With literally hundreds of disaster recovery plan/business continuity plan DRP/BCP templates available via the Internet to download and use for your program, how do you know which one to choose?  Should you use a template that is available through a blog or general information web site?  What about those available from companies specializing in DR/BC services?  Should you use guides provided by international standards organizations such as NIST and ISO?  Let’s examine each of these different template types to help you determine which template may be right for your business.

General Information Web Sites

There are many general information web sites available across the Internet that offer you FREE templates.  Many times these sites ask for general information from you in an effort to offer you additional services.  Often these sites post one or two items in relation to DR/BC but don’t focus on the topic. 

It is prudent to be very cautious when obtaining your free templates from these types of general information web sites.  More often than not, you will receive a template that either doesn’t work (it’s a PDF you can’t edit) or doesn’t contain information you need.  What you will then be left with is a non-functional template that has generated a hoard of spam e-mail for your inbox.

DR/BC Services Companies

DR/BC services companies specialize in helping businesses prepare for disasters.  They are often managed by certified continuity professionals or companies that focus on continuity services.  These companies typically charge fees to download their templates as it is considered a source of revenue in their business line.

Templates available through these service companies are among the best you can obtain.  The provider’s focus on DR/BC ensures their templates address those topics that are critical to a well implemented DR/BC program.  While these templates usually require payment of a fee to download them, the money is usually well worth it.  When looking for templates, be sure to compare cost between several providers.  Also, obtain a preview of the table of contents before buying to ensure it addresses topics you feel should be included in your plan.

Standards Organizations

Standards organizations provide a great service to businesses in helping identify best practices on many topics.  Many of these organizations provide standards and guidelines specifically on DR/BC.  These organizations can be found in many countries around the world as they support the establishment of standards for their countries.

Guides and templates available from standards organizations are usually focused on meeting requirements of standards they’ve established.  These guides and templates are an excellent source especially for businesses that are required by law to meet certain set government rules.  An excellent example is the healthcare industry.  All covered entities  must conform to the HIPAA Contingency Plan Standard.  NIST SP 800-34 is considered an excellent resource to help with HIPAA Contingency Plan Standard compliance.  These guides and templates are also great resources for other general businesses as well.

 For Consideration

Templates available through general information web sites must always be considered with great caution as they generally don’t work or don’t address the needs of an effective DR/BC plan.  Specialized services companies are an excellent source of products that often require payment of a fee and usually ensure the addressing of topics needed in an effective plan.  Standards organizations offer great resources to help businesses meet minimal planning needs or ensure compliance with regulatory guidelines. 

Carefully consider the needs of your business when looking for plan templates.  It is critical to ensure the plan put together for your business meets your needs.  More importantly, consider obtaining the services of a certified professional that can assist you with your planning needs.  Your business survival in a disaster depends on the plans you produce.  Prepare your business today.         

I began Lighthouse Continuity Partners, LLC as a general disaster preparation services company.  I've decided to first focus my services on the health care market in my local area.  I've done this because I can narrow my scope of services down to the 5 specifications of the HIPAA Contingency Plan standard.  We will be releasing new services based on these specifications in the coming weeks ahead.

The Contingency Plan standard requires covered entities have the following five specifications documented:

 1.  Application and Data Criticality Analysis

2.  Disaster Recovery Plan

3.  Data Backup Plan

4.  Emergency Mode Operation Plan

5.  Testing and Revision Procedures

 Under recent penalty adjustments allowed under the HITECH Act, penalties for not having these documents can be as follows:

     Categories of Violations and Respective Penalty Amounts Available
--------------------------------------------------------------------------------------------------------------------
                                                                                  All such
                                                                             violations of an
    Violation category--Section       Each violation           identical
            1176(a)(1)                                                    provision in a
                                                                              calendar year
--------------------------------------------------------------------------------------------------------------------
(A) Did Not Know..................       $100-$50,000           $1,500,000
(B) Reasonable Cause..............       1,000-50,000          1,500,000
(C)(i) Willful Neglect--Corrected.      10,000-50,000          1,500,000
(C)(ii) Willful Neglect--Not                   50,000                 1,500,000
Corrected........................
--------------------------------------------------------------------------------------------------------------------

It is unlikely that any entity could claim they "Did Not Know" that they are required to have these plans documented.  Each specification is explicity spelled out in the rule.  Thus, an initial penalty would likely start at $1,000 per violation and could quickly progress toward the total $1,500,000 cap.

I'd like to understand what worries health care organizations most in regards to this standard under HIPAA.  I'd like to hear about the concerns providers have in meeting these specifications.  Does your organization have the documents immediatly available to produce to an auditor?  Have you experienced loss of EPHI or access to it in the past?  Are you confident in your contingency plan? 

Hurricane season is fast approaching and it is never too early to get ready.  The Internet has many great resources to help you prepare your family for any disaster.  Simply enter “Family Disaster Plan” into any search engine and literally millions of pages across the Internet are available for your reading pleasure.  So, here in the United States, what are some of the best sites to use to help prepare your family for hurricanes, flooding, hospitalization, and other disasters?

www.ready.gov

Ready.gov is my favorite resource.  This is the national campaign of the United States and provides well laid out resources for citizens.  Ready America is your resource for family disaster planning.  You can create an electronic plan or download forms through the Ready America – Make  A Plan area of the web site.  There are additional resources for military families, older americans, people with diabetes, and pet owners.

www.redcross.org

The American Red Cross is also an excellent source of information to prepare your family for disaster situations.  Once at the site, click “Preparing and Getting Trained” at the top of the page.  Then click “Prepare – Home and Family” in the left navigation menu.  Here you will find additional information on the same resources found at Ready.Gov.  You’ll also find “Preparedness Fast Facts” on many topics such as tornados, pandemic flu, thunderstorms, wildfires and eighteen other topics.

www.nhc.noaa.gov/HAW2/pdf/family_disaster_plan.pdf

The National Hurricane Center’s Family Disater Plan information sheet is an excellent high-level planning tool.  It provides information on all types of disasters and how to begin developing your family plan.

With these three resources alone, an effective family disaster plan can be compiled.  Each of these three resources also stress the need to develop a disaster kit which I also highly recommend for your home and your car.  More about these kits in a later blog.  Finally, I highly recommend an emergency alert disaster radio. 

It is vitally important to fully document your family disaster plan.  The safety of your family is priceless.  Take steps to prepare by having your plan documented today.

I’ve been caught by many people mentioning the term “Alternative Management Plan” for their business.  If the term has been used in the business continuity management industry in the past, I’ve not heard it before I decided to begin using it myself.  So if there is another industry definition you may know about, please leave a comment and let me know.

My personal definition is:

Alternative Management Plan – a holistically defined effective and efficient management process that establishes potential risks and provides alternative management processes to be utilized by a business in a crisis situation.

Let’s face it – in the event that a crisis occurs and affects the ability of a business to provide the products and/or services it normally produces, there must exist another method for management of that business.  A documented plan that is effective and efficient must exist so that management of the business understands how to react to the crisis.

The Disaster Recovery Institute International has defined under their Professional Practices for Business Continuity Practitioners a similar term as follows:

Business Continuity Management - a holistic management process that identifies

potential impacts that threaten an organization and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation and value creating activities.

The three keys to these two similar definitions are:

-         both focus on management processes

-         both feature defined processes that are called upon when a business crisis exists

-         both must be effective

I, myself, utilize these two terms interchangeably.  But I find it much easier to utilize my term when conversing with business managers.  Likely because the words “Alternative”, “Management”, and “Plan” are more easily comprehended in the business world.  I find that the word “Continuity” just doesn’t resonate with business managers.

Thus, an alternative management plan is essentially a business continuity management process.  And additionally, an alternative management program would be the same as a business continuity management program.  In either case, it is important to converse with industry experts whenever addressing the preparation for a business crisis.