DR / ERM / BCM / BCP: What Comes First?

I’m part of many LinkedIn groups that are associated with Emergency Response, Disaster Recovery / Planning, Business Continuity Planning & Management and some Crisis groups.  From these groups I can learn many new perspectives from DR/ERM/BCM professionals around the world and there are always some interesting new twists on viewpoints and examples that may not become known – or simply be expressed to a wider audience – if these groups didn’t exist.  Sometimes, there are topics that pop up that really do have an impact on me and gets my own grey matter thinking. 

At the time of writing, there is a topic that asks the question; ‘In your opinion, what comes first in a disaster?’  As you can expect, there are many differing opinions on this.  It got me thinking; doesn’t it depend on the situation?  I would think it does.

Not every ‘disaster’ situation starts out as a disaster to begin with for starters.

If you’re familiar with ITIL then you’ll know that in many cases, Incident Management processes may kick in first before any escalation or implementation of thing ERM/DR/BCM related is considered.  You might want to investigate the issue first and see if it can be resolved before you escalate up the ladder and cause departments or entire corporations to implement various contingency strategies.

Of course, a disaster might kick in immediately where Emergency Response processes are 1st and foremost; your focus is people safety first and you do everything possible to make sure that happens.  Your Technology Recovery Plan (TRP) and Business Continuity Plans (BCPs) and other components will come after life safety has been taken care of first. 

Your BCP plans may not need to be implemented if the situation doesn’t call for it.  If it happens in the middle of the night (or at least after the main business hours) you may not implement any business/department contingency strategies right away until an assessment is done.  That assessment may say that the disaster (oh, let’s say a power interruption) will be resolved in 30 minutes.  At that time of night/day, a BCP implementation may not be required.

However, if initial investigations are performed and no potential is established for any quick resolution (day hours or night hours) then many plan/program components may be placed on alert and more and more program components get involved. Now you have the DR/Crisis Team (or whatever name your company utilizes) begins to be notified and make some decisions based on the question ‘if it’s not available by ‘x o’clock’ then this is what we need to do.’  That could mean starting call trees (corporate wide, not just escalation calls) to let people know they are – or aren’t – to report to work tomorrow.  Now you’ve got other program components being implemented.

But it all comes down to what the ‘trigger’ event is; or as the questions posed, what the disaster is.  Based on that, you’ll know what component needs to be implemented.  Of course, this is assuming you have a proper BCM program in place that covers such things as evacuations, notifications, crisis management (including trained and aware crisis team members), business/department contingency strategies, technology recovery plan and various other program components that might come into play. 

In some instances – and from personal experience – any incident or potential disaster that touched the technology infrastructure was an automatic call to the ‘DR’ site (alternate site) so that they were put on alert and ready to respond in case things did progress. 

One place I knew of (from a colleague many years ago) said that even when they had a fire drill they notified their alternate site just in case it took longer for them to get out of the building for whatever reason.  This little action actually kept everyone alert and prepared for when the ‘big’ incident occurred. People practiced this on a regular basis and knew what actions needed to be taken…and it was just a fire drill. 

Still, as either DRI or BCI state on one of their publications (I can’t remember which – might be both) and as I’ve said many times, the disaster itself will determine what actions need to be taken.  The disaster could be of a ‘sudden serious impact’ like a bomb or could be something that might have longer impacts like a ‘blip’ in power supply, where that blip’s impact may not be known immediately.  One will mean immediate life safety concerns and the other wouldn’t.  It depends on the situation.

I don’t think a question like ‘In your opinion, what comes first in a disaster?’ can be answered simply and easily.  It really depends on the situation you’re presented with. 

The thing that all corporations must know is what to do based on the situation they are presented with.  If they aren’t familiar with the various components of a resources, supported, maintained and exercised program, they may not know what to do first – regardless of the situation. 

Don’t laugh…I’ve experienced it.  I’ve been in a room where some managers attending a meeting continued to discuss their meeting agenda because they assumed it was a drill and didn’t do anything.  I did vacate the room and they then found out it wasn’t a drill; the cafeteria had had a little fire.  It was out quickly and next to no damage done but still, here was an example where people didn’t know what to do, so they did nothing.  I guess they though there can’t be a fire without smoke and if they couldn’t see the smoke there wasn’t a fire (but it could have been something else….).

Doing nothing was the first thing these managers would have done in a real disaster – or at least potentially done if it was a real disaster.  Doing nothing is any situation isn’t acceptable but knowing what to do when faced with any situation is what we’re all striving for, isn’t it?  If the fire alarm is going off then you’re first action if vacate the facility – smoke or no smoke or if the situation is known or unknown – life safety first; that’s what the alarm bells are telling you to do first.

Still, when a disaster occurs, what comes first? 

Well, it depends on the situation doesn’t it?

If the bells are ringing, well, you know what action is first.


“Heads in the Sand: What Stops Corporations from Seeing Business Continuity as a Social Responsibility” and “Made Again Volume 1 – Practical Advice for Business Continuity Programs”

by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3

Available at www.stone-road.com, www.amazon.com & www.volumesdirect.com

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s