The COVID-19 pandemic has stretched business continuity plans across the world and has tested virtually every planning assumption. Steve Dance highlights some useful lessons learned from this for business continuity managers.
In a casual survey conducted during an online webinar, companies impacted by the pandemic (or rather the government mandated responses to it) shared their experiences of invoking their business continuity plans. It highlighted several ‘tripwires’ which forced ‘on-the-fly’ changes to deal with flaws within their plans. The case studies below detail the tripwires encountered by three different organizations:
Assumption one: When we need it, we’ll go out and buy it
One organization (which took business continuity seriously) had a well proven business continuity plan: they ran regular tests and meaningful tests of their plan and were well prepared for remote working - the life-line for many organizations operating during the pandemic) - with the majority of their workforce regularly working remotely.
When the lockdown was initiated, they implemented plans made for the event that their normal place of work was unavailable.
The plan anticipated that business critical staff would initially be provided with spare IT equipment that was kept on-site. The next step was to source and supply computers and remote communication tools for remaining staff once it was known how long the office would remain inaccessible.
Although a common approach in the event of workplace inaccessibility caused by threats such as natural disaster and terrorism, the issue of intense demand was not catered for. As the lockdown started the nationwide scramble for equipment (particularly end-user devices) was overwhelming. Suppliers were swamped with orders and rapidly ran out of stock. The organization was able to source sufficient equipment by loosening ‘bring your own device’ policies and allowing their employee to use their own personal equipment. Crucially, this involved a new risk – cyber security – because the company could not be sure of the security configurations of their employee’s equipment. To continue to operate and survive the organization had little choice but to accept this risk and operate with it.
They managed to trade through the lockdown and their plan has now built in flexibility by switching many older desktop machines for laptops which can be easily taken off-site.
They are also planning to keep a smaller cache of equipment available at a second location as an additional contingency.
Assumption two: We’ll switch voice communications to mobile
A similar situation occurred with a professional services firm. They had considered the scenario of their office being unavailable but had not foreseen it being for longer than a few weeks.
Their plan was based around undertaking a temporary re-location to a serviced office environment, and the subsequent establishment of a new site if the closure of their current site proved permanent.
Their voice communications capability was provided by a traditional PBX phone system that was physically located in their office. Although an upgrade was being considered, there were no compelling business reasons to immediately upgrade.
Their contingency plan for their communications was to forward the calls from inbound PABX numbers to an emergency mobile phone, take messages and have employees use their own communication devices to make calls back to the customers.
On lockdown the flaws in this plan became apparent almost immediately. Firstly, the plan relied on one member of staff to take all the calls inbound to a company that previously had 30 staff available to answer the phone – this exposed a significant bottleneck. Next, because of social distancing and self-isolation requirements, the person who had the phone was unable to pass it over to another member of staff member to take over that responsibility, if they fell ill (which they did).
An attempt to address these difficulties was made by using call forwarding to redirect calls to multiple staff mobiles. This approach failed: bad lines, poor signal, and the inability to present the corporate number on outbound calls resulted in a generally poor customer experience. Regulatory compliance issues proved to be the final nail in the coffin to this approach: because staff were using their own devices to make calls, call reporting could not be performed.
Fortunately, VoIP (Voice over IP) providers were still operating almost normally and were able to onboard new clients during this phase of of the pandemic. This enabled the company to get their staff set-up with ‘softphones’ on their computers or mobiles. A ‘close shave’ and one which created a pool of disaffected customers during the implementation period.
Assumption three: people can work remotely
Our final case study concerns an organization in the property sector – an estate agency with over one hundred offices across the UK. Surprisingly, estate agency business continued through the lockdown – although property sales activity was curtailed for some time, services such as lettings and progression of agreed sales continued, as did back office functions such as finance, complaints management and compliance. When the lockdown was implemented, the company initiated their business continuity plan for branch and head office closure. Almost everyone in the organization could work remotely and those that needed to do so could install security software on their own devices.
That approach, on the face of it, would seem to offer a seamless transition from office to remote working. But, on the initiation of this part of their business continuity plan, the organization ran into two big problems.
Problem one was the licensing restrictions on the number of concurrent users that were allowed by their remote access software. Like many organizations, their arrangements for remote access assumed that only a proportion of their workforce would be operating remotely at any one time – not the whole organization. The helpdesk (already working to capacity helping employees to install security software on their own devices) was overwhelmed by calls and emails from employees who could not get access to systems.
This problem was solved by acquiring more licenses so that all employees could work remotely. However, this then created problem two:
Problem two manifested itself when many staff complained that they STILL could not get access to systems whilst those that did complained of excruciatingly poor performance. The license upgrade followed by the high volume of remote access use showed that the capacity of the infrastructure supporting remote access was insufficient. The only remedy to this was the acquisition of upgraded servers and network equipment – creating an IT infrastructure project in the middle of an operational crisis. Fortunately, the demand for this type of equipment was not at the same level as that for desktops and the required equipment was available in a few days and installed several days after that.
Business continuity planning lessons learned
It may be convenient to dismiss these examples as problems that were encountered during a once in a lifetime event and in some cases this may be true. However, reliance on remote working and telephony switching are fundamental parts of any business continuity plan and form a core capability for recovery. So, even if we don’t see another pandemic in our lifetime (after all, once is enough!), PROVING that recovery capabilities have the intrinsic capability to perform as assumed will ensure whether we really do have a business continuity capability that will work when it is needed.