Business Continuity Planning
How To Stay In Business DURING A Disaster
Not BEFORE a Disaster. Not AFTER a Disaster.
DURING a Disaster.
Many people confuse Business Continuity and Disaster Recovery as the same thing, but they truly are two distinct plans.
Business Continuity – What systems and services are necessary to continue operations DURING a disaster.
Disaster Recovery – What companies need to do in order to return to pre-disaster operations.
Business Continuity
Business Continuity refers to maintaining business functions or quickly resuming them in the event of a major disruption. Business continuity is not how your business will recover from the aftermath of a disaster. While also important, those steps are typically defined in a Disaster Recovery Plan. Business Continuity and more specifically a Business Continuity Plan, is a set of instructions on how your company will stay in business during a disaster.
A quick and dirty Business Continuity Plan example would be:
Company staff will bring their laptops to my house during the hurricane and work out of my garage until the staff can safely return to normal business operations.
Now generally speaking, many businesses instinctively know what disasters they may face and loosely prepare themselves for those events. Most businesses along the Gulf Coast, for example, prepare for the annual Hurricane Season. They know there will be flooding, power outages, employees who will not be able to come in…etc. They generally prepare for a few days of downtime, followed by a near immediate ramp up in operations. Unfortunately, that is not how things typically work out. 3 days of expected downtime can become 3 months. Key employees, may not be able to resume normal business simply because their support network, is unable to resume normal business. Schools and childcare facilities may not be open. They may be stuck in a different city due to mandatory evacuation or the destruction of a home. And there are countless other variables that inhibit a company from “returning to normal.”
Creating a formal Business Continuity Plan, provides the business with an opportunity to identify their areas of weakness. It gives the employees of the company clear instructions on how the business will continue to survive during the disaster and, more importantly, demonstrate to the employees a plan to overcome the most difficult of challenges.
Creating a Business Continuity Plan sounds like a lot of work and you may be asking yourself right about now, if this is something you can create in-house.
Of course you can and TenacIT will help.
There are many examples of a Business Continuity Plan available on the internet. Templates from the Department of Homeland Security, Ready.gov, and FEMA can be downloaded and modified or you can use ones published by other companies as a template for creating your own. Click on the links or entity icons below to go strait to their templates. TenacIT has also provided our instructions for creating a Business Continuity Plan below.
TenacIT Business Continuity Template
To develop a Business Continuity Plan, start with these six general steps:
- Identify the scope of the plan.
- Identify key business areas.
- Identify critical functions.
- Identify dependencies between various business areas and functions.
- Determine acceptable downtime for each critical function.
- Create a plan to maintain operations.
Remember that key factors in the Disaster Recovery Plan may be part of the Business Continuity Plan, so developing a DR plan, assuming you don’t already have one, should be part of your process. Oh, and don’t forget to schedule regularly testing of you DR and BC plans. They will need to be updated with any new or modified assets, suppliers/vendors, critical staff, critical documents etc.
Again, it sounds like a lot, we know. And right about now you are wondering why we are giving you everything you need to create your own Business Continuity Plan for FREE. First, even if you don’t need our services, TenacIT thinks it is important that EVERY business is prepared for the worst case scenario. Second, we do this for a living and know that about hour 20 into your Business Continuity Plan, you are going to do the cost benefit analysis on whether or not you should have hired TenacIT. The answer…probably. But we know after you are done with your company’s Business Continuity Plan, you will wish you had hired TenacIT. Most of our Business Continuity Plans take 320 hours or more stretched over about 4 months time.
If you are doing the math in your head right now and decide that you would like to speak with one of our Prepper Nerds please do not hesitate to call. We will happily advise, guide and review your Business Continuity Plan all for FREE. If you are doing the math in your head and want to take a shot at building your own plan…keep reading. We have provided you with everything you need to get started below.
It should be noted that any Business Continuity Plan should be made available NO MATTER WHERE YOU ARE!!! It doesn’t do you any good to put this on the shelf in your office, only to have it burn down with the rest of your business in a fire. Multiple living copies should be put in locations so that you or your staff can gain access to them DURING a disaster.
Table of Contents
Purpose
Disasters rarely give advance notice. Disasters rarely go according to plan and they are often worse than expected. A business should hope for the best, but plan for the worst. The purpose of a the Business Continuity Plan is a worst case scenario plan. It is used to assess your business processes, determining which areas are vulnerable, and what the potential losses are if those processes go down for a day, a few days, a week or permanently. Business continuity refers to the maintaining of business functions or quickly resuming them in the event of a major disruption, whether caused by a fire, flood or malicious attack by cyber-criminals. A business continuity plan outlines procedures and instructions an organization must follow in the face of such disasters; it covers business processes, assets, human resources, business partners and more. To give your organization the best shot at success during a disaster, this tested plan must be placed in the hands of all personnel responsible for carrying out any part of it.
Inventory of Business Continuity Plans
As alluded to before, this plan is actually useless if it is destroyed during a disaster. Providing updated copies to individuals who have a part to play in the continuation of business is KEY to making this a functional document, not just a shelf warmer. That said, a log of who has access to this document and where additional copies are stored is important.
A name, address, location and ideally what format they have is important.
| Name | Title | Location and Format | Address | Signature of Receipt |
| James Minion | Procurement Manager | Digital Copy stored on Secure Thumb Drive in safe at Home | 1334 Tobacco Road Spring, Texas 77045 | |
| Sally Minion | General Counsel | Physical Copy on Shelf in Corporate Office | 123 TKE Drive Houston, Texas 70433 | |
| Albert Employee | CFO | Digital Copy stored on Secure Thumb Drive in safe at Home | 1223 Whiskey Drive Houston, Texas 77005 | |
| Karen Staff | HR Manager | Utilizes version available on One Drive | 123 TKE Drive Houston, Texas 70433 | |
| Darla Example | IT Manager | Maintains copy on One Drive with a backup, offline copy, stored in company data center. | Data Center 7777 Data Drive Houston, Texas 77043 | |
| George Template | Public Relations Manager | Stores Physical copy at Home along with press release and media templates. | 3210 News Real Drive Katy, Texas 77018 | |
| April M. June | CEO | Physical Copy on Shelf in Corporate Office | 123 TKE Drive Houston, Texas 70433 |
Disaster Matrix
A business continuity plan should list out potential disaster scenarios (regardless of likelihood) and their impact on the business. A Comprehensive "Disaster Matrix", as seen below, is an opportune way of visualizing each disaster type while simultaneously scoring it in an objective way. It incorporates a Risk Matrix rating system whereby Probablility and Consequence are combined with Current Preparedness Levels which help determine Impact on the business.
All of the Impact Scores are based the sumerization of severities and their perspective Risk Matrices as seen in the Appendix below, along with the "grade" letter corresponding to the Current Level of Preparedness. Note that the Current Level of Preparedness does not always determine a nessesity to prepare. If a listed disaster is possible, albeit ununlikely, a business may elect to list it in the Disaster Matrix without any real need to prepare for it. "Flooding in Kansas" is a good example pf this. If a business located in Texas has a supplier located in Kansas, there may be a potential impact on the businesses' supply chain and therefor may need some consideration. If there is a secondary supplier outside of Kansas, then there really is nothing to be conserned about and nothing to prepapre for.
| Impact Score | Disaster | Severity | ||||
| Probablility | Consequence | Time To Recovery | Financial Impact | Current Preparedness Level | ||
| 16A | Hurricane Landfall in Texas | 5 | 5 | 3 | 3 | A |
| 15A | Cyber-Security Breach | 4 | 5 | 3 | 3 | A |
| 10C | Earthquake in Texas | 1 | 5 | 2 | 2 | C |
| 5F | Flooding in Kansas | 2 | 1 | 1 | 1 | F |
Critical Business Functions
Critical business function analysis is usually self evident…at first. Once you begin an in-depth analysis many find that there are several key, albeit less obvious, functions that were overlooked. Creating a detailed list of critical business functions is the beginning phase of any Business Continuity Plan. Each department should be interviewed in detail to discuss the systems and processes they use and determine which functions are required to conduct business. This list should only include the functions that CRITICAL to the business. The list of critical functions should:
- Account for alternate options
- Detail acceptable downtime or lack there of
- List all staff qualified to perform the function
- List all locations where the function is performed
- Detail tasks necessary to perform critical functions
Identification of critical functions will reveal what processes are critical to maintaining and running a business in the event of an unplanned disruption. You want to identify your business critical priorities and focus recovery efforts there first. These include but are not limited to:
- Payroll and time tracking
- Revenue operations
- Physical security
- Information security
- Core business functions
- Data protection after recovery
- Identity & access management
Critical Staff
Much like the Critical Business Functions List, the Critical Staff List should be a detailed list of employees that perform critical functions for your business. If you have only one IT guy, that person should be on the list. If you have only one person with control over authorizing payments to vendors, that person should be on the list. Primary contact information, alternate contact information and emergency contacts should be listed in order to ensure all critical employees can be tracked down. Every critical employee should also document what they do in detail as a “In Case I Get Hit By A Bus” document and list whom they feel can best step into their shoes as an interim representative.
Critical Documents
Corporate formation documents, legal documents, bank records, physical check books, and other documents deemed necessary for the continuity of the business are typically stuffed into the drawer of the CEO or the company’s General Counsel. But what happens if there is a fire? How will backup documents be validated, recovered, utilized during the disaster? While less critical than ensuring the company is still up and running, critical documents may cause unnecessary issues for a business especially if that company is undergoing legal proceedings or in the middle of an acquisition/divestment.
Critical Infrastructure Inventory
| Inventory Location: | Houston Field Office | ||||||||
| Asset ID | Item Name | Description | Supplier Details | Unit Price | Lead Time | Alternate Supplier | Alternate Product | Alternate Product Price | Alternate Supplier Lead Time |
| HOUDC01 | Domain Controller 01 | Primary Domain Controller in Houston | Dell 5405 S Rice Ave Houston, TX 77081 (713) 860-9242 | $10,235.25 | 2 Weeks | None | HP Server | $13,698.56 | 2 Weeks |
| HOUDC02 | Domain Controller 02 | Secondary Domain Controller in Houston | Dell 5405 S Rice Ave Houston, TX 77081 (713) 860-9242 | $10,235.25 | 2 Weeks | None | HP Server | $13,698.56 | 2 Weeks |
Supply Chain Management
Every point in your supply chain represents a vulnerability to disaster, labor relations issues, product supply, and a multitude of other potential disruptions. Your business continuity plan should provide contingencies for the continuation of product distribution in the event of a disruption in the standard supply chain and you should start discussion with your supply chain vendors as to what their business continuity plans are. We have found that it doesn’t matter how good your direct suppliers are at providing goods and service to your business. If they experience a disaster, you may experience it right along with them.
Critical Service Providers
Much like building a Critical Staff or Critical Supplies list, you should also create and maintain a Critical Service Providers and Critical Suppliers lists.
Critical Suppliers
Much like building a Critical Staff or Critical Supplies list, you should also create and maintain a Critical Service Providers and Critical Suppliers lists.
Critical Supplier Business Continuity Plans
Many companies will be reluctant to provide you with a copy of their Business Continuity Plan, as it typically is not well prepared or they simply don’t have one. Others will be reluctant because it contains sensitive information about employees or about their suppliers and vendors. But some will have a stripped down copy available for their clients just so they are comfortable with the general process they will strive to achieve. When possible, a copy of your suppliers Business Continuity Plans should be obtained. This not only demonstrates that they are prepared for a disaster, but that there is a plan in place to see their customers though it.
Predefined Delegations of Authority
Delegations of Authority (DoA) are defined as the authority granted to identified corporate positions, used for making policy determinations and decisions at headquarters, field levels, and all other organizational locations. Delegations of authority ensure the orderly and predefined transition of leadership responsibilities within an organization during an emergency and are closely tied to succession. Delegations of authority typically specify a particular function, including limitations, conditions, and restrictions, that an individual is deemed by the organization as qualified to perform. Generally, predetermined delegations of authority will take effect when normal channels of direction have been disrupted and will lapse when these channels have been reestablished. DoAs are common in regards to company employee spending limits, which require elevated levels of authority depending on the dollar amount. A simple example:
- Board of Directors – Unlimited
- CEO – $2MM
- CFO – $1MM
- GMs and other C-Suite – $500K
- Department Managers – $100K
- Department Supervisors – $10K
- Designated Employees – $2.5K
DoAs document responsibility for decision making and expenditure of funds, administration of day-to-day operations (personnel, property, travel, training, etc.) and tell you:
- Who is delegating and receiving the authority
- What authority is being delegated
- Where this authority can be used
- Why the authority has been implemented
Pre-Established Supplier Plans
As many businesses know, the last thing you want during an emergency is to be trying to buy critical supplies at a time when supply is low and demand is high. Suppliers have an opportunity to take advantage of supply and demand leaving many customers forced to pay unreasonable prices or go without. Pre-established, contract bound pricing and, more importantly, dedicated supply, can be the difference in a company’s ability to survive during a disaster. While we can jokingly talk about the loss of toilet paper and other things, your company really should sit down and determine if there are products that you
Critical Supplies List
Creating a comprehensive Critical Supplies List is essential in preparing for any disaster. A company of any type or size must know what supply dependencies they have, the current level of inventory and lead times for obtaining new stock. First hand experience has taught us that there is nothing worse than having a supply chain issue during a disaster. Case and point…No toilet paper or disinfectant products on the grocery store shelves during a global pandemic. Below is a simple example of how a critical supplies list should be structured and the minimum information it should contain.
| Inventory Location: | Houston Field Office – Downstairs Supply Room | |||||||||
| Product Category | Item Name | Description | Quantity in Inventory | Reorder Level | Supplier Details | Unit Price | Lead Time | Alternate Supplier | Alternate Product | Alternate Product Price |
| Hygiene | Toilet Paper | 3-ply Charmin Ultrasoft Brand Toilet paper | 48 Roll Pack | 12 Rolls | Wally World 5405 S Rice Ave Houston, TX 77081 (713) 860-9242 | $16.00 | 24 Hours | KK Mart 5150 Buffalo Speedway Houston, TX 77005 (713) 661-8305 | Quilted Southern | $21/48 Rolls |
| Hygiene | CloRocks Disinfecting Wipes | Lemon Scented Disinfecting Wipes | 3 Pack – 255 Wipes | 75 Wipes | Tarjet 4323 San Felipe St Houston, TX 77027 (713) 960-9608 | $ 9.99 | 8 Hours | Wally World 5405 S Rice Ave Houston, TX 77081 (713) 860-9242 | LySoll | $2.59/32oz Bottle |
Communication Protocols
Who is to communicate and to whom do they communicate with. How often do they communicate.
The CEO:
Addresses the company and Board of Directors, via email, via public address or via conference call after receiving as much detail about the indecent or disaster from the subject matter experts (SME). The CEO, with assistance from the company’s General Counsel and Public Relations Department, will draft an internal and public “corporate message”. The CEO may be required to address the Media, but only in so far as to reinforce the approved “corporate message”.
The Head of Public Relations:
Addresses the messaging to the Media and Public with the approved corporate message. NO OTHER EMPLOYEE has the authority to speak on the behalf of the company and any requests for comment are to be immediately transferred to the Public Relations Department using the company approved phrase “Please hold while I transfer you to our Public Relations Department.”
The Head of HR:
Addresses messaging to the employees, via email regarding the facts of the situation and current KNOWN status. Any issues, questions or concerns by employees are to addressed by HR. An internal “Status” page will be created for employees to reference updated information and to submit questions. Employees should NOT be encouraged to illicit information updates from their managers as their managers may not have the very latest details surrounding the disaster which may only drive speculation and rumors.
The Procurement Manager:
Addresses the messaging to the company’s vendors/suppliers in the event that expedited services or supplies are required. Pre-arranged agreements put in place to address disaster scenarios will immediately be executed in order to ensure the company’s “preferential” or priority status.
The Head of IT:
Facilitates use of all available communication platforms and helps to coordinate activities with the Board.
The CFO:
Addresses any Investor or Corporate Financial concerns. Depending on the severity of the disaster the CFO may be required to address the Media, but only in so far as to reinforce the approved “corporate message”.
The Accounts Payable Manager:
Deals with Vendor/Supplier question or concerns regarding payment of outstanding invoices and the impact of the disaster on timely payment of invoices.
The Accounts Receivable Manager:
Deals with customer and partner communication regarding the necessity of timely or advanced payment of outstanding invoices as a means of bolstering cash reserves.
Employee Sign Off
Discussing the Business Continuity Plan with your staff and how they will be asked to participate in that plan is vital to the plans success. No one will want to hear that they are expected to engage with customers from their mom’s house in Kentucky while there house is being flooded in Louisiana. Similarly a plan that calls for everyone to work from home during a disaster, only to find out half of your employees don’t have access to the internet at home, is fundamentally flawed and destined to fail. Discussing the plan with staff will open up a dialogue with employees and help you determine THEIR level of preparedness. It also gives the employees expectations of what the business will do to maintain survival. Think of your employees as critical vendors. If they have a sound plan to continue working during a disaster, you can be confident during the disaster that your plan will actually work.
Payroll
The single biggest concerns that any employee will have during a disaster are, will I still have a job? Will the company survive? Will I still have a paycheck? Making sure there is a plan for continuing (or discontinuing) payroll is important not only for your employees, but your business. Hourly employees, find this level of transparency most important. It helps them plan for what to do in the event that their jobs are paused for what could be an extended period of time. How will you pay employees, if you can no longer get to your payroll system? How will you write and maintain tracking of payroll if you lose your office computers? Do you have the alternative ability to write manual checks to employees? Is there a service that you should be reaching out to, to discuss emergency payroll options?
AP/AR
Much like your employees, your vendors will also want key insight into how they will continue to get paid should your operations and potential revenue stop. As a vendor ourselves, we are always on the lookout for companies that randomly decide to “slow pay” or become delinquent in their normally regular payment of invoices. As a vendor we HATE calling and asking about an invoice status just as much as AP employees HATE to see a suppliers name pop up on their phones. Having clear messaging with suppliers about exectations during a disaster is important
Alternate Facilities
In some disaster scenarios primary facilities may be unavailable requiring alternatives to be established. While this may be fairly obvious, what may not be obvious during a disaster is the premiums that companies will have to pay for a quick office moves. Unless the disaster is isolated to your company, you will be vying not only with other companies looking for alternatives themselves, but also moving services that are contracted with individuals who are moving. An example of this is people who are moving after a flood. Individuals will be moving out of damaged homes. Businesses will be moving salvageable equipment into temporary storage or alternate facilities. Even companies for outside of your normal location may be looking for alternatives in your area of operations simply because it has available space. None of this is ideal even when there is no disaster occurring. Moving a business takes valuable time and resources. If you are able to preemptively identify an alternative site for your business or even determine how well working remotely works for your company you will be light years ahead of everyone during a disaster.
Security of Assets
It is probably an afterthought for many folks DURING a disaster, but taking measure to ensure your office is not looted or your field equipment is not stolen during a disaster is something that should be planned if possible. If a hurricane landing in your areas is eminent, then securing field assets for high water, high winds and the post hurricane aftermath should be near the top of the preparation list. Companies who prepare for earthquakes, building fires and other “total loss” disasters should be thinking differently about asset security. Asset security should be proactive, eliminating it from your list of concerns all together. Paper files should be digitized and stored offsite. Data should be backed up to some form of offsite cloud storage. Any other assets should be made highly mobile or made redundant in another location.
Testing
Fail-Over / Fail-Back Testing – One of the more common tests conducted by IT staff is the “Fail-Over / Fail-Back” test. The occurs with every redundant system during their regular patch cycle and is occasionally performed as part of the Disaster Recovery Validation testing. In preparation for a Disaster, EVERY system and service must undergo “Fail-Over / Fail-Back” testing. Not just technology, but mechanical assets, building facilities and even personnel. Quick question to illustrate…What happens if you unexpectedly lose you CEO for a month.
Supplier Testing – Annual Supplier and secondary supplier re-verification and meetings should be conducted on an annual basis AT MINIMUM make sure everyone is on the same page. It gives your company to validate suppliers are prepared for the scenario. It reminds the Suppliers/Vendors that they should be taking their contractual obligations seriously.
Table Top Exercises – These exercises occur in the conference room, where various scenarios are discussed. Senior Leadership Team members, department leads and critical staff all have an opportunity to go through their perspective roles of a disaster to ensure they are prepared. This is also an opportunity for the other members to throw “monkey wrenches” or “what ifs” into each position to again, ensure they are prepared.
Structured Walk-Through – In a structured walk-through, each team member walks through his/her plan in detail. Often, the team works through the test with a specific disaster in mind. Some organizations incorporate drills and disaster role-playing into the structured walk-through. Any weaknesses should be corrected and an updated plan distributed to all pertinent staff.
Redundancy Validation – Redundancy validation is primarily focused on company staff to ensure that there is NO individual that is a linchpin to the organization. Unfortunately employees quit without warning, get fired or simply are determined to be unreliable. Whatever the reason is, each critical employee should have an backup in place to handle the day to day activities and ideally become cross trained in the event that the primary person is unable to perform his/her duty (an Understudy) . The Understudy needs several opportunities to perform in that role, NOT as an actor, but as a duly authorized second in command. This solidifies the Understudy as the second in command and allows the Understudy an opportunity to truly make sure they understand the role.
Document Testing – The true test to understand if your plan actually works is to hand it over to an employee who is completely unfamiliar with it and ask them to explain it to you as they understand it. If their explanation does not match your understanding of the plan, you have some rework to do.
During each phase of business continuity testing, it is best to include employees that are unfamiliar with the plan on the test team. “Fresh eyes” might detect gaps or lapses of information that experienced team members could overlook.
Site Specific Disaster Plans
Houston Office
This is the location within your company’s Business Continuity Plan where any office specific plans should be detailed. Office specific locations for emergency medical kits. Office specific details for building exits. This is the location for fire warden, HSE, and security personnel names and phone numbers. and any other site specific details that someone from outside of that office would need to know.
Definitions and Terms
—
The Probability Score utilizes the table below to determine the actual likelihood that any one particular event will occur. While examples are provided below, this exercise should be based on the potential likelihood as seen from your point of view. Adding more granularity may be required for complex situations, but for example purposes you should be able to derive your own Probability Scores using this example.
It should be noted that this exercise may need to be duplicated for each location or facility that your company operates as disasters are typically different from region to region and what is likely in one location may not be in another.
|
RARE |
UNLIKELY |
POSSIBLE |
LIKELY |
ALMOST CERTAIN |
|
|
Qualitative Likelihood |
May occur only in exceptional or extreme circumstances |
Could occur at some point |
Will occur at some point |
Will probably occur in most circumstances |
Is expected to occur in most circumstances |
|
Quantitative Likelihood |
Is possible, but has not occurred in the recent past and is considered to have less than a 1% chance of occurring at any time. |
Has not occurred on a regular basis or even recent memory, but has occurred infrequently in other places and therefore has more than a 1% chance of occurring |
Has occurred at least once or is considered to have a better than 5% chance of occurring in the next 5 years |
Has occurred in the past few years OR is projected to occur this year with a 75% certainty |
Has occurred on an annual basis in the past 10 years OR circumstances are lining up in such a way that the likelihood is near 90% certain |
|
Score |
1 |
2 |
3 |
4 |
5 |
|
Example: |
Tornado in Houston, TX |
Multi Day Freeze in Houston, TX |
Significant Drought in Houston, TX |
Hurricane in Houston, TX |
Flooding in Houston, TX |
The Consequence Score utilizes the table below to define and value the actual consequences that any one particular event may cause the business. This table is a little expansive and examples for each individual category and consequence level would be challenging to provide, but just as stated in the Probability Score this exercise should be based on your point of view. Adding more granularity may be required for complex businesses, but for example purposes you should be able to derive your own Consequence Scores using this Matrix.
It should be noted that this exercise may need to be duplicated for each location or facility that your company operates as disasters are typically different from region to region and what is likely in one location may not be in another.
| Insignificant | Negligible | Moderate | Extensive | Significant | |
| Employees | Minor Skills Impact | Minor impact of capability | Unavailability of core skill which affects business services | Loss of critical skills or personnel | Protracted loss of critical skills or people |
| Company Stakeholders | Little to no impact. Correspondence will be circulated for informational purposes only. | Noteworthy mentioning and meetings to discuss | Potential loss of confidence / stakeholder action | Stakeholder action requiring restructuring of business leadership | Stakeholder action requiring dissolution of business |
| Public | No one affected from the public | Public nuisance | Public complaints and potential litigation | Public harmed and lawsuits eminent | Public significantly harmed or displaced / class action lawsuit |
| Health and Safety | Minor injury requiring first Aid | Injury requiring treatment by a medical practitioner | Major injury / hospitalization | Single death and/or multiple major injuries | Multiple deaths |
| Environmental | Minor cleanup by local staff with little to no environmental impact | Minor clean up by local employees and outside cleanup specialists. Internal review required | Major environmental impact requiring assistance from state, local and private agencies. State regulatory oversight of cleanup and probable financial penalties. | Major environmental impact requiring assistance from federal, state, local and/or private agencies. EPA investigation with potential criminal impacts and financial penalties. | Major environmental impact requiring assistance from international, federal, state, local and private agencies. EPA oversight and financial penalties. Complete halt to all operations pending criminal and civil investigation. |
| Intellectual Property | Compromise of edge systems, but no breach of information | Compromise of publicly available information | Minor compromise of information sensitive to internal interests or operations | Compromise of information highly sensitive to internal interests or operations | Compromise of information highly sensitive to internal interests or operations and external clients |
| Computer Systems | Minor system outage lasting < 10 Seconds | System outage lasting <1 Minute | System outage lasting > 10 minutes | System outage lasting > 1 Hour | System outage lasting > 12 Hours |
| Property | Minor damage or vandalism | Minor damage or loss of < 5% of total assets | Damage or loss of < 10% of total assets | Extensive damage or loss of < 50% of total assets | Destruction or complete loss of > 50% of assets |
| Reputation | Local, quickly forgotten event. Internal review required | Short term local media concern. Executive or internal committee scrutiny and internal audit required to prevent escalation or repeat of events. Minor impact on local activities | Persistent national concern. Scrutiny required by executives and outside review agency. Damage to brand. | Persistent national, public, political and media scrutiny. Long term negative brand impact. Major operations severely restricted. | International concern, governmental inquiry or sustained adverse national/international media. Brand irreparably damaged and organization critically affected. |
| Financial | 1% of project or annual budget | 2-5% of project or annual budget | 5-10% of project or annual budget | > 10% of project or annual budget | > 50% of project or annual budget |
| Operations | Minimal impact on non-core business operations. The impact can be dealt with by routine operations | Some impact on business operations with deadlines that may be missed. Quality should no be impacted, but will be dealt with at an operational level. | Operational impact on the business resulting in reduced performance, missed deadlines, affects on KPIs and delivery dates. Company is not in jeopardy of failing, but could be at subject to significant review and loss of market share. | Breakdown od KPIs resulting in reduced performance. Probable loss of project and potential for business failure due to revenue loss, client dissatisfaction, service delays. | Critical failures preventing core activities from being performed. The impact threatens the survival of the project or the organization itself. |
| Score | 1 | 2 | 3 | 4 | 5 |
The “Time to Recovery” Score utilizes the table below to define and place values on the impact time has on any one particular event. Adding more granularity may be required for complex businesses, but for example purposes you should be able to derive your own Time to Recovery Scores using this Matrix.
It should be noted that this exercise may need to be duplicated for each location or facility that your company operates as disasters are typically different from region to region and what is likely in one location may not be in another.
| Insignificant | Negligible | Moderate | Extensive | Significant | |
| Employees | Absence lasting < a few days | Absence lasting > a few days | Absence lasting > a few weeks | Absence lasting > a month | Permanent Absence |
| Public | Incident Lasting < an Hour | Incident Lasting < a day | Incident Lasting > a week | Incident Lasting > a month | Incident Lasting > a Year |
| Environmental | Remediation Lasting < an Hour | Remediation Lasting < a day | Remediation Lasting > a week | Remediation Lasting > a month | Remediation Lasting > a Year |
| Computer Systems | Outage lasting < 10 Seconds | Outage lasting <1 Minute | Outage lasting > 10 minutes | Outage lasting > 1 Hour | Outage lasting > 12 Hours |
| Property | Downtime Lasting < an Hour | Downtime Lasting < a day | Downtime Lasting > a week | Downtime Lasting > a month | Downtime Lasting > a Year |
| Reputation | Recovery < a week | Recovery > a week | Recovery > a Month | Recovery > a Year | Recovery > 5 Years |
| Operations | 100% Operational in < an Hour | 100% Operational in < a day | 100% Operational in > a week | 100% Operational in > a month | 100% Operational in > a Year |
| Score | 1 | 2 | 3 | 4 | 5 |
The Financial Impact Score utilizes the table below to define and place values on the financial impact any one particular event may have on the business. Adding more granularity may be required for complex businesses, but for example purposes you should be able to derive your own Financial Impact Scores using this Matrix.
It should be noted that this exercise may need to be duplicated for each location or facility that your company operates as disasters are typically different from region to region and what is likely in one location may not be in another.
| Insignificant | Negligible | Moderate | Extensive | Significant | |
| Finacial Impact | < .1% Annual or Project Budget | < 1% Annual or Project Budget | ≤ 9% Annual or Project Budget | > 10% Annual or Project Budget | > 30% Annual or Project Budget |
| Score | 1 | 2 | 3 | 4 | 5 |
The “Current Preparedness Level utilizes the table below to define and a Grade on the businesses ability to weather the event. Certain events can be nearly negated based on the level of preparedness a company has achieved. As a quick example: If a company maintains a disaster recovery location for it’s staff to operate from in the event of a hurricane, then even though a company may list the probability and consequences as significant, the actual impact is virtually eliminated. Different businesses choose to score this category in different ways, but we have chose a grading scale so that the actual score still stands alone, while demonstrating the companies level of preparedness. Adding more granularity may be required for complex businesses, but for example purposes you should be able to derive your own Preparedness Scores using this Matrix.
It should be noted that this exercise may need to be duplicated for each location or facility that your company operates as disasters are typically different from region to region and what is likely in one location may not be in another.
| No Preparation | Planning Stage | Somewhat Prepared | Well Prepared | Fully Prepared | |
| Grade | F | D | C | B | A |
