needs to be present for a risk to exist.
Absence of any of these makes the risk
go away. In other words, if there are no
threats, or if no vulnerabilities are inherent
in the asset to be exploited, then there
is no risk. The FCD suggests that federal
agencies follow the risk management
cycle introduced by the Government
Accountability Office (GAO) to manage the
risks inherent in any organization. Such
risk management should be part of the
overall continuity program and continuity
planning. Organizations should assess
their risks using a proven framework,
evaluate alternatives for addressing those
risks, implement the chosen alternatives,
and monitor the progress made and the
results achieved.
The framework also directs federal
agencies to first identify all of their mission-
essential functions through a business
process analysis exercise. According to
the directive, mission-essential functions
are that limited set of agency functions
that must be continued at all costs after
a disruption of normal activities. Within
the mission-essential functions, there are
two further categories: national essential
functions and primary mission-essential
functions. National essential functions
are the eight functions the president and
national leadership will focus on to lead
and sustain the nation during a
catastrophic emergency. Primary mission-
essential functions are the agencies' mission-
essential functions that directly support
the national essential functions. These
functions must be continuous, or be
resumed within 12 hours of disruption, and
be sustained for up to 30 days or until
normal operations can be resumed.
• Orders of succession are the next
key concept to be considered. Every
organization head should have a
designated official to succeed him or her
during an emergency. The organization
should make the effort to identify and train
successors for all of its key leadership
positions, not just the CEO function.
Such succession planning should also
specify the rules and conditions under
which it can be invoked. This information
should be well documented and be part of
the organization's vital records.
• Delegation of authority is another key
concept outlined in the FCD. In addition to
orders of succession, every organization
should have its delegation of authority
procedures clearly laid out before an
emergency occurs.
What is the difference between orders of
succession and delegation of authority?
Orders of succession are provisions
for the assumption of senior leadership
positions during an emergency, that is,
when the incumbents are unable or
unavailable to execute their duties. An
order of succession allows for an orderly
and predefined transition of leadership,
and a successor is vested with most of
the authorities and powers of the
incumbent. Delegations of authority, on
the other hand, grant specific and limited
authority and can be invoked on a
temporary basis. For example, they
may take effect during periods when
those in charge are unavailable due to
travel.
• Vital records management is the fifth
key concept outlined in the directive.
According to the FCD, every agency must
have a program to identify, protect, and
be able to produce the vital records that
support its primary mission-essential
functions and mission-essential functions.
In this context, vital records include
information systems and applications,
electronic or hard-copy documents, and
any references and records needed to
continue mission-essential functions
during a crisis. The agency should be
able to produce such records at the
alternate site within 12 hours of COOP
activation. Management of vital records
is a prudent business practice for any
organization, not just the federal
government.
• Test, training, and exercise (TT&E) is an
important concept laid out in the FCD. This
process provides assurance to senior
leadership that equipment and procedures
are kept in a constant state of readiness.
Every organization should conduct TT&E
of its mission-essential functions at least
once a year, if not more frequently. For
a federal agency, the directive mandates
that it follow the guidelines outlined in
the Homeland Security Exercise and
Evaluation Program and conduct a hot
wash after each exercise. The federal
agency should also prepare an after-
action report at the conclusion
of every exercise and review it with all
the participants as part of its corrective
action program.
• Devolution of control is simply the ability
of a federal agency to transfer its statutory
authority and responsibility to another
agency, so that the other agency can
step in and continue its mission-essential
functions. To ensure a smooth devolution
of authority, an agency should identify
through prior planning which other federal
agency can perform its job, build a roster
of key trained personnel who can work
for the receiving agency during the transition,
and outline the likely situations or scenarios
in which the devolution option would have
to be activated. This concept may not
necessarily be applicable to a non-federal
organization.
Conclusion
Like many of the other frameworks
in business continuity, the FCD is a very
thorough framework, and most of it applies
outside the federal arena. As you have
likely noticed by now, most of these key
concepts can be part of any organization's
BC/DR program. Whether you are starting
a program from the ground up or identifying
gaps to mature and grow an existing
program, the FCD can act as a checklist
and a sounding board to make sure your
program is headed in the right direction.
As with any framework, some areas may
not be applicable to your specific
organization. I would recommend that
every organization weigh these key
concepts for business value and then
implement them where the benefits
outweigh the costs.
Shankar Swaroop, CISSP, CISM, CSSLP, PMP, ITIL (V3), OCP,
is currently the director of business continuity and disaster
recovery at the Navy Exchange Service Command, a retail
operation within the Department of Defense. He holds an MBA
from the University of Texas at Austin and is a CPA from India.
He has more than 15 years of experience in the IT industry in
the areas of enterprise architecture, information security, and
business continuity. He is a published author and speaker in
the areas of enterprise risk management and business
continuity. The author would welcome questions and feedback
and can be reached at itswaroop@gmail.com.