COVID-19 Impact on Business Continuity
Business continuity (BC) has become a hot topic in the wake of the COVID-19 outbreak. Businesses are being advised to quickly adjust their plans and processes to maintain operation and ensure rapid recovery.
Where Today's Business Continuity Plans Are Not Prepared
- As the number one shift during the outbreak has been remote access while physical locations have closed, IT is the single-most important element in business continuity during the COVID-19 outbreak.
- Only 42% of organizations surveyed had a business continuity plan that was sufficient in enabling recovery or continuity. Worryingly, only 31% of these plans integrated IT throughout the plan.
- Some key areas where existing business continuity plans are not sufficient include: sufficient stakeholder communication, coordinating with risk/governance in developing the plan, emergency/contingency funds, appropriate allocated staff, feasibility testing using current resources, live testing or assessments have been conducted using the plan and gaining input from multiple relevant internal stakeholders.
- Some businesses have reported an increase in malware attacks since the outbreak. This shows their IT security plans have not been tested for robustness during increased remote access.
- Older companies may have many functions that are still tied to physical locations. Furthermore, their IT stack may include only local access and interaction. Older ERP systems are one example where some businesses may not have enabled access outside the perimeter.
- One adviser has found that most business continuity plans are written with weather-related disasters in mind. One consideration would be to have segmented plans for different type of catastrophic events. Reportedly, businesses in the Northeast and Midwest are better-equipped as they are more used to weather-related disruptions.
- As such, many plans do not consider additional healthy work environment measures like sanitation and cleaning.
Employee Remote Access
- One aspect that has left businesses scrambling is the physical work environment of working from home. Not all people have space to dedicate solely to work. There will be other people around that can inadvertently comprise security.
- Many plans do not include what to do if an employee is worried about eavesdropping or even a break-in.
- Companies should have a Force Majeure clause in a business's policies regarding cancellations, reschedulings and so forth. Many, to date, use generic language like "acts of God, natural disasters, government orders or laws, or strikes" which can be legally ambiguous for something like this public health crisis.
- Furthermore, a safe working environment clause can also protect the business if it needs to shutter due to being unable to maintain a safe environment for employees.
How to Adjust Business Continuity Plans
- It is really important to have employees who are sufficiently cross-trained, as if some are not able to get into work (quarantined or sick), an organization should be able to continue its critical functions.
- Similarly, corporate systems should be set up so they can be accessed and managed remotely as much as possible.
- Infrastructure must have adequate readiness to support the much higher load of people working remotely.
- Business continuity should include a robust mapping of any single points of failure, so sufficient countermeasures can be planned.
- Privacy and security are increased concerns as employees and services to working from home. It is important that robust systems are in place to ensure appropriate levels of each. This is even more important for healthcare providers now shifting to telehealth.
- Furthermore, it's important to consider small but important elements to doing business such as signatures, witnessing, tests, inspections and similar.
- Companies should review their supplier SLAs to ensure there are sufficient amendments or backups to protect the supply chain in case of emergency.
- Business continuity plans should involve the ability of most, if not all, employees being able to work remotely. Planning for this can include reviewing application licenses, prioritizing access to corporate systems and possible redistribution of employees.
- HR and management should include plans to help with increased employee stress.
- If they are key roles that cannot be done remotely, a business continuity plan should include plans for ensuring employee mobility (building access, transport) and backup plans in case of necessary absence of even those key roles.
- Continuity plans should understand where operations can be shifted or temporarily halted. If a business can close some locations, then sufficient planning should be done for security and equipment maintenance issues.
- Furthermore, evaluating company policy for things like sick leave and sickness reporting are crucial from a management point of view in maintaining business continuity and compliance with local regulations.