Many organisations have either a business continuity and/or disaster recovery plan in place. In constructing these plans, leaders tend to model a range of threat scenarios, including issues such as natural disasters such as hurricanes and earthquakes, power grid outages and major cyberattacks. In recent years, some entities have had to activate their plans to deal with ransomware incidents.
Almost no business has ever dealt with the outbreak of a new virus like coronavirus (COVID-19) and the adverse impact it can have on the health of employee and their families, contaminated workplace facilities, questionable food sources, shortages of essential goods due to supply chain disruptions and other facets of business operations. No industry is immune to coronavirus and little is known about how it spreads, how long it remains potent on surfaces, how long the human incubation period is and what safeguards beyond quarantine are truly effective.
So what should your business continuity plan (BCP) look like in the current environment?
Planning and risk management
A good BCP should act as a foundation for deciding how to address catastrophic events that can negatively affect a business. The strategy that management puts in place must ‒ at a minimum ‒ consider its employees, critical processes, customers, suppliers and other stakeholders. While most events are confined to a specific geographic area, the response to a pandemic is more complex and forces management to plan on different severity levels, requiring assumptions about the anticipated spread and duration. Coronavirus is an example of how a threat that appears to have its origins in a single city has evolved into a global issue due to travel and transportation.
With every BCP, there is a risk assessment component that identifies the potential threats and vulnerabilities and prioritises the severity of each business disruption. Management needs to involve employees in multiple areas and departments to understand the risks and the associated likelihood and impact. The specific risks related to the pandemic must be incorporated into the business impact analysis portion of the BCP, which should include:
Assessing and prioritising the critical business processes and locations affected by coronavirus
Determine the impact of coronavirus on the business processes, employees, customers, service providers, technology and regulations
Estimate the ‘recovery time objective’, which is the target time management sets for the recovery of the organisation’s IT and business activities after a pandemic.
Due to the complexities associated with any pandemic, businesses ideally need a pandemic plan, which requires careful planning, preparing, responding and recovery. Numerous internal and external factors and interdependencies should be considered including:
Assign a group to monitor the stages of the virus outbreak
Identify possible work-related exposures to coronavirus
Monitor absenteeism, which can be a result of quarantined households, ceasing public transportation and school closures
Educate employees on preventive care and human resource policies or topics (e.g. leave flexibility, changes to working hours for parents etc.)
Identify key individuals at different locations who will have the authority to take appropriate action that is documented in the pandemic plan
Make procedure manuals available and consider cross-training for critical functions or processes
Identify and establish communication protocols with employees, investors, customers and suppliers.
Responding to a pandemic requires significantly more collaboration between management, employees and third parties than other types of events. Pandemic events will likely last far longer than typical BCP threat scenarios, so communication is essential as the pandemic continues to evolve. Assigning individuals to closely monitor the situation and communicate with key stakeholders should be a top priority.
Although a business may have a well-documented plan with detailed analysis, testing is a critical component in the programme. Even though many organisations have already had to take critical decisions, there are still areas that they can test – even if activities are already underway.
Testing allows the identification of issues and promotes employee confidence. By performing tabletop or other testing methods, it allows individuals to understand their roles and responsibilities.
Testing enables management to identify issues or technical challenges such as technical resources, lack of communication with outside parties, the inability to properly identify or classify events due to environmental and other changes, and the lack of coordination with employees. A crisis also takes its toll on an employee’s mental health and physical stamina as they try to balance their work commitments with their fears and concerns about their homes and families.
The maxim that ‘by failing to prepare, you are preparing to fail’ still holds true today. Your well-considered, well-documented and well-tested BCP can help protect both your business and your employees.