Tuesday, December 29, 2009

ERM-BC-COOP: Need to know documents


Lately there has been some discussion on DRJ's LinkedIn site [**] titled "How many employees should understand your organization’s emergency or crisis management plan?"

Fortunately, it has generated a number of responses.

Most responders think that the only answer is "All."

However, a few responders are concerned about sharing too much information, especially sensitive information, with personnel who lack a "need to know."

That is understandable.

The solution is relatively simple and follows the scheme for most useful ERM-BC-COOP documentation: Create a complete document and distribute parts of the document on a "need to know" basis. The document also can be developed so that it can be distributed to "the world" with critical information easily removed prior to publication.

Basically, The Plan - be it business continuity or emergency/crisis management or any other - starts off with a high level overview.

  • What is the plan's purpose
  • What the plan includes
  • When the plan was created/revised
  • Who sponsored the plan; who authored the plan

All the above is "public" information.

In the case of an emergency/crisis management plan, there might be a listing of several generic scenarios (e.g., building unavailable [for any reason], loss of communication, facility inaccessible [different from unavailable since people may be trapped in the facility]).

The scenarios would be in the "public information" category and distributed to all hands and can even be shared with "the world" much like a sanitized business continuity plan.

Everything else falls into restricted information.

Some of the restricted information can be shared with all hands. Included in this could be:

  • Emergency notification process and relevant numbers to call (e.g., in case of fire, dial 0 and tell the Operator the location of the fire)
  • Action to take in the event of various events (e.g., fire, smoke, electrical failure)
  • Telephone numbers personnel can call to check on operational status (e.g., if the facility is unavailable, when/where to report, what time code to use)
  • Policies and procedures relating to emergency/crisis situations

Finally, there is the restricted information sub-section, the "need to know" portion of the plan.

There can be two valid reasons for "need to know" restrictions.

First, and certainly "politically correct," is that there is no reason to burden all hands with information specific to a few people. The Crisis Management Team is a good example. These people are responsible for assessing (or having assessed) damages and making decisions regarding immediate personnel activities. Since "shelter-in-place" is included in an emergency/crisis management plan, there is more to consider than just "return to the facility."

Second, there may be truly sensitive information that must be restricted to a minimum number of personnel. HR-related information falls into this category; likewise InfoTech user information.

The mechanics of plan creation are documented at http://www.drj.com/articles/fall05/1804-04.html but basically require

  • Thoughtful document design (organization)
  • A word processor's "hidden text" capability
  • An editor/proofreader to assure all "sensitive" information can be hidden
  • A PDF generator (software)
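The four mechanics above describe one master document from which audience-specific editions are generated, with a proofreading pass to confirm nothing sensitive leaks into a lower edition. The script below is an added example, not code from this post or from DRJ, that models the same workflow in plain text instead of a word processor's hidden text: the `{{tier}}` markers, the `MASTER_PLAN` contents, the tier names and the telephone number and file reference are all constructed for the illustration. `render` plays the role of the hidden-text-plus-PDF step, and `verify_edition` plays the role of the editor/proofreader, failing if any passage the reader is not cleared for appears in their edition.

```python
"""Tiered ("need to know") rendering of a single master plan document.

Added example, not from the original post. One master document carries
audience markers; each edition (public, all-hands, need-to-know) is generated
from it and then checked so no restricted passage survives in a lower edition.
"""
import re

# Audience tiers, lowest to highest, matching the post's three categories.
TIERS = ("public", "all-hands", "need-to-know")

# Constructed sample master plan. The marker syntax is an assumption of this
# example:
#   {{tier}} ... {{/tier}}                         visible to that tier and above
#   {{need-to-know:GROUP}} ... {{/need-to-know}}   visible only to that group
MASTER_PLAN = """\
Emergency/Crisis Management Plan - Overview
Purpose: keep personnel safe and restore operations.
Revised: 2009-12-29 (constructed date)
{{all-hands}}
In case of fire, dial 0 and tell the Operator the location of the fire.
Status line for facility availability: 555-0100 (constructed number).
{{/all-hands}}
{{need-to-know:CMT}}
Crisis Management Team call tree: alternate site is Building B, room 2 (constructed).
{{/need-to-know}}
{{need-to-know:HR}}
Personnel emergency contacts are held in HR file EC-7 (constructed reference).
{{/need-to-know}}
Scenario list: building unavailable, loss of communication, facility inaccessible.
"""

# One marked block: opening marker, body, matching closing marker.
BLOCK_RE = re.compile(
    r"\{\{(?P<tier>public|all-hands|need-to-know)(?::(?P<group>[A-Za-z0-9_-]+))?\}\}\n"
    r"(?P<body>.*?)\n\{\{/(?P=tier)\}\}\n",
    re.DOTALL,
)


def _allowed(tier, group, audience, groups):
    """True if a reader of `audience` tier in `groups` may see this block."""
    if audience not in TIERS:
        raise ValueError(f"unknown audience {audience!r}")
    ok = TIERS.index(tier) <= TIERS.index(audience)
    if tier == "need-to-know" and group is not None:
        ok = ok and group in set(groups)
    return ok


def render(master, audience, groups=()):
    """Return the edition of `master` for one audience.

    Blocks the reader may see are kept (markers stripped); all others are
    removed entirely, which is the "hidden text" step of the post.
    """
    def keep(m):
        if _allowed(m.group("tier"), m.group("group"), audience, groups):
            return m.group("body") + "\n"
        return ""

    out = BLOCK_RE.sub(keep, master)
    if "{{" in out or "}}" in out:
        # A stray marker means a block was malformed; refuse rather than publish.
        raise ValueError("unbalanced or malformed marker left in output")
    return out


def verify_edition(master, edition, audience, groups=()):
    """Proofreader step: True only if no forbidden passage appears in `edition`."""
    for m in BLOCK_RE.finditer(master):
        if _allowed(m.group("tier"), m.group("group"), audience, groups):
            continue
        if m.group("body") in edition:
            return False
    return True


if __name__ == "__main__":
    for audience, groups in (("public", ()), ("all-hands", ()),
                             ("need-to-know", ("CMT",)), ("need-to-know", ("HR",))):
        edition = render(MASTER_PLAN, audience, groups)
        assert verify_edition(MASTER_PLAN, edition, audience, groups)
        print(f"=== {audience} {list(groups)} ===\n{edition}")
```

Each edition is rendered from the same master, so updating the master once keeps every edition consistent, which is what the post's maintenance caveat requires; `verify_edition` is the check to run before any edition is published, especially the "world" version.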

With this approach, both those who think everyone needs to know about an organization's emergency/crisis management plan and those who would restrict information are satisfied.

One caveat: As with all ERM-BC-COOP documents, this one must be exercised and maintained (kept up to date).

** http://www.linkedin.com/groupAnswers?viewQuestions=&gid=117659&forumID=3&sik=1262100736213


John Glenn, MBCI
Enterprise Risk Management practitioner (& sometime tech writer)
Looking for a new job
