If your business didn’t have ‘pandemic’ anywhere on its disaster planning bingo card, you’re not alone.
A Gartner poll of 1,500 organizations found only 12 per cent were “highly prepared” for the impact of COVID-19 on their business and just over half (56 per cent) said they were “somewhat prepared.”
Now, six months into a global pandemic that has turned their operations upside down, businesses are either exploring disaster recovery (DR) and business continuity planning (BCP) for the first time, or updating their existing plans to be ready for future waves.
DR versus BCP
DR and BCP are related but different. Disaster recovery starts with IT, focuses on recovering from a disaster within a limited amount of time and is reactive to a specific emergency.
Most DR plans identify and assess:
- potential risks and disasters (such as fire, floods, earthquakes or data breaches)
- critical IT assets and functions
- data backup and recovery
- connectivity to service provider(s)
- backup power
BCP, on the other hand, is business-centric. It’s about keeping the entire business going, not just IT. And it must involve all business units and focus on the ongoing continuation of critical business operations.
BCP typically involves identifying and assessing:
- the most critical functions key staff must perform daily
- resources staff need to perform those functions
- potential financial impact
- relationships with alternative suppliers if the supply chain is disrupted
- the need for alternate space (such as office, manufacturing, warehouse or retail storefront)
The International Information System Security Certification Consortium (ISC2) recommends that DR and BCP be prepared and executed in parallel rather than separately. And many experts say DR and BCP processes should be tested and updated annually.
Here’s a sobering stat: In 2016, when ISC2 polled organizations whose DR and BCP had failed during a disaster, 90 per cent blamed the failure on their plans not being up to date.
Why pandemic planning is different
If your organization still has no DR and BCP, now is the time to create them before COVID-19 forces another lockdown. If you’re still relying on the DR and BCP you had before COVID-19, that’s not good enough. Any existing disaster plan must now be updated specifically for COVID-19.
“A general business recovery plan is only helpful in dealing with disruptions caused by an extreme weather event or an IT failure,” Forrester Research VP Stephanie Balaouras has pointed out.
“A pandemic recovery, just as with pandemic planning, requires its own unique response because disease outbreaks can subside and then flare up again,” she says. “Organizations need guidance on how to quickly close and reopen their operations if there is a new burst of infections or a second wave.”
Updating your BCP
What should enterprises focus on when updating their existing plans for COVID-19? A July survey of more than 500 global IT pros provides some hints. Some of the biggest challenges they’ve faced so far with their existing DR and BCP during this pandemic include not enough prior testing, team communication tools, VPN infrastructure, security vulnerabilities and cloud workspaces.
If your enterprise is looking for a COVID-based template for DR and BCP, this one from the SANS Institute is comprehensive and updated specifically to deal with the virus. It recommends:
- a graduated COVID-19 response plan based on advisories from global, federal and local health officials
- training alternate leadership who can execute your plan if key executives are ill or quarantined
- educating staff about COVID-19 symptoms, exposure, risk and methods to prevent and contain infection
- identifying staff who may have a higher likelihood of unavailability to work due to illness or child care issues
The SANS template also suggests planning for how people will be paid, where they will work, how they will accomplish tasks if they can’t get to the office and what work will be suspended during an outbreak or lockdown, as well as alternate communication plans.
Enterprises should also consider which operational procedures must be altered or suspended regarding facilities, visitors and non-essential activities; how to increase bandwidth, VPN concentrator capacity/licensing and the ability to offer VoIP and laptop/remote desktop availability; and how to provide alternate customer engagement or service.
Another excellent guide to consult is the Uptime Institute’s pandemic planning and response document. It outlines crucial measures to protect enterprise data centres before and during COVID-19 outbreaks, including site cleaning, staff safety protocols and keeping critical IT infrastructure running.
BCP for small businesses
Small businesses employ two-thirds of the American workforce. About 110,000 of them have folded since the pandemic began and another 7.5 million are in danger of closing permanently if economic conditions don’t improve within the next six months.
One survey found that 31 per cent of U.S. small business owners who’ve already suffered one COVID-19 closure haven’t taken any steps to prepare for another shutdown.
Here are guides and templates small businesses can consult to formulate DR and BCP plans for the first time ever:
- BCP: U.S. Small Business Administration
- BCP: Business Continuity Institute
- BCP: FEMA
- DR: U.S. Department of Homeland Security (USDHS)
- BCP: USDHS
Some of the clearest advice I’ve seen for small businesses planning for future COVID-19 disruptions comes from the U.K.-based BCI we mentioned earlier. BCI urges small businesses to do these three things, and incorporate them into their pandemic-era DR and BCP:
- rapidly accelerate the digitization of their operations
- re-think, diversify and repatriate their manufacturing and supply chains
- realize the survival of their business depends on the health and safety of their staff
Some other great advice comes from a BCP podcast produced by Databarracks. Various business execs and managers have been guests on the podcast, and their tips could be helpful to organizations of all sizes tackling DR and BCP during the pandemic:
- Keep it short: The best BCP is a concise checklist, not a 50-page binder.
- Make it readable for business units: If only IT can figure out what the plan means, it won’t be executed properly or quickly.
- Plan for impacts, not scenarios: Instead of trying to plan for “massive asteroid hits Earth,” plan for impacts you could face under various disasters, like “people unavailable,” “premises inaccessible” or “communications down.”