changes, it should trigger a BC/DR plan revision.
Key personnel need to be trained, they need to understand their roles individually and as
part of the BC/DR team, and they need to be given the tools, resources, contacts, and information
needed to do so successfully. If a key member of the BC/DR team leaves, for any
reason, the person replacing them needs to be brought up to speed. This should trigger a
quick review of the plan. If the successor has been assigned by virtue of position (the
Facilities manager resigns and a replacement is hired), the replacement needs to be trained in
all aspects of their duties with regard to the BC/DR plan. If the successor is not assigned
and needs to be found, looking through the roles and responsibilities of this position can
help you select the right person to fill the gap.
Any other information that is related to the plan that needs to be updated, maintained,
and correlated to the BC/DR plan itself should be included as an appendix. Don’t throw
everything you can think of into an appendix and think you’re covered. More is not necessarily
better in this case, but do be sure to include key information you’d want to have quick
access to in the event of a natural disaster or other significant business disruption. To give
you a few ideas about what else might be attached to your plan in an appendix, we’ve provided
the following list. Not all of these elements are needed by every company, but you can
pick and choose based on your unique situation.
Critical work space equipment and resource information and related vendor data
Critical IT hardware, software, equipment and configuration information, and
related vendor data
Critical manufacturing, production and warehousing information and related
vendor data
Critical data and vital records information, including storage and retrieval information
Alternate IT or work site information
Crisis management center resources and information
Insurance information including all relevant policies, policy numbers, and insurance
contact information
Service level agreements (that you must provide to customers or that vendors must
provide to you)
Standards, guidelines, policies, and procedures
Contracts related to BC/DR
Forms
BC/DR Plan distribution list
Glossary
Every company and every BC/DR plan is different, so there is no hard-and-fast rule
about where information belongs, as long as critical data is included in a logical manner. If
writing a plan or organizing data is not your strong suit, be sure to recruit assistance to draft
a plan that makes sense. It should follow a logical progression and match the way your company
does business to the greatest extent possible.
Additional Resources
What other resources do you need to successfully implement and maintain your plan? In the
next chapter, we’ll discuss emergency and business recovery plans, so some of this may come
up in that context. However, if there are communication tools, equipment, or resources you
think of as you develop your plan, they should be noted in a section called Additional
Resources (or other similar heading) and they should be added to your WBS to ensure
someone takes ownership of gathering these needed resources.
WHAT'S NEXT
When you complete the work in this chapter, you should have a fairly robust BC/DR plan
in the works. It will have gaps related to specific emergency and disaster recovery efforts (see
Chapter 7), and in training, testing, auditing, and maintaining the plan (see Chapters 8 and
9), but other than that it should be well on its way to completion. If not, step back and
review your data, your plan, and your company to determine what is missing and how you
can address those gaps.
SUMMARY
Putting your business continuity and disaster recovery plan together requires pulling together
the data previously developed and adding a bit more detail. Understanding the phases of the
BC/DR plan helps you develop strategies for managing activities if you have to implement
your plan. The typical phases are activation, disaster recovery, business continuity, and
resumption of normal activities. The plan must also be tested and maintained, regardless of
whether it’s ever implemented.
Potential disruptions need to be categorized and we discussed three levels: major, intermediate,
and minor. By clearly defining these for your organization, you can ensure you
understand what recovery steps should be implemented. This will define how and when you
activate your BC/DR plan. After the plan is activated, a trigger should define when disaster
recovery tasks begin. These recovery tasks should be well defined in your BC/DR plan and
we’ll cover these in detail in the next chapter. The transition from disaster recovery to business
continuity should also be well defined so that you can begin to resume business activities,
though things will not be back to business as usual at this juncture. This is also discussed
in detail in the next chapter.
Developing your BC/DR teams is a vital part of your planning. There are numerous
roles and responsibilities in each phase of your BC/DR work and defining these and populating
your teams in advance is crucial to your success if the plan is ever activated. In addition,
these teams will need to be trained in implementing the BC/DR activities. Training is
discussed in detail in Chapter 8.
After you’ve created your teams, you can further develop your planning tasks and assign
resources, timelines, and budgets. You can identify task dependencies, develop milestones, and
create completion criteria for key tasks. Since each company’s set of tasks will vary widely,
we presented only a sampling of high-level tasks related to acquiring an alternate computing
site and contracting with vendors.
Communications plans are part of the BC/DR process because if a business disruption
occurs, many different groups of people will need status updates and information. This
includes employees, management, shareholders, vendors, customers, and the community,
among others. You’ll need to decide who needs to know what and when they’ll need to
know it. Then, you’ll need to develop distribution methods appropriate to those groups (and
to the circumstances of the disruption).
Event logs can help you manage the business disruption from start to finish, but
remember that these may become legal documents later on. You may wish to consult with
your legal counsel regarding what should and should not be included in the event logs. For
example, it’s generally considered fine to include facts but not conjecture or opinion.
Sticking to the facts helps keep the log clear and concise and can avoid misinterpretation of
data. In addition, there may be legal or regulatory requirements for event logging or notification,
so be sure to include this in your process and make a note of it in any log files you
develop (whether soft or hard copy).
Keeping track of document revisions is a bit of a "housekeeping" task but an important
one when it comes to your BC/DR plan. Use a simple, concise method of ensuring that the
plan is updated and that everyone has the latest plan. Develop a method for distribution and
storage of the plan so that it’s accessible to key personnel in the event of a disruption.
Finally, include additional data such as technical requirements, service level agreements, and
vendor contracts as appendices to the main BC/DR plan. Keeping all relevant data with the
plan can make plan implementation and maintenance much easier.
SOLUTIONS FAST TRACK
Phases of Business Continuity and Disaster Recovery
The various phases of the BC/DR cycle include activation, disaster recovery,
business continuity, maintenance/review. Plan maintenance and review occurs
periodically, regardless of whether or not the plan has ever been activated.
The activation phase occurs when a disaster or business disruption occurs and it is
determined that the plan should be implemented. Clear directives on how and
when to activate the plan should be included.
The disaster recovery phase includes the tasks that must be undertaken to stop the
impact of the event and to begin recovery efforts. This includes damage assessment,
risk assessment, salvage operations, as well as the evaluation of appropriate
alternatives and solutions.
The business continuity phase entails the activities required to restore the company
to business operations. This assumes disaster recovery has been completed and that
the business is up and running in a limited mode. This is not yet business as usual,
and may involve the use of temporary solutions and work-arounds.
Maintenance and review are similar phases. Maintenance requires a review of the
plan from time to time to ensure everything is still current and that changes to the
company or its infrastructure are reflected in the plan.
Review occurs after the plan has been activated and implemented. Gathering
lessons learned and updating the plan with new information gleaned from the
experience helps the organization avoid making the same mistake twice and helps
the organization learn from the experience.
Defining BC/DR Teams and Key Personnel
You should have already identified key personnel, positions, skills, and expertise
needed for your BC/DR activities. In this phase, you should form your BC/DR
teams based on those stated needs.
There are many different types of teams you may need. In smaller companies,
people may take on multiple roles. Be sure teams are large enough to accommodate
the potential that one or more team members may be unavailable during or after a
disaster (for a variety of reasons).
Key personnel should also be identified at this time. This may include certain
members of the executive or management team, people or vendors with specific
skills needed, and the like.
Defining Tasks, Assigning Resources
Tasks, owners, timelines, budgets, dependencies, and completion criteria are among
the details that should be developed for BC/DR plan activities. Additional detail
and checklists are provided in Chapter 7.
All the tasks needed to activate, implement, manage, and monitor the BC/DR plan
in action should be defined. You can create project plans for each subsection of
work or develop detailed checklists.
Be sure to note key internal and external dependencies for tasks. Milestones should
be added to your project plan or as items on a checklist.
Maximum downtime and other time-based objectives should be noted and
addressed within the project plan or checklist.
Contracts for alternate sites, equipment, and other products/services should be
defined in the BC/DR plan as well. The finalized contracts can be added as
appendices to the final BC/DR document. Include service level agreements, where
applicable.
Address MTD and other constraints along with legal or regulatory requirements
that must be met in the aftermath of a disruption to ensure continued compliance.
Communications Plans
There are many different kinds of communications needs during and after a major
event, disruption, or disaster. You should develop plans for communicating with
various stakeholders in these cases.
Management and employees require communication regarding the current status of
the business, where/when/how to report to work, who to contact for information,
and so on. This often is handled by the HR team, who can be tasked with
managing the employee communication plan.
External communications are needed to contact key customers, vendors, suppliers,
and contractors to notify them of the event and the company’s next steps.
Communications with local, national, and international media may be required. In
these cases, it’s best to have someone from the company who is trained in media
relations handle these communications. PR firms often offer plan development,
training, and guidance in the aftermath of an event.
In some cases, the information communicated can become the basis of legal action
in the future. Therefore, you should consult with your company’s legal counsel or
an expert in media relations to determine how, what, when, and where information
should be communicated. This should be done before any emergency
communication is needed.
Event Logs, Change Control
Event logs, like emergency communication, can become the basis of legal action, so
be sure to understand the requirements and constraints various kinds of emergency
reporting may have on your company.
Event logs help you keep track of what’s going on, what’s been done, and what
needs to be done next. Keeping detailed logs in real time helps keep track of details
that might later be lost.
Your company may be required to meet certain legal or regulatory reporting
requirements. Event logs can be helpful in ensuring you meet those requirements.
Consult with legal counsel if necessary and include these requirements in soft or
hard copies of your logs.
Changes to the BC/DR plan should be tracked and noted so that team members
can easily determine if they have the latest revision of the document as well as the
general nature of those revisions. Be sure to develop a distribution system that
notifies team members of new revisions, provides a method for accessing new
documents, and reminds teams to print and store the documents in locations
accessible both on- and off-site.
BC/DR plans should be treated as confidential documents. They should be
handled and stored in a secure manner and old copies should be destroyed
appropriately.
Appendices
Information that should not be included in the body of the plan but that is
nonetheless vital to the plan should be included at the end as an appendix.
Appendix data can include event log or other document templates, vendor
contracts, technical specifications, service level agreements, customer contacts, or
any other relevant data that would be useful to have along with the BC/DR plan
if/when it’s activated.
FREQUENTLY ASKED QUESTIONS
The following Frequently Asked Questions, answered by the authors of this book, are
designed to both measure your understanding of the concepts presented in
this chapter and to assist you with real-life implementation of these concepts. To have
your questions about this chapter answered by the author, browse to
www.syngress.com/solutions and click on the "Ask the Author" form.
Q: Our IT department consists of three people and our company has one location with 50
employees. It seems all the information in this chapter is a bit of overkill. Any comments
on that perspective?
A: Yes. There is a lot of information in this chapter and some of it may not apply to all
companies, including small companies like yours. However, it’s important that you
review and consider all this information so that you can develop a comprehensive plan
appropriate to your organization. When it’s all said and done, you may not include the
bulk of what’s included here, but you will most likely feel confident you’re not missing
something major. Because each company is unique, there really is no one-size-fits-all
solution. Instead, we have to raise as many potential points as we can and allow you to
incorporate or exclude that data as you see fit. If you’re in a small company, your plan
may be very short. It might include plans for storing your backups off site, plans for
buying or renting new computers after a disaster, and a contact list—if that’s what you
and your company feel is important. At the end of your planning process, you should
have a plan that you’re comfortable with—a plan that will enable you to recover from a
minor or major business disruption in the time and at the cost you’ve designated.
Q: Our planning process has gotten bogged down in this very step. We managed to perform
the various analyses, but now no one seems to have the time or energy to actually
develop the plan—to actually define what we’ll do, step by step. Any suggestions for how
to move forward?
A: It can be difficult to maintain momentum, especially when the analysis activities take a
fair amount of time and effort. Teams can lose participants or simply lose focus and
motivation. As the team leader for the project, you have several options. First, you should
understand the current environment in your company. Are there competing pressures for
time and resources? Are these impacting your project? If so, it might be time to check in
with your project sponsor and get his or her assistance in reigniting the interest in this
project. Second, you should look at the project as a whole. In some cases, the project
begins looking so large and overwhelming at this juncture that people just sort of melt
down. If this appears to be the case, you can find ways to break these steps down into
smaller chunks of work so that people can see progress. For example, you can develop
plans for what you would do in light of a minor disaster or event. This is usually a manageable
task to consider and can provide a sense of accomplishment to the team.
Once these steps or procedures are defined, you can move on to intermediate and
then major events. Building upon prior work can help teams feel they are making
progress and make each subsequent task seem a bit less daunting. You can also spend
time breaking the project down into smaller subprojects. For example, have the IT team
work on their response to minor, intermediate, and major events. Have the communications
team and the other subteams do the same. Then, you can convene meetings to have
these teams sync up or coordinate their plans. You may have other tried-and-true
methods you use to get a stalled project back on track, but understanding the underlying
cause is the first step. In the case of BC/DR planning, the usual suspects are lack of continued
corporate commitment or focus and the sense of unending, daunting or overwhelming
work for the team. Addressing these underlying causes often gets the project
moving forward again.
Q: Someone in the job before me created a BC/DR plan but it doesn’t track at all with
what you’ve presented so far. I’m not sure the best course of action at this point. Any
suggestions?
A: Yes. The key is to ensure that the needed data is included in the plan. In reading through
your old plan, even if it doesn’t track at all with the way we’ve presented the material, you
should be able to get a sense of whether or not the plan contains the necessary data. In
essence, ask yourself whether, if you had to use this plan, you would know how to recover from a
major disaster. If the answer is no or maybe, then you don’t have all the information you
need and the plan is incomplete. You can decide to scrap it and start from scratch or you
can try to fill in the holes while updating it with the most current information. Sometimes
it’s easier to start from scratch but you can make this determination. A detailed review of
the plan to be sure it contains the necessary elements and the most current information
will probably suffice. There is no single "right" way to develop your plan. The bottom line
is this: Will your plan provide you enough guidance during the stressful aftermath of an
emergency, disaster, or disruption to get the business up and running again? If the answer is
yes, you’re in good shape. If the answer is no, you need to perform a gap analysis on your
plan and find out what’s missing and how to address those gaps.
CASE STUDY 3: CRISIS COMMUNICATIONS 101
Contributor Profile
Patty Hoenig, Marketing,
Media, and Public Relations Specialist
Patty Hoenig has extensive experience in marketing, media, and public
relations. She has held various positions in these fields throughout her
career and has developed a number of crisis communications plans. Her
experience working with small and large companies, including those in
heavily regulated industries such as banking and finance, enables Ms.
Hoenig to provide practical and actionable advice to her clients.
Ms. Hoenig holds a Master in Business Administration (MBA)
degree from the University of Phoenix and a Bachelor of Art (BA) in
Journalism degree from the University of Arizona.
Background
Waiting until a crisis strikes to develop your communication plan can only spell disaster,
even for the smallest company. A good, effective plan for crisis communication cannot be
created quickly in those first few hours following an accident or mishap or mistake. The
stress of the situation causes people to respond differently and having a plan already in place
for crisis management and communication will facilitate effective communication to all parties
concerned.
Though it is a crucial part of a business continuity and disaster recovery plan, a crisis
communication plan is an important part of business communications planning in general.
Crisis communication is a formalized plan that ideally should be in place before you open
your doors, created in tandem with the business plan. It evolves as the business evolves, it
changes as the company players change, and most important, a crisis communication plan is
practiced on a regular basis, just like a fire drill. This may surprise you and unfortunately,
many (or most) companies do not do this. However, if you wait until you have a disaster to
try out your crisis communication skills, you almost certainly will stumble or fall.
One of the most severe long-term impacts of a disaster is the loss of confidence by
employees and their families, investors, customers, suppliers, regulators, and the community at
large. In many cases, poor handling of the crisis communication piece results in an exacerbation
of the existing problems and leads to further decline in sales and customer confidence.
Hiding behind closed doors in the face of a crisis used to be the standard management technique,
but with the 24-hour news cycle and the rise of the Internet as a news source, companies
can ill afford to simply allow information to "manage itself." Saying nothing also
allows others to fill in the blanks. Rumors, innuendoes, and outright lies about the company,
the situation, the cause, the impact, and all other details need to be managed and controlled
by the company, not the public at large.
Three Simple Rules for Crisis Communication
There are a lot of things your crisis communication plan should cover, but let’s give you the
bottom line first. There are three simple rules to effective crisis communication, which, if
followed, should yield the best result possible within the constraints of the facts and circumstances.
That means that if the company made a serious mistake, these three rules won’t
change that, but they will help to mitigate some of the damage.
1. Always tell the truth.
2. Appoint a single spokesperson to be the face and voice of the company with the
media.
3. Provide information that addresses who, when, what, where, why, and how.
It’s that simple. Now, let’s talk about some of the implementation considerations of these
three rules.
Rule #1: Always Tell the Truth
Lying almost always comes back to bite you, and in the case of crisis communications, it is a
virtual certainty. You might say that even in this litigious society, the truth is your best
option; but it’s actually more accurate to say that because of this litigious society, the truth is
your best option. Although it might feel like you’re providing fuel to the litigation fire when
providing a truthful accounting of events, circumstances, and actions, especially if you or
your company is at fault, you’re actually providing information about what occurred. This
will likely come out one way or another. If your company made a massive or minor error
that led to the event, the truth will eventually come out. Someone, somewhere will know
the truth and before you know it, it shows up on blog after blog and suddenly it’s on the
24-hour news channel. So, stick with the truth.
There are numerous case studies demonstrating the power of the truth. When companies
own up to mistakes they’ve made and take action to prevent these mistakes from being
repeated, they invariably come out on top. It can be a long, painful journey, but the organization
is stronger as a result. The truth, as difficult as it may be, is always the best option
when dealing with a crisis of any kind.
However, telling the truth doesn’t mean spilling your guts and disclosing every last detail
you know. Although you should stick with the truth, short simple communications are better
than long, all-too-revealing communications. Also, when assessing Rule #2, keep in mind
that some people tend to talk more when they’re nervous. These people need to be thoroughly
trained to keep their cool and practice the "less is more" philosophy of communication
or they need to be in the background and not appointed as your corporate
spokesperson.
TIP:
There’s a saying I like to share with my clients and it’s this: "You don’t need a
good memory if you always tell the truth." Whether you remember the small
details of an event or not, you will remember the highlights (or in most
cases, the lowlights). If you’re busy trying to cover up the truth, you’ll have
less time to actually deal with the situation. If you don’t like the truth, you
need to change the situation, not the story you tell about it.
Rule #2: Appoint a Single Spokesperson
The single spokesperson should be someone well-trained in public and media relations and
specifically, in crisis communications. This person provides a single point of contact and a
consistent message to all communication channels. Although you may have multiple communications
teams working internally to address various needs such as employee or customer
communications, you should have one and only one official corporate spokesperson
during a crisis.
If the situation escalates, it’s possible that your spokesperson will have to defer to the
CEO or top executive at the firm. Sometimes the media wants information directly from
the person charged with overseeing the company and no one else will do. However, in all
other instances, assign one and only one person to talk with the media and to represent the
company for the duration of the crisis.
TIP:
Not everyone is suited to being a spokesperson. The person that represents
the company has to stay calm under pressure and respond in a thoughtful
but concise way. You do not want someone standing before the microphones
airing the company’s "dirty laundry"; you do want someone who understands
how much to share of the truth and how to present it. Certain words
are emotionally charged and will do nothing but inflame a bad situation.
Using a different word can convey the same meaning but without the emotional
impact. "Casualties" is less distressing than "dead bodies" for example.
Both are correct and true, but the first is more emotionally neutral. These are
the kinds of nuances your spokesperson should understand and be able to
employ naturally.
Rule #3: Provide Formatted Information
If you’ve ever taken a Journalism 101 class, you know that the basic information every
reporter needs to convey is who, when, what, where, why, and how. Who was involved,
when did it happen, what happened, where did it happen, why did it happen, and how did
it happen? If you fashion your communications to address these basic needs, you’ll help the
media do their job quickly and efficiently. Also, as you attempt to craft answers to these basic
questions you know reporters will ask, you can spot potential pitfalls and find ways to carefully
craft your answer. We all know there is a difference between speaking truthfully and
fanning the smoldering flames. For example, certain words evoke certain images and emotions.
Avoiding loaded words during a crisis can help deescalate the issue instead of fueling
it. If you think about how to convey the information in a factual manner that helps quell
fear and chaos, you’re doing your company, its employees, and the general public a service.
Think of the difference between "There were numerous casualties, we don’t have an exact
count or any other details at this time." and "It was a blood bath, there were bodies everywhere
and we’re still trying to pull dead bodies out of the rubble." Both statements may be
true, but the second statement takes the emotion and drama up a notch.
Your crisis communications plan and training should include language that can be used
to help neutralize the crisis by providing factual data without editorials, emotions, and other
extraneous data. Also, before releasing specific data, ensure that it is legal, ethical, and appropriate.
For instance, you should not release names of casualties or victims until families have
been notified. You should not release information about the potential cause (how, why) of
the event until it’s been cleared with executives, investors, finance, or legal representatives.
Providing templates with guidelines for crisis communication along with training and practice
can help ensure crisis communications that meet everyone’s needs without unnecessarily
escalating the problem.
Directional Communications
Your crisis communications need to go in all directions almost simultaneously. You need to
communicate out to the community, the media, and the public. You also need to communicate
up the chain of command so corporate executives can be kept informed about the
progress of events. You need to communicate laterally to others within the firm, including
other communications teams and other BC/DR functional teams.
Also keep in mind that part of your training for crisis communications includes educating
executives and employees about corporate policies related to public communication.
Essentially, everyone needs to buy into the single spokesperson model. You want to avoid
having random employees speaking to the media out of turn, providing inappropriate or
incorrect information. Set clear guidelines about these kinds of situations so everyone is clear
how it should work. Of course, you probably can’t avoid having an employee go home and
post something on a blog, but you can help educate employees as to why they should adhere
to these kinds of policies. Providing information about how this policy helps employees (the
what’s in it for me method) can help avert some of these errant communications that can confuse
or contradict ongoing efforts.
Practicing Your Plan
Practicing a plan allows people within the company to understand their role and what they
must do as part of the team. When people understand what is expected of them, what their
roles, responsibilities, and restrictions are, they are empowered and the tendency toward fear
and panic in the aftermath of an emergency can be reduced. If a crisis occurs, company
spokespeople can be (and should be) totally in control of the message. The person talking to
the press is calm, cool, and in charge because he or she has practiced this many times. He or
she will have the answers and information necessary at their fingertips and will know how
to answer difficult questions with composure.
The people who have to act behind the scenes can reassure employees and keep any
anxiety at bay immediately because they, too, have practiced these skills through repetition
and drills. They, too, will be able to answer the employees’ questions quickly and easily
because they will have the written plan at their disposal. They’ll understand how, when, and
where to communicate key information and will avoid making serious gaffes that could have
serious repercussions for employees, the company, its executives, and the community.
A well thought-out and practiced plan for crisis communication can be a corporation’s
strongest tool. It allows the crisis management team to gain quick and effective control over
chaos that typically ensues from a disaster or serious business disruption. An effective plan
defines who to speak to, what to say (or not to say), and how best to say it.