If it seems like each step in preparing your Disaster Recovery Plan is the most important step, even more important than the one that came before it, I can’t blame you. That said, we’ve come to another really important step – creating your Disaster Response Team (the “Team”).
This is more like two separate steps, but for the sheer sake of time, I will combine them here. First, you’re going to need to identify all the roles and the structure of the Team. Then you’re going to have to fill those roles with people in your organization. It’s definitely two different steps.
Creating Your Disaster Response Team Structure
For each disaster that you have identified in your Risk Matrix, you need to have a written procedure to be followed in the event such a disaster occurs. Your Team will be in charge of performing (or overseeing the performance of) those procedures. Critical responsibilities include:
- Assessing whether to declare a disaster (and then actually declaring one);
- Ensuring ongoing backups are performed and maintenance of business continuity systems;
- Communication with employees and contractors;
- Communication with vendors and other business partners;
- Communication with customers, press, emergency services, governmental agencies, etc.;
- Reporting to management and acting on any changes to the Plan; and
- Managing the crisis and managing the recovery.
Your Team will likely be comprised of several different sub-teams or groups responsible for specific aspects of your Plan. The exact makeup of each team, its size, and its specific composition will likely be unique to your company’s circumstances, needs, and resources.
Regardless of your company’s unique needs, however, there are certain overall tasks that need to be performed. Below is an example of how your Team could be organized, along with some general descriptions of each team’s overall role.
Disaster Recovery Management Team
The Disaster Recovery Management Team is responsible for initiating your Disaster Response Plan, implementing its protocols, notifying and activating the members of the Team, coordinating the efforts of your IT team/vendor through each step of the Plan, and generally is responsible for ensuring that the actions taken by the Team align with pre-determined business needs. This team, led by the Disaster Recovery Coordinator/Manager – usually a business leader within your business, preferably with IT experience – oversees the activation and execution of the Plan (with a focus on IT-focused issues) from the beginning of a disaster through the full recovery of assets pursuant to the Plan.
The Disaster Recovery Management team includes:
- Disaster Recovery Coordinator/Manager
- Facilities Coordinator
- Technical Coordinator
- Administrative Coordinator
- Network Coordinator
- Applications Coordinator
- Computer Operations Coordinator
Business Recovery Team(s) (Non-IT)
Business Recovery is an integral part of your Plan. This team is responsible for implementing the non-IT aspects of your Plan in accordance with overall company strategies. Among the Business Recovery Team’s main roles is coordinating the logistics and personnel in order to return the business to full operations as quickly as possible.
Your Business Recovery Team acts as the main point of contact between the Disaster Recovery Management Team and rest of the company, to facilitate open communication throughout the organization. Depending on the size of your business, some of this Team’s roles will be filled by one individual, or potentially by an entire sub-team with a designated team leader. Make sure you plan appropriately –a Disaster Recovery Plan could fail because you gave one person a role that needed a team.
Some key business recovery roles include the following:
- Executive Management Team
- Business Recovery
- Business Unit Recovery
- Damage Assessment
- Facility Support
- Administrative Support
- Logistics Support
- Transportation and Relocation
- User Support
- Media Relations
- Legal Affairs
- Physical/Personal Security
- Human Resources
- Procurement (Equipment and Supplies)
- Marketing and Customer Relations
Disaster IT Team (IT)
The Disaster IT Team has the most responsibility in the event of an actual recovery process. This team is your IT experts who are pulled from each unit of your IT infrastructure to cover your network, servers, databases, and storage. They understand what is unique to your IT landscape and know how to implement strategies appropriate to maintaining your business’s systems.
The Disaster IT team includes the following roles:
- Computer Recovery
- Computer Backup
- Offsite Storage
- Software Recovery
- Communication Infrastructure
- Computer Restoration
- Systems Software
- Network Operations Recovery
- Database Recovery
- Application Recovery
- Hardware Salvage
Clearly, having members of this team who are familiar with your systems is critically important. However, it’s better to have designated someone who can perform the tasks necessary for the role than someone who can’t, regardless how well they know your business.
Staffing Your Disaster Response Team
Now that you’ve created the structure for your Team, it’s time to identify the people on your payroll to fill those roles. Before you begin, it’s helpful to establish some selection criteria to guide your decisions. Your selection criteria should be based on:
- Skill sets and business knowledge – Ideally, teams should be staffed with the personnel responsible for the same or similar operation under normal conditions;
- Size – The team needs to have sufficient staff to perform its appointed role, and needs to remain viable even if some members are unavailable to respond (this is a disaster, after all;
- Flexibility – Team members who are familiar with multiple roles are valuable, so use them where their flexibility is a benefit;
- Every team must have an identified team leader, who directs overall team operations and approves all team decisions. The team leader must have both the subject-matter knowledge applicable for that team, as well as essential management skills, such as macro viewing capability and effective team communication.
A clear Succession Plan should be in place which describes the flow of responsibility when normal staff is unavailable. The Succession Plan must account for various contingencies, including situations where the unavailable person is coordinating the plan, or is merely responsible for executing a single action item.
Business Advisory Group
One “team” that, depending on the size and nature of your organization, you may want to include in your planning is a Business Advisory Group. While your advisors are not technically a part of the Disaster Response Team, they will work as a committee to evaluate and determine strategy, budget, and policy considerations. If appropriate they can also be tasked with the role of selecting the members of your Disaster Response Team.
They’ll help oversee the process and planning and have key insight into knowing each department’s downtime tolerance. Generally, this group is made up of executives, managers, and department leaders.
This team is effective in many businesses for providing overall guidance following a major system disruption or emergency. The team is usually led by the Chief Information Officer (CIO) or equivalent or someone with the authority to make decisions regarding spending levels, acceptable risk, and inter-organization coordination. Thus, the staff selected to be in this team must be:
- Able and capable of making a management decision and supervising the execution of Disaster Recovery operations.
- Capable of facilitating communication among other teams and supervising plan tests and exercises.
The right personnel with the appropriate attitude, capability, and skill-sets, when put into the correct positions in the Team structure, will help ensure the smooth execution of the Plan in the event of disaster.
The Disaster Response Team Contact List
One critical element of your Plan is the Disaster Response Team contact list. Everyone on the Team needs to be reachable in the event of disaster, so the list should contain multiple ways to reach everyone on the list – including different types of communication. You also need to have a procedure for keeping it up-to-date.
An example of the information your contact list should contain is: