In light of the recent Coronavirus or COVID-19 pandemic outbreak, now is a good time to review your plans. Two of those key plans here are your disaster recovery (DR) and business continuity (BC) plans. Each plan plays an instrumental role and serve in different capacities. There is both a science and an art to effectively building and engaging disaster recovery and business continuity plans.
Most enterprises have some form of DR/BC plans, but to varying degrees of preparedness, effectiveness and success. To make a point, disaster recovery and business continuity plans are commonly one of the biggest hidden risks to an organization. This is often due to a combination of under-funding, complications, lack of regular testing or just lack of preparedness for a variety of situations. Pandemic outbreaks are one of those situations and directly impact business continuity plans in many different ways. Let’s take a look at three things to get you prepared.
Disaster Recover Plans
First, dust off those disaster recovery plans and ensure they are current and up to date. Ensure they represent your current environment, priorities, team, processes and risk profile. Most enterprises may already have a disaster recovery plan. Keeping it current and exercising it is a whole different matter.
It should be noted that disaster recovery is neither straightforward nor easy to implement. Disaster recovery plans take into a number of things including account risk, value, time and people.
Typically, the IT organization leads this discussion. However, it is important to engage a collaborative, cross-functional team for the planning and exercising. This ensures that the plans are thorough, well thought out and take into account risk, value and people across the organization.
Beyond planning, plans need to be exercised on a regular basis. It is common to use table-top exercises for some activities. However, it is important to test the DR plans as completely much as possible. This ensures that the plans work and that there is cross-functional organizational awareness of the plans and processes. Creating muscle memory for disaster recovery plans is key.
Business Continuity Planning
Second, consider your business continuity plans. These differ from disaster recovery plans as they cover how the business will continue operating in the face of adversity. The common way to think about this: Should a given event happen, what would be the impact to the business and how would the business change to respond to it? Business continuity plans cover far more than just IT and are ideally led by someone from the risk or audit organization, not IT. IT does play a critical role in business continuity. However, because it covers broader implications such as natural disasters, work stoppages, and other global ramifications.
Not all events are global in nature. It could be an earthquake that hits the SF Bay Area and renders your headquarters building inaccessible. What happens when the staff are not able to come into work? Maybe working remotely is fine for a period of time. What about an extended period of time? Or what if the employees are having to address their own personal situation due to the event and therefore unavailable? These are all realistic situations that companies plan for and set triggers to engage the next stage of execution.
IT plays a critical role in supporting changes in the business dynamics and needs to be flexible and prepared for each stage.
Preparing for the Pandemic Outbreak
Pandemic outbreaks are not common. Thank goodness! However, when they do occur, they have widespread and lasting impact on companies, their employees, customers and ecosystems.
Pandemics are similar to situations that might impact business continuity. However, they often impact the company at its core. In the earthquake situation above, the impact to the headquarters and its employees is slightly different. In that scenario, it is plausible to have a business continuity plan where work shifts to an alternative location with different employees. Or maybe you send employees to the alternate location. Similar to a data center shifting to a backup location. In the case of a pandemic, that option doesn’t exist.
A pandemic is not a local event and will impact the company, employees, customers, partners and ecosystem across the globe. For pandemic planning, a common set of questions about actions and business impact should include:
- What will happen should your headquarters be off limits?
- What if employees are not able to get into the office and need to work remotely?
- What if employees are ill and not able to work at all?
- What actions can be taken to protect and support employees?
- What happens as the dynamics change over time?
- How will you recover from engaging your pandemic plan?
Most planning exercises have clear components such as triggers, time components and actions. Each of these is a result of collaboration of a cross-functional effort that spans well beyond the realm of IT.
These three things are not quick to engage as they take time to plan and implement. Even if your disaster recovery and business continuity plans are not where they should be, there are actions you can take to address the current pandemic outbreak.
Think about the questions outlined above that impact employees and business operations. What teams within your company need to be thinking about this? How would you answer those questions? It is not an exhaustive list that need to be considered but will provide a starting point to put you in a better position.