2 - Site Crisis Management Plan Template

Site Crisis Management Plan(For Company XX)

Crisis Management Team Leader ( )

Business Continuity Coordinator ( )

In the event of a business disruption go to:Site Crisis Management Plan Flow:

Management Response PhaseSub-phase 1 – Initial Response & Notification (page YY)

Table of Contents

ABBREVIATIONS........................................................................................................................................................4

DEFINITIONS..............................................................................................................................................................5

ABOUT THIS PLAN TEMPLATE............................................................................................................................6

Business Continuity Plan Documents & Crisis Response Phase..........................................................................6

INTRODUCTION.........................................................................................................................................................8

CRISIS MANAGEMENT POLICY...........................................................................................................................9

Purpose..................................................................................................................................................................9Scope.....................................................................................................................................................................9Executive Sponsor.................................................................................................................................................9Document Manager...............................................................................................................................................9Review and Compliance........................................................................................................................................9Rules Regulations..................................................................................................................................................9Staff Responsible...................................................................................................................................................9Violations............................................................................................................................................................10

SITE CRISIS MANAGEMENT PLAN....................................................................................................................11

Purpose................................................................................................................................................................11Objectives............................................................................................................................................................11Assumptions.........................................................................................................................................................11Scope...................................................................................................................................................................12

BUSINESS CONTINUITY PLAN DOCUMENTS & CRISIS RESPONSE PHASE..........................................13

Business Continuity Plan Documents.................................................................................................................14

BUSINESS CONTINUITY PLAN HIGH-LEVEL PROCESS FLOW.................................................................15

RECOVERY TIME REQUIREMENTS..................................................................................................................16

CRISIS MANAGEMENT TEAM STRUCTURE...................................................................................................17

CRISIS MANAGEMENT TEAM AND RESPONSIBILITIES..............................................................................................17IT AREA RECOVERY TEAMS AND RESPONSIBILITIES...............................................................................................18BUSINESS UNIT TEAMS AND RESPONSIBILITIES.......................................................................................................18

CRISIS MANAGEMENT TEAM CONTACT INFORMATION.........................................................................19

MANAGEMENT RESPONSE PHASE SUB-PHASES..........................................................................................21

SITE CRISIS MANAGEMENT PLAN FLOW.......................................................................................................23

MANAGEMENT RESPONSE PHASE SUB-PHASE 1 – INITIAL RESPONSE & NOTIFICATION.........................................23Sub-phase 1 - Business Continuity Coordinator Tasks.......................................................................................23Sub-phase 1 - Crisis Management Team Leader Tasks......................................................................................24Sub-phase 1 - Crisis Management Team Member Tasks....................................................................................24Sub-phase 1 - CMT Assistant Tasks....................................................................................................................25Sub-phase 1 - Damage Assessment Team (DAT) Tasks......................................................................................25

MANAGEMENT RESPONSE PHASE SUB-PHASE 2 – PROBLEM ASSESSMENT & ESCALATION...................................27Sub-phase 2 - Business Continuity Coordinator Tasks.......................................................................................27Sub-phase 2 – Crisis Management Team Leader Tasks.....................................................................................27Sub-phase 2 - Crisis Management Team Member Tasks....................................................................................27Sub-phase 2 - Damage Assessment Team Leader (DAT) Tasks..........................................................................28Sub-phase 2 - Human Resource Director Tasks.................................................................................................28Sub-phase 2 - CMT Assistant Tasks....................................................................................................................29

MANAGEMENT RESPONSE PHASE SUB-PHASE 3 – DISASTER DECLARATION..........................................................30Sub-phase 3 - Crisis Management Team Member Tasks....................................................................................30

©Sentryx 2007 All rights reserved 2

Sub-phase 3 - Business Continuity Coordinator Tasks.......................................................................................30Sub-phase 3 - Human Resource Director Tasks.................................................................................................30

MANAGEMENT RESPONSE PHASE SUB-PHASE 4 – BUSINESS AREA RESPONSE PHASE............................................32Sub-phase 4 - Business Continuity Coordinator Tasks.......................................................................................32Sub-phase 4 - Crisis Management Team Member Tasks....................................................................................32Sub-phase 4 - Business Area Recovery Team Leader Tasks...............................................................................32Sub-phase 4 - Recovery Team Tasks...................................................................................................................32

APPENDICES.............................................................................................................................................................33

SCMP 1 – Damage Assessment Report Form.....................................................................................................33SCMP 2 – [Company XX] Disaster Declaration Statement Example................................................................34SCMP 3 – [Company XX] Disaster Severity and Recovery Levels.....................................................................35SCMP 4 – News Media Procedure......................................................................................................................37SCMP 5 – Summary of Risk Assessment Information.........................................................................................38SCMP 6 – Summary of Business Impact Analysis Information..........................................................................39SCMP 7 – Summary of Business Continuity Strategy Information.....................................................................40SCMP 8 – Version Change Control....................................................................................................................41


Abbreviations

BCP Business continuity plan

CMC Crisis management center

CMT Crisis management team

BCP Business continuity plan

ERP Emergency response plan

ERT Emergency response team

ERTL Emergency response team leader

ERTDM Emergency response team deputy manager

SCMP Site crisis management plan


Definitions

Executive Sponsor

Senior management member who approves and provides full support for the development and implementation of the organization’s business continuity program

Document Manager

Person who approves and authorizes the BCP document including document revisions.


About This Plan TemplateThis site crisis management plan (SCMP) template is one template in a series of templates designed to provide comprehensive, practical, and structured guidance to those responsible for developing a crisis management plan and other related business continuity plan documents. This template contains a recommended structure, outline, and contents for a typical crisis management plan document. Where possible, instructions for completing specific sections provided and sample text is given as a suggestion of the type of information required. The template contents may be customized and tailored to suite your organization’s specific BCP requirements.

It is recommended that a Document Manager be assigned the responsibility of overseeing updates and revisions to this document. Please refer to the section “Version Change Control” for more information on how to manage and distribute changes to this document.

Business Continuity Plan Documents & Crisis Response Phase

For the purpose of this template, the crisis response phase has been defined as the overall phase during which a crisis situation or disaster occurs. During the crisis response phase, several sub-phases occur, namely, an emergency response phase, management response phase, and a business area response phase.

During each phase one of several business continuity plan documents are utilized. The diagram below depicts the crisis response sub-phases and plan documents associated with each sub-phase:


This business continuity plan template follows a phased approach as a response to a disaster or disruptive event. The [Company XX] business continuity plan consists of several plan documents as follows:

1. Business continuity plan (referenced)

2. Emergency response plan (referenced)

3. Site crisis management plan (this plan)

4. Business area recovery plan(s) (referenced)


IntroductionThis Site Crisis Management Plan (SCMP) is intended to be used by the Crisis Management Team (CMT) to oversee and direct recovery operations for [Company XX] in the event of an emergency or disaster situation. This document is one of several documents that serve as a repository for information, activities, and tasks necessary for a timely and effective response.

All SCMP’s are not alike. The following sections describe the structure and contents of a typical SCMP that may be customized to suite your own organization’s requirements.


Crisis Management PolicyPurpose[Company XX] is committed to safeguarding the interests of shareholders, clients, customers, and vendors in the event of an emergency or business disruption. [Company XX] has therefore established a comprehensive organization-wide business continuity program to protect staff, safeguard corporate assets and environment, and to ensure continuous availability of its products and services. To support the business continuity program, [Company XX] recognizes the need for an effective business continuity capability and provides this corporate crisis management policy as part of the overall organization business continuity program policy.

ScopeThis crisis management policy applies to all members of [Company XX] crisis management team. [Company XX] crisis management team shall define, approve, and implement a crisis management plan which includes essential activities, procedures, and tasks necessary to ensure critical operations and services are resumed after a business disruption.

Executive Sponsor[Company XX] assigns a senior management member to be the “Executive Sponsor” who approves, sponsors, and provides full support the development and implementation of the organization-wide business continuity program and its constituent parts including this policy, crisis management plan, and other associated business continuity plan documents. The executive sponsor approves the budget and resources required, and delegates authority to the crisis management team and team leader to manage, coordinate, and oversee the crisis management plan design, development, implementation, maintenance, and assessment.

Document Manager[Company XX] shall appoint a Document Manager to approve and authorize the BCP document and changes including document revisions.

Review and ComplianceThe corporate business continuity program policy has established an annual review and assessment for this policy and for the business continuity plan.

Rules Regulations[Company XX – enter rules and regulations that are specific to you organization here]

Staff Responsible[Company XX] business continuity and recovery teams have the responsibility to know this policy and understand and adhere to the standards and procedures established in this policy.


It is the responsibility of all staff to be aware of their departments and/or business unit’s business continuity plan and its associated documents.

ViolationsAny employee and/or contractor or service provider found to have violated this policy may be subject to legal actions such as termination.


Site Crisis Management Plan PurposeThe purpose of the business continuity plan is to:

1. Recover essential or critical business operations in a fast and efficient manner

2. Provide a mechanism for management to direct recovery efforts

ObjectivesThe primary objective of the site crisis management plan is to recover critical elements of [Company XX] operations such as:

1. work area/office services;2. information technology services; and3. manufacturing and production services.

Additional objectives are to:

1. ensure that staff are aware of alternate arrangements2. ensure that recovery teams have sufficient resources

AssumptionsThis plan has been developed with the following assumptions:

[Company XX] has conducted a business impact analysis to determine the exposure and impact that may result due to a disruptive event.

A summary of the critical functions and processes, maximum tolerable downtimes, recovery time and point objectives, workaround procedures, and critical IT systems, resources, and services have been determined and are listed in this plan.

[Company XX] has conducted a risk assessment and has implemented risk controls to reduce or eliminate potential risks to its operations.

[Company XX] has selected and implemented suitable recovery options in the event that a disaster occurs.

The business continuity plan has been tested and approved.

The recovery teams will be comprised of sufficient number of staff to ensure a satisfactory turnout in the event of a business disruption.


ScopeThe scope of this SCMP is the [Company XX] facility/site located at [Company XX facility].


Business Continuity Plan Documents & Crisis Response Phase

For the purpose of this template, the crisis response phase has been defined as the overall phase during which a crisis situation or disaster occurs. During the crisis response phase, several sub-phases occur, namely, a disaster response phase, management response phase, and a business area response phase.

During each phase one of several business continuity plan documents are utilized. The diagram below depicts the crisis response sub-phases and plan documents associated with each sub-phase:

Each crisis response sub-phase is described below:

1. Emergency Response Phase This phase is the first phase in managing a crisis. It comprises of the initial few hours after an actual disaster, or after the threat of a disaster is first identified. The business continuity plan is the primary document used during this phase.

In this phase, business continuity plan procedures, tasks, and forms are used; the business continuity coordinator and other members of the crisis management team are alerted; and evacuation occurs and/or the disruption is contained.


2. Management Response PhaseIn this phase, the crisis management team manages and coordinates all site recovery activities. This phase begins after the initial response is received by the crisis management team. The crisis management plan is the main document used during this phase.

3. Business Area Response Phase In this phase, business area teams recover and resume business operations. Depending on how large you organization is, you may opt to develop Business area recovery plans and business unit recovery plans or just business unit recovery plans. Business area recovery plans may be used to invoke business unit plans. Note that this breakdown allows for a more modular structure of activities and is especially useful if your organization is large has many business department and units.

Business Continuity Plan Documents

Below is a list of plan documents and an explanation of each:

Site Emergency Response Plan (ERP)o The ERP is used to respond to a disaster or disruption. The primary plan

objectives are to: Protect life Provide shelter Evacuate premises Mitigate threat and control extent of damage

Site Crisis Management Plano This plan. The SCMP is used to manage and coordinate all site recovery

activities including activities such as: Supervising recovery effort Declaring a disaster Invoking other plans Monitoring recovery, resumption, and normalization activities

Business Area/Department/Unit Recovery Plano Plan used to manage and recover business operations within each business

area/department/unit.


Business Continuity Plan High-level Process Flow

During BCP execution, the Crisis Management Center will be opened and CMT team members will gather to review the damage assessment report, and to determine if a disaster is to be declared. The following diagram illustrates the relationship between the various plan documents:

The business continuity plan follows a sequence of activities specified in the following documents:

1. Emergency Response Plan

Refer to [Company XX] Emergency Response Plan

2. Site Crisis Management Plan

This plan.

3. Business Area Recovery Plan(s)

Refer to [Company XX] Business Area Recovery Plan(s).


Recovery Time Requirements

[Company XX] business unit/department, business functions, and maximum tolerable downtimes.

Business Unit/Department:

Business FunctionMaximum Tolerable

Downtime

See Appendices for additional Business Impact Analysis information.


Crisis Management Team Structure

A sample CMT structure is provided below. This diagram also shows the IT Area Recovery Teams, Business Unit Teams, and Implementation & Logistics Team.

Crisis Management Team and ResponsibilitiesThe crisis management team (CMT) consists of a number of [Company XX] executives and team leaders that manage the overall recovery process. The members of the CMT must be able to act quickly during a crisis situation. If a disaster occurs, the CMT will likely be called out at an early stage to manage the recovery process.

Examples of CMT responsibilities include:

Manage and control the execution of the emergency response plan, site crisis management plan, business area recovery plans, and business unit plans.

Approve the activation of the site crisis management plan and business area recovery plan

Declare a disaster based on the findings of the damage assessment report Provide updates on all company issues to external public and media Provide updates and review progress with Board of Directors Call insurance providers and key suppliers/vendors Contact families Monitoring disaster. For example to:


Ensure evacuation has occurred, If there is potential for injury, put emergency response team on standby Assess effect of damage on working conditions

IT Area Recovery Teams and ResponsibilitiesThe IT Area Recovery Teams consist of a number of different teams, each focused on the recovery of a specific technical area. Example of these teams include

Operating Systems Platform Team, Networking and Telecommunications Team, Database Systems Team, Applications Team, Systems Backup Team, Security Control Team, and Integration and Testing Team

Examples of IT Area Recovery Teams responsibilities include: Recover, restore, and test systems and operating systems on workstations and servers Recover and restore LAN and WAN Restore from backup tapes Install critical applications and data Test restored systems, network connectivity, and integrity of data.

Business Unit Teams and ResponsibilitiesA business unit team represents a single business unit or operation for [Company XX]. Its membership consists of key users of critical systems and resources. The role of these teams is to assess the current needs of the unit, and assist the IT Area Recovery Teams to recover lost data and resources, re-enter manually recorded data, and to validate successful recovery.


Crisis Management Team Contact Information

Crisis Management Team

Company Executive

Function/Role/

AlternatesWork # Home # Cell # Email

Executive Administrative Assistant

CMT Assistant 1

CFOAdministrative Assistant

CMT Assistant 2

CIO Crisis Management Team Leader (CMTL)

Finance Director

Crisis Management Team Leader – Alternate (CMTL)

Risk Assessment Manager

CMT Member

Business Continuity Coordinator

Business Continuity Coordinator

CFO Business Continuity Coordinator – Alternate

Facility Security Manager

CMT Member

IT Director CMT Member


(Head of IT Area Teams)

Human Resource Director

CMT Member

Company Health and Safety Coordinator

CMT Member (ERP Team Leader)

IT Manager CMT Member (Damage Assessment Team Leader)

Facility Security Manager Secretary

CMT Member (Notification Team Leader)


Management Response Phase Sub-phases

During a disaster situation, [Company XX]’s top priority is the health and safety of its employees and staff. Therefore, the emergency response plan was executed in the Emergency Response Phase, the first phase of a crisis. This plan, the site crisis management plan (SCMP), is executed in the second phase, Management Response Phase. Note that this plan may be executed in parallel to the Emergency Response Plan. Tasks for Sub-phase 4 are also outlined in the SCMP.

The Management Response Phase follows several sub-phases:

Management Response Sub-phase 1 – Initial Response & Notification

In this sub-phase:o The BCC is alertedo The CMT Leader is alertedo The damage assessment team is mobilizedo A damage assessment report is preparedo The CMT proceeds to CMC

Management Response Sub-phase 2 – Problem Assessment & Escalation

In this sub-phase:o The CMT reviews the damage assessment reporto The CMT meets with DAT and physical security managero CMT monitors the disaster situation oro CMT escalates and proceeds to the next phase to declare a disaster

Management Response Sub-phase 3 – Disaster Declaration Phase

In this sub-phase:o CMT prepares the disaster declaration statemento CMT Leaders assume other tasks such as advising news and mediao Recovery team leaders are notifiedo Business area/unit recovery plans are activated

Management Response Sub-phase 4 – Business Area Response Phase

CMT oversees recovery efforts, performs recording functions, and provide assistance where necessary.

In this sub-phase (Plan Implementation & Logistics activities):o Recovery team leaders mobilize respective teamso Equipment is orderedo Recovery teams travel to recovery site


o Recovery teams prepare for recovery and resume critical services

In this sub-phase (Business Area Plan and Business Unit Plan execution activities):

o Execute Business Area Plan/Business Unit Plans such as the IT Area Recovery Plan, Manufacturing Area Recovery Plan, etc.


Site Crisis Management Plan Flow

The following sections provide example tasks for the Management Response Phase and Business Area Recovery Phase. Additional tasks may be added as required.

Management Response PhaseSub-phase 1 – Initial Response & Notification

This is the first sub-phase of the Management Response Phase. In this phase the business continuity coordinator and the crisis management team leader are alerted, crisis management team and damage assessment team are notified. The CMT proceeds to the CMC and assumes their assigned tasks.

Note, at the start of this phase, one or more of the following may have occurred: An emergency incident or disaster has occurred OR there is a threat of disaster

The Emergency Response Team (ERT) has escalated the incident to CMT/BC Coordinator. The Incident Assessment Report (generated during the Incident Assessment and Escalation Phase of the Emergency Response Phase) has been provided.

The Damage Assessment Team has been mobilized as is preparing a damage assessment report

The Crisis Management Center may or may not be opened.

Sub-phase 1 - Business Continuity Coordinator Tasks Receive a call from Emergency Response Team regarding [Company XX] disaster

situation

Note the following:o Name, Phone Numbero Obtain brief description of problemo Has Public Authorities been contacted?o Receive Incident Assessment Report (Emergency Response Plan execution)

Alert DAT Leader and ensure the DAT is mobilized (if not already mobilized) and that they are aware of the situation.

Alert CMT Leader and assess situation, at a high-level.

Proceed to the CMC.

Resume activities in sub-phase 2 “Problem Assessment & Escalation”


Sub-phase 1 - Crisis Management Team Leader Tasks

Receive a call from Business Continuity Coordinator OR Emergency Response Team regarding [Company XX] disaster situation

Note the following:o Name, Phone Numbero Obtain brief description of problemo Has Public Authorities been contacted?o Receive Incident Assessment Report (Emergency Response Plan execution)

Meet with BC Coordinator to assess situation, at a high-level.

Call CMT Assistant to begin notification procedures (if not available, contact the backup CMT Assistant)

o Provide brief description of situationo Inform CMT Assistant to activate CMT call treeo Inform CMT Assistant of location of Crisis Management Center where all CMT

members should meet

Advise corporate board and shareholders of event

Proceed to the CMC.


Sub-phase 1 - Crisis Management Team Member Tasks

Receive a call from CMT Assistant regarding [Company XX] disaster situation

Note the following:o Address of where to meet the rest of the CMTo Obtain brief description of problem

Proceed to the CMT



Sub-phase 1 - CMT Assistant Tasks

Activate CMT contact list (call tree) Advise CMT member of situation status Advise CMT member of location and time to meet at CMC Begin log of events. Record the following:

o Problems encounteredo Expenseso Additional events/incidents


Sub-phase 1 - Damage Assessment Team (DAT) Tasks

Prepare damage assessment report (use Damage Assessment Report Form):

Note this activity may have already commenced.

If the event is one of the following conditions, the damage assessment team may opt to report this immediately. In this case immediately proceed to the next sub-phase – disaster declaration and declare a disaster:

o If the disaster impact is expected to last longer than [number of hours] (as pre-determined by Company XX Executive]

o If there is loss of power and heating or loss of computing services.

o If there is severe damage to the company facilities such as structural damage, or collapsed roof, making it inaccessible.

o If there is external activity which prevents access to the facility, such as criminal activity involving police, or if there is an extended evacuation of building caused by gas leak.

Consider the following when preparing the damage assessment report:

o Determine disaster levelo Estimate financial losso Determine source of damage such as fire, flood, earthquakeo Determine extent and magnitude of damage such as

Building structures


Business units Types and number of IT systems, infrastructure, etc Number of critical processes disrupted

o Assess physical condition of the original siteo Establish safety status of the original facilityo Determine presence of hazardous contaminantso Assess risk of further damageo Estimate length of recovery



Management Response PhaseSub-phase 2 – Problem Assessment & Escalation

This is the second sub-phase of the Management Response Phase. In this phase the damage assessment report is reviewed to determine the extent of the problem, and a decision is made to either declare a disaster and escalate to the next sub-phase or to continue to monitor the situation using tasks in the emergency response plan. Activities in this phase are typically conducted at the CMC.

Sub-phase 2 - Business Continuity Coordinator Tasks

Ensure that the CMC is accessible

Meet with CMT members

Follow CMT Member tasks

Resume activities in sub-phase 3 “Disaster Declaration”

Sub-phase 2 – Crisis Management Team Leader Tasks

Meet with corporate board and shareholders, if required


Follow CMT Member tasks




Receive the damage assessment report for the extent and impact of the damage

Review disaster severity levels and disaster recovery levels

Review conditions that warrant declaration:

Example: if the event is one of the following conditions, the CMT may declare a disaster immediately:


o If the disaster impact is expected to last longer than [number of hours] (as pre-determined by Company XX Executive]

o If there is loss of power and heating services or loss of computing services.

o If there is severe damage to the company facilities such as structural damage, or collapsed roof, making it inaccessible.

o If there is external activity which prevents access to the facility, such as criminal activity involving police, or if there is an extended evacuation of building caused by gas leak.

Meet with Facility Security Manager and DAT Leader to discuss alternatives

Determine if there is impact to critical processeso If yes, proceed to the next sub-phase (Sub-phase 3 - DISASTER

DECLARATION).

o If no, continue to monitor situation and use (EMERGENCY RESPONSE PLAN).

Sub-phase 2 - Damage Assessment Team Leader (DAT) Tasks

Meet with CMT to discuss damage assessment report and alternatives.

Sub-phase 2 - Human Resource Director Tasks

Prepare statement for the news and media, if requiredo Refer to the News Media Procedure

Recommend and approve staff related concerns and issues

Procure any replacement staff, if required

Ensure headcount procedures have been conducted

Sub-phase 2 - CMT Assistant Tasks


Ensure all CMT members have business continuity plan documents

Ask CMT Leader for any assistance

Continue event logging.



Management Response PhaseSub-phase 3 – Disaster Declaration

This is the third sub-phase of the Management Response Phase. In this phase, a decision to declare a disaster is made based on the review of the damage assessment report. A suitable recovery strategy is selected, a disaster declaration statement is prepared, and appropriate teams are notified.


Review the disaster severity and disaster recovery levels in Appendix SCMP 3 – Disaster Severity and Recovery Levels.

Prepare DISASTER DECLARATION STATEMENT by:o Reviewing extent of damage to premiseso Reviewing effect of damage on staff working conditionso Reviewing impact to critical processeso Reviewing estimated time to repairo Select a Disaster Severity Level (see Appendix “SCMP 3 – Disaster Severity and

Recovery Levels”)o Select a Disaster Recovery Level (see Appendix “SCMP 3 – Disaster Severity and

Recovery Levels”)o Selecting appropriate recovery strategy

Initiate recovery process by notifying recovery teams via Business Continuity Coordinator

Resume activities in sub-phase 4 “Business Area Response Phase”


Notify recovery team leaders, such as the IT Recovery Area Team Leader, Call Center Recovery Area Team Leader, Manufacturing Area Recovery Team Leader, etc.

Notify off-site storage facility

Notify alternate recovery site to prepare for the arrival of recovery teams

Sub-phase 3 - Human Resource Director Tasks


Notify remaining staff of current status


Management Response PhaseSub-phase 4 – Business Area Response Phase

This is the fourth sub-phase of the Management Response Phase. In this phase, the recovery environment is prepared and appropriate resources are mobilized; and business area/units are recovered and resumed.


Receive recovery status information from recovery team leaders

Monitor recovery progress and provide updates to CMT


Receive recovery status information

Monitor recovery progress and provide updates to CMT

Assist with recovery efforts where possible.

Sub-phase 4 - Business Area Recovery Team Leader Tasks

Activate their area of plan

Order and ship supplies

Supervise recovery of business departments

Verify successful recovery

Sub-phase 4 - Recovery Team Tasks

Recover and resume operations as per procedures and tasks in business area/unit plans.o Commence IT Area Recovery Plan (IT Disaster Recovery Plan)o Commence Business Area Recovery Plans


Appendices

SCMP 1 – Damage Assessment Report Form

Damage Assessment Report

Assessment conducted by (name, phone number):

Name and Location of damaged facility/room/area:

Name of Business Unit/Department using damaged area:

Source of damage (fire, flood, earthquake):

Detailed type and extent of damage (building structures, business units, types and number of IT systems, infrastructure, etc):

Physical condition of building (safety status):

Presence of hazardous contaminants:

Risk of further damage:

Estimate of loss:

Impact to critical business processes:

Estimate of time to repair (e.g. hours, days, weeks):

Recommendations/notes:


SCMP 2 – [Company XX] Disaster Declaration Statement Example

[Current time and date]

Commencing on [current time and date], [Company XX] sustained severe losses to its facilities located at [Company XX location] due to [Description of Disaster].

The following conditions exist due to this disaster situation:

[Disaster Recovery Level: Level 1 Recovery at Primary Site _____ ; OR Level 2 Recovery at Alternate Site _____ ] (refer to SCMP 3 – Disaster Severity and Recovery Levels)

[Severity Level of Disaster (minor, intermediate, or major): ________________] (refer to SCMP 3 – Disaster Severity and Recovery Levels)

[Description of Disaster Severity and Recovery Levels, if required.]

[Company XX] has switched to its recovery organization and is currently is the process of recovering essential business operations.

[What plans are currently active?]

[Company XX] [Crisis Management Team Leader] has the authority to issue this disaster declaration statement.

Signed this _________ of ______________ 20______

____________________________________


SCMP 3 – [Company XX] Disaster Severity and Recovery Levels

There are 3 disaster severity levels: minor, intermediate, and major (described below). These levels provide an indication of the extent of impact to critical business processes.

In addition, there are 2 disaster recovery levels: Code YELLOW: disaster recovery level 1 – recovery at primary site, and Code RED: disaster recovery level 2 – recovery at alternate site (described below). These levels provide an indication as to the location of recovery efforts, either at the primary site or alternate site, respectively. For the alternate site, this may be an alternate work area, alternate IT recovery area, or an alternate manufacturing and production area.

A minor level disaster is typically recovered at the primary site using minimal recovery staff. An intermediate level disaster may or may not be recovered at the primary site and may require some recovery teams and/or alternate site recovery support staff. A major level disaster is recovered at the alternate site and requires all CMT, recovery teams, and alternate site support staff.

Since recovery at an alternate recovery site can be costly, the CMT must determine whether to involve alternate recovery facilities and support staff. The decision to recover at the primary or alternate site depends on the following:

Whether the disruption is expected to last more than a pre-determined length of time (e.g 12 hours)

Whether the disruption impact is minor, intermediate, or major disaster severity level

Disaster Recovery Levels

Code YELLOW: Disaster Recovery Level 1 – Recovery at Primary Site

This level may be declared if the disaster severity level is determined to be minor or intermediate and the disruption is estimated to be less than [pre-determined number of hours e.g. 12- 24] hours. The recovery of business processes, IT systems and applications may take place at the primary site. The recovery team, alternate site facility and personnel, and off-site vendor should be placed on alert for a possible escalation to level 2.

Code RED: Disaster Declaration Level 2 – Recovery at Alternate Site

This level may be declared if the disaster severity level is determined to be intermediate or major and the disruption is estimated to be greater than [pre-determined number of hours e.g. 24] hours. The recovery of business processes, IT systems and applications are to take place at the alternate site(s). The recovery team, alternate site facility and personnel, and off-site vendor are to begin recovery procedures.


Disaster Severity Levels

Minor Disaster Severity

A disaster of this severity level occurs more frequently in normal day-to-day operations, compared to the intermediate or major disaster. The severity level is considered minor because the effects are often isolated to a small subset of critical business processes.

The cause of the disruption is often the failure of a single component, system, or service. Example causes are failure of manufacturing equipment parts, system disks, and voice and network hardware.

Intermediate Disaster Severity Level

An intermediate level disaster occurs less frequently but with greater impact compared to minor level disaster. This kind of event disrupts normal operations of some but not all critical business units. The operational disruptions result from major failures of multiple systems and equipment.

Example causes are water leakage into computer room, structural damage, etc.

Major Disaster Severity Level

The possibility of this type of disaster occurring is small, but the extent of the impact is significant compared to the minor or intermediate level disasters. The event disrupts operations of most or all of the critical business processes. The operational disruptions are the result of inaccessibility or failure of most or all of the systems and equipment.

Example causes are destruction of or inability to access company facilities due to fires, earthquakes, storms, or sabotage.


SCMP 4 – News Media Procedure

The [Company XX - Human Resource Director] is responsible for communicating all press reports.

During an incident, staff shall: Direct all press to the Human Resource Director Not make any statements the press without approval Not give out confidential information such as name of casualty victims Not speculate on the status of the incident

Steps to remember about news media: Provide a discrete statement of current situation

Provide time and date of next announcement


SCMP 5 – Summary of Risk Assessment Information

Include summary information from the organization risk assessment in this section. For example, include:

A list of threats and risks A list of critical assets exposed to the threats A list of implemented risk controls and residual risks


SCMP 6 – Summary of Business Impact Analysis Information

Include summary information such as critical processes, recovery time objectives, recovery point objectives, recovery resources, etc. from your organization’s business impact analysis. For example, include:

Maximum Tolerable Downtime (MTD) Critical IT systems and applications Critical non-IT resources Recovery Time Objectives (RTOs), Recovery Point Objectives (RPOs), Work Recovery

Times (WRTs) of critical applications and resources


SCMP 7 – Summary of Business Continuity Strategy Information

Include options for recovering disrupted data, records, applications, systems, equipment, and facilities.


SCMP 8 – Version Change Control

Version control is required in order to maintain integrity and cohesion of this document. The Document Manager should be the only person to approve and authorize changes and distribute revised versions.

To reduce the risk that an old version is used, the Document Manager should collect all copies of old versions before distributing new ones. This document shall not be photocopied. Additional copies should be obtained from the Document Manager.

Version Number

Issue Date Reason for Change Authorized by
