Eventually, your business will face an emergency scenario of some kind. Regardless of severity, the impact this crisis has on your customers depends almost entirely on how well-prepared you are to mitigate it. To that end, you’ll need a comprehensive, well-thought-out crisis management plan. Here’s what that involves.
By Tim Mullahy
In a perfect world, every business would run like a well-oiled machine all the time.
We don’t live in a perfect world. From natural disasters to cyberattacks to hardware failure, there’s a ton of stuff that can go wrong with your business’s services and infrastructure. It’s not a question of if you’ll face a crisis, but when.
That’s the bad news.
The good news is that the more thoroughly you prepare now, the less of an impact a crisis will have on your bottom line when you do have to deal with it. To that end, it’s important that you have the requisite infrastructure in place to ensure business continuity – redundant architecture, automated backups, cloud disaster recovery services, and so on. But it’s equally important that you implement processes and procedures to seamlessly activate those components.
Without a proper crisis management plan, it doesn’t matter how many disaster recovery and business continuity tools you have in place – you aren’t going to be able to use them effectively.
Your people need to know their roles in a disaster. They need to understand communication guidelines, points of contact, and activation instructions for emergency infrastructure. And they need to know what to do after the dust settles – how to get your business back in working order.
A good crisis management plan addresses the above through three critical components.
A Thorough Inventory of All Important Assets
We’ll start with the most important part – inventory. Unless you know what files, systems, and servers are critical to your business’s ongoing success, you cannot create an adequate crisis management plan. Ask yourself the following questions:
- Which of my business’s services and applications are mission-critical for its clients? What impact would a service interruption have on said clientele?
- What internal services are mission-critical to internal staff? What impact would a service interruption have on these employees?
- Are there any files for which 24/7 access by clients or staff is imperative? Where and how are these files stored?
- What physical assets does my business own and manage? Would the loss of these assets result in a service interruption of any kind?
- For the assets I have identified, what risks are likely to result in a crisis?
Once you’ve answered the above questions, your next step should be the application of an asset identification framework such as NIST’s Standards for Security Categorization of Federal Information and Information Systems. The purpose here is simple – to categorize your assets by level of importance based on the impact caused by their loss.
Finally, once you have identified your assets, your next step is to identify your crisis management resources. These include tools, backups, infrastructure, and team members. A clear overview of these is key for the next element we’ll discuss.
Comprehensive Action Plans and Activation Guidelines
What qualifies as a crisis? What needs to be done within the first twenty-four to forty-eight hours of an emergency? How will these tasks be accomplished? Who is responsible for making all this happen?
These are all questions your crisis management plan needs to answer. First, let’s talk about activation guidelines – this is where you determine what qualifies as a crisis. For instance, an interruption of a few seconds in Amazon Web Services might not be an emergency, but a storm knocking out the power at one of your data centers would be.
Once it’s been determined that a scenario is indeed an emergency, each department should have a unique action plan tied to that specific situation with a list of tasks that need to be accomplished. For each task, assign a level of priority, activation window, and activation instructions. You’ll also need to designate roles and responsibilities.
Each task should have at least one person who takes ownership of it, and there should be at least one individual who takes overall responsibility for each action plan. All action plans must also feature guidelines for documentation. Finally, make sure every key individual has an alternative point of contact – that way if someone is unreachable, there’s another who can step into their role.
A Communication Framework
Last but certainly not least, you need to establish a crisis communication strategy. Identify key stakeholders, devise approved crisis messaging, and assign responsibility for getting your messages out. You’ll also need a framework for internal communication, along with contact information for every point of contact and key vendor.
While it’s not strictly necessary, I would also advise looking into some form of crisis communication or alerting tool.
Don’t Go In Without A Plan
Eventually, your business will face some form of emergency scenario. When that day comes, how well you weather the storm largely depends on how well you’ve prepared in advance. With the right infrastructure and a proper crisis management plan, you should be just fine.
Tim Mullahy is the Executive Vice President and Managing Director at Liberty Center One, a new breed of data center located in Royal Oak, MI. Tim has a demonstrated history of working in the information technology and services industry.