The people element of business continuity: some lessons from COVID-19
- Published: Wednesday, 10 June 2020 08:38
With so many working environments made unavailable as a result of COVID-19, and staff being forced to work remotely for extended periods of time, what lessons have companies learnt about the provisions they had in place, and how might they adapt for the future? With many organizations looking at introducing more flexible working as a permanent solution, the people element of business continuity needs more consideration than ever. Chris Butler explores…
Business continuity (BC) and impact recovery plans work extremely well when the impacts of an incident are already known. From known threats to unknown threats, and even Black Swan events, having a plan is a starting point which a company can adapt from. The military adage ‘no plan survives contact with the enemy’ is worth remembering here.
The physical consequences for a business following a disruption can vary significantly, from none at all to extensive, even if indirect. For example, a breakdown of core IT systems held with third parties, product recalls needing to be set in motion, or quality control incidents which need to be managed may all have no physical impact. However, at the other extreme, terrorism, political violence and rioting all mean businesses are often unable to provide services, or that customers have no choice but to physically stay away.
When considering the circumstances many organizations find themselves in today, it is worth noting that pandemics last charted on the World Economic Forum’s Global Risk Landscape Assessment back in 2015, and in 2008-10 before that. The risk landscape has changed significantly since then, with an increase in risks that create uncertainty, such as natural disasters and extreme weather events. Risks that create complexity, such as supply chain issues, have increased too, and many risks involving adversaries, such as cyber attacks, fraud and theft, appear more frequently. Even worse, these risks are combining to compound the situation – phishing attacks on employees are up by 40 percent in the current pandemic. Working from home has created greater vulnerabilities that cyber attackers are exploiting.
It’s time more companies asked themselves what the key people issues are that result from having to deal with the impact of such risks.
Areas commonly overlooked include:
Complexity surrounding data and systems access
The goal for a business here is keeping data and systems available for people to use, no matter who they are or where they are located. Challenges can easily arise if data or systems are accessed from alternate locations, something IT departments must then quickly act to fix. Also consider the challenges for IT teams when people try to access data and/or systems from untested or untried networks. There may also be connectivity issues from networks that are completely outside the control of IT staff.
This complicated world can get far worse when people are sent to work from home or to alternate sites. Organizations frequently end up with an increase in configuration problems that need rapid resolutions to avoid significant productivity lapses. Companies need to recognise the pressure this puts on those left dealing with the fallout, especially if the IT teams are themselves reduced in numbers.
IT staff are the most influential part of the management of IT systems, including of course the disaster recovery (DR) plan if it needs to be activated. They are intimately familiar with business as usual and what ‘normal’ looks like. The moment to find out that a DR plan cannot be implemented, or doesn’t meet the needs of the business, is not when disaster hits. Switching certain systems or failing over needs to be practiced and effective steps recorded in plans, and it’s the people in an IT department that make that process work.
Organizations might also find that the people who set up and/or manage environments aren’t able to maintain, fix, manage or fail over systems and the data in them when needed. They might have left the organization, might be retired, or of course they may themselves have been affected by the cause of the disruption.
Not understanding end users
End users may also need to be in a position to access systems and data, and they might not always be internal staff. These people might be customers – commercial or business – and a large majority might function outside a corporate firewall.
Companies need to consider how that will be managed. Will everyone who accesses systems or data have to use a VPN? Does the company know how assets will be accessed over different networks? From a working from home perspective, with whole families competing for bandwidth at the same time, what other limitations might there be? What security trade-offs have been made to enable remote access, and how will these be resolved in line with good practices?
Not understanding pressures on personnel
The ability for an employee to work effectively may be significantly impacted by many factors relating to disruptive events. They themselves might be affected by illness or have colleagues or family members who are.
New anxieties might also develop relating to personal finances, job security, or school closures that make childcare a challenge, and the impact of media or government messages versus employer communication might cause stress.
A lack of planning and preparation
Staff have been increasingly asked to work from home during the current pandemic. But to do this formally, for the long term, they need to be properly equipped and have different working practices, including for continuity and recovery. For those who have to use an office, the business challenges remain about applying the relevant social distancing regulations.
In times of disruption, business dynamics change. Customer expectations and behaviours change. Demand for services and goods is affected. There may be a surge in online orders. Supply chains might shift where quotas can no longer be fulfilled. Each of these things can affect customer relations and impact stock or share pricing.
It may well be necessary to adjust priorities based on existing business impact analysis and critical activities based on availability of personnel. This might lead a company to go beyond what was originally included in its business impact analysis. For example, it might consider how critical activities would be maintained if it had less than 50 percent of staff available to work.
When it comes to making advanced IT preparations, organizations should have plans in place for a number of areas including security operations, technology operations, end-user support, incident and problem management. There are certain issues now heavily impacting IT teams in relation to how people are currently working and consuming goods and services. Whether from more calls to the IT helpdesk because of remote working, greater network traffic, or changing demand for services, there is more pressure on people than ever.
Steps for success
Business continuity planning asks a business to use its imagination when it comes to the different scenarios the people it serves might face. To best prepare, organizations should run tabletop exercises to develop understanding and challenge what is currently in place. Some employees will have had limited exposure to remote working; they should be helped to work in this way for long periods to establish the limits of productivity in such circumstances. Rehearsals for communication mechanisms will also help personnel understand how and when they will be alerted to important information from the business.
Above all, reviewing plans to ensure people understand how things will be done is a very important part of business continuity. Keeping the workforce aware of what the next stages and plans will be is vital. Exercise, plan and prepare is key to succeeding here.
Chris Butler, MBCI CISM, Lead Principal Consultant for Risk and Resilience, Sungard Availability Services.