Decide on the continuity and preparedness processes

For example, you can divide products, services, tasks, and the functions and resources that support them into three categories

1. Those whose operative continuity is ensured as a first priority (priority 1)
2. Those whose functionality is ensured when priority 1 functions are first ensured (priority 2)
3. Those whose functionality is ensured when priority 2 functions are first ensured (priority 3)

Stakeholder supply chains should also be identified far enough so that preparedness processes are efficient in the event of possible deviations.

Planning continuity management and preparedness processes in normal conditions reduces the risks associated with organising precautionary measures and the risks that emerge from emergency conditions for the organisation.

Ensure that preparedness and continuity management processes can be implemented normally in your organisation, even if

• some resources are unavailable, or
• key persons cannot be reached.

Preparedness and continuity management processes should not depend on electricity or telecommunications networks, for example, as they might not always be available. The preparedness plan must also be available in manual format.

Particularly those in roles that are critical to precautionary measures, and their deputies, must have sufficient competence and time to develop these skills as the organisation’s operating environment develops.

Despite careful planning, there may be gaps or ambiguity between the roles and responsibilities. Practical training helps identify and minimise these.

Read more about the TIETO preparedness exercise on the Digipooli page of the Technology Industries of Finland (in Finnish)Opens in a new window..

The communication processes must work in exception conditions so that the persons in roles relevant to precautionary measures know what is expected of them during the exception conditions.

• DT2030 Projects (National Emergency Supply Agency) (in Finnish)Opens in a new window.

Regular practice is a good way to measure the functionality and quality of preparedness and continuity management processes.

The monitoring of a situation picture during exception conditions must be planned, documented and practised in normal conditions.

In exception conditions, the monitoring and updating of the situation picture must be agreed on by the party leading during exception conditions, and the situation picture must be monitored sufficiently frequently in relation to the exception conditions.

The situation picture should take into account the matters that are key for managing the exception conditions, such as

• persons
• resources
• communication channels
• topics to share in communications
• stakeholders
• planned measures and their progress.

Changes in the operating environment challenge the detection and management of risks related to precautionary measures. Developing a staff-wide rewarding programme is a good way to support the organisation’s ability to observe.

Identify indicators suitable for the organisation that can be used to monitor the situation picture of digital security and identify development targets.

Reporting must support

• the development of preparedness of critical functions of the organisation and its stakeholders
• the monitoring of changes in the organisation’s operating environment and
• updating the situation picture.

When planning the reporting processes for unusual conditions, the possible challenges the conditions pose for reporting must be taken into account. Make sure that the documentation is also available in unusual circumstances and that it is updated as the operating environment and situational awareness change.