The success of business continuity and disaster recovery programs hinges on proper employee training. Organizations...
that design training into BCDR programs maximize the value and effectiveness of these initiatives and ensure that employees are ready to respond to a crisis.
Training and education are essential activities in the business continuity and disaster recovery (BCDR) and emerging resilience professions. This fact is cited in section 7.2 of the international standard ISO 22301:2019 Security and resilience -- Business continuity management systems -- Requirements: "The organization shall ensure that [resilience professionals] are competent on the basis of appropriate education, training or experience." Section 7.3 of the standard also encourages that organizations raise awareness of BCDR programs.
Disaster recovery training for employees can extend beyond the members of resilience teams. This awareness encourages a company culture of building and maintaining business continuity and wider participation in recovery efforts.
There are three keys to create and maintain a BCDR training program:
- establish the program format, tools and desired outcomes;
- determine the BCDR skills and activities included in the training; and
- track benchmarks to ensure progress.
Successful training programs need internal support
Business continuity and disaster recovery training initiatives need senior management support and funding. Visible and frequent endorsements and encouragement from senior management raise awareness of and increase participation in these specialized training programs.
The next key strategy is to engage human resources (HR) in the training process. This department has the expertise to organize, coordinate and conduct formal employee training. They can also support activities that promote awareness, such as department briefings and messages on employee bulletin boards. Encourage HR to include BCDR and resilience training in new employee orientation programs. Requiring all employees -- not just BCDR and resilience teams -- to participate in at least one training session reinforces the importance of these activities and can move the organization toward a culture of resilience.
Organizations with their own intranet and employee webpages can introduce a BCDR site that describes the internal training program and what it does. This page can include sections on the training process, frequently asked questions, training schedules, and links to forms, services and other useful materials.
Regularly communicate the BCDR training program and its activities to employees and senior management. Messages should be informative and educational and reinforce the company's commitment to the program and its value.
Build a BCDR training program for employees
Following is a list of activities to build a BCDR training program:
- conduct a needs analysis to identify training requirements;
- prepare a training policy and have it reviewed and approved by senior management, BCDR/resilience leadership, HR and other key departments;
- assess existing staff competencies and understanding, in coordination with HR;
- define desired outcomes and metrics for success from the training program;
- establish an ongoing training and awareness program, with approved procedures;
- develop training tools and content using needs analysis results, and partner with HR and other internal training resources;
- develop, schedule and deliver various types of training programs, such as classes, instructional guides and templates;
- identify internal and external trainers, validate their teaching credentials and arrange for appropriate train-the-trainer programs;
- communicate information about the training program to employees, customers, suppliers and other stakeholders;
- establish and use metrics to identify training focus areas;
- capture and analyze employee comments and feedback on the training program; and
- keep records of staff training and awareness activities.
Identify relevant skills, activities and strategies
Business continuity and disaster recovery training for employees looks mostly the same from one organization to another. Organizations of all types and sizes must perform standard assessments, activities and exercises to establish and maintain resilience.
BCDR skills and activities essential to include in a training program include the following:
- how to perform a business impact analysis;
- how to conduct a risk analysis;
- how to prepare a BCDR/resilience plan;
- emergency response activities, such as assessment and evacuation;
- specialized operational recovery activities, such as how to recover data and business applications to hot/cold alternate sites, launch remote work with a VPN and/or third-party-managed emergency services, and exercise BC/DR/resilience plans;
- how to initiate work area recovery and remote work;
- responding to specialized situations, including extended business disruptions as seen with the COVID-19 global pandemic;
- coordination with first responders and law enforcement organizations;
- return-to-normal activities, especially collocated in-office work; and
- restoration of business systems and processes.
Use benchmarks to track progress
Organizations can use several benchmarks to ensure that a BCDR training program is effective. When BCDR team leaders track this data they can use the results to show upper management that training is successful, or update the training to fill any gaps.
Tips to benchmark a BCDR training program include the following:
- compare the training program with other programs at other organizations;
- compare internal programs with third-party training programs;
- periodically survey employees to determine their level of awareness of the program;
- apply lessons learned from actual disasters;
- link training activities to annual performance and compensation reviews;
- provide department managers with monthly status updates on training and related awareness activities; and
- examine BC/DR/resilience training programs available from consulting firms, equipment vendors, and cloud service and managed service providers as enhancements to your program.