Business Continuity Planning & Management in times of CoVID-19 and an economic recession.
Updated: Jun 2, 2020
Having a plan to adapt to an unforeseen crises should always be a key tool in any company's arsenal. With Corona virus seriously denting the Global economy on various fronts, its essential for every organization to have a comprehensive BCP to maintain operational resilience.
Business Continuity Planning (BCP) summarizes the Business Continuity Strategy and tactical objectives that have been considered as a basis of an organization's action plan. This plan will be invoked on the basis of contingency requirements, such as the current pandemic or any other crises that may emerge from time to time.
Business Continuity Management (BCM) consists of mitigations, stress-tests and recoveries executed by a dedicated team supporting all entities within an organization. This ensures a uniform and disciplined approach across the organization to act in accordance with the BCM framework and Action plan – thereby ensuring operational continuity.
Day to day governance of BCP program should be through the Risk Management division or a centralized action management area like a PMO (Project Management Office). The framework should be aligned with, current global and industry benchmarks, best practices and standards including, ISO 22301, the Global Good Practice Guidelines of the Business Continuity Institute and Disaster Recovery Institute International.
Business Continuity Management consists of:
1. Possible Risk Scenarios
A Business Continuity Plan addresses the three following high-level scenarios:
Building Events – all or part of the facility is unavailable for use. A building might be an office location, sales location or a data center. The cause of the event is immaterial at the time of an incident but might be fire, flood, quarantine, explosion, power failure etc.
Technology Event – significant non-availability of computer and / or communications infrastructure. In the context of our office locations, as your IT services are supported by a mixture of local and cloud based servers. A technology event is most likely to be an impact upon the network infrastructure. In the context of a data center. Such events are likely to be the catastrophic loss of functions of multiple IT systems and services. The IT Disaster Recovery Plan and IT Group BCP address the response to such events
People Event – significant non-availability of staff required to undertake critical business operations.
These plans are designed to provide the required response to address a “worst case scenario” and are sufficiently flexible and scalable that they will support events of greater/lesser magnitude.
2. Delivering Assurance
Companies should use several strategies to ensure that their plans and preparations collectively and continuously deliver the level of functional assurance and “recoverability” that is necessary to:
Satisfy your obligations and protect the interests of your customers, business partners, regulators and other key stakeholders (including our staff);
Protect your organization's reputation and brand value;
Ensure the ongoing viability of your business and operations.
Those strategies include:
Generating and communicating awareness through briefings to new staff and a variety of communications that regularly refresh communications with existing staff;
Periodic Testing of mass communication strategies and technologies;
BCP and IT recovery exercises and tests – ensuring that all critical components of our framework are tested annually (and more frequently where the criticality of the team or recovery element so demands);
IT recovery testing conducted within the Business Continuity framework generally falls into two approaches:
Testing of the availability, resilience and / or recovery concepts associated with a specific platform where such testing forms part of a specific contractual or regulatory obligation; or
Full data center isolation testing – in which the goal is to simulate the total loss of a data center and, in partnership with your business teams, confirm that the performance and functionality of the recovery environment meets the recovery and recovery time objectives (RTOs) identified for each of our businesses.
3. Continuity and Recovery Strategies
The aim, following a disruptive incident such as the current COVID-19 pandemic, is to meet all contractual &/or regulatory binding obligations. Companies should do this within the parameters set out in associated agreements and to maintain a resilient IT infrastructure.
The general recovery objectives should have a time frame with the following dimensions:
Primary front office plus supporting middle / back office functions
Work area recovery sites in strategic locations
Technical strategies, including use of virtual desktop profiles
Sales and 3rd Party location network access to workspace, data connectivity and voice communications
IT Service delivery models that require components to be distributed across multiple data centers
High availability or back-up and restoring capabilities
Diverse network and communications routing
Procedures for fail-over / activation of the associated systems and services
Operational testing of IT Disaster Recovery resources and infrastructure
4. Incident Response and Plan Activation
Execution of an incident response strategy is defined by scale and relative importance of each location and by the severity of impact of an incident.
An incident response matrix determines how and by whom the response will be managed and escalated.
Events that have either zero or only very minor impacts on operations are addressed by normal operational management
Events that result in harm to personnel and / or directly affect the conduct of operations in excess of 60 minutes will trigger a formal incident response
Maintain regularly trained and exercised tactical incident response teams
5. Crisis Notification and Communication
Embarking upon an ongoing Business Continuity Plan maintains, and regularly tests, your mass communication tools that enable you to quickly and easily communicate with and direct your staff in the event of an incident. The methodology enables you to select staff generally within a geographic area or specifically by office location or, in certain cases, by selected functional group.
As a general rule the aim of any BCM plan framework is the continued delivery of your key customer services and products. Additionally, any constraint upon normal operations should be largely transparent to your customers and business partners.
Please get in touch with us if you are interested to know more or would like us to support you on your Business Continuity Planning (BCP) and Business Continuity Management (BCM). We specialize in preparing companies to become more resilient and help them get through various crises.