The Thomas Howell Ferguson Blog

Words Count

7 Mistakes to Avoid in Continuity of Operations Plan (COOP)

The world isn’t getting less risky – pandemic events like COVID-19, catastrophic weather, devastating cyber threats, unthinkable man-made disasters, and more. Now more than ever, it’s imperative that organizations know how to respond to critical events and ensure essential functions are maintained. But is your organization fully prepared in the event of a crisis? Many agencies and organizations still do not have a formalized Continuity of Operations Plan (COOP). Or, if they do, it’s incomplete or gathering dust in binders on a shelf. Whether your organization is adept at contingency planning, or is just beginning to formalize the process, avoiding the following seven critical mistakes will help ensure your planning is more effective and your organization is more resilient.

Mistake #1 – Overlooking essential business functions and failing to identify their associated risks.

To prepare for disruptive events, managers must recognize the functions most essential to the survival of the organization, and then identify the potential hazards that could impact these functions. This is no small feat, but rather a process that deserves significant time and attention. A few key tips to consider when ensuring essential business functions are properly identified include:

Get buy-in from the top. A thorough risk assessment is a serious exercise. It will require input and resources from multiple levels. Make sure senior management is fully supportive and willing to provide their stamp of approval on the process.

Incorporate feedback from a variety of different sources. Do not rely solely on a handful of senior managers to develop a comprehensive list of potential hazards. While their perspectives will be invaluable and insightful in a variety of ways, they will invariably miss lower level risks that can cascade into much larger problems.

Associate details with the identified risks. For each threat, outline the potential impact along with other key elements, including:

  • Probability the hazard will occur
  • Magnitude/Severity of the event
  • Warning time associated with the risk
  • Typical duration of the hazard
  • Recovery time objectives

Make the risk assessment actionable. Identifying the risks and their associated characteristics is one thing. Outlining the proper actions to take when facing the threat is another. For each hazard, managers should define and document the appropriate actions to take to minimize disruptions and losses.

A common mistake here is to focus solely on actions taken during the event. While this is essential, planners should also consider actions related to pre-event preparedness, post-event recovery, and mitigation. These actions should be documented and be easily accessible by a wide-range of authorized individuals.

Mistake #2 – Failing to implement a process for ensuring contact information is accurate and reliable.

Proper preparedness and response begins and ends with people. As such, the organization must maintain an accurate accounting of its personnel, their responsibilities and the myriad of methods in which people can be contacted.

Sounds simple enough. However, it’s surprising how often organizations falsely assume their contact information is current. Employees come and go. Responsibilities change. Contact devices are dropped or adopted. In a crisis, this can cause substantial problems.

The organization should develop a consistent, repeatable process for ensuring workers can verify their information. Outreach campaigns to employees should be conducted at least biannually. Quarterly campaigns are even better. In addition to verifying basic contact information such as phone and email, ensure secondary contact information such as title, division, location, etc. is correct. In addition, remember to capture information from outside of the organization’s walls. In most cases, external stakeholders play key roles in business resilience. These contacts should be maintained with diligence, as well.

Mistake #3 – Failing to clearly define key teams and communicate assigned roles/duties.

For effective response and recovery, it is wise to create teams centered on specific threats, responsibilities or decision-making capabilities (e.g., Executive, Pandemic, Relocation, etc.). With team development, managers should:

Clearly specify the team’s mission. Each team should have a written “mini-charter” that outlines the role parameters of the team. During a critical event, lines can be blurred as to which teams own what responsibility. A well-defined list of team mission roles can help bring clarity to the situation.

Make sure team rosters are kept up to date. Like contact information, team data should also be reviewed and updated regularly. It can be frustrating or potentially damaging to assemble a team, only to learn a portion of its members are no longer employed, or key members have changed positions and are no longer “plugged in” to the area in which they supposedly offered expertise.

Ensure team members are fully prepared. As COOP team responsibilities are likely not something average employees think about daily, it’s imperative managers ensure members are reminded of their duties. Teams should be encouraged to meet routinely throughout the year to review team roles, members, individual responsibilities, etc. Regular tests and exercises should also be conducted.

Mistake #4 – Creating insufficiently “deep” orders of succession and failing to outline clear delegations of authority.

A familiar managerial structure can provide some degree of comfort even during a stressful critical event. However, what happens if that decision-making hierarchy is impacted? What do you do when a key senior manager is incapacitated or unreachable?

Define and document orders of succession. If a key decision-maker becomes unable to fulfill his or her duties on a long-term basis, it’s imperative that the organization knows where to turn for leadership. As such, a clear order of succession plan should be developed. It is recommended the succession plan is at least three levels deep (defining additional levels is advisable, if possible). It is also recommended that the successor’s title be the defining element in the plan instead of only referring to a specific individual’s name. Document delegations of authority.

Immediate decisions or routine approvals may be needed during the short-term absence of a key decision-maker. Situations like leave authorizations, purchase requisitions, payroll, etc. can become bogged down, disrupting the flow of business. In cases where there is a temporary lapse in leadership, clearly documented delegations of authority are valuable. The plan should list 1) the position holder(s) who have typical day-to-day authority over the decision/process and 2) the position holder(s) who have delegated authority. These should be identified in the preferred order of delegation.

Mistake #5 – Failing to maintain accurate and detailed facility information.

Facility details is a COOP item that is commonly overlooked or at least incompletely addressed. While it’s true most employees have sufficient knowledge about an organization’s main facilities, knowledge gaps regarding other locations and their associated characteristics can create resiliency problems. Questions to consider include:

  • Do new employees know about a backup location and where it’s located?
  • What about remote employees? Are they adequately identified, aware and informed?
  • Will relocated employees arrive at the collocation facility with the proper entry credentials?
  • Are relocated employees aware of emergency procedures for their new location?

To address these knowledge gaps, organizations should maintain an accurate and accessible list of all primary and secondary facilities, including the physical address. Additionally, information should be documented for each location relating to ingress/egress locations, access control measures, communications infrastructure, etc. It is also wise to detail evacuation procedures including any “rally” points for evacuees.

Mistake #6 – Failing to document vital records and critical systems.

Virtually every organization relies on a myriad of systems, spreadsheets, forms, etc. to maintain operations. Accounting systems, human resources records, client/stakeholder data, public records, etc. all may be relied upon daily to fulfill an organization’s mission.

Though the information may reside in multiple systems and locations, there are two key things planners can do to help streamline vital records response and recovery.

Determine what is “vital.” For every vital data source there may be dozens of useful, but non-vital sources and/or systems. Managers should determine which data sources are truly critical to the organization’s resilience and itemize these.

Capture relevant details about the critical data source or system. Once the most important data sources and systems have been identified, managers should outline relevant source details. Depending on the resource type, details may include:

  • Physical location for hard-copy documents
  • Shared drive locations
  • Local software applications
  • Software-as-a-Service (SaaS) Solutions and Administrator
  • Network resources such as printers, fax machines, scanners, copiers, etc.

Mistake #7 – Failing to make COOP data accessible, editable and secure.

The days of stacking shelves with COOP plan binders really should be behind us. In today’s world of secure online software solutions, hard-copy approaches leave much to be desired. Consider how online planning solutions improve the COOP process:

Better collaboration – COOP planning requires deep collaboration between multiple people, departments, and external agencies. Online solutions make collaboration easier and more efficient. Easier editing and maintenance online planning solutions make editing records, teams, and plans fast and easy. Users simply login, make changes and save. Assignments, duties, teams, etc. will be updated automatically throughout the plan.

Enhanced security – Emergency response plans should be protected as they typically contain sensitive information about the organization and its employees. Binder shelves have virtually no access limitations and safeguards, and there is no audit trail of who has accessed the documents at what times. Online planning software provides for permission-based access to plan details and contact information via assigned user names and passwords.

Superior mobility – A shelf full of binders is difficult, if not impossible, to move in the event of a disaster. Today’s online planning software providers offer mobile capabilities that place emergency response plans quite literally in the hands of the right people wherever they may be. In all, these mobile capabilities extend the practical application of crisis planning.

Faster response – A Comprehensive Emergency Preparedness Plan (CEMP) is really a conglomeration of multiple mini-plans. It’s the reason why most plans consume multiple binders on multiple shelves. As such, precious time can be wasted manually scouring printed Tables of Contents or Indexes looking for the right piece of information. With well-designed online planning software, information is easily accessed and key elements can be searched electronically to uncover crucial data within seconds.

COOP planning doesn’t have to be painful.

The best practices outlined here are based on our team’s experience helping more than organizations plan and prepare for critical events. Our team offers a unique combination of expertise, facilitation, training, and project management combined with industry-leading online planning software. The combination will help make your next planning process easier, faster and better, ultimately improving the resilience of your organization.

Contact our team to learn more today! You can reach Steve Stevens, one of our government consulting team leaders, here.  

Related Blog Posts

Subscribe to our newsletter


By submitting this form, you are granting: Thomas Howell Ferguson P.A. CPAs, 2615 Centennial Boulevard #200, Tallahassee, FL, 32308, permission to email you. You may unsubscribe via the link found at the bottom of every email. (See our Email Privacy Policy (http://constantcontact.com/legal/privacy-statement) for details.) Emails are serviced by Constant Contact.