Section | Description | When to include |
--- | --- | --- |
Quick Contact | Half-page identifying the specific people to contact (by phone or instant message) for emergency-related questions | Only when sharing internally |
Other Contacts | Half-page identifying other contacts, such as fire, ambulance, rescue, police, police non-emergency, Department of Homeland Security (in the U.S.), poison control, the FBI, and related critical contacts | Always |
System/Business Description | Summary section covering the overall plan, surfacing critical metrics (e.g., recovery time objective (RTO), recovery point objective (RPO), service-level agreements (SLAs)) and describing what is being recovered | Always |
Inventory | Detailed list of system components with discussions of how they connect and who is responsible for what | Only when sharing internally |
Physical Overview | Descriptions of offices, data centers, call centers and other facilities, with short summaries of the security controls in place and a discussion of how each location/control combination is to operate during recovery/continuity operations | Only if the business has a high reliance on physical presence; not needed in “work from anywhere” setups |
Remote Connectivity | Descriptions of how remote connectivity works during normal operations and how it is expected to work during recovery/continuity operations. Care should be taken as to whether remote connectivity connects users to a “place” (high reliance on physical location) or to a “system” (work from anywhere). | Always |
Recovery Design | Discussion of whether the recovery uses a hot/hot, hot/warm or hot/cold design (cloud-based businesses may not fit this model, but it still needs to be discussed) | Always |
Data Flow | Description of how data moves through the system and how that data flow is expected to change/continue during recovery/continuity | Only for internal use and/or assurance; never share externally without a non-disclosure agreement (NDA) |
Assumptions | Detailed list of the assumptions made during the creation of the plan, so that the plan’s applicability under specific circumstances can be assessed rapidly | Only when sharing internally |
Outage Types | Listing of outage types, ranked from least to most severe, including critical metrics such as anticipated recovery time (ART), recovery time objective (RTO) and recovery point objective (RPO). Even if the “classic” outage types are unlikely to cause damage – such as short-term power outages when on-site UPS provides 12 hours of power – they should be discussed here because this is where people will look for assurance. | Always, but include ART only for internal audiences (never for external audiences) |
Recovery Priorities | Multiple sections detailing which systems are to be recovered in which order. Consider technical dependencies as well as recovery of systems/processes that will “buy time” during the recovery, allowing other business groups to be effective. | Only when driving internal work; exclude when sharing externally or for assurance purposes |
Personnel Recovery | Discussion of which teams are expected to take on specific roles during the recovery/continuity operations | Always |
Personnel Reassignment | Discussion of which roles otherwise non-essential teams are to take on during recovery. For example, it is wise to repurpose a sales team as a customer assurance team: it has no direct recovery/continuity role, and customer inquiries are likely to increase during such operations. | Only when sharing internally to guide internal practices |
Connectivity | Discussion of all the types of connectivity the organization requires and any methods of redundancy, as well as how workers are to access systems and communicate with one another while connectivity is problematic | Only if the system/environment is complex and guidance is needed (e.g., exclude if a cloud provider handles connectivity redundancy) |
Contact Responsibilities | Detailed list of which internal roles are expected to contact which external parties, such as designating a specific executive for public relations and another for operational oversight, or delegating communications with insurers to the finance or risk departments. | Only when sharing internally |
Partners | List of business-critical partners, a description of what each does, their contact information, and a discussion of how each partner fits into the recovery/continuity operations as well as what recovery/continuity operations exist for the partner itself. | Only when sharing internally |
Disaster Declaration | Description of who is empowered to declare a disaster, who is to declare a disaster in their absence, and what processes are to be followed when deciding that a disaster must be declared. | Always |
Activation Process | Detailed procedure for activating the plan, identifying which roles perform which actions when, where the checkpoints are, and what steps are to be taken should a primary path fail. This process requires considerable thought because some triggering events (i.e., disasters) can make personnel unavailable. Process and personnel redundancy are essential. | Always |
Plan Activation Checklist | Pairs with the Activation Process, ensuring that all dependencies are met during activation. | Only when sharing internally |
Pandemic Discussion | Discussion of how the business is expected to operate during a pandemic. Traditionally not emphasized, pandemic planning has grown in prominence in the last year. While most disaster declaration processes tend to skip human resources (HR), it is wise to give the director of HR the power to declare pandemic continuity operations, with board-level overrides. | Always |
Preparedness | Discussion of “classic” disaster types and the type of preparedness in place to reduce the overall risk of such events. Even if the “classic” disaster types are unlikely to cause damage – such as tornadoes for an underground bunker – they should be discussed here because this is where people will look for assurance. | Always |
Finance Issues | Discussion of how the business expects to continue paying personnel as well as paying for non-standard expenses while in recovery/continuity operations. | Only when sharing internally |
Recovery Administrative Support | Discussion of how record-keeping, status meetings, communications and other critical “invisible labor” elements of the business will continue to function during recovery/continuity operations. | These are potentially political issues. It is important to plan for this work, but in practice, if this section is omitted, specific individuals will likely step forward to ensure these actions are taken. Recognizing this fact can cause political blow-back, but not recognizing it can cause put-upon workers to leave the organization after recovery is complete. |
Recovery HR Support | Discussion of how employee issues are to be addressed during recovery/continuity operations, including but not limited to injuries and sickness*, family concerns, and travel (personal/work balance). *Disasters can involve circumstances that make illnesses and injuries more likely than normal. | |
Testing | Detailed section discussing how often disaster recovery/business continuity tests are to be run, how they are to be run, and who is responsible for ensuring they are run properly. In complex environments, this section can define how often “full” tests are run versus “bubble” tests. | Always, but reduce to a summary for external use |
Test Results | List of previous tests, their results compared to RTO/RPO, and explanations for any deviations. | Always |
Call Scripts | Pre-defined scripts to use when communicating recovery/continuity transitions to customers, clients, partners, workers, the press, government officials, etc. | Only when sharing internally |
Impact Analysis/Lessons Learned | Discussion of what was learned from the previous execution of this plan, either live or through a tabletop exercise | Always |

Source: IANS, 2021