The success of a business continuity management system (BCMS) depends, in large part, on the capabilities, or competence, of disaster recovery team members. A BCMS is the administrative framework for delivering business continuity and disaster recovery services.
The global standard for business continuity ISO 22301:2012, Societal Security -- Business Continuity Management Systems -- Requirements, addresses the issue of competence in Section 7.2 Competence. The standard explores the concept of competence by: 1) defining what constitutes the capabilities of BCMS staff; 2) reviewing how to assess the capabilities of BCMS staff based on relevant education, training and experience; 3) describing how to conduct appropriate activities (e.g., training) to ensure that BCMS staff have the necessary skills and capabilities; 4) covering how to evaluate the effectiveness of activities that increase or improve staff capabilities; and 5) offering ways to develop documented evidence of BCMS staff capabilities.
Defining and assessing competence
Typical metrics for assessing disaster recovery team competence include knowledge, which can be noted by the acquisition of professional credentials or attending educational programs; experience, which can be identified based on previous job responsibilities or participation in actual disasters; and motivation, which can be identified by participation in professional organizations, attendance and/or speaking at conferences and publication of articles. Each of these can be easily defined and benchmarked, and can serve as an effective starting point in assessing and expanding the skills and capabilities of disaster recovery team members.
A key factor in competence that may be overlooked is how individuals will respond in an actual disaster situation. Does an individual remain calm, perform his or her duties in accordance with the playbook and training, and steadily handle stress-filled situations that often arise in disasters? Or does that individual freeze, become indecisive, demonstrate lack of emotional control, or panic? Even in a disaster simulation, it's difficult to determine how an individual will respond to a real incident.
Measurable elements of competence include an ability to:
- Follow directions
- Give directions
- Adapt to changing situations
- Quickly understand a situation and respond accordingly (and as authorized)
- Accurately and concisely summarize what he/she has observed when communicating to team leaders
- Lead others
- Respond quickly and confidently in a difficult situation
- Relinquish control to others
- Prepare and present reports on an incident
- Plan and execute a business impact analysis
- Plan and execute a risk analysis
- Plan and execute a technology disaster recovery exercise
- Plan and execute a business continuity exercise
- Execute an evacuation drill
- Execute an incident response
Assessing competence starts with a background check of prospective disaster recovery team members. For the kinds of situations disaster recovery team members may face, reviewing a resume may simply not be enough. That's why a background check and reference checks are highly recommended. According to the Fair Credit Reporting Act, the background check includes verification of employment history, criminal history and credit history. Once the disaster recovery team has been assembled, periodic assessments of each member's competency are recommended, especially for members of emergency teams who will be responding to actual incidents.
Improving disaster recovery team competence is an ongoing activity, and can be accomplished with number of techniques. First, make sure the BCMS has sufficient funding and senior management support to facilitate these kinds of activities. Management support and funding ensure that attention and resources are properly focused on hiring the best staff and ensuring they are fully trained and have the necessary skills to satisfactorily perform their roles and responsibilities in a disaster. Justify the investment by reminding senior managers that disaster recovery teams must be prepared at all times to respond to an incident, and that regular training and exercising will ensure these teams are prepared. Coordinate your efforts with human resources and the appropriate corporate training resources.
Having baselined the skills and competence of disaster recovery teams, you can identify training and education that are needed by each team member. Establish a starting list of activities that will meet the training needs of the majority. For example, these can include internal classes that help employees understand what the BCMS does and its role in the organization and that also help the BCMS staff understand what they will be expected to do in an emergency. Identify internal and external resources that can provide the required training. The Federal Emergency Management Agency (FEMA) has numerous training programs that award credentials and that can be taken at no charge. Many other organizations offer similar training and credentialing programs.
Schedule and conduct the training and educational activities. Obtain scores for exams and copies of certifications each BCMS member obtains. Record this information in each team member's personal file, and be sure to send a copy to Human Resources.
With guidance from HR, establish a personal development program for each disaster recovery team member to set competency and performance goals, record activities and achievements, and measure overall performance.
It may make sense to engage an outside resource to assess competency and training programs and their effectiveness. A suitably experienced professional may also be able to interview disaster recovery team members and evaluate their skills and potential ability to respond in a real disaster.
Further, it may be valuable for disaster recovery team members to participate in community, county, state or national disaster exercises. Many of these are held annually, and can present a close-to-reality experience. Contact your local first responders to see what is happening in your area; contact your state office of emergency management (OEM) to see what is scheduled; and of course visit the FEMA site for national events.
Evaluating and documenting team competence program effectiveness
Clearly, the most effective way to assess competency and training programs is to have a real disaster. However, periodic exercises with different disaster scenarios can help identify areas for improvement.
Work with your HR department to set up a program-effectiveness matrix, identifying relevant activities, who participated in them, what was achieved and what lessons were learned. Results of such a matrix can be entered into each disaster recovery team member's personnel files.
About the author:
Paul Kirvan, CISA, FBCI, works as an independent business continuity consultant and auditor, and is secretary of the U.S. chapter of the Business Continuity Institute and member of the BCI Global Membership Council. He can be reached at firstname.lastname@example.org.