People Management

Operations

Purpose

The purpose of People Management is to establish and manage the contributions and availability of people to support the resilient operation of organizational services.

Introductory Notes

People are an essential asset in the organization’s ability to produce products and deliver services in the pursuit of strategic objectives. Without people and their skills, knowledge, information, and other valuable traits, many business processes could not operate effectively and the mission of organizational services would be in jeopardy.

The People Management process area focuses specifically on the “people” asset and their role in supporting the operation of business processes and services. Unlike information, technology, and facilities, the primary resilience requirement for people is availability—the availability of people to perform their roles and responsibilities in supporting organizational services as intended and when necessary. Events that disrupt the contributions of people affect the successful outcome of business processes and services and may impede the organization’s mission. Even in highly automated operating environments where people have diminished roles, the unavailability of people may render services unable to meet their missions.

To properly manage people and their contributions to services, the organization must address several key aspects of resilience. It must

• identify the vital people in the organization, based on their roles and responsibilities

• identify and manage risks that would interrupt or disrupt the contributions of people or make people unavailable to perform their roles and responsibilities

• manage the processes that ensure continued availability of people or that provide for appropriate substitutions and replacements when necessary

• manage the availability of people during and after disruptive events and other times of stress

While there is an assumption that people who support organizational services are typically employed directly by the organization, there are many cases where they are acquired through outsourcing and supplier relationships or may be otherwise external to the organization. These external staff are included in the scope of the People Management process area because their availability could affect the successful operation of business processes and services. Therefore, the “staff” referred to in this process area can be understood to include both internal and external people. In addition, the availability of people also extends to staff who are deployed in vital resilience roles in disciplines such as security, business continuity and disaster recovery, first response, and IT operations management.

The People Management process area considers the effects on the organization due to interruptions and disruptions that affect the performance and availability of people. Thus, considerations such as cross-training of staff and succession planning are included to ensure a steady stream of effective staff for vital job roles and responsibilities. In addition, the impact of staff turnover, particularly in vital roles in high-value services, is also considered and addressed. When disruptions occur, People Management focuses the organization on preparing staff to accept and perform new roles, however temporary, until a return to business as usual can be accomplished. This can be a challenge because of physiological and physical constraints that the organization may have to identify and address before staff can effectively be re-introduced to a post-event workplace environment. All of these potential issues must be acknowledged and addressed by the organization in order to ensure sustained productivity of people throughout the enterprise.

As people are a ubiquitous resource in an organization, there are many aspects of people that affect operational resilience. People Management is focused on the availability of people to the services that they support. The management of people through their employment life cycle and the effect on operational resilience are addressed in the Human Resource Management process area. Finally, promoting awareness of the organization’s efforts and providing training to resilience staff for their roles in managing operational resilience are addressed in the Organizational Training and Awareness process area.

Related Process Areas

The establishment and management of resilience requirements for people are performed in the Resilience Requirements Definition and Resilience Requirements Management process areas.

The identification of people and their support for services is addressed in the Asset Definition and Management process area.

The risk management cycle for people is addressed in the Risk Management process area.

The management of the internal control system that ensures people are adequately protected is addressed in the Controls Management process area.

The role of people in sustaining high-value organizational services and business processes is addressed in the Service Continuity process area.

The management of the human resources life cycle (from hiring to termination) is addressed in the Human Resource Management process area.

The awareness and acculturation of staff to the organization’s philosophy and approach to managing operational resilience are addressed in the Organizational Training and Awareness process area.

Summary of Specific Goals and Practices

Specific Practices by Goal

Establish Vital Staff

The vital staff of the organization are identified and prioritized.

In this goal, the organization establishes the vital staff who must be resilient due to their roles in supporting effective operation of business processes and services. While all staff in an organization must be resilient to some degree, a select group of staff are absolutely essential to the sustained operation of the organization, particularly under stressful conditions.

Prioritization of staff is a risk management activity. It establishes the staff who are of significant value to the organization and for whom additional protective controls and measures to sustain them are required. Failure to prioritize may jeopardize the organization’s ability to withstand disruptive events and recover to normal operating conditions.

People may also be categorized as vital because of the level of access they have to other organizational assets.

Identify Vital Staff

The vital staff from a resilience perspective are identified and characterized.

The identification and characterization of vital staff must be performed to ensure that the organization properly considers them in the development and deployment of its strategies to protect and sustain them.

In most cases, people are identified as vital because of the role, function, or responsibility they have. However, certain people may be identified as vital because they are of high value to the organization for other reasons. The criteria that distinguish vital staff will vary by organization but should include people who

• perform roles that are vital to the continued operation of high-value services

• perform vital resilience functions such as security and disaster recovery

• are assigned executive authority for decision making and management control over the organization

• have access to, control of, or protection responsibility for valuable or sensitive organizational assets

• are valuable due to their knowledge, experience, or organizational or community reputation

It is likely that the different groups of vital staff will require varying levels of special consideration based on the potential effects they have, either directly or indirectly, on the organization’s operational resilience and its ability to manage it.

Typically, the organization selects a subset of vital staff from its staff inventory; however, it is feasible that the organization may compile a list of vital staff based on risk or other factors. (The identification, definition, management, and control of people as an organizational asset are addressed in the Asset Definition and Management process area.)

When identifying vital staff, wherever possible, it is important to describe the role, function, or responsibility or other reason that supports their designation as vital. In addition, vital staff are often identified and described in service continuity plans and other strategies; thus, the staff identified in this practice may have to be reconciled against those plans on a periodic basis. (Service continuity plans are addressed in the Service Continuity process area.)

Typical work products

  1. List (or lists) of vital staff

Subpractices

  1. Identify vital service-support staff.

    Service-support staff include people who have vital roles in the continued effective operation of the organization’s services. The extent to which the organization can tolerate an interruption to the availability of these staff members should be considered when compiling this list.

    (An inventory of high-value staff is established in ADM:SG1.SP1 in the Asset Definition and Management process area.) This list may suffice for this subpractice or may be expanded if necessary.

    Examples of service-support staff include those who

    • operate or run significant business processes (which may not be operable without them)

    • have knowledge, information, or intellectual property needed to operate business processes

    • have a skill set that is unique or in limited supply in the organization

    • perform a role that can only be performed by people (i.e., cannot be automated or requires significant interpretation and reasoning)

  2. Identify vital resilience staff.

    Resilience staff include people who primarily perform vital resilience functions in the organization, including security, disaster recovery, and incident response. The extent to which the organization can tolerate an interruption to the availability of these staff should be considered when compiling this list.

    Examples of resilience staff include those who

    • perform security functions such as network security monitoring, access control, or security administration

    • perform business impact analysis and develop service continuity plans

    • manage high-value IT systems and applications

    • manage high-value IT infrastructure

    • manage access to, backup of, and restoration of high-value information assets

    • manage physical security (protection and access) of high-value areas and facilities

  3. Identify vital managers.

    To remain viable, particularly in times of stress, an organization must sustain its ability for executive decision making and control. This list of vital managers should include higher-level managers who are crucial to the command and control of the organization and their alternates. Alternates should be individuals who have the responsibility and authority for decision making and control in the event that vital managers are unavailable.

    The extent to which the organization can tolerate an interruption to the availability of executive authority should be considered when compiling this list. Additionally, there may be regulatory requirements related to executive control that have to be considered and can be satisfied through the compilation of this list.

    These are examples of vital managers:

    • chief executive/financial/operating officers

    • chief risk officer

    • chief technology officer or chief information officer

    • chief information security officer

    • higher-level managers in organizational units and lines of business

    • vital higher-level roles in legal, human resources, communications/public relations, and operations

    • acceptable alternates to these positions

  4. Identify staff who have access to, control of, or protection responsibility for highly valuable or highly sensitive organizational assets.

    This list of vital staff should include people who have trusted or special access to valuable or sensitive organizational assets. Such access is appropriate and necessary for people with certain roles in the organization and could be essential during a disruptive event.

    These are examples of trusted, privileged, or special roles:

    • technology staff with special and trusted access to software, hardware, systems, and networks (such as superusers)

    • production and operations supervisors (who can stop or start processes at will)

    • human resources staff with trusted access to confidential employee information

    • legal and audit staff with trusted access to sensitive organizational information and knowledge

    • physical security and protection staff who have trusted (and universal) access to facilities and buildings

  5. Identify other vital staff.

    This list should include any other staff who may be vital to the organization’s ability to achieve its strategic objectives or to sustain its operations under adverse conditions. Such staff might include people who are valuable because of what they know, whom they know, or other reasons. When compiling this list, the organization should consider the importance of these people not only to the viability of the organization but in whatever role they might play during disruptive events or other incidents that may draw the organization temporarily off course.

  6. Reconcile the list of vital staff periodically to service continuity plans and other resilience strategies.
  7. Periodically validate and update the list of vital staff based on changes in the operational and organizational environment.

Manage Risks Associated with Staff Availability

Operational risks related to the availability of staff are identified and managed.

There are many types and categories of risk that are associated with people in the organization. On one hand, there are the risks related to the actions of people, such as when human error occurs or when staff members exploit organizational assets for their own gain. These risks involve people as a threat actor and result in a multitude of potential effects on the organization, such as disclosure of information, misappropriation of funds, and negative impact on the life, safety, and health of others.

On the other hand, there are risks associated with the interruption and interference of people in performing their job responsibilities. These risks to the availability of staff impact the organization by affecting the services that these staff members support and, in turn, the organization’s ability to meet its mission. This can result in loss of revenue, increased labor costs, fines and legal penalties, and in some cases extreme effects such as loss of life.

Risk management for vital staff is focused on the identification of risks to the availability and productivity of these people. Managing risk related to vital staff involves the determination of the conditions under which their availability could be threatened, as well as the potential impact on the organization as a result.

Identify and Assess Staff Risk

Risks to the availability of staff are periodically identified and assessed.

Operational risks that can affect staff must be identified and mitigated in order to actively manage the resilience of staff and, more important, the resilience of services that depend on the staff.

The identification of staff risks forms a baseline from which a continuous risk management process can be established and managed.

Typical risks that affect staff availability include natural disasters (that prevent vital staff from reporting to work), staff issues (such as poor performance or excessive absenteeism), inappropriate behaviors (such as failing to report to work to purposely affect the success of a business process or strategic objective), and other issues such as return-to-work considerations after a disruptive event that has psychological effects on staff.

Risks associated with the availability of staff also extend to their knowledge and experience. For example, the unavailability of a vital person who has extensive knowledge about a process or has information that is required by a process can impact the organization negatively by interfering with the availability of this knowledge and information for its intended purpose.

The subpractices included in this practice are generically addressed in RISK:SG3 and RISK:SG4 in the Risk Management process area.

Risks related to the actions that people take (as threat actors) are addressed in other process areas such as Knowledge and Information Management (for information asset risks), Technology Management (for technology-related risks), and Environmental Control (for facility-related risks).

Typical work products

  1. Risk statements, with impact valuation
  2. List of staff risks, with categorization and prioritization

Subpractices

  1. Determine the scope of risk assessment for staff.

    Determining which staff to include in regular risk management activities depends on many factors. For most organizations, the scope will be limited to vital staff or a subset of vital staff.

  2. Identify risks to the availability of staff.
  3. Analyze risks to the availability of staff.
  4. Categorize and prioritize staff risks.
  5. Assign a risk disposition to each staff risk.
  6. Monitor the risk and the risk strategy on a regular basis to ensure that the risk does not pose additional threat to the organization.
  7. Develop a strategy for risks that the organization decides to mitigate.

Mitigate Staff Risk

Mitigation strategies for the risks related to the availability of staff are developed and implemented.

The mitigation of staff risk involves the development of strategies that seek to minimize the risk to an acceptable level. This includes reducing the likelihood of risks to the availability of staff, minimizing exposure to such risks, developing plans to keep staff available during times of disruption, and developing recovery and restoration plans to address the consequences of realized risk. Risk mitigation also includes the implementation of controls to minimize the likelihood and impact of risks from staff. For example, training more than one person in vital roles may reduce the potential impact when one or more people cannot report to work because there is an acceptable backup.

Risk mitigation for staff requires the development of risk mitigation plans (which may include the development of new or revision of existing staff controls) and the implementation and monitoring of these plans for effectiveness.

The subpractices included in this practice are generically addressed in RISK:SG5 in the Risk Management process area.

Typical work products

  1. Staff risk mitigation plans
  2. List of those responsible for addressing and tracking risks
  3. Status on information asset risk mitigation plans

Subpractices

  1. Develop and implement risk mitigation strategies for all risks that have a “mitigation” or “control” disposition.
  2. Validate the risk mitigation plans by comparing them to existing strategies to protect and sustain staff availability.
  3. Identify the person or group responsible for each risk mitigation plan and ensure that they have the authority to act and the proper level of skills and training to implement and monitor the plan.
  4. Address residual risk.
  5. Implement the risk mitigation plans and provide a method to monitor the effectiveness of these plans.
  6. Monitor risk status.
  7. Collect performance measures on the risk management process.

Manage the Availability of Staff

The availability of staff to support high-value services is managed.

People provide direct support for the efficient and effective operation of organizational business processes and services. Thus, the availability of staff is critical to the resilience of these processes and services.

There are many potential events that can impair the availability of staff. For example, staff may be unavailable due to common causes such as illness or paid time off. Conversely, staff may also be unavailable on a broad scale due to natural disasters, civil unrest, or other catastrophic events.

In addition to their value to day-to-day operations, people are also a significant component of the organization’s service continuity management program, and thus lack of availability can render service continuity plans and the organization’s response to events ineffective. Developing and implementing plans to sustain staff availability during certain widespread or catastrophic events is a complex and challenging undertaking. When staff are facing issues of life and safety, loss or injury of family and friends, or considerable destruction of personal property, it is unlikely that they will be available or, if available, productive during or immediately following such an event.

Most of the actions that an organization can take to actively manage the availability of staff involve planning for staff redundancy and backup support for the roles that people play in the successful execution of business processes and services. This involves establishing redundancy for vital staff and performing succession planning to the extent possible to ensure a smooth transition when vital staff are unavailable. The organization must also address the availability of staff during times of stress; thus, it must consider how to redeploy staff when necessary to meet basic organizational needs, provide support for staff when they have been redeployed, and assist staff in transitioning back to their roles after a significant disruptive event.

Establish Redundancy for Vital Staff

Redundancy for vital staff is established to ensure continuity of services.

One of the most significant risks to an organization that can impact operational resilience is the loss of the skills and knowledge of staff. This risk can be increased when staff have institutional knowledge that has not been captured by the organization, documented, and communicated. Thus, a primary control for the organization to effectively (and proactively) ensure availability of vital staff is to establish redundancy through identifying, training, authorizing, and credentialing backup staff.

Strategies for providing redundancy for vital staff may extend beyond the organization’s borders. For example, in some cases, staff inside the organization may not have the requisite foundation to be trained for another role in the organization. Thus, the organization may include in its redundancy strategy provisions for procuring staff with the right skills from outside of the organization, either from a temporary agency or from a provider of consulting services. In many cases, the ability to “purchase” skills is an effective strategy for providing redundancy that helps the organization to sustain operational resilience, even during times of stress.

It must be noted, however, that a key objective of redundancy is the transfer of institutional knowledge; therefore, simply providing a resource that can be trained may not be sufficient if the specific knowledge and experience of the person being replaced has not been captured and cannot be transferred. (The processes for capturing institutional knowledge are addressed in the Knowledge and Information Management process area.)

Typical work products

  1. Strategic plan for providing redundancy for vital staff and services
  2. List of designated backup staff for the organization’s vital staff
  3. Procedures for cross-training and credentialing
  4. Procedures for outsourcing redundancy

Subpractices

  1. Determine which vital staff positions must have redundancy.

    The organization must determine (from a risk and resilience perspective) which vital staff positions must be made redundant. This may involve extensive research and may be considered part of the organization’s regular risk identification, assessment, and mitigation activities. The result of this practice should be the identification of the positions that are vital to the organization and that require redundancy strategies to ensure operational resilience.

  2. Identify backup staff for vital staff positions.

    The identified staff should be documented and should consent to serving as a backup as part of their position responsibilities.

  3. Develop a strategic plan for providing staff redundancy.

    The strategic plan for addressing staff redundancy should consider all relevant options for ensuring uninterrupted provision of support for organizational business processes and services. Options such as cross-training, job rotation, succession planning, and outsourcing should be thoroughly researched, and the most effective options (that would present the least risk to operational resilience) should be documented and considered. The strategies chosen may be specific to the job function that is being considered, so a mix of strategies may ultimately be needed.

    Keep in mind that the strategies for redundancy, particularly during disruptive events and times of stress, may be instantiated in the organization’s service continuity plans. (The development of service continuity plans is addressed in the Service Continuity process area.)

  4. Provide training to redundant staff to perform necessary roles and responsibilities.

    To be effective, the backup staff must have the skills and knowledge to perform the required functions and must be equipped with all necessary access privileges, credentials, authority, equipment, and supplies. Backup staff should be trained, briefed, and equipped to perform the necessary functions. Training should involve demonstration that the requisite skills can be applied as needed.

    It is also important to establish protocols for engaging the backup staff. For certain positions, it is appropriate for an “on-call” structure to be established to ensure the constant availability of the backup. It may also be important for other staff in the organization to be informed when a backup person is assuming the duties of a vital staff position so that it is clear who is responsible for the duties at any point in time.

Perform Succession Planning

Vital management roles and responsibilities are supported through succession planning.

Succession planning is a form of redundancy focused on providing smooth transition for vital management roles in the organization. It is also a prudent activity that is often required by regulatory bodies and oversight agencies to ensure that an organization (particularly a publicly held company), its stakeholders, and its customers will not be adversely affected by the loss of one or more vital higher-level managers.

Succession planning is an extensive and systematic activity. It requires higher-level managers to look into the organization to identify potential successors and then mentor, train, and groom them to take roles in the future contingent upon vacancies that have not yet occurred. This requires an adept balance of human resources management, strategic planning, and skill building to create an effective succession chain.

Succession plans are typically focused on vital higher-level managers. However, depending on the organization, there may be other technical and administrative managers who are not easily replaced and for whom succession planning should be performed.

A named successor to a vital manager is distinct from a backup manager. The successor must have the full set of skills, knowledge, authority, access, and credentials to serve as a permanent replacement for a vital manager. Therefore, it may be efficient for the organization to have such successors serve in backup roles as well. To be effective and able to perform the necessary roles and functions, successor managers must be trained, authorized, and credentialed to perform the functions of vital managers on a permanent basis.

Typical work products

  1. List of vital managers to include in succession planning
  2. Succession strategy
  3. Documented succession plans for vital managers
  4. Training plan and records for successors

Subpractices

  1. Identify vital positions that have to be included in succession planning.

    Succession planning begins with the identification of scope. This may require a risk-management–based activity that seeks to identify the potential impact of the loss of a vital organization resource for a period of time. The result of this practice is a list of vital managers for whom succession strategies and plans must be created and applied.

  2. Develop strategies for creating a succession chain.

    The succession strategy must consider the positions that must be addressed as well as the pool of existing managers who can be considered in the succession chain. In some cases, the organization may decide that there are no internal candidates who can serve in the succession chain, which may lead to hiring new managers specifically for the purpose of grooming them for a future position.

    Strategies for succession planning must also consider the time element of replacement. In some cases, the grooming process may be conducted over several years, particularly when the organization has advance (but not necessarily public) knowledge that a vital position will be vacated in the future. In other cases, the time element may be short due to the loss of a manager as a result of illness, accident, or termination.

  3. Establish detailed succession plans for vital management positions.

    The succession plan should align with the organization’s strategy and include provisions for mentoring, training, and job rotation activities.

  4. Mentor and train successors to perform necessary functions.

Prepare for Redeployment

Plans are established and staff are prepared to redeploy to other roles during a disruptive event or in the execution of a service continuity plan.

During a disruptive event or during the execution of a service continuity plan, the focus of the organization turns to sustaining the operations of high-value services to the fullest extent possible while stabilizing the situation and conditions for eventual return to business as usual. During such times of stress, the availability of staff is paramount, although they may need to immediately shift to alternate roles to best serve the organization.

To facilitate these temporary changes in job functions, it is necessary to plan the redeployments in advance to the extent possible and to inform, train, and equip staff to perform alternate duties.

It may also be necessary for staff to report to alternate work sites or work from home during certain events. In those cases, staff should be made aware of the plans for alternate work sites, informed as to where they will receive instructions for reporting to such work sites, and provided with necessary access (logical access for working from home, or access to the alternate work site).

Typical work products

  1. Documented strategies and plans for staff redeployment
  2. Training plans for redeployment
  3. Service continuity plans
  4. Credentials for first responders

Subpractices

  1. Establish plans for staff redeployment during disruptive events.

    This planning should be conducted in collaboration with the development of the organization’s service continuity plans but should focus primarily on the availability of staff and their redeployment.

    Access, equipment, and supplies needed for the redeployment should be sourced as part of the planning process.

    Additional actions may have to be taken by the organization to ensure the availability of the staff named in the redeployment plans. (These considerations are addressed in PM:SG3.SP3.)

    The development of service continuity plans (which may contain information about staff availability and redeployment) is addressed in the Service Continuity process area.

  2. Notify staff of the plans for their redeployment during disruptive events.

    Staff should be made aware of and indicate their understanding of the redeployment plans in advance of execution. Staff should also be made aware of how they will receive information and communications prior to an anticipated event or during an event. (Communications issues are addressed in the Communications process area.)

  3. Provide appropriate training for staff in advance of redeployment.

    Training and skill building required for redeployment may be integrated with training provided for redundancy of vital positions (as outlined in PM:SG3.SP1).

  4. Obtain and provide credentials for first responders.

    The availability of vital staff may be impeded if they do not have the credentials they need to perform their roles during a disruptive event. In many cases, it is likely that public (governmental) authorities will restrict access to a region around an event site. The restriction may continue for the duration of investigatory, safety restoration, or environmental cleanup activities. Access to the organization’s facilities may be barred for the duration of the closure of the area. If the facility contains high-value assets that require human intervention, then the lack of access can have a serious operational impact.

    To plan for the availability of vital staff in such scenarios, the organization must coordinate in advance with governmental authorities to acquire and maintain credentials for first-responder staff.

  5. Review and update plans for staff redeployment during disruptive events as needed.

Plan to Support Staff During Disruptive Events

Plans are developed and implemented to ensure support is provided for staff as they are deployed during a disruptive event.

A key objective during a disruptive event is to ensure the availability of staff. Unfortunately, when disruptive events are significant in size, complexity, and impact, staff are generally focused on their own personal needs (as victims of the event) and are not particularly inclined to take on their job functions or redeployment roles. Thus, the organization must develop the means to provide for and support the basic needs of staff so that they can become available to support the organization’s objectives during an event.

This is obviously a complex undertaking: the organization must be adept at bringing resources to bear while being supportive and empathetic to the physiological and psychological situations that staff are faced with—loss of property, injuries, basic sustenance needs, and even loss of life. The success of service continuity planning and plans is dependent upon how well the organization plans and addresses the basic physiological, psychological, and safety needs of staff in these situations—otherwise, service continuity plans will be ineffective because a basic component of these plans will not be available.

Typical work products

  1. Support strategy
  2. Prioritized areas of support
  3. Documented plans to support staff during disruptive events
  4. Service continuity plans

Subpractices

  1. Establish a strategy for support considerations during disruptive events.

    As part of the organization’s overall service continuity planning, considerations for supporting staff during disruptive events should be addressed.

    Event scenarios should be established as the basis for planning. The events should range from specific, local disruptions that impact the organization’s work sites to far-reaching, general disruptions that impact the general locale or region around one or more work sites.

  2. Identify areas of support that the organization must provide.

    Areas of support may include the following:

    • Financial—It may be necessary to provide emergency financial support to help staff care for themselves or their families.

    • Transportation—Assistance may be needed to transport people to primary or secondary work sites.

    • Accounting for all individuals—Plans should include provisions for accounting for all staff and their location and condition.

    • Payroll—The payroll system should remain in operation throughout the event. Depending on the scale of the event, it may be necessary to assist people with check cashing or other banking issues.

    • Crisis counseling and family support—Provisions should be made for supporting the emotional needs of staff and/or their families.

    • Notifications—Notifications of injuries or fatalities should be planned carefully and performed by higher-level managers where possible.

    • Communications—Provisions should be made for communicating with staff during the event.

  3. Develop plans to support staff during disruptive events.

    The plans should consider the actions the organization has to take to provide support in each of the prioritized areas. This may require other resources to be procured or committed (such as the ability to run the payroll system or to obtain services from an outsourcer). As with all types of continuity plans, the organization should document the plan and the resources needed to fulfill the plan and should test the plan on a regular basis to ensure that it is working properly.

  4. Assign resources to the plans to support staff during disruptive events.

    As with all types of continuity plans, resources must be available to enact and carry out the support activities that are provided to other staff who will be called upon to perform their job responsibilities or to be redeployed.

    Staff responsible for executing the plans may require additional training to obtain necessary skills and knowledge.

  5. Review and update the plans to support staff during disruptive events as needed.

Plan for Return-to-Work Considerations

Plans are developed and implemented to address return-to-work issues for staff after a disruptive event.

The availability of staff to return to work after a disruptive event is paramount to recovery. Unfortunately, there may be psychological and physiological barriers to returning to work that may affect the availability of staff and their productivity. Proactive consideration of these issues will make transition back to the workplace less problematic and may avoid issues related to lack of availability of staff that can ultimately affect operational resilience.

The organization must develop strategies and plans to address transition issues that can occur as the result of significant and catastrophic events so that the effects of the events do not carry over into the organization’s attempt to return to business as usual.

Typical work products

  1. Documented transition strategies for return to business as usual
  2. Contracts with external entities
  3. Service continuity plans

Subpractices

  1. Establish a strategy for transitioning staff back to the workplace.

    As part of the organization’s overall service continuity planning (particularly recovery planning), staff issues that could impede a return to work should be addressed. This may require the organization to perform scenario planning and analysis to determine the types of transition issues that may arise from its unique geographical locations, industry, or workforce.

  2. Identify and procure resources that will be needed to ensure effective transition.

    Resource issues may include the identification of external resources such as crisis counseling and support. It may be appropriate to place such resources under a retainer contract to ensure their availability during an event.

  3. Review and revise the plans to address return-to-work considerations after a disruptive event as appropriate.

Elaborated Generic Practices by Goal

Refer to the Generic Goals and Practices document in Appendix A for general guidance that applies to all process areas. This section provides elaborations relative to the application of the Generic Goals and Practices to the People Management process area.

Achieve Specific Goals

The operational resilience management system supports and enables achievement of the specific goals of the People Management process area by transforming identifiable input work products to produce identifiable output work products.

Perform Specific Practices

Perform the specific practices of the People Management process area to develop work products and provide services to achieve the specific goals of the process area.

Elaboration:

Specific practices PM:SG1.SP1 through PM:SG3.SP5 are performed to achieve the goals of the people management process.

Institutionalize a Managed Process

People management is institutionalized as a managed process.

Establish Process Governance

Establish and maintain governance over the planning and performance of the people management process.

Refer to the Enterprise Focus process area for more information about providing sponsorship and oversight to the people management process.

Subpractices

  1. Establish governance over process activities.

    Elaboration:

    Governance over the people management process may be exhibited by

    • developing and publicizing higher-level managers’ objectives and requirements for the process

    • establishing a higher-level position, such as the director of human resources or the equivalent, responsible for the resilience of the organization’s people

    • sponsoring and providing oversight of policy, procedures, standards, and guidelines for managing people

    • providing oversight over the establishment, implementation, and maintenance of the organization’s internal control system for managing people

    • making higher-level managers aware of applicable compliance obligations related to people, and regularly reporting on the organization’s satisfaction of these obligations to higher-level managers

    • sponsoring and funding process activities

    • providing guidance on identifying, assessing, and managing operational risks related to people, particularly risks associated with the availability of staff to support high-value services

    • ensuring that vital staff are identified, characterized, and validated, and that the list of vital staff is regularly reviewed and updated

    • verifying that the process supports strategic resilience objectives and is focused on staff responsible for assets and services that are of the highest relative value in meeting strategic objectives

    • regular reporting from organizational units to higher-level managers on process activities and results

    • creating dedicated higher-level management feedback loops on decisions about the process and recommendations for improving the process

    • conducting regular internal and external audits, and related reporting to appropriate committees on people asset controls and the effectiveness of the process

    • creating formal programs to measure the effectiveness of process activities, and reporting these measurements to higher-level managers

  2. Develop and publish organizational policy for the process.

    The people management policy should address

    • responsibility, authority, and ownership for performing process activities

    • the availability of vital people (managers, service-support and resilience staff, and others) to protect high-value assets and support high-value services during normal operations and during disruptive events

    • procedures, standards, and guidelines for

    — the identification, characterization, and prioritization of vital staff

    — managing operational risks to the availability of people

    — sustaining and reassigning vital roles and responsibilities

    — managing the impact of changes to vital staff

    — establishing, implementing, and maintaining an internal control system for people management

    — cross-training and credentialing

    — providing redundancy for vital staff and services, including outsourcing redundancy

    — engaging backup and “on-call” staff

    — succession planning

    — redeploying and supporting staff during disruptive events (Refer also to the Service Continuity process area.)

    • methods for measuring adherence to policy, exceptions granted, policy violations, and the investigation and discipline process for non-compliance with policy

Plan the Process

Establish and maintain the plan for performing the people management process.

Elaboration:

A plan for performing the people management process is created to ensure that qualified people are hired and perform in a manner that contributes to the organization’s ability to manage operational resilience. The plan must address the resilience requirements of people, the dependencies of services on them, and the roles that people fulfill at various levels of the organization. In addition, because people are the engine behind many business processes in the organization, the plan must extend to external conditions that can enable or adversely affect the availability of people.

The plan for the people management process should not be confused with the organization’s service continuity plans (refer to the Service Continuity process area), staff risk mitigation plans (as described in PM:SG2.SP2), strategic plans for providing redundancy for vital staff and services (as described in PM:SG3.SP1), succession and training plans for vital managers (as described in PM:SG3.SP2), plans for staff redeployment (as described in PM:SG3.SP3), plans to support staff during disruptive events (as described in PM:SG3.SP4), and plans to address return-to-work considerations after a disruptive event (as described in PM:SG3.SP5). The plan for the people management process details how the organization will perform the people management process, including the development of strategies and plans for managing people.

Subpractices

  1. Define and document the plan for performing the process.

    Elaboration:

    Special consideration in the plan may have to be given to ensure that vital staff are adequately trained for various roles during normal operations and during disruptive events (refer to the Organizational Training and Awareness process area). These activities aid in ensuring that people are available and sustainable to support operational resilience.

    Special consideration in the plan may have to be given to the establishment, implementation, and maintenance of an internal control system for people assets.

  2. Define and document the process description.
  3. Review the plan with relevant stakeholders and get their agreement.
  4. Revise the plan as necessary.

Provide Resources

Provide adequate resources for performing the people management process, developing the work products, and providing the services of the process.

Elaboration:

All people management practices require that higher-level managers ensure that qualified people are available to meet operational resilience management objectives and requirements. In PM:GG2.GP3, resources are formally identified and assigned to people management process plan elements. The diversity of activities required to ensure the availability of people requires an extensive level of organizational resources and skills and a significant number of external resources. In addition, these activities require a major commitment of financial resources (both expense and capital) from the organization.

Subpractices

  1. Staff the process.

    Elaboration:

    These are examples of staff required to perform the people management process:

    • staff responsible for

    — the identification, characterization, and prioritization of vital staff and managing the impact of changes to vital staff

    — business continuity and disaster recovery, including those responsible for redeploying and supporting people assets during disruptive events (Refer also to the Service Continuity process area.)

    — cross-training, skill development, and credentialing

    — sustaining and reassigning vital roles and responsibilities

    — succession planning

    — the availability and notification of backup and on-call staff

    — managing external entities that have contractual obligations for people management activities, including cases where staff redundancy has been accomplished via outsourcing

    • staff involved in identifying, assessing, and mitigating risks to the availability of people assets

    • external entities responsible for providing qualified staff who fulfill resilience roles and responsibilities

    • internal and external auditors responsible for reporting to appropriate committees on process effectiveness

    Refer to the Organizational Training and Awareness process area for information about training staff for resilience roles and responsibilities.

    Refer to the Human Resource Management process area for information about acquiring staff to fulfill roles and responsibilities.

  2. Fund the process.

    Elaboration:

    Refer to the Financial Resource Management process area for information about budgeting for, funding, and accounting for people management.

  3. Provide necessary tools, techniques, and methods to perform the process.

    Elaboration:

    These are examples of tools, techniques, and methods to support the people management process:

    • criteria and checklists for the identification, characterization, and prioritization of vital staff based on their roles and responsibilities

    • traceability matrices or other techniques to reconcile lists of vital staff to service continuity plans

    • methods for performing risk impact valuation

    • methods, techniques, and tools for risk identification, risk analysis, risk categorization and prioritization, risk mitigation, and risk status tracking (Refer also to the Risk Management process area.)

    • traceability matrices or other techniques to map designated backup and redundant staff to vital staff

    • training plan templates for specific roles and responsibilities, including staff in backup and redundant roles

    • training plan templates in support of succession planning for vital positions

    • training plan templates for staff who have to be redeployed during disruptive events

    • call-tree structures that are used to enact the communications protocol for backup staff

    • checklists that specify criteria for the credentialing of first responders

    • service continuity event scenarios

    • methods, techniques, and tools for effective communication to all concerned staff and stakeholders during a disruptive event

Assign Responsibility

Assign responsibility and authority for performing the people management process, developing the work products, and providing the services of the process.

Elaboration:

Of paramount importance in assigning responsibility for the people management process is identifying the vital, high-value people in the organization based on their roles and responsibilities for all operational resilience management processes, as described in ADM:SG1.SP1 and PM:SG1.SP1. Vital people are responsible for ensuring their availability during normal operations as well as during disruptive events. Such availability includes identifying backup and redundant staff to cover vital roles as required.

Refer to the Human Resource Management process area for more information about establishing resilience as a job responsibility, developing resilience performance goals and objectives, and measuring and assessing performance against these goals and objectives.

Refer to the Asset Definition and Management process area for more information about establishing ownership and custodianship of people assets.

Subpractices

  1. Assign responsibility and authority for performing the process.

    Elaboration:

    Responsibility and authority may extend not only to staff inside the organization but to those with whom the organization has a contractual agreement for ensuring the availability of people (including outsourcing, contract staff, and preparing for backup, redundancy, and redeployment of people assets).

  2. Assign responsibility and authority for performing the specific tasks of the process.

    Elaboration:

    Responsibility and authority for performing people management tasks can be formalized by

    • defining roles and responsibilities in the process plan to include roles responsible for identifying vital staff and risks associated with their availability

    • including process tasks and responsibility for these tasks in specific job descriptions

    • developing policy requiring

    — organizational unit managers, line of business managers, project managers, and asset and service owners and custodians to participate in and derive benefit from the process for assets and services under their ownership or custodianship that require people

    — people to take personal responsibility for acquiring the necessary skill sets to fulfill their job description and roles in sustaining operational resilience

    — people to take personal responsibility for ensuring their availability during normal operations, as well as during disruptive events

    • including process tasks in staff performance management goals and objectives, with requisite measurement of progress against these goals

    • developing and implementing contractual instruments (including service level agreements) with external entities to establish responsibility and authority for performing process tasks on outsourced functions

    • including process tasks in measuring performance of external entities against contractual instruments

    Refer to the External Dependencies Management process area for additional details about managing relationships with external entities.

  3. Confirm that people assigned with responsibility and authority understand it and are willing and able to accept it.

Train People

Train the people performing or supporting the people management process as needed.

Elaboration:

The basis for determining training needs for operational resilience management derives from having a comprehensive list of vital people, risks to their availability, designated backups, and substitutions and replacements when necessary; ensuring service continuity and redeployment of staff during disruptive events; and being able to implement return-to-work plans after a disruptive event.

Refer to the Organizational Training and Awareness process area for more information about training the people performing or supporting the process.

Refer to the Human Resource Management process area for more information about inventorying skill sets, establishing a skill set baseline, identifying required skill sets, and measuring and addressing skill deficiencies.

Subpractices

  1. Identify process skill needs.

    Elaboration:

    These are examples of skills required in the people management process:

    • knowledge of tools, techniques, and methods necessary to perform process tasks, including those identified in PM:GG2.GP3 subpractice 3

    • knowledge necessary to identify vital staff from

    — the organization’s resilience program and plan

    — the inventory of vital staff (Refer to ADM:SG1.SP1.)

    — compliance obligations

    — those called for in service continuity plans

    — those called for in resilience job descriptions

    • knowledge necessary to ensure the availability and redeployment of resilience roles and responsibilities during normal operations and disruptive events, including the identification and readiness of appropriate backup staff, substitutions, and replacements when necessary

    • knowledge necessary to identify operational risks emerging from the process, including those that should be referred to the risk management process for disposition

    • knowledge necessary to develop and implement succession plans

    • knowledge necessary to determine credentialing criteria for first responders

    • knowledge necessary to evaluate staff availability against resilience goals and objectives, identify improvements, and take corrective actions

  2. Identify process skill gaps based on available resources and their current skill levels.
  3. Identify training opportunities to address skill gaps.

    Elaboration:

    These are examples of training topics:

    • training specifically targeted to owners and custodians of high-value assets and services to ensure they fully understand their roles and responsibilities for operational resilience (Refer to the Organizational Training and Awareness process area.)

    • training specifically targeted to addressing deficiencies of existing staff who are designated as potential backups and replacements for vital staff (The development of training plans is addressed in the Organizational Training and Awareness process area.)

    • general awareness training on the role of service continuity in meeting operational resilience goals and objectives, including ensuring the availability of vital staff

    • exercising service continuity scenarios to ensure a high level of preparedness during disruptive events, particularly for vital staff and first responders

    • preparation for credentialing examinations

    • working with external entities that have responsibility for process activities

    • using process methods, tools, and techniques, including those identified in PM:GG2.GP3 subpractice 3

  4. Provide training and review the training needs as necessary.

Manage Work Product Configurations

Place designated work products of the people management process under appropriate levels of control.

Elaboration:

All work products related to sensitive staff information, such as information about skill gaps and succession plans, should be placed under an appropriate level of control.

These are examples of people management work products placed under control:

• list(s) of vital staff, including designated backups, substitutions, and replacements

• list of staff risks, including risk statement, impact valuation, categorization, and prioritization, as well as the identification of those responsible for addressing and tracking risks and risk status

• staff risk mitigation plans

• training plans

• plan for providing redundancy for vital staff and high-value services

• succession plans for vital staff

• service continuity plans (Refer also to the Service Continuity process area.)

• credentials for first responders

• plans to support staff during disruptive events

• transition strategies for return to business as usual after a disruptive event

• process plan

• policies and procedures

• contracts with external entities

Identify and Involve Relevant Stakeholders

Identify and involve the relevant stakeholders of the people management process as planned.

Subpractices

  1. Identify process stakeholders and their appropriate involvement.

    Elaboration:

    These are examples of stakeholders of the people management process:

    • staff involved in identifying vital staff

    • owners and custodians of information, technology, and facility assets to which people need access

    • owners and custodians of high-value services that require the availability of vital staff

    • staff responsible for managing operational risks, including risks to the availability of people assets

    • staff responsible for establishing, implementing, and maintaining an internal control system for people assets

    • staff responsible for developing, testing, implementing, and executing service continuity plans involving people

    • staff responsible for developing, implementing, and managing organizational training, skill development, and knowledge transfer, particularly for vital staff

    • staff involved in organizational change management

    • external entities that are involved in providing redundant staff to ensure uninterrupted service

    • staff involved in ensuring service continuity

    • staff involved in succession planning

    • human resources staff

    • training staff

    • public authorities, such as regulatory bodies and oversight agencies responsible for ensuring minimal adverse effects due to the loss of vital higher-level managers

    • government authorities responsible for establishing criteria for and overseeing the credentialing of first responders

    • internal and external auditors

    Stakeholders are involved in various tasks in the people management process, such as

    • identifying vital staff

    • planning for the availability of staff

    • associating staff with services and analyzing service dependencies

    • developing service continuity and succession plans for job roles

    • managing operational risks from people

    • assessing the adequacy of internal controls

    • training and development of vital staff, including those in designated backup and redundancy roles

    • succession planning

    • managing external dependencies on people

    • overseeing credentialing of first responders

    • providing feedback to the organization on resilience job roles and skills

    • making commitments to process plans and activities

    • reviewing and appraising the effectiveness of process activities

    • resolving issues in the process

    • interfacing with government and other public authorities

  2. Communicate the list of stakeholders to planners and those responsible for process performance.
  3. Involve relevant stakeholders in the process as planned.

Monitor and Control the Process

Monitor and control the people management process against the plan for performing the process and take appropriate corrective action.

Elaboration:

Refer to the Monitoring process area for more information about the collection, organization, and distribution of data that may be useful for monitoring and controlling processes.

Refer to the Measurement and Analysis process area for more information about establishing process metrics and measurement.

Refer to the Enterprise Focus process area for more information about providing process information to managers, identifying issues, and determining appropriate corrective actions.

Subpractices

  1. Measure actual performance against the plan for performing the process.
  2. Review accomplishments and results of the process against the plan for performing the process.

    Elaboration:

    These are examples of metrics for the people management process:

    • percentage of vital staff who do not have redundancy plans

    • percentage of vital managers who do not have succession plans

    • cost, schedule, and effort required to address training gaps for vital staff and those designated to serve as backups and replacements

    • schedule for collecting and reviewing measures of policy compliance

    • statistics for vital staff available (on hand) to conduct service continuity planned exercises and tests

    • results from service continuity exercises and tests that reflect the availability (or not) of vital staff and their designees

    • percentage of first responders who do not have appropriate credentials

    • number of reports to public authorities regarding the loss of a vital higher-level manager

    • number of people availability risks referred to the risk management process; number of risks where corrective action is still pending (by risk rank)

    • level of adherence to process policies; number of policy violations; number of policy exceptions requested and number approved

    • number of process activities that are on track per plan

    • rate of change of resource needs to support the process

    • rate of change of costs to support the process

  3. Review activities, status, and results of the process with the immediate level of managers responsible for the process and identify issues.

    Elaboration:

    People management reviews are likely to concentrate on the availability of vital staff, including succession planning and coverage during disruptive events, as well as normal operations of high-value services and assets. An additional area of concentration is the internal control system for people assets.

    Periodic reviews of the people management process are needed to ensure that

    • vital staff are identified, characterized, and prioritized and backup, redundancy, and succession plans are in place

    • staff affected by redeployment plans are informed, trained, and equipped to perform alternate duties

    • the process has been exercised and tested in preparation for disruptive events and other service continuity activities

    • actions requiring management involvement are elevated in a timely manner

    • process issues are referred to the risk management process when necessary

    • the performance of process activities is being monitored and regularly reported

    • key measures are within acceptable ranges as demonstrated in governance dashboards or scorecards and financial reports

    • administrative, technical, and physical controls are operating as intended

    • controls are meeting the stated intent of the resilience requirements

    • actions requiring management involvement are elevated in a timely manner

    • actions resulting from internal and external audits are being closed in a timely manner

  4. Identify and evaluate the effects of significant deviations from the plan for performing the process.
  5. Identify problems in the plan for performing and executing the process.
  6. Take corrective action when requirements and objectives are not being satisfied, when issues are identified, or when progress differs significantly from the plan for performing the process.

    Elaboration:

    For people assets, corrective action may require the revision of existing administrative, technical, and physical controls, development and implementation of new controls, or a change in the type of controls (preventive, detective, corrective, compensating, etc.).

  7. Track corrective action to closure.

Objectively Evaluate Adherence

Objectively evaluate adherence of the people management process against its process description, standards, and procedures, and address non-compliance.

Elaboration:

These are examples of activities to be reviewed:

• assigning responsibility, accountability, and authority for people management process activities

• determining the adequacy of process reports and reviews in informing decision makers regarding the performance of operational resilience management activities and the need to take corrective action, if any

• validating the lists of vital staff based on changes in the operational and organizational environment

• validating people asset risk management plans as compared to existing strategies for protecting and sustaining people

• verifying the internal control system for people assets

These are examples of work products to be reviewed:

• process plan and policies

• list(s) of vital staff

• risks to the availability of people assets, in particular vital staff and risk mitigation plans, as well as issues that have been referred to the risk management process

• process methods, techniques, and tools

• contracts with external entities

• metrics for the process (Refer to PM:GG2.GP9 subpractice 2.)

Review Status with Higher-Level Managers

Review the activities, status, and results of the people management process with higher-level managers and resolve issues.

Refer to the Enterprise Focus process area for more information about providing sponsorship and oversight to the operational resilience management system.

Institutionalize a Defined Process

People management is institutionalized as a defined process.

Establish a Defined Process

Establish and maintain the description of a defined people management process.

Establishing and tailoring process assets, including standard processes, are addressed in the Organizational Process Definition process area.

Establishing process needs and objectives and selecting, improving, and deploying process assets, including standard processes, are addressed in the Organizational Process Focus process area.

Subpractices

  1. Select from the organization’s set of standard processes those processes that cover the people management process and best meet the needs of the organizational unit or line of business.
  2. Establish the defined process by tailoring the selected processes according to the organization’s tailoring guidelines.
  3. Ensure that the organization’s process objectives are appropriately addressed in the defined process, and ensure that process governance extends to the tailored processes.
  4. Document the defined process and the records of the tailoring.
  5. Revise the description of the defined process as necessary.

Collect Improvement Information

Collect people management work products, measures, measurement results, and improvement information derived from planning and performing the process to support future use and improvement of the organization’s processes and process assets.

Elaboration:

These are examples of improvement work products and information:

• the availability status of vital people assets with respect to backup, substitution, replacement, redeployment, and succession planning

• reports on the effectiveness and weaknesses of controls

• process action plans and strategies that are not being satisfied and the risks associated with them

• the disposition of process risks that have been referred to the risk management process

• changes and trends in operating conditions, risk conditions, and the risk environment that affect people assets, as well as the results of the process

• lessons learned in post-event review of continuity exercises, incidents, and disruptions in continuity, including lack of people available to fulfill roles and responsibilities

• process lessons learned that can be applied to improve operational resilience management performance

• resilience requirements that are not being satisfied or are being exceeded

Establishing the measurement repository and process asset library is addressed in the Organizational Process Definition process area. Updating the measurement repository and process asset library as part of process improvement and deployment is addressed in the Organizational Process Focus process area.

Subpractices

  1. Store process and work product measures in the organization’s measurement repository.
  2. Submit documentation for inclusion in the organization’s process asset library.
  3. Document lessons learned from the process for inclusion in the organization’s process asset library.
  4. Propose improvements to the organizational process assets.