This post first appeared on Risk Management Magazine. Read the original article.
The COVID-19 pandemic has exposed glaring deficiencies in
business continuity and crisis management plans at organizations across all
industries. While executives and management are focusing most of their efforts
on responding to the day-to-day upheaval caused by the virus, companies must
prepare now for extended disruptions to their operations.
Before the pandemic, it was not unusual for crisis
management and business continuity teams to update plans once a year and meet
quarterly to review them. However, the most effective response to the pandemic
has demanded that teams share data weekly or even daily to continuously monitor
an evolving and highly uncertain environment.
The pandemic is only one type of threat likely to test an
organization’s crisis management and business resumption capabilities. Moving
forward, leaders need to reimagine their crisis management and business
continuity planning to prepare for simultaneous natural disasters, widespread
power or technology outages, civil or political unrest, and other events that
could conceivably threaten business operations on a large scale.
All “black swan” events should be considered in a robust
crisis management planning and business resumption exercise. Business
continuity management must address multiple concurrent threats now more than
ever. The potential convergence of disaster events will require risk management
functions to ask many new questions, including those that address the
“unimaginable,” such as:
- What if the digital infrastructure breaks down
during a disaster? - What key infrastructure redundancies should be
in place to address aggregate compounding disaster events and ensure resilient
enterprise operations? - Can remote workers perform their work as
multiple disaster events occur simultaneously?
Crisis management planners should assess all possible
alternatives under these scenarios, including solutions available today and
those that could be put in place over time.
Business continuity planning increasingly requires an
emphasis on enabling remote workers with tools, including satellite telephones,
DC to AC power inverters for cars, backup generators and power supplies.
Organizations must have multiple layers of redundancies in place and support
remote workers with ways to complete their work.
COVID-19 showed that many organizations were not maintaining
updated and tested pandemic preparedness plans. They are now reconducting
business impact analyses to focus on onsite requirements for delivering
critical business services and maintaining current service levels during peak
periods over the coming weeks and months. Organizations should prioritize
conducting a thorough evaluation of the third-party service providers that
contribute to the execution of critical business services. They are increasingly
implementing cloud-based solutions, higher-availability applications and
collaborative tools. Tabletop exercises are now almost exclusively conducted
through telecommunications platforms and virtual collaboration tools.
Postponing traditional, scheduled IT disaster recovery tests is not an option,
and enterprises are focusing increased resources on cybersecurity threats to
the organization and its customers.
For all the difficulties COVID-19 created, the pandemic has
provided organizations an opportunity to reclaim and reinvigorate crisis
management and business continuity planning. Organizations can make permanent
the more active and continuous communication practices put in place due to the
pandemic, and they can enrich their scope of preparedness by imagining extreme
scenarios, regardless of likelihood and cost.
A Plan for the Future
There is no single correct way to perform or govern business
continuity and resilience planning, given the differences among organizations
and how they view their risk profiles. Still, it is important to continuously
improve the plan, and one of the best ways is to incorporate a feedback
mechanism.
Organizations must not overlook the aspects of change
management that focus internally on business continuity management. Industry-leading
practices require organizations to identify scheduled and unscheduled triggers
that will provide the necessary information to allow the business continuity
management function to operate. Various examples of scheduled triggers include
annual continuity risk assessments, business impact analyses, and policy
standards reviews, as well as corporate governance requirements.
Unscheduled triggers include acquisitions, divestitures, and
identification of additional credible threats, as well as any changes in
locations and alternate sites, data centers and technology; legal and
regulatory requirements; the organization and/or workflow; and third-party
dependencies. Business continuity and resilience program updates should be
conducted annually, at a minimum, or as needed to address potential changes.
Historically, change management defects have undermined the
effectiveness of many business continuity plans. Triggers are integral to
continuous improvement activity, in that failures in change management cause
business continuity management defects. Change management linked to crisis
management and business continuity helps to ensure that significant
modifications to the business are planned for at the time of the update and do
not cause an unplanned outage during an emergency.
In 2021, organizations should consider the following key
concepts when implementing continuity risk management, crisis management, and
business resumption plans:
- Cultivate a flexible and resilient culture that
can respond to upheaval with a business-as-usual approach. - Conduct more frequent meetings between the
incident response and crisis management teams and integrate after-action
reports into a continuous improvement program. - Update the business impact analysis to emphasize
physical locations and the colocation of resources that provide critical
business services. Ensure current service levels are maintained during peak
periods. - Evaluate the organization’s reliance on
third-party service providers and identify alternatives in case of loss of
these providers. - Clearly define and communicate the process of
managing incidents through the crisis management plan so that declared
disasters will catalyze an immediate ramp-up of alternative operations. - Evaluate work digitization to ensure that
employees can access what they need remotely, including crisis management and
business continuity plans. Make sure remote procedures for employees meet
regulatory requirements for specific industries, such as securities traders who
are buying and selling stocks from home. - Review how crisis command centers have responded
to COVID-19. Identify areas that need improvement, and address and correct
shortcomings highlighted in after-action reports. - Evaluate supply chain disruptions and identify
alternatives for critical supply chains. - Assess the business model’s resilience, and
whether it allows organizations to adapt and recover from disruptions and
manage future crises by reducing costs in the short and medium terms. - Ensure
that crisis management and business continuity planning account for the portion
of the workforce who may continue working remotely.
Business leaders need to assess the performance of their
business continuity and resilience programs, and take steps to ensure that the
structure and strategies are in place to anticipate and respond to the next
event, no matter what it may be. Continuity risk assessments and crisis
management plans must emphasize speed and flexibility so organizations are able
to quickly adapt to rapid change. It is also essential that leadership and
employees are given fact-based information and tested alternatives to enable
real-time decision making. This integrated, comprehensive approach will help
build long-term operational resilience and prepare the organization for any future
disruption.