

Sephora, a $4 billion company with over 20,000 employees, needed a program that could be initiated if an operational disruption were to take place (e.g. office/warehouse structural collapse, network failure, cybersecurity breach, PR/branding incidents, or staff safety concerns). Various department heads were tasked to build the program but were unsuccessful. I was asked to learn the discipline and to design and create a program.


I learned the discipline & interviewed the recovery staff. I discovered that:


  • Unclear purpose of the program

  • Unclear roles & responsibilities 

  • Unclear recovery framework

  • Unclear recovery priorities 

  • Users did not feel supported while building a continuity protocol.


There was a conflict between what the executives wanted and what those expected to perform the recovery needed.

  • Staff performing the recovery needed a well thought-out and structured plan and needed to feel supported.

  • The executives wanted a simple protocol to check off as an audit item. 



I took the previous top-down model and flipped it to a grassroots, bottom-up approach with the goal of educating and empowering the recovery staff. During an incident, I oversaw the recovery, managed the needs and requirements of the departments, kept the C-suite and Sephora's parent companies updated, and composed communications on behalf of the C-suite to the CEOs of Sephora's parent companies.


Aside from the departments stating that they now finally understood how a recovery worked, there was a higher level of staff engagement, and I found substantial financial savings due to cross-functional data alignment.


What does any of this have to do with UX?

I'm glad you asked!


I incorporated many UX design principles into my program. My biggest epiphany was that the program must be user-centered to be successful. After all, there are times when the program asks users to put the needs of the corporation ahead of their own. The only way to motivate them to do so is to make users feel supported, competent, and valued.


I also included this as a case study of the most wide-reaching and complex project I have tackled. 


Following the 9/11 attacks, 50% of the companies in the Twin Towers without a tested continuity plan went bankrupt within three years. Because of this statistic, Sephora determined that they needed a program they could initiate for an operational recovery. Sephora attempted to produce a program multiple times upon direction from their parent company, LVMH. The program had shifted between four departments before I tackled the challenge.


Although consultants were brought in to build the program, a lack of a clear understanding and direction across the company contributed to the difficulty in developing the program. Sephora had tried implementing a hurried top-down approach which resulted in a plan that was neither understandable nor actionable for those in the trenches performing the recovery. 


There was also a high degree of staff hostility towards the program as data gathered by the program was used to justify a headcount reduction. Simultaneously, the executives dedicated minimal time and funds to the program. This was the atmosphere when I was asked to tackle the program. 


Scope when I first took on the program:

  • Emergency Response Plan. Recovery from incidents that might affect staff and customer safety. Examples: tornados, earthquakes, active shooters, etc.

  • Operational recovery from prolonged network/IT outages. Example: servers or internal servers become nonfunctional for an extended period.

  • Operational recovery from prolonged facilities outages. Examples: earthquake/tornado/terrorist attack at any of our headquarters &/or warehouse facilities 

  • Business Impact Analysis. What functions need to be recovered, when and why? How critical are the functions?


*Note: to the left is the business continuity cycle (ISO 22301). Some elements are similar to my design/double-diamond process, but there are key differences, namely that implementation happens before validation.


I took a multi-pronged approach in researching the problem.

  • Learn (competitive and comparative analysis)

    • The discipline of business continuity is quite vast, and I learned how to think about recovering a multi-billion dollar business. I took classes, found out how others in the industry approached their programs and brought in consultants to assist with the process.

  • Talking with stakeholders (interviews)

    • What did the executives (those in charge of recovery strategy) care about? What metrics did they want to meet? What did they think of the current (and previous) plans? What were their pain points?

    • What did the departments (those in charge of recovery logistics) care about? What were their pain points of the past plans? What did they think would help them make this program easier for them?

  • Gathering company data (interviews and surveys)

    • What matters for the company in case of an incident? What is fluff? How quickly do we need to recover what and why? 


Like websites and tech products, business continuity was initially developed by engineers; it grew from the field of computer science and database management. Business continuity is known for being challenging to learn and execute. 

Senior industry experts attribute the lack of interest in the program to a "marketing problem." I disagreed and instead focused on the users.

My biggest human-centered takeaway from my research was that the key people in the recovery were not the executives; they were the departments who execute the recovery tactics and logistics. The executives would be in charge of strategy which they already do on a day-to-day basis. The tactical recovery team needed to be built from scratch, and the logistics team needed a new way of organizing during a crisis than in their day-to-day operations. 

I firmly believed that if the company was interested in a plan that worked (vs. a plan to check off an auditor’s list), a top-down approach did not serve the company since the program would be written for the benefit of the auditor. For the program to be successful, I had to rethink it and build it from the bottom up while keeping the needs of the end-users (the departments) in mind. Everything needed to be catered to the departments including all the documentation materials and training. The easier it was for the end users to understand and execute, the more successful the recovery. 


The initial version of the program was very rudimentary and rough. There were only departmental plans. The structure of the tactical team morphed and changed over time. As the program matured, the number of deliverables grew. As the company itself grew, it necessitated the redesign of the program a few times. The number of assets increased to include comprehensive plans, simplified checklists and wallet cards for each branch of the program. 


Also, there were increasing requests from the senior staff regarding program scope. Additional areas that they believed belonged under Business Continuity included cyber attacks, PR incident management, and communications (internal and external). 


Where I could, I performed usability tests before implementation. Usability testing the plans themselves was extraordinarily time-consuming, but I was able to run the checklists and wallet cards through a few rounds of testing before deployment. My goal was to have at least 80% of the users understand how to use the assets without input from me.


Recovery Organization

  • There was a lot of confusion over how to recover, and I realized that the recovery framework needed to be an organization within the organization itself. Its mode of operation must be different enough to have staff think in a “crisis mode” as opposed to “business as usual” mode. This led me to:

    • Design the recovery framework and cross-functional recovery organization

    • Develop the procedures for the various roles within the recovery framework/organization



  • Designed to be comprehensive and cross-functional with all interdependencies mapped out and prioritized

  • Catered to the needs of those performing the recovery in the forefront, before and during a recovery



  • Designed for understanding and efficiency 

  • Catered to the busy schedule of the staff



  • I believe that educating our staff was the key. I built this program on the premise that if the staff felt like they understood the importance of the program and knew that there was a person there to support their efforts, they would have the confidence and interest in learning and participating more fully in the program.

  • Result:

    • In the past: *mandatory* meetings yielded 40% staff attendance. My program: *Voluntary* meeting attendance increased to 90%.

    • In the past: staff personal database accuracy (the database used to update staff during a crisis) 40%. My program: 98%



  • As the Incident Commander (I oversaw the organizing & distribution of staff and resources during a crisis) I was fortunate that there were only two incidents severe enough that I had to oversee coordination. My responsibilities included:

    • Coordinating the tactical and logistical recovery teams. Ensuring that they had the supplies and resources they needed to carry out the most critical functions in a timely manner. 

    • Updating the C-suite on the recovery efforts

    • Composing update messages for C-suite to deliver to our parent companies (Sephora Global, LVMH Paris, LVMH NY)

    • Updating my contacts within our parent companies on the situation (Sephora Global, LVMH NY)


When I wrapped up my tenure at Sephora, the program had grown substantially due to requests by the C-suite and because the better we understood business continuity, the more complex we realized it had to become to be an effective and executable program. 


  • Crisis Management Plans. Recovery Strategy plans for the C-suite or strategic decision makers for the affected location. Assets delivered (updated annually): Plans for the headquarters and warehouses; summary plan; wallet card.

  • Incident Management Plans. Recovery Tactics plans, for non-C-suite executives. Assets delivered (updated annually): Plans for the headquarters and warehouses, wallet card.

  • Business Recovery Plans. Recovery Logistics plans, for the departments. Assets delivered (updated annually): Plans for the headquarters and warehouses, wallet card. Plan count: 20. 

  • Crisis Communications Plan. The PR/Branding crisis plan. How do we respond to a PR crisis (inclusive of social media)? Assets delivered (updated annually): Plan.

  • Internal Communications Plan. How to communicate to our staff. Assets delivered (updated annually): Plan, wallet card.

  • Emergency Response Plan. Respond to staff health and safety crises. Assets delivered (updated annually): Plan, wallet card.

  • Business Impact Analysis. Researching, data-gathering, prioritization and analysis of each department’s critical functions. Deliverables (updated annually): Assessment report.

  • Risk Assessment. What incidents are we prepared for? What incidents are the riskiest to us and in what quick and easy ways can we mitigate that risk? Assets delivered (updated bi-annually): Assessment report.

  • Plan Activation. How do we know if an incident is worth triggering the recovery plan? What are the procedures? Deliverables (updated bi-annually): flow diagrams, charts, reports.

  • Integration with the DR Plan. The whole program (above) needed to be routinely synched up with IT’s recovery plan to ensure they worked in tandem. This includes IT recovery due to network outages, cyber crimes, and retail website outages. (Frequency: annual).


Some of these assets are illustrated below.


Side Project

  • Personal Preparation Talk. I used my knowledge and connections within the Business Continuity world to develop a talk on personal preparation. Topics included:

    • What to expect during mass incidents

    • How to better prepare my family/home business

    • How to prepare personal finances

    • How to prepare for a family's emotional well-being

    • What resources are available to prepare for an event

    • What resources are available to recover from an event

Recovery Framework Flow Diagrams


These representative diagrams are used in training and give the recovery staff an idea about how the recovery process escalates and progresses, starting from the moment an event occurs to the time the recovery effort is deactivated.


Information captured includes

  • Duties/tasks of the strategic team, the tactics team, and the logistics team

  • Questions the lead staff needs to ask themselves at the various stages during the assessment and recovery


Design solutions to note

  • The basic recovery flow was structured to be as simple as possible for understandability

  • The candy color-coding of the assets was intentional to make it seem more friendly. Business continuity assets tend to look as if they were created by the IRS

  • The text in the diagram covers questions the recovery staff needs to ask themselves, potential answers and possible actions to take based on those answers. This helps the user visualize what could happen and how they might respond. These diagrams are paper scenario-simulations to aid in the learning process

Business Impact Analysis (BIA)


The BIA is the primary data collection tool for my Business Continuity (BC) Program. I designed and hand-built this given version (using Excel VBA) after four major versions. It collects department-level major data points needed to understand and map out the most urgent needs of a given department. Data from each department is captured and analyzed.


Major iterations/versions: 5


Information captured includes

  • What critical function needs to be recovered and how quickly during what time frame (e.g. the needs during March are wildly different from November in a retail environment, and the needs for Finance in January are different from their needs in May).

  • What resources are needed to recover those critical functions (staff, software, hardware, facilities, equipment), how many of these resources are needed and over what period of time (e.g. how many laptops are needed within 12 hours after declaring a disaster vs. 1 week after?)

  • What dependencies do these departments have (e.g. how are the departments interconnected with one another and which vendors are they dependent upon?)


After information is captured at the department level

  • The data is rolled up into an overall corporate BIA and all functions are prioritized (not included here for confidentiality reasons)

  • Each individual SME is given a customized handbook that summarizes their role in the recovery and the resources available to them.


UX Items to note

  • Every worksheet gave a brief description about the purpose of the worksheet. Instructions were at the top and examples were also given as comments in the cells themselves. 

  • Every year I walked every department representative through the process. I didn’t just explain the workbook to them and expect them to understand how to use it. There’s an intricate thought process that goes on behind determining what information to input. I had discovered that no matter how simple the sheet/instructions (the first version was over-simplified) the users would inevitably become confused. Filling out the sheet with them allowed for two things:

    • Data consistency across the departments. I wanted to know we were comparing apples to apples.

    • When users became confused or lost in their process, I could guide them back and help them refine their thinking.

    • I built a detailed understanding about how each department’s function worked and connected the dots from a holistic vantage point.

  • There was also code running in the background that could auto-pull data from one sheet to another (and in some cases, one workbook to another) to cut down on the user’s redundant work. 


A few representative screenshots are shown here.



Not shown

  • Rollup of the overall corporate BIA (due to sensitivity of data)

  • Customized individual SME reports for the subject matter experts

Logistical Recovery Staff Assets


Audience: Sephora staff, headquarters + warehouses


Major iterations/versions: 4


Challenges & Solutions 

  • There was no budget to leverage 3rd party apps/systems. Assets were created using Microsoft Office and Adobe CC 

  • Layered needs. The information the dept leaders need is different from the dept subject matter experts which are different from the non-subject matter experts. Assets and trainings delivered are customized to each group's needs. 

    • Department heads - need info on how to recover their department. Trainings were leveraged to review asset usage. 

    • Subject Matter Experts are given a higher-level overview of the recovery program as well as detailed recovery information.

    • All staff are given basic communications and health & safety information.

  • Plans need to be flexible enough to cover anything from a simple flooding of a floor to a 6-month relocation. To solve this, guidelines and a recovery framework were given to the departments as well as the specific details for each critical function. The logistics teams themselves determine which critical functions to recover based on the given incident.

  • Plans need to reduce the load of the department heads during a recovery. The core of the plan is written in checklist format and the hardcopy has multiple copies of each checklist. This assists the leader to delegate recovery tasks to others rather than performing all recovery tasks themselves.

  • Each department has very different needs. Each department’s binder is customized to their specific needs. 

Tactical Recovery Staff Assets


Audience: Department heads, headquarters + warehouses

Major iterations/versions: 3


Challenges & Solutions

  • Designing the recovery framework. The design was a highly modified version of the emergency management offices’ current framework. The modifications took Sephora’s needs and culture into account.

  • Ensuring the recovery framework is scalable. Depending on the scale of the incident, the tactical team can scale down (team of one) or up (all hands on deck). This not only allows flexibility for the size of the event, but also allows the team to scale as the recovery progresses. 

  • Designing the communication pathways to and from the tactical recovery staff. Communication was designed to be rigid and redundant. Rigid in terms of hierarchical structure: information must be reported to one specific person. Redundant reporting to one other person allowed for cross-checking and cross-documentation.

  • Ensuring the tactical staff has the information they need for recovery but not so much as to overwhelm. The roll-up of the departmental Business Impact Analysis resided with the tactical plan. However, all the intricate details provided at the department level were not provided at the tactical level.

Strategic Recovery Staff Assets


Audience: C-suite and location leaders (e.g. top warehouse leaders)

Major iterations/versions: 2

Challenges & Solutions

  • Documentation for the C-suite must be brief. Everything not critically necessary was stripped away. A one-page document was provided with a summary of do’s and don’ts

  • At the same time, the C-suite wants all needs anticipated. The rest of the documents go another level or two deep into the recovery process. Some were given the tactical document if they wanted more information. 

  • Strategic/tactical framework changes depending on the size and maturity of the company. As Sephora grew, the framework for the recovery changed from two primary recovery groups (strat/tactical & logistical) to three (strategic, tactical & logistical). All assets were revised and updated for the ongoing changes. 

Brand Recovery Asset


Audience: C-suite and Marketing/PR


Major iterations/versions: 3


Challenges & Solutions 

  • Communication flow unclear. The communication framework and flow for incidents was designed and outlined here. 

  • Unclear if responses will be successful. A running log of previous responses by Sephora and its sister companies was kept as a guideline in this document.



Staff Communication Assets


Audience: Corporate communications + some department heads


Major iterations/versions: 2


Challenges & Solutions 

  • Flow of communication unclear. Designed the communication flow between the staff and the recovery teams, between the vendors and the recovery teams, and between our parent companies and the strategic recovery team. 

  • Unsure which communication tools would be available during an incident. Set up four avenues of communications and created a manual for each as well as when (or not) to use each tool.

  • Communication content unclear. Incorrect communication can lead to social media outrage. Created guidelines on what (or not) to say.

Staff Health & Safety Assets


Audience: All safety staff, headquarters, stores, warehouses


Major iterations/versions: 4


Challenges & Solutions 

  • Different response for different incidents. Brainstormed distinct emergency scenarios and created a checklist action plan for each scenario (tornado, earthquake, active shooter, etc.)

  • Communications. Since we had to assume a worst-case scenario with a power outage, I purchased two-way radios and designed the communication protocol. 

  • All staff needed to know general safety information, not just the safety staff. Protocols such as evacuation and basic earthquake/fire safety were combined onto the general staff wallet card.

  • Different countries have different safety requirements. We worked with specialists in other countries to ensure their safety procedures were in line with federal requirements.


Not shown

  • posters, signage

  • store manuals 

  • warehouse manuals


The great stuff

  • This was the first time I could use all of my previous training:

    • Analytical training (from the natural sciences): Analyzing the quantitative and qualitative data required precise thought and deep understanding of how all the components worked together.

    • Instructional design (my master's degree): Developing a training program with good pedagogical practices to maximize learning.

    • Coding: Building an Excel VBA-based program to organize and collect data

    • Basic UX: A program that expects its users to conform to it rather than the other way around is *always* doomed to fail. I designed the program with the end user (the tactical and logistical recovery teams) in mind.

  • I proved that an educated staff results in an engaged staff. 

  • Create a user-centered program, and you’ll be rewarded. I showed that if the staff felt like they had a voice in the process, they were being heard, and they were being supported, the program was more likely to be accepted.

  • Business Continuity is one of a few programs that allows a look at the intricacies of the corporate engine. I routinely interacted with IT, Facilities, HR, Operations, Dotcom, Logistics, Finance, Legal, etc. The program allowed me to see exactly how every aspect of the company is interconnected and to see their most important concerns.

  • I was unexpectedly able to find cost-cutting measures when I dove into our corporate data. 

  • I was able to drive a few policies of our parent company (LVMH) because I had built the most complete business continuity program of their subsidiaries.

  • I was able to interact with a variety of sister companies and mentor them on how to build a business continuity program within their companies.



  • Planning. One size does not fit all. All plans needed to be flexible enough to cover incidents that would result in operational disruptions from a week out to a year. This was extraordinarily challenging to build because people believe they need a different plan for every possible scenario.

  • Setting expectations. There’s a huge difference between building a plan so that it is executable (user-centered) vs. building a plan so that an audit item can be checked off a list (plan-centered). This goal wavered between the two extremes a few times. 

  • Talking people off the ledge. People naturally gravitate away from talk about preparation for disasters. I believe it’s because people just become overwhelmed, don’t know where to start, or don’t think it will happen to them and they disengage. In an act of either fear or rebellion, some challenged the program saying that it doesn’t cover every possible disaster. There were many repeated discussions regarding the likelihood of an Armageddon vs. taking reasonable precautions in preparation for more likely events. 

  • Data are difficult to measure. There were ways to test the plans, but all are during non-crisis drills. The true test of whether the plan works during an actual crisis can only be measured after an actual crisis, which fortunately didn’t occur frequently.

  • Time needed to drill for muscle memory. Full-fledged trainings are incredibly expensive in terms of time and resources. Therefore they were discouraged. This required the training time allotted to me to be as productive as possible.

  • Executive support. While the program was built from the grassroots, it still needed the backing of the executives which was challenging.

  • Herding cats. My program had a lot of dependencies across the company, and I had to quickly learn how to extract what I needed even though I did not have any official authority over the staff.

  • Length of time taken. It takes longer and more relationship-building to build a grassroots program vs. building a program mandated from above. 


Final conclusion

I believe this program was successful during my tenure due to its user-centered aspect. Business Continuity is infamous for being as complex, interesting, and clear as the IRS tax code. The only way to motivate and engage the staff was to take a grass-roots, bottom-up approach and cater to their needs. 


“Lucretia is a great business partner.”

Carole Clausen, Director of HR Payroll, Sephora

“Very impressive job on a very difficult program.”

Sherman Hoo, VP Finance Controller, Sephora

“This is the first time I understood the program and how I fit into the recovery process.”

Ann Leahy, Director of Kendo, Sephora

“You made the process incredibly easy to understand and provided us the resources to execute.”

Alisa Mosler, VP, Analytics & BI, Sephora

“You're very good at what you do.”

Mary Herald, EVP HR, Sephora

“Of our subsidiaries, you've created the most advanced and comprehensive business continuity program.”

Claire Ascete, VP Treasurer & Risk Management, Louis Vuitton & Moet Hennessey (LVMH)
