The purpose of People Management is to establish and manage the contributions and availability of people to support the resilient operation of organizational services.
People are an essential asset in the organization’s ability to produce products and deliver services in the pursuit of strategic objectives. Without people and their skills, knowledge, information, and other valuable traits, many business processes could not operate effectively and the mission of organizational services would be in jeopardy.
The People Management process area focuses specifically on the “people” asset and their role in supporting the operation of business processes and services. Unlike information, technology, and facilities, the primary resilience requirement for people is availability—the availability of people to perform their roles and responsibilities in supporting organizational services as intended and when necessary. Events that disrupt the contributions of people affect the successful outcome of business processes and services and may impede the organization’s mission. Even in highly automated operating environments where people have diminished roles, the unavailability of people may render services unable to meet their missions.
To properly manage people and their contributions to services, the organization must address several key aspects of resilience. It must
• identify the vital people in the organization, based on their roles and responsibilities
• identify and manage risks that would interrupt or disrupt the contributions of people or make people unavailable to perform their roles and responsibilities
• manage the processes that ensure continued availability of people or that provide for appropriate substitutions and replacements when necessary
• manage the availability of people during and after disruptive events and other times of stress
While there is an assumption that people who support organizational services are typically employed directly by the organization, there are many cases where they are acquired through outsourcing and supplier relationships or may be otherwise external to the organization. These external staff are included in the scope of the People Management process area because their availability could affect the successful operation of business processes and services. Therefore, the “staff” referred to in this process area can be understood to include both internal and external people. In addition, the availability of people also extends to staff who are deployed in vital resilience roles in disciplines such as security, business continuity and disaster recovery, first response, and IT operations management.
The People Management process area considers the effects on the organization due to interruptions and disruptions that affect the performance and availability of people. Thus, considerations such as cross-training of staff and succession planning are included to ensure a steady stream of effective staff for vital job roles and responsibilities. In addition, the impact of staff turnover, particularly in vital roles in high-value services, is also considered and addressed. When disruptions occur, People Management focuses the organization on preparing staff to accept and perform new roles, however temporary, until a return to business as usual can be accomplished. This can be a challenge because of physiological and physical constraints that the organization may have to identify and address before staff can effectively be re-introduced to a post-event workplace environment. All of these potential issues must be acknowledged and addressed by the organization in order to ensure sustained productivity of people throughout the enterprise.
As people are a ubiquitous resource in an organization, there are many aspects of people that affect operational resilience. People Management is focused on the availability of people to the services that they support. The management of people through their employment life cycle and the effect on operational resilience are addressed in the Human Resource Management process area. Finally, promoting awareness of the organization’s efforts and providing training to resilience staff for their roles in managing operational resilience are addressed in the Organizational Training and Awareness process area.
The establishment and management of resilience requirements for people are performed in the Resilience Requirements Definition and Resilience Requirements Management process areas.
The identification of people and their support for services is addressed in the Asset Definition and Management process area.
The risk management cycle for people is addressed in the Risk Management process area.
The management of the internal control system that ensures people are adequately protected is addressed in the Controls Management process area.
The role of people in sustaining high-value organizational services and business processes is addressed in the Service Continuity process area.
The management of the human resources life cycle (from hiring to termination) is addressed in the Human Resource Management process area.
The awareness and acculturation of staff to the organization’s philosophy and approach to managing operational resilience are addressed in the Organizational Training and Awareness process area.
The vital staff of the organization are identified and prioritized.
In this goal, the organization establishes the vital staff who must be resilient due to their roles in supporting effective operation of business processes and services. While all staff in an organization must be resilient to some degree, a select group of staff are absolutely essential to the sustained operation of the organization, particularly under stressful conditions.
Prioritization of staff is a risk management activity. It establishes the staff who are of significant value to the organization and for whom additional protective controls and measures to sustain them are required. Failure to prioritize may jeopardize the organization’s ability to withstand disruptive events and recover to normal operating conditions.
People may also be categorized as vital because of the level of access they have to other organizational assets.
The vital staff from a resilience perspective are identified and characterized.
The identification and characterization of vital staff must be performed to ensure that the organization properly considers them in the development and deployment of its strategies to protect and sustain them.
In most cases, people are identified as vital because of the role, function, or responsibility they have. However, certain people may be identified as vital because they are of high value to the organization for other reasons. The criteria that distinguish vital staff will vary by organization but should include people who
• perform roles that are vital to the continued operation of high-value services
• perform vital resilience functions such as security and disaster recovery
• are assigned executive authority for decision making and management control over the organization
• have access to, control of, or protection responsibility for valuable or sensitive organizational assets
• are valuable due to their knowledge, experience, or organizational or community reputation
It is likely that the different groups of vital staff will require varying levels of special consideration based on the potential effects they have, either directly or indirectly, on the organization’s operational resilience and its ability to manage it.
Typically, the organization selects a subset of vital staff from its staff inventory; however, it is feasible that the organization may compile a list of vital staff based on risk or other factors. (The identification, definition, management, and control of people as an organizational asset are addressed in the Asset Definition and Management process area.)
When identifying vital staff, wherever possible, it is important to describe the role, function, or responsibility or other reason that supports their designation as vital. In addition, vital staff are often identified and described in service continuity plans and other strategies; thus, the staff identified in this practice may have to be reconciled against those plans on a periodic basis. (Service continuity plans are addressed in the Service Continuity process area.)
Typical work products
Service-support staff include people who have vital roles in the continued effective operation of the organization’s services. The extent to which the organization can tolerate an interruption to the availability of these staff members should be considered when compiling this list.
(An inventory of high-value staff is established in ADM:SG1.SP1 in the Asset Definition and Management process area.) This list may suffice for this subpractice or may be expanded if necessary.
Resilience staff includes people who primarily perform vital resilience functions in the organization, including security, disaster recovery, and incident response. The extent to which the organization can tolerate an interruption to the availability of these staff should be considered when compiling this list.
To remain viable, particularly in times of stress, an organization must sustain its ability for executive decision making and control. This list of vital managers should include higher-level managers who are crucial to the command and control of the organization and their alternates. Alternates should be individuals who have the responsibility and authority for decision making and control in the event that vital managers are unavailable.
The extent to which the organization can tolerate an interruption to the availability of executive authority should be considered when compiling this list. Additionally, there may be regulatory requirements related to executive control that have to be considered and can be satisfied through the compilation of this list.
This list of vital staff should include people who have trusted or special access to valuable or sensitive organizational assets. Such access is appropriate and necessary for people with certain roles in the organization and could be essential during a disruptive event.
This list should include any other staff who may be vital to the organization’s ability to achieve its strategic objectives or to sustain its operations under adverse conditions. Such staff might include people who are valuable because of what they know, whom they know, or other reasons. When compiling this list, the organization should consider the importance of these people not only to the viability of the organization but in whatever role they might play during disruptive events or other incidents that may draw the organization temporarily off course.
Operational risks related to the availability of staff are identified and managed.
There are many types and categories of risk that are associated with people in the organization. On one hand, there are the risks related to the actions of people, such as when human error occurs or when staff members exploit organizational assets for their own gain. These risks involve people as a threat actor and result in a multitude of potential effects on the organization, such as disclosure of information, misappropriation of funds, and negative impact on the life, safety, and health of others.
On the other hand, there are risks associated with the interruption and interference of people in performing their job responsibilities. These risks to the availability of staff impact the organization by affecting the services that these staff members support and, in turn, the organization’s ability to meet its mission. This can result in loss of revenue, increased labor costs, fines and legal penalties, and in some cases extreme effects such as loss of life.
Risk management for vital staff is focused on the identification of risks to the availability and productivity of these people. Managing risk related to vital staff involves the determination of the conditions under which their availability could be threatened, as well as the potential impact on the organization as a result.
Risks to the availability of staff are periodically identified and assessed.
Operational risks that can affect staff must be identified and mitigated in order to actively manage the resilience of staff and, more important, the resilience of services that depend on the staff.
The identification of staff risks forms a baseline from which a continuous risk management process can be established and managed.
Typical risks that affect staff availability include natural disasters (that prevent vital staff from reporting to work), staff issues (such as poor performance or excessive absenteeism), inappropriate behaviors (such as failing to report to work to purposely affect the success of a business process or strategic objective), and other issues such as return-to-work considerations after a disruptive event that has psychological effects on staff.
Risks associated with the availability of staff also extend to their knowledge and experience. For example, the unavailability of a vital person who has extensive knowledge about a process or has information that is required by a process can impact the organization negatively by interfering with the availability of this knowledge and information for its intended purpose.
The subpractices included in this practice are generically addressed in RISK:SG3 and RISK:SG4 in the Risk Management process area.
Risks related to the actions that people take (as threat actors) are addressed in other process areas such as Knowledge and Information Management (for information asset risks), Technology Management (for technology-related risks), and Environmental Control (for facility-related risks).
Typical work products
Subpractices
Determining which staff to include in regular risk management activities depends on many factors. For most organizations, the scope will be limited to vital staff or a subset of vital staff.
Mitigation strategies for the risks related to the availability of staff are developed and implemented.
The mitigation of staff risk involves the development of strategies that seek to minimize the risk to an acceptable level. This includes reducing the likelihood of risks to the availability of staff, minimizing exposure to such risks, developing plans to keep staff available during times of disruption, and developing recovery and restoration plans to address the consequences of realized risk. Risk mitigation also includes the implementation of controls to minimize the likelihood and impact of risks from staff. For example, training more than one person in vital roles may reduce the potential impact when one or more people cannot report to work because there is an acceptable backup.
Risk mitigation for staff requires the development of risk mitigation plans (which may include the development of new or revision of existing staff controls) and to implement and monitor these plans for effectiveness.
The subpractices included in this practice are generically addressed in RISK:SG5 in the Risk Management process area.
Subpractices
The availability of staff to support high-value services is managed.
People provide direct support for the efficient and effective operation of organizational business processes and services. Thus, the availability of staff is critical to the resilience of these processes and services.
There are many potential events that can impair the availability of staff. For example, staff may be unavailable due to common causes such as illness or paid time off. Conversely, staff may also be unavailable on a broad scale due to natural disasters, civil unrest, or other catastrophic events.
In addition to their value to day-to-day operations, people are also a significant component of the organization’s service continuity management program, and thus lack of availability can render service continuity plans and the organization’s response to events ineffective. Developing and implementing plans to sustain staff availability during certain widespread or catastrophic events is a complex and challenging undertaking. When staff are facing issues of life and safety, loss or injury of family and friends, or considerable destruction of personal property, it is unlikely that they will be available or, if available, productive during or immediately following such an event.
Most of the actions that an organization can take to actively manage the availability of staff involve planning for staff redundancy and backup support for the roles that people play in the successful execution of business processes and services. This involves establishing redundancy for vital staff and performing succession planning to the extent possible to ensure a smooth transition when vital staff are unavailable. The organization must also address the availability of staff during times of stress; thus, they must consider how to redeploy staff when necessary to meet basic organizational needs, provide support for staff when they have been redeployed, and assist staff in transitioning back to their roles after a significant disruptive event.
Redundancy for vital staff is established to ensure continuity of services.
One of the most significant risks to an organization that can impact operational resilience is the loss of the skills and knowledge of staff. This risk can be increased when staff have institutional knowledge that has not been captured by the organization, documented, and communicated. Thus, a primary control for the organization to effectively (and proactively) ensure availability of vital staff is to establish redundancy through identifying, training, authorizing, and credentialing backup staff.
Strategies for providing redundancy for vital staff may extend beyond the organization’s borders. For example, in some cases, staff inside the organization may not have the requisite foundation to be trained for another role in the organization. Thus, the organization may include in its redundancy strategy provisions for procuring staff with the right skills from outside of the organization, either from a temporary agency or from a provider of consulting services. In many cases, the ability to “purchase” skills is an effective strategy for providing redundancy that helps the organization to sustain operational resilience, even during times of stress.
It must be noted, however, that a key objective of redundancy is the transfer of institutional knowledge; therefore, simply providing a resource that can be trained may not be sufficient if the specific knowledge and experience of the person being replaced has not been captured and cannot be transferred. (The processes for capturing institutional knowledge are addressed in the Knowledge and Information Management process area.)
Typical work products
The organization must determine (from a risk and resilience perspective) which vital staff positions must be made redundant. This may involve extensive research and may be considered part of the organization’s regular risk identification, assessment, and mitigation activities. The result of this practice should be the identification of the positions that are vital to the organization and that require redundancy strategies to ensure operational resilience.
The identified staff should be documented and should consent to serving as a backup as part of their position responsibilities.
The strategic plan for addressing staff redundancy should consider all relevant options for ensuring uninterrupted provision of support for organizational business processes and services. Options such as cross-training, job rotation, succession planning, and outsourcing should be thoroughly researched, and the most effective options (that would present the least risk to operational resilience) should be documented and considered. The strategies chosen may be specific to the job function that is being considered, so a mix of strategies may ultimately be needed.
Keep in mind that the strategies for redundancy, particularly during disruptive events and times of stress, may be instantiated in the organization’s service continuity plans. (The development of service continuity plans is addressed in the Service Continuity process area.)
To be effective, the backup staff must have the skills and knowledge to perform the required functions and must be equipped with all necessary access privileges, credentials, authority, equipment, and supplies. Backup staff should be trained, briefed, and equipped to perform the necessary functions. Training should involve demonstration that the requisite skills can be applied as needed.
It is also important to establish protocols for engaging the backup staff. For certain positions, it is appropriate for an “on-call” structure to be established to ensure the constant availability of the backup. It may also be important for other staff in the organization to be informed when a backup person is assuming the duties of a vital staff position so that it is clear who is responsible for the duties at any point in time.
Vital management roles and responsibilities are supported through succession planning.
Succession planning is a form of redundancy focused on providing smooth transition for vital management roles in the organization. It is also a prudent activity that is often required by regulatory bodies and oversight agencies to ensure that an organization (particularly a publicly held company), its stakeholders, and its customers will not be adversely affected by the loss of one or more vital higher-level managers.
Succession planning is an extensive and systematic activity. It requires higher-level managers to look into the organization to identify potential successors and then mentor, train, and groom them to take roles in the future contingent upon vacancies that have not yet occurred. This requires an adept balance of human resources management, strategic planning, and skill building to create an effective succession chain.
Succession plans are typically focused on vital higher-level managers. However, depending on the organization, there may be other technical and administrative managers who are not easily replaced and for whom succession planning should be performed.
A named successor to a vital manager is distinct from a backup manager. The successor must have the full set of skills, knowledge, authority, access, and credentials to serve as a permanent replacement for a vital manager. Therefore, it may be efficient for the organization to have such successors serve in backup roles as well. To be effective and able to perform the necessary roles and functions, successor managers must be trained, authorized, and credentialed to perform the functions of vital managers on a permanent basis.
Typical work products
Subpractices
Succession planning begins with the identification of scope. This may require a risk-management–based activity that seeks to identify the potential impact of the loss of a vital organization resource for a period of time. The result of this practice is a list of vital managers for whom succession strategies and plans must be created and applied.
The succession strategy must consider the positions that must be addressed as well as the pool of existing managers who can be considered in the succession chain. In some cases, the organization may decide that there are no internal candidates who can serve in the succession chain, which may lead to hiring new managers specifically for the purpose of grooming them for a future position.
Strategies for succession planning must also consider the time element of replacement. In some cases, the grooming process may be conducted over several years, particularly when the organization has advance (but not necessarily public) knowledge that a vital position will be vacated in the future. In other cases, the time element may be short due to the loss of a manager as a result of illness, accident, or termination.
The succession plan should align with the organization’s strategy and include provisions for mentoring, training, and job rotation activities.
Plans are established and staff are prepared to redeploy to other roles during a disruptive event or in the execution of a service continuity plan.
During a disruptive event or during the execution of a service continuity plan, the focus of the organization turns to sustaining the operations of high-value services to the fullest extent possible while stabilizing the situation and conditions for eventual return to business as usual. During such times of stress, the availability of staff is paramount, although they may need to immediately shift to alternate roles to best serve the organization.
To facilitate these temporary changes in job functions, it is necessary to plan the redeployments in advance to the extent possible and to inform, train, and equip staff to perform alternate duties.
It may also be necessary for staff to report to alternate work sites or work from home during certain events. In those cases, staff should be made aware of the plans for alternate work sites, informed as to where they will receive instructions for reporting to such work sites, and provided with necessary access (logical access for working from home, or access to the alternate work site).
Typical work products
Subpractices
This planning should be conducted in collaboration with the development of the organization’s service continuity plans but should focus primarily on the availability of staff and their redeployment.
Access, equipment, and supplies needed for the redeployment should be sourced as part of the planning process.
Additional actions may have to be taken by the organization to ensure the availability of the staff named in the redeployment plans. (These considerations are addressed in PM:SG3.SP3.)
The development of service continuity plans (which may contain information about staff availability and redeployment) is addressed in the Service Continuity process area.
Staff should be made aware of and indicate their understanding of the redeployment plans in advance of execution. Staff should also be made aware of how they will receive information and communications prior to an anticipated event or during an event. (Communications issues are addressed in the Communications process area.)
Training and skill building required for redeployment may be integrated with training provided for redundancy of vital positions (as outlined in PM:SG3.SP1).
The availability of vital staff may be impeded if they do not have the credentials they need to perform their roles during a disruptive event. In many cases, it is likely that public (governmental) authorities will restrict access to a region around an event site. The restriction may continue for the duration of investigatory, safety restoration, or environmental cleanup activities. Access to the organization’s facilities may be barred for the duration of the closure of the area. If the facility contains high-value assets that require human intervention, then the lack of access can have a serious operational impact.
To plan for the availability of vital staff in such scenarios, the organization must coordinate in advance with governmental authorities to acquire and maintain credentials for first-responder staff.
Plans are developed and implemented to ensure support is provided for staff as they are deployed during a disruptive event.
A key objective during a disruptive event is to ensure the availability of staff. Unfortunately, when disruptive events are significant in size, complexity, and impact, staff are generally focused on their own personal needs (as victims of the event) and are not particularly inclined to take on their job functions or redeployment roles. Thus, the organization must develop the means to provide for and support the basic needs of staff so that they can become available to support the organization’s objectives during an event.
This is obviously a complex undertaking: the organization must be adept at bringing resources to bear while being supportive and empathetic to the physiological and psychological situations that staff are faced with—loss of property, injuries, basic sustenance needs, and even loss of life. The success of service continuity planning and plans is dependent upon how well the organization plans and addresses the basic physiological, psychological, and safety needs of staff in these situations—otherwise, service continuity plans will be ineffective because a basic component of these plans will not be available.
Typical work products
Subpractices
As part of the organization’s overall service continuity planning, considerations for supporting staff during disruptive events should be conducted.
Event scenarios should be established as the basis for planning. The events should range from specific, local disruptions that impact the organization’s work sites to far-reaching, general disruptions that impact the general locale or region around one or more work sites.
The plans should consider the actions the organization has to take to provide support in each of the prioritized areas. This may require other resources to be procured or committed (such as the ability to run the payroll system or to obtain services from an outsourcer). As with all types of continuity plans, the organization should document the plan and the resources needed to fulfill the plan and should test the plan on a regular basis to ensure that it is working properly.
As with all types of continuity plans, resources must be available to enact and carry out the support activities that are provided to other staff who will be called upon to perform their job responsibilities or to be redeployed.
Staff responsible for executing the plans may require additional training to obtain necessary skills and knowledge.
Plans are developed and implemented to address return-to-work issues for staff after a disruptive event.
The availability of staff to return to work after a disruptive event is paramount to recovery. Unfortunately, there may be psychological and physiological barriers to returning to work that may affect the availability of staff and their productivity. Proactive consideration of these issues will make transition back to the workplace less problematic and may avoid issues related to lack of availability of staff that can ultimately affect operational resilience.
The organization must develop strategies and plans to address transition issues that can occur as the result of significant and catastrophic events so that the effects of the events do not carry over into the organization’s attempt to return to business as usual.
Typical work products
Subpractices
As part of the organization’s overall service continuity planning (particularly recovery planning), staff issues that could impede a return to work should be addressed. This may require the organization to perform scenario planning and analysis to determine the types of transition issues that may arise from its unique geographical locations, industry, or workforce.
Resource issues may include the identification of external resources such as crisis counseling and support. It may be appropriate to place such resources under a retainer contract to ensure their availability during an event.
Refer to the Generic Goals and Practices document in Appendix A for general guidance that applies to all process areas. This section provides elaborations relative to the application of the Generic Goals and Practices to the People Management process area.
The operational resilience management system supports and enables achievement of the specific goals of the People Management process area by transforming identifiable input work products to produce identifiable output work products.
Perform the specific practices of the People Management process area to develop work products and provide services to achieve the specific goals of the process area.
Elaboration:
Specific practices PM:SG1.SP1 through PM:SG3.SP5 are performed to achieve the goals of the people management process.
People management is institutionalized as a managed process.
Establish and maintain governance over the planning and performance of the people management process.
Refer to the Enterprise Focus process area for more information about providing sponsorship and oversight to the people management process.
Elaboration:
Establish and maintain the plan for performing the people management process.
Elaboration:
A plan for performing the people management process is created to ensure that qualified people are hired and perform in a manner that contributes to the organization’s ability to manage operational resilience. The plan must address the resilience requirements of people, the dependencies of services on them, and the roles that people fulfill at various levels of the organization. In addition, because people are the engine behind many business processes in the organization, the plan must extend to external conditions that can enable or adversely affect the availability of people.
The plan for the people management process should not be confused with the organization’s service continuity plans (refer to the Service Continuity process area), staff risk mitigation plans (as described in PM:SG2.SP2), strategic plans for providing redundancy for vital staff and services (as described in PM:SG3.SP1), succession and training plans for vital managers (as described in PM:SG3.SP2), plans for staff redeployment (as described in PM:SG3.SP3), plans to support staff during disruptive events (as described in PM:SG3.SP4), and plans to address return-to-work considerations after a disruptive event (as described in PM:SG3.SP5). The plan for the people management process details how the organization will perform the people management process, including the development of strategies and plans for managing people.
Elaboration:
Special consideration in the plan may have to be given to ensure that vital staff are adequately trained for various roles during normal operations and during disruptive events (refer to the Organizational Training and Awareness process area). These activities aid in ensuring that people are available and sustainable to support operational resilience.
Special consideration in the plan may have to be given to the establishment, implementation, and maintenance of an internal control system for people assets.
Provide adequate resources for performing the people management process, developing the work products, and providing the services of the process.
Elaboration:
All people management practices require that higher-level managers ensure that qualified people are available to meet operational resilience management objectives and requirements. In PM:GG2.GP3, resources are formally identified and assigned to people management process plan elements. The diversity of activities required to ensure the availability of people requires an extensive level of organizational resources and skills and a significant number of external resources. In addition, these activities require a major commitment of financial resources (both expense and capital) from the organization.
Subpractices
Elaboration:
Refer to the Organizational Training and Awareness process area for information about training staff for resilience roles and responsibilities.
Refer to the Human Resource Management process area for information about acquiring staff to fulfill roles and responsibilities.
Elaboration:
Refer to the Financial Resource Management process area for information about budgeting for, funding, and accounting for people management.
Elaboration:
Assign responsibility and authority for performing the people management process, developing the work products, and providing the services of the process.
Elaboration:
Of paramount importance in assigning responsibility for the people management process is identifying the vital, high-value people in the organization based on their roles and responsibilities for all operational resilience management processes, as described in ADM:SG1.SP1 and PM:SG1.SP1. Vital people are responsible for ensuring their availability during normal operations as well as during disruptive events. Such availability includes identifying backup and redundant staff to cover vital roles as required.
Refer to the Human Resource Management process area for more information about establishing resilience as a job responsibility, developing resilience performance goals and objectives, and measuring and assessing performance against these goals and objectives.
Refer to the Asset Definition and Management process area for more information about establishing ownership and custodianship of people assets.
Subpractices
Elaboration:
Responsibility and authority may extend not only to staff inside the organization but to those with whom the organization has a contractual agreement for ensuring the availability of people (including outsourcing, contract staff, and preparing for backup, redundancy, and redeployment of people assets).
Refer to the External Dependencies Management process area for additional details about managing relationships with external entities.
Train the people performing or supporting the people management process as needed.
Elaboration:
The basis for determining training needs for operational resilience management derives from having a comprehensive list of vital people, risks to their availability, designated backups, and substitutions and replacements when necessary; ensuring service continuity and redeployment of staff during disruptive events; and being able to implement return-to-work plans after a disruptive event.
Refer to the Organizational Training and Awareness process area for more information about training the people performing or supporting the process.
Refer to the Human Resource Management process area for more information about inventorying skill sets, establishing a skill set baseline, identifying required skill sets, and measuring and addressing skill deficiencies.
Subpractices
Elaboration:
Elaboration:
Place designated work products of the people management process under appropriate levels of control.
Elaboration:
All work products related to sensitive staff information, such as information about skill gaps and succession plans, should be placed under an appropriate level of control.
Identify and involve the relevant stakeholders of the people management process as planned.
Subpractices
Elaboration:
Monitor and control the people management process against the plan for performing the process and take appropriate corrective action.
Elaboration:
Refer to the Monitoring process area for more information about the collection, organization, and distribution of data that may be useful for monitoring and controlling processes.
Refer to the Measurement and Analysis process area for more information about establishing process metrics and measurement.
Refer to the Enterprise Focus process area for more information about providing process information to managers, identifying issues, and determining appropriate corrective actions.
Subpractices
Elaboration:
Elaboration:
People management reviews are likely to concentrate on the availability of vital staff, including succession planning and coverage during disruptive events, as well as normal operations of high-value services and assets. An additional area of concentration is the internal control system for people assets.
Elaboration:
For people assets, corrective action may require the revision of existing administrative, technical, and physical controls, development and implementation of new controls, or a change in the type of controls (preventive, detective, corrective, compensating, etc.).
Objectively evaluate adherence of the people management process against its process description, standards, and procedures, and address non-compliance.
Elaboration:
Review the activities, status, and results of the people management process with higher-level managers and resolve issues.
Refer to the Enterprise Focus process area for more information about providing sponsorship and oversight to the operational resilience management system.
People management is institutionalized as a defined process.
Establish and maintain the description of a defined people management process.
Establishing and tailoring process assets, including standard processes, are addressed in the Organizational Process Definition process area.
Establishing process needs and objectives and selecting, improving, and deploying process assets, including standard processes, are addressed in the Organizational Process Focus process area.
Subpractices
Collect people management work products, measures, measurement results, and improvement information derived from planning and performing the process to support future use and improvement of the organization’s processes and process assets.
Establishing the measurement repository and process asset library is addressed in the Organizational Process Definition process area. Updating the measurement repository and process asset library as part of process improvement and deployment is addressed in the Organizational Process Focus process area.
Subpractices