Business Continuity Beyond COVID-19: Lessons Learned and the “Illusion of Preparedness”

Written by: Daniel J. Poucher, CBCP

Organizations were forced to push the envelope and be creative in the way they conducted operations during the COVID-19 crisis. Remote access, employee hardware requirements, and flexible work schedules have altered our expectations of normal. Companies needed to react swiftly to accommodate the situation as it evolved and changed, requiring management teams to adjust response activities in real-time as the scenario unfolded. Many organizations have enhanced preparedness to a new level. Changes to regulatory guidance and client expectations of our resiliency ensure there will be increased scrutiny of preparedness in the near future. There’s no doubt that organizations will be expected to provide more solid evidence of a strong business continuity program. The threat landscape that organizations must protect themselves against continues to grow and expand in complexity, in turn increasing demand for availability and reassurance that business can continue in the event of an unplanned interruption. The COVID-19 pandemic has not only changed the way we conduct business but has also shifted our traditional approach to pandemic and business continuity planning.

HISTORIC PANDEMIC PLANNING

Pandemic planning became significant during the early to mid-2000s. The H1N1 flu outbreak followed by the concern over SARS brought to light the impact that widespread illness has on operational capabilities and business continuity. Historically, best practice stated that pandemic planning should prepare for approximately 50% of workforce unavailability due to sickness or family care. Although the rate and severity of illness have fluctuated since the beginning of the pandemic, the way this unfolded for many businesses was unlike what we previously planned for. For many organizations, employees were available to work, but new challenges requiring agile solutions needed to be addressed. Stay-at-home orders, day care closures, distance learning, and bandwidth requirements were among the things we may not have fully considered prior to COVID-19. First responders, medical professionals, and manufacturing companies still needed to report to work, but positive cases and shortages of personal protective equipment (PPE) and other supplies affected our ability to provide critical services, especially in hot spot areas. So how has COVID-19 changed our traditional approach to pandemic planning? Taking it one step further, how has it changed the way our business models look? And most importantly, has it created an “illusion of preparedness,” or false sense of resiliency, that we should be concerned about?

LOOKING AHEAD AND APPLYING LESSONS LEARNED

Many of the quick lessons learned during the pandemic have changed the way companies are thinking about business models and resiliency. Some of these practices, which arose as an inherent result of the pandemic, are proving to be useful as we adjust our operational capabilities moving forward.

How Can Remote Working and Flexible Work Schedules Increase Possibilities?

Because of the strict stay at home orders for those that were not considered front line workers, many employees faced the challenges of working from home, where distractions were abundant, and resources were limited. Technology requirements were pushed to their limits and we quickly realized this type of remote capacity had never been tested before. Yes, perhaps the occasional weather event required regional remote working, but the pandemic caused worldwide remote access requirements for organizations and health care providers as well as teachers, students, and business customers. Employers had to swiftly provide the resources to work effectively and securely in this type of environment. This included hardware, bandwidth upgrades, security enhancements, and collaboration tools such as Zoom and Teams.

In addition to these challenges, many employees working remotely had young children at home due to day care closures and/or having to assist their children with distance learning. Others were faced with caring for sick relatives. Many people found themselves having to take time out of regular business hours to handle doctor visits and parental responsibilities. This required many to work outside of normal business hours.

If properly considered, employers could use this approach to their advantage moving forward. How has the flexible work model changed the way we can think about our talent search? Perhaps companies can now look for expertise beyond the immediate locale, which significantly increases available applicants. It also means that employers can implement multiple shifts, which can increase potential output and expand the radius of clients and customers that can be serviced in different time zones. Organizations are no longer confined to a particular geography when defining business goals and strategic initiatives. This inherently enhances our business continuity strategies, as flexible hours and geographical diversity increase our ability to continue operations during an event that significantly impacts a particular region.

How have companies increased their cybersecurity resiliency?

A respected colleague of mine often says “hackers never let a tragedy go to waste.” This was never more true than the early stages of this pandemic. A displaced workforce that was distracted by influences unrelated to work – children, television, social media, lack of a structured work environment – increased the potential for cyber-attack victimhood. Employees who are not 100% focused are more apt to make mistakes and miss the tell-tale signs of a phishing attempt. We saw rapid deployment of new technologies and security protocols and heard many organizations say, “We have wanted to enhance our network capabilities and security practices for some time now, this forced us to do it now.”

If companies took a serious look at the additional need for security, they would see that this increased resiliency makes them better prepared for the growing complexities of the cybersecurity threat landscape.

Communications

We have always known that sound communications is the foundation of efficient operations and successful recovery efforts. Internal communications infrastructure is critical for disseminating important details of the situation and recovery effort during an emergency. External communications not only informs customers, clients, and stakeholders but also mitigates the risk of reputational impact that arises when the right information is not shared. This was especially important during this situation because everyone was communicating, and not doing so would have been noticed. Communications and how it is handled are specific to every situation. Knowing the right interval for updates and the right level of detail based on the audience is important. Communication styles are also important. For instance, the LinkedIn audience is very different and more formal than the external viewers of a company’s Facebook page.

Mental Health

Everyone experiences change and stress differently. Traditional business continuity planning had a heavy focus on technology and location dependencies. But has there been enough consideration specific to the effects of a stressful situation on personnel and their ability to be productive?

In a survey conducted by Thrive Global, results showed that in the top ten things that employees worried about in May 2020, productivity was number ten. Interestingly, job security was number one. Remaining productive to ensure job security came in at the end of the line with the top three concerns after job security being personal health, childcare and home schooling, and personal finances. This tells us that keeping a job was the top concern for employees, but personal concerns were far more important under the circumstances than having to do what needed to be done to stay employed.

What is even more interesting, though, is that regardless of the things that caused the most concern, employees and employers alike were able to adjust to the situation and several surveys and studies have shown that most employers polled reported very minimal impact to productivity across the board. In fact, evidence suggests that many people worked more as they spent less time traveling to and from an office or being sucked into water cooler conversations and the like. Not as many organizations came to a halt as predicted or feared early on. This suggests that there is always a solution to every challenge and when under stress, people generally will rise to the task to make things happen, and that compromising situations increase our resiliency to future events. However, employers must develop ways of staying cognizant of the mental well-being of their employees in times of strife or this may not always be the result. Such a large-scale event forced us to acknowledge this on a global platform but the same stands true for smaller scale incidents.

THE ILLUSION OF PREPAREDNESS?

The pandemic proved that companies could react swiftly to the rapidly evolving situation. It was a true example that there really is a solution to every problem. During a crisis, people prove time and time again that when coming together, many things are possible – even those things we never considered before. The September 11th tragedy in 2001 presented so many issues that we had never planned for and the COVID-19 scenario wasn’t very different. Deploying a remote workforce with little warning and successfully navigating the constant challenges and shifts in our required response efforts was an impressive feat. However, did the pandemic leave many with an “illusion of preparedness,” or a false sense of readiness? A lot of companies are saying, “We don’t need to enhance our BCP, we lived through the biggest BCP event of our time…our plans are just fine!” Not so fast, perhaps.

Probability

We must remember that this situation was incredibly unique. Pandemics have typically been a low-probability event in risk assessments and will most likely continue to be, even with the projections of more infectious disease outbreaks to come. Statistically speaking, disasters or business interruptions are location- or company-specific. That may be changing with the seeming increase in regional events and cybersecurity breaches, but even if pandemics are ranked as more of a moderate event, preparedness to activate and implement a strategy to deploy remote working and continuity of operations is at a completely different level than it was prior to COVID-19.

Impact

However, traditional business continuity events often include loss of technologies and physical locations. This isn’t the case in a pandemic event. Yes, many locations were not accessible due to stay at home orders, but organizations were not faced with the added stress of having to reconstruct brick and mortar. In addition, although providing remote access strained technology teams, they were not pressed to send systems to backup recovery datacenters.

Forewarning

Unlike “smoking hole” disasters or sudden events that we couldn’t have known were going to happen, there was warning of the onset of the pandemic. Although minimal at times, we had time to adjust and prepare for the evolving situation. There may have been moments where it seemed that the rate of change was rapid, with new information and guidance coming out at what felt like an hourly pace, but it was still gradual and came with forewarning.

Collaboration

Organizations had the benefit of learning from their peers during this event. This was not the pandemic of New York or the pandemic of London. The effect was global, and everyone found themselves in the same boat. Yes, the boats may have been different sizes, but everyone was floating in the same body of water. Most of the time, customers, clients, patients, etc. have a greater level of tolerance in situations that also directly affect them (realizing that not all customers can be satisfied at the same time to the same level). For instance, if a bank were to suffer from an incident that significantly impacted their ability to service their customers, but their customers were unaffected, those customers most likely would become less patient the longer the interruption went on. However, in a regional event, everyone feels similar pain points and can relate to the challenges being faced. Over the past two years countless supply shortages, office or restaurant closures, cancelations of elective surgeries, delivery delays, etc. have all been “due to COVID.” The explanation is so relatable that there is less pushback than if a company’s inability to provide goods and/or services is an isolated occurrence. At the onset, many organizations were collaborating through vehicles such as virtual seminars and webinars, social media blogs, and email campaigns to share insights and lessons learned. In this way, companies were able to learn from each other and stay ahead of issues by being proactive in continuity efforts. This added benefit would not be the case for a company navigating response and recovery efforts in a vacuum due to an isolated outage.

Personnel Recovery

One of the biggest areas of concern that has come from the pandemic is the concept of personnel continuity. As a result of the pandemic, many companies have looked at the success of their remote work capabilities and have decided to make this more of a strategic initiative and incorporate this into future business models. If it was successful for months or now even years, why not make this a permanent way of conducting business? Sure, there are jobs and positions that really have the most success being on-site but online meeting tools have significantly reduced the dependency on in-person meetings for those who can work in an office environment. If budgets can be largely cut by reducing the need for office overhead, travel, and other expenses, why not increase revenue or put that money into new, innovative business ideas? In cases where organizations are opting to go back on-site, many are now considering remote working as the backup plan for personnel if the production facility becomes inaccessible, saving cost and resources for maintaining multiple locations to be used in interruption scenarios, whether in-house or outsourced to a third-party provider.

This makes incredible sense, if it doesn’t come with an unforeseen price tag when recovery plans must be implemented. If organizations are downsizing real estate footprints and moving to more of a remote workforce or using remote working as the backup for personnel if displaced from their primary location, are continuity plans considering what will need to happen if remote working is not possible? There are plenty of examples of regional events that have caused widespread power outages lasting for more than a few hours or days. In the United States, Hurricanes Katrina (2005) and Sandy (2012) as well as incidents such as the Northeast US blackout (2003) and the Southern Brazil blackout (1999) are all examples of extended power outages caused by both weather occurrences and infrastructure failures. BCPs must include considerations for regional events – it can’t be assumed that employees have generators. If the event is location-specific and only affects primary sites, working from home is a viable backup option. However, if employees are working from home as their production location or are expected to work from home as a backup, what happens in regional outages where this is not possible? Organizations must ensure that a backup plan exists that does not rely on employees working remotely. This may include maintaining a corporate headquarters with a full-scale generator or contracting with an outside provider that can provide seats for employees that have no access to power to continue critical operations. If companies have generators, it is essential to understand the generator’s capabilities. Many only support data centers and emergency power, which means they cannot be counted on to support desktops, etc.

The pandemic proved that pivoting to a dispersed remote work model could be successful. However, it is important to keep in mind that this type of scenario remains less likely than isolated events that impact data centers and/or facilities. Recovery plans must also include considerations for events that result in regional power issues.

LOOKING AHEAD

Back to Basics: The Importance of a Business Impact Analysis

In order to properly plan for the continuity of operations in any scenario, it is essential to conduct a thorough Business Impact Analysis and ensure plans are built on it. This means not only documenting the priority, recovery time objectives (RTOs), and maximum allowable downtimes (MADs) for each function but, even more importantly, assessing the level of impact to the organization – financial, operational, legal, regulatory, reputational, etc. – to truly understand the potential risk to the organization if functions were not recovered in those timeframes. Equally important is understanding the resource dependencies – personnel, hardware, infrastructure and applications, office equipment and supplies, etc. – that must be made available in order to ensure RTOs and MADs can be met. This assists in focusing on those functions that will result in the most unnecessary loss and suspending those that would result in less impact.

Risk Assessment

How has the move to more of a remote work environment changed the way the concept of a location is defined in our BCP risk assessments? The goal of the BCP risk assessment is to identify the impact of certain threats to a company’s location. If locations are now dispersed at employee homes, how will that be accounted for? Will the location be called “remote,” and the geographical footprint be incorporated? Will the most critical location now become the one that houses the data center? Will there be a shift to assessing the impact of threats at a department or function level? Or perhaps it makes sense to have a hybrid of sorts. There also are certain threats that may become less of a risk than they were before. For instance, if the data center is outsourced, the threat of a fire at the corporate headquarters becomes less of a concern if most of the workforce works remotely. Risk assessments may need to be more customized per organization than they have been in the past.

Testing

Although the pandemic event was documented as a test of recovery abilities, it must be considered as scenario-specific to working remotely. This was not a test of application recovery abilities. Systems were not affected, and traditional disaster recovery testing must continue to be a part of validating that an organization can have systems, functions, and other dependent resources up and running within the documented RTOs/MADs in order to minimize downtime and subsequent loss.

Incident Management

The evolving and changing details of the pandemic were at times happening so quickly that it was difficult to keep up. One thing that became very apparent was the need for real-time incident tracking. Automated tools are available to assist with documenting incident details and important milestones as well as to follow up on action items and responsibilities, although spreadsheets can also be helpful. One thing is for sure — letting too much time pass and trying to go back and document information after the fact is often close to impossible and increases the risk that important tasks get overlooked. Continuity plans should include established roles and responsibilities for incident tracking and should include instructions for how to do so. These details are extremely helpful in reviewing lessons learned after the event is resolved but also can be beneficial for insurance claims or regulatory reporting in regulated industries.

Company Culture

Company culture is the foundation of an organization’s ability to thrive and be resilient to challenges and change. Employee morale can be directly tied to culture and a company’s ability to keep it immersed in the employee base. Maintaining this culture is often done by setting the tone at the top with company leaders. This becomes challenging when we suddenly do not have face-to-face opportunities to establish and share cultural nuances. In-person meetings and events also increase our ability to share personal touches with our peers. Working remotely requires creative ways to ensure culture does not get lost. Conducting virtual check-ins and other more recreational events, such as virtual happy hours, workouts, trivia games, company contests, employee of the month awards, etc. can help ease the constant business-like atmosphere of virtual meetings and allow people to share personal overtones with colleagues in a relaxed atmosphere. It is also important that occasional in-person events, whether they be business meetings or company outings, continue to be incorporated so employees have the opportunity to socialize without the pressures of business obligations.

The COVID-19 crisis and our ongoing reaction to the business continuity difficulties it has exposed show us that while we are capable of being agile under duress, there are still plenty of holes to plug. Although we may have found a variety of new and flexible solutions, we mustn’t allow that fact to instill a false sense of security – the aforementioned illusion of preparedness. Instead, we should now be focusing on how we can better build out our BCPs in the light of our most recent successes and failures.