Contingency Plans
White Paper
Good Plans are Needed for Contingencies
As many a corporate security practitioner will attest, many and varied things come across his or her desk. Two that arrive together are the business continuity plan (BCP) and the disaster recovery plan (DRP). Though not strictly security documents (or, possibly, everything can be related to security), corporate security personnel are often tasked with developing them for the corporation – we have been.

We think that good plans should be written, trained, tested, resourced, and unified.
Formal Plans are Important
Regardless of the type of contingency plan, it must be formally conceived and produced, generally with the guidance of the people on the front line. We have seen all kinds of approaches, from “Old Joe knows all that; he has it in his head and he will lead us;” to plans written on the back of a proverbial cigarette package; to plans completed from templates by people who really don’t understand the task. We have also seen people survive catastrophes with no plan at all, literally rushing into the fire to grab the server and then meeting around the boss’s kitchen table to figure out what to do next. We don’t recommend this.
Good Plans Have Certain Characteristics
Over time, we have come to see that good plans share certain characteristics. We have seen many plans developed and managed off the corner of someone’s desk, and from those we have learned what separates the ones that work from the ones that don’t. Good plans have five essential characteristics: they are written, trained, tested, resourced, and unified (WTTRU). Let’s explain.
Good plans are written
To say that plans must be written seems prima facie obvious. However, we have found organizations without written plans, or with bits and pieces of plans which they claim will do the job. A written plan is your most valuable asset in responding to a business continuity event. It assigns roles and provides communications information, but most importantly it is signed off by someone in authority, and that sign-off is what defines the plan’s leaders and its scope. When we deal with clients, we make sure they understand that writing the plan is necessary, but that the most important characteristic is that it be signed off.
All Plan Participants Must Receive Training
Training to use the plan is the next important aspect. Training can take many forms, and not every plan needs a formal classroom session. It can be as simple as gathering the players around a table, confirming that they have read the plan, and having each confirm that they understand their role and can perform it. More formal and elaborate training is, of course, the better approach, and it becomes necessary as plans grow more complex.
Test Your Plan with the Real Thing
Testing is an interesting aspect of contingency plans because either you test the plan or circumstances will test it for you. Deliberate testing generally takes the form of a tabletop exercise: a realistic scenario is developed, and those who are required to execute the plan are given the opportunity to apply their skills to the challenges in the scenario. As the activity unfolds, additional information, known as injects, is fed into the exercise to make things a little livelier. We consider the next level to be a simulation. Whereas a tabletop exercise generally stays inside the room, a simulation may involve communications to outside parties or new people arriving with additional information. It is, as the name connotes, a little more realistic.
In addition to these two types of testing, Mother Nature can also arrive with a little test of her own. Where a plan has been completed, signed off, and trained, a real event can qualify as a testing event. In any business, real events are usually followed by a debriefing, and test events and surprise events are no different. The debriefing is the opportunity for the plan, the training, and the people to improve. It should occur immediately after the event, before anyone goes home, even if it is quick and short. Once people go home, the immediacy of the moment is lost and with it some of the information. The military calls this debriefing a hot wash.
No Resources Equals a Weak Plan
A plan may be well written and signed off; however, if one does not have the resources to put it into action, it will fail. For example, if the plan calls for the deployment of five cell phones, then those phones must be available when called for. That is a minor example. If the plan calls for three buses to move 70 people to another location, one must be sure that this resource will actually be available when needed. We often hear organizations say that, regardless of any plan, they have the resources and can make it happen (we see this a lot in government). The reality is that unless a contract for the service is in place and exercised occasionally, one cannot be assured that the plan is resourced.
Plans – an Aide-Memoire
When we initially developed the mnemonic, it had four components – WTTR. As we became more involved with plans, we discovered that some organizations believe that different parts of the business can own different parts of the plan. A prime example is communications. The corporate communications people often develop a crisis communications plan. They tell the owners of the business continuity plan that they will play a role in it and that all the BCP owners have to do is contact them and they will handle the crisis communications “piece”. Needless to say, this approach has weaknesses: the plan now depends on a function that may itself be unavailable, unreachable, or overwhelmed during the event. In all the plans we develop, we ensure that they are unified and can stand on their own. In this way, anyone who picks up the plan can manage and execute it regardless of whether other functions are available. Therefore, we say that the plan should stand on its own and that even those with limited training should be able to execute its various components. This is a unified plan.
Business Continuity or Disaster Recovery
Here we have been discussing a business continuity plan, which is deployed when any business function is degraded. It has trigger points, assigned roles, and decision-makers who decide when to activate it. We believe that a disaster recovery plan is an extension of the BCP. With the BCP, something relatively minor has occurred that has slowed down a business function, e.g. the computer systems are out. With the DRP, something major has occurred that has likely halted operations and must be dealt with, e.g. a major fire, an earthquake, a pandemic. The DRP is executed in much the same way as the BCP, except that the measures to be taken and the authorities built into the plan are much more elevated.
We have developed business continuity plans and crisis management plans in all kinds of environments, with a specialty in the bulk electricity industry, government, and the extractive sector. Each brings its own challenges; however, the process of developing these plans, and the characteristics of a good one, are the same. Those who concentrate on the field of contingency planning use a small maxim to get their point across: failing to plan is planning to fail. We would add that failing to make good plans leads to failure as well. We hope that these few words will spur you on to look at your own plans and see how many conform to our five characteristics. If they do not, we hope you pay attention to them right away.