IT Focus Area: BC/DR
December 21, 2012
Business Continuity Best Practices: 3 Things to Learn from the Public Sector
Hurricane Sandy’s recent impact on the East Coast of the United States put business continuity and disaster recovery (BC/DR) in the spotlight. The private and public sectors were both heavily affected, and their BC/DR processes were put to the test. Businesses worked around the clock to avoid power outages, data loss and other interruptions, while the public sector took fast action to protect lives, preserve infrastructure, and set the stage for a controlled recovery. Contrary to some people’s beliefs, businesses can improve their BC/DR processes by taking a close look at what the public sector does well.
In the event of a disaster, public sector entities that are successful at managing disruptive events effectively and efficiently implement a proven command and control management system that has its roots in the Incident Command System (ICS) model. The ICS model is the most widely used disaster management system because of its benefits and features that lead toward effective direction of any event. The ICS system is used heavily by public sector entities for events ranging from building fires to natural disasters. The U.S. Department of Homeland Security, state and county emergency management offices, and local fire and police departments all use the system to coordinate amongst each other.
Although the goals and priorities of public and private entities may vary among protecting lives, infrastructure, data, and revenue, both sectors should have disaster recovery plans in place.
What makes the ICS model so applicable and useful?
There are some basic principles of this model that can help organizations achieve their BC/DR goals. Let’s look closely at three core principles and the lessons they offer for business continuity management.
1. Common terminology is a fundamental principle of ICS, and is used so that every public sector organization is on the same page. For example, police and fire departments use specific codes on their radios. Common terminology is also a crucial part of communication for private sector emergency managers. If you need to have rocks removed from the front of your office building and you call for a truck, does that mean you need a small pickup truck to remove five to 10 rocks that each weigh 10 to 20 pounds? Or do you require a truck that can carry 25 rocks that are each 200 pounds? Or do you need a resource that falls in between those two extremes? Requests for resources need to be specific. What one person would call "a truck for some rocks" can mean something different to the person who may dispatch such a resource.
BC/DR program takeaway
With a common list of pre-defined terms for specific resources, the right tool can be deployed more quickly and with less confusion at your organization.
2. Command and control is a critical component of how ICS is structured. There are three main aspects:
- Chain of command means there is an orderly line of authority to the single incident commander. This concept addresses one person’s “span of control.” That is a limited number of individuals that one person can effectively manage.
- Unity of command states that every individual has only one designated supervisor.
- Transfer of command dictates the process by which a different individual assumes leadership. This is important for two primary reasons: One person cannot continue effectively in a leadership role indefinitely; a transfer of command allows down time and a period of rest for individuals. And command may be transferred if a more qualified person becomes available to assume the leadership role.
BC/DR program takeaway
The three components of command and control can help with your BC/DR program. Effective programs will establish a hierarchy to avoid confusion surrounding critical decisions, clearly define who is in charge of whom so that no single individual has conflicting priorities, and allow for any single leader to take a break or be replaced without a disruption in recovery efforts.
3. Function and flexibility are also critical principles. ICS uses a chart to organize emergency resources around five manageable functions. To give a high-level explanation:
- Command refers to the previously discussed command and control structure.
- Planning maps out what needs to be done.
- Logistics ensures the requested resources are delivered where they are needed.
- Operations does the work.
- Finance and administrations handles the money, contracts and other financial tasks.
Flexibility is important because it allows the ICS organization structure to be "right-sized." During smaller incidents, or for those incidents that start small and grow over time, it may not be necessary to fully activate each of the functional areas. But for larger events, flexibility is a tremendous advantage.
BC/DR program takeaway
Organize and coordinate your resources into functions. Make sure each function is clear on its role and responsibilities. The size of your response organization should expand (or contract) to match the needs of the specific incident. The ability to accommodate and manage incidents of differing magnitudes is what makes ICS such a valuable asset in your response tool box.
Don't Overlook the Public Sector
The three core elements of ICS can be applied to your BC/DR programs. Don’t make the mistake of thinking "it won't work here because we're not a public sector entity.”