Business Continuity Post Pandemic

Business Continuity as a concept has been around for quite a while under a variety of guises. In the 1970s it was called Disaster Planning. Companies brainstormed scenarios and what is needed to ensure corporate survival if they happened. Scenarios ranged from losing the raw material storeroom keys to a total loss of the corporate head office.

Requirements changed over time as companies became more and more reliant on IT systems, and Disaster Planning programmes specifically designed for IT recovery became part of the CIO’s To-Do list.

Many practitioners thought that Disaster Planning was a far too negative description and Business Continuity replaced it as a much more positive name. The prime movers of the change are thought to be auditors and their associated consultancy firms, who saw lucrative fee-earning opportunities in providing guidance and advice and drawing up Business Continuity plans. In addition, it satisfied the business requirement to “Protect and enhance shareholder value”.

The recent pandemic has shown clearly that many businesses do not have effective business continuity plans.

The way to kick off planning is to think of all the things that could derail the business and rank them in order of likelihood and impact on the operations. In effect, carry out a Risk Analysis. Remember though, this covers the entire business, not just a part of it. There will be some parts, for example, IT, that will have individual plans, but these are a subset of the overall Business Continuity plan.

There is also a section devoted to the actions needed by senior management.

Be creative, think out of the box. But remember as Donald Rumsfeld said, “there are known knowns, there are known unknowns, and there are also unknown unknowns”. In short, you can’t plan for everything. There may even be a scenario where your business cannot survive.

Some areas to consider include:

• A supply chain failure, such as loss of services like water, electricity, or a major supplier.
• A fire or natural disaster destroying key parts of the business.
• Loss of a key member of staff.
• A cyber-attack on your IT systems; and
• Political changes affecting the business.

These are just some of the general risks a business potentially faces. Others will be particular to a business, some to a business area, for example, changes to regulatory compliance regulations in the pharmaceutical industry.

Today, with an increased focus on IT continuance, there are some key factors to consider:

• Malware attacks, especially DDoS and ransomware, have increased significantly recently.
• If you have outsourced to a managed service supplier:
  • Their stability
  • Their vulnerability to external attack
  • Their accessibility
• Connectivity failure, either in-house or at an external point.
• Internal threats of theft of Intellectual property or financial information; and
• Key staff, their reliability, and sustainability.

The first step is to set up a working party with representatives covering all parts of the organisation. Each representative in turn sets up a working party that will look at the business risks associated with their business area. The risk might be standalone or downstream of risks in other departments. They must also set up how the risk can be mitigated or got round if it occurs. Bear in mind, that depending on the likelihood of a risk happening and the cost of preventing it, it may be better, operationally or financially, to let it happen and sweep up afterwards.

The output of each working group will be a matrix of risks, the probability of their occurring, the severity, and the steps to be taken if it occurs.

You also need to consider any other actions that must be taken. For example, a communication programme with suppliers and customers letting them know what has happened. Senior executives must be in the loop as part of an overall communications programme. You may also need them to authorise actions or commit expenditure.

It is very tempting following a BCP exercise to put the documentation in a cupboard and leave it there until it is needed – at which time you will find it is out of date. A second issue is that everyone needs to know where it is, what is in it, and what they need to do.

A regular programme of education is essential, perhaps even to training exercises. One day, lock the doors to the offices and tell people to invoke the BCP. That will be very instructive.

Understand that BCP is not a static one-off exercise, it is a continuous rolling programme.

An essential part of any BCP is regular education and updates. New threats appear, contact details change, keyholders change, suppliers change. Changes mean updates to the BCP documentation. For example, new regulations in the Finance or Pharmaceutical industries or a change in Board-Level Executives may mean changes to the BCP.

1. You need a BCP, which is up to date and regularly maintained,
2. You need to educate everyone on its existence, location and work plans.
3. You need to keep up to date with new threats and corrective actions.

If you do that, you have a fighting chance of surviving a crisis.