Business continuity is a topic that doesn’t draw much attention until times like, well, today.
Even companies with comprehensive plans are finding vulnerabilities revealed by the explosive spread of the novel coronavirus (COVID-19) and the subsequent global pandemic it has triggered. Few would have anticipated the massive size and/or speed of disruptions that have fractured global supply chains or lockdown orders that have created a remote workforce nearly overnight.
What lessons can businesses draw now that may help companies prepare for more uncertainty in the days to come — and in the future? As unsettling as today’s events are, now is the time for companies to improve their resilience. Historically, pandemics such as COVID-19 occur in waves, so it’s reasonable to presume that future disruptions may occur.
Based on our experience with business continuity planning and preparation, there are a number of steps organizations can take right now:
- Risk assessment analysis. This analysis is a study that helps companies identify which of their processes and resources are critical to the company’s core purpose in the same way a hospital might triage patients. Without this as a foundation, the business will not have much of an idea about where to focus its resources as a crisis deepens.
- Chain of command planning. Every organization should also define a chain of command in each critical area by forming a crisis management team. In ordinary times, it’s customary for a board of directors to establish a succession plan for key leaders. Establishing a chain of command goes broader and deeper into the organization, identifying key functional roles and the people who will fill them. This can help companies avoid leadership gaps in cases like today when many people may suddenly become unavailable.
- Monitoring and response coordination. Businesses that operate on a global basis should also review how they monitor and respond to alerts. In a pandemic, where widespread disruption is possible, activating a continuity plan based on the earliest triggering event can help the organization secure resources critical to operations that could become harder to secure as conditions deteriorate. And it can help pre-position employees to minimize disruptions if offices, call centers or other shared spaces must be closed or moved. On a related note, many companies maintain continuity plans with service providers that include provisions for remote office environments that can be used in emergencies. These may be dedicated facilities or multi-tenant shared spaces. In situations like the present, companies that have contracted for dedicated facilities may be able to draw on this resource. Shared facilities would not only be less attractive in the case of a pandemic, they might simply be unavailable.
- Cyber security considerations. In any crisis, companies should be prepared for a concurrent rise in associated threats such as cyber attacks. The DXC Global Threat Intelligence Report in April estimated that 80 percent of the current threat landscape is using COVID-19 as the theme for attacks. Companies that have made a sudden shift to remote work environments are especially at risk. Employees accustomed to working in a protected corporate environment will be targeted with sophisticated phishing attacks and other schemes aimed at stealing credentials and penetrating corporate systems. Educating employees about these threats is an important step that can help prevent a difficult situation from becoming even worse.
- Disaster recovery planning. In a similar vein, organizations should also revisit their disaster recovery plans, including the steps they’ve taken to maintain “gold images” — copies of critical data and applications that are remotely secured offline. In the event of a compromise, this protected data is a key component of data center recovery planning and can be used to restore production systems and compromised data.
Many chapters remain unwritten in the current epidemic, and many companies may feel as if all their attention should be focused on basic survival. But it’s also worth taking just a little time to consider how your company might respond to one simple, forward-looking question: What could possibly happen next?