In the months since the first news reports about a mysterious “pneumonia strain” — now known as the “novel Coronavirus” — were first flagged from Wuhan, China, the outbreak has left the world reeling. It is not just individuals who have been badly hit. National economies, governments, and businesses too have been counting the (many) costs of the crisis — costs that are unlikely to abate anytime soon.
Furthermore, national lockdowns, social-distancing rules, and other restrictions (on travel, working from home, etc.) have badly damaged several industries in countries worldwide. Major industrial production chains have ground to a halt, which has led to massive falls in industrial production. Many industries have been hit where it hurts most — their bottom lines. For all these reasons and more, the International Monetary Fund (IMF) has stated that the global economy will shrink by 3% in 2020. No wonder it is believed that the COVID-19 pandemic has created a “crisis like no other.”
Now, if the global economic situation is so gloomy, should organizations even bother to continue business operations? Assuming the answer is YES (and how can it not be? Commerce makes the world go round, after all!), what do organizations need to do in order to do so? Can Business Continuity Planning (BCP) help them keep going in the face of this crisis, or is it a case of “too little, too late”?
The answer to the last question is: Of course, BCP can help, and it is definitely not a case of “too little, too late”! Organizations that realize this will be better prepared to deal with the many more challenges COVID-19 is sure to throw in their path over the coming months.
According to the Disaster Recovery Journal, business continuity is “the strategic and tactical capability of the organization to plan for, and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level.”
A BCP ensures that in the event of a crisis, the organization is prepared to continue business operations with minimal impact or downtime. But BCP looks beyond dealing with the current crisis in the short term. It takes into account a number of factors and linkages and considers what will be required to keep the business going in the future. In addition, it also:
Conversely, failure to implement a BCP will affect a company’s crisis-preparedness, which in turn will disrupt its operations, increase the risk of financial loss, raise the probability of noncompliance with legal and statutory norms, and even adversely affect its brand image and market reputation.
COVID-19 is no longer simply a vague threat on the future horizon but a massive crisis in the present moment. However, a BCP can still help organizations deal with its effects today and mitigate its effects in the future.
In fact, rather than “too little, too late,” a BCP is more about “better late than never” — even if resolving the current crisis feels like a Sisyphean undertaking!
In the midst of such an all-encompassing crisis, businesses would do well to learn some lessons from it and utilize these learnings to develop their Business Continuity Plan.
Here are five such lessons that will prepare them for current as well as future crises:
1. Actions taken today can and will determine future success.
Smart, pragmatic organizations do not simply complain about the crisis, or wait passively for someone else (say, the Government) to solve the problems it has created for them. Instead, they take quick action to understand the repercussions of the crisis on their business, and then gather all relevant “data points” to design their Business Continuity Plan. They then leverage the BCP to ensure that their operations continue with no (or at least minimal) impact on their top line or bottom line.
2. The future has changed, but it is not necessarily bleak.
“Business as usual” is a nice “theoretical” concept, but COVID-19 has changed the world in such unprecedented ways that the definition of “usual” itself has changed. Consequently, the way business is done, and the way businesses operate need to evolve. Organizations that think about these issues are able to create a BCP that can effectively deal with these changes with minimal disruptions. Hope for the best, prepare for the worst!
3. Crisis management is not and never has been a “one-man show.”
A number of entities are cooperating closely to combat COVID-19 and its effects. The lesson here is in realizing that managing a crisis and mitigating its effects — an effort that requires BCP — can be best achieved when multiple parties pool their resources together in pursuance of a common goal. Only then can they find a feasible solution for everyone involved or affected by the crisis.
4. You can never be “too” prepared.
Business is not and should never be a “play it by ear” game. Although it is impossible for anyone to predict the future, it is possible to look back on past crises, review current realities, and use this information to create a workable future plan. Businesses that make this effort are better able to deal successfully with whatever the future throws at them.
Keep reading to know more about the value of “proactive” and “predictive” decision-making in Business Continuity Planning!
5. Alternatives are available — the key is to look for them.
It is important to understand the available alternatives and make the most of them. This requires resourcefulness, a quality that differentiates organizations able to weather storms from organizations that simply fold under at the first sign of trouble. A BCP forces organizations to harness their resourcefulness so they can deal with any surprises the crisis throws up — even the nasty ones.
The best way to deal with chaos in the future is to be prepared today. A crisis like COVID-19 requires ingenuity and decisive action. Equally important, it requires proactive thinking and decision-making, not reactive approaches and non-agile business models. These qualities and benefits are what BCP tries to bring to the fore.
A proactive organization has proactive leaders who are able to study trends, critique (and criticize) their own decisions, and find ways to convert challenges into opportunities. They invest time (and money) in preparing for future crises and in planning their possible responses. They also make use of data to get better insights about their performance and about the landscape they operate in, in order to improve their decision-making.
The use of predictive tools and technology is an important aspect of proactive organizational behavior and informs Business Continuity Planning to a large extent. One such technology is of course, Artificial Intelligence. In fact, AI is becoming an important aspect of business continuity, affecting it in several positive ways:
A particular organization’s Business Continuity Plan will probably look very different from the Business Continuity Plans of other organizations, even those that operate in the same business area, industry, or country. This is why it is not possible to create a general BCP “template” that applies to every organization, everywhere.
However, there are certain BCP best practices that have worked well in the past for organizations of all types and sizes, and there is no reason why they will not work well in the future as well.
Here are five such best practices or “rules of thumb”:
1. Start by doing a Business Impact Analysis (BIA)
A BIA helps you look at your organization’s processes and determine which are most critical to keep operations going. It also determines which areas are vulnerable and identifies the costs of a sudden loss of these functions. This information provides an excellent starting point for setting goals, identifying objectives, establishing priorities, and designing the actual BCP.
2. Identify the main “levers” of your BCP
Before you develop a BCP, identify its scope. What will it cover? What will it not? Also, identify key business areas, critical functions, and dependencies between them all. If possible, determine an “acceptable” level of downtime for each process and a strategy to deal with downtime that goes beyond this level. Include checklists with information about key personnel, emergency responders, critical vendors, the location of data backups, and everything else that may be required to maintain operations close to pre-crisis levels.
3. Prioritize
Simplify business continuity with a “tiered” approach. Prioritize the most important processes and applications that must be recovered first. Design your plan so that any backup and other supporting infrastructure for these specific processes become available first. In addition, identify obsolete or unneeded applications so that you can optimize the use of precious resources with minimal wastage.
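Rules 1 to 3 above (run a BIA, map critical functions and their dependencies with an acceptable downtime per process, then recover in tiers) can be carried through mechanically once the inventory exists. The script below is an added example written for this article, not code from the author or from any BCP product. The process names, hour values and tier boundaries in it are constructed for illustration. It shows one consequence of rule 2 that the text only implies: a supporting process with a generous downtime tolerance on paper (here "storage") inherits the tightest deadline of anything that depends on it, so it moves into the first recovery tier and the BCP must provision its backup infrastructure first.

```python
import heapq
from typing import Dict, List, Tuple

# Constructed sample BIA inventory (hypothetical processes; not from the article).
# process -> (maximum tolerable downtime in hours, processes it depends on)
SAMPLE_BIA: Dict[str, Tuple[int, List[str]]] = {
    "order-intake": (4, ["customer-db", "identity"]),
    "payroll":      (72, ["hr-db", "identity"]),
    "customer-db":  (24, ["storage"]),
    "hr-db":        (72, ["storage"]),
    "identity":     (48, ["storage"]),
    "storage":      (96, []),
}

# Constructed tier boundaries in hours: a process whose effective deadline is
# within a bound belongs to that tier; anything beyond the last bound is tier 4.
TIER_BOUNDS = [(1, 4), (2, 24), (3, 72)]


def dependents_of(bia: Dict[str, Tuple[int, List[str]]]) -> Dict[str, List[str]]:
    """Invert the dependency map: dependency -> processes that rely on it."""
    rev: Dict[str, List[str]] = {p: [] for p in bia}
    for proc, (_, deps) in bia.items():
        for dep in deps:
            if dep not in bia:
                raise ValueError(f"{proc} depends on unknown process {dep}")
            rev[dep].append(proc)
    return rev


def effective_deadlines(bia: Dict[str, Tuple[int, List[str]]]) -> Dict[str, int]:
    """Tighten each process's own tolerance: a dependency must be back no later
    than the earliest deadline of anything that depends on it (directly or
    transitively). A dependency cycle is reported instead of looping forever."""
    rev = dependents_of(bia)
    memo: Dict[str, int] = {}
    visiting = set()

    def deadline(proc: str) -> int:
        if proc in memo:
            return memo[proc]
        if proc in visiting:
            raise ValueError(f"dependency cycle through {proc}")
        visiting.add(proc)
        own = bia[proc][0]
        memo[proc] = min([own] + [deadline(q) for q in rev[proc]])
        visiting.discard(proc)
        return memo[proc]

    for proc in bia:
        deadline(proc)
    return memo


def tightened(bia: Dict[str, Tuple[int, List[str]]]) -> Dict[str, Tuple[int, int]]:
    """Processes whose stated tolerance is looser than what their dependents need:
    these are the 'hidden' critical functions a BIA should surface."""
    eff = effective_deadlines(bia)
    return {p: (bia[p][0], eff[p]) for p in bia if eff[p] < bia[p][0]}


def assign_tiers(deadlines: Dict[str, int], bounds=TIER_BOUNDS) -> Dict[str, int]:
    """Map each effective deadline onto the first tier whose bound it fits."""
    return {p: next((t for t, limit in bounds if h <= limit), len(bounds) + 1)
            for p, h in deadlines.items()}


def recovery_order(bia: Dict[str, Tuple[int, List[str]]]) -> List[str]:
    """Recovery sequence: a process is ready once all of its dependencies are
    recovered; among ready processes, the tightest effective deadline goes first."""
    deadlines = effective_deadlines(bia)
    rev = dependents_of(bia)
    remaining = {p: len(deps) for p, (_, deps) in bia.items()}
    ready = [(deadlines[p], p) for p, n in remaining.items() if n == 0]
    heapq.heapify(ready)
    order: List[str] = []
    while ready:
        _, proc = heapq.heappop(ready)
        order.append(proc)
        for dependent in rev[proc]:
            remaining[dependent] -= 1
            if remaining[dependent] == 0:
                heapq.heappush(ready, (deadlines[dependent], dependent))
    if len(order) != len(bia):
        raise ValueError("dependency cycle prevents a complete recovery order")
    return order


if __name__ == "__main__":
    eff = effective_deadlines(SAMPLE_BIA)
    tiers = assign_tiers(eff)
    print("process       stated  effective  tier")
    for proc in recovery_order(SAMPLE_BIA):
        print(f"{proc:<13} {SAMPLE_BIA[proc][0]:>6}h {eff[proc]:>9}h  {tiers[proc]}")
    print("tightened by dependents:", tightened(SAMPLE_BIA))
```

On the constructed inventory, "storage" and "identity" carry 96h and 48h tolerances of their own, yet both end up in tier 1 with a 4h effective deadline because "order-intake" needs them; the report makes that visible before a crisis does. Real BIA data also carries cost-of-loss figures and named owners, which the same structure can hold as extra fields.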
4. Test your plan
A controlled testing strategy provides an opportunity to identify gaps in the BCP and implement improvements before a crisis strikes. Identify challenging scenarios and test your plan at regular intervals. Common tests include structured walkthroughs with drills and disaster role-playing, disaster simulation testing with the relevant equipment, supplies and personnel, and tabletop exercises, which involve team brainstorming and ideation for plan improvement.
5. Get organizational buy-in at every level
Management buy-in is crucial to formalize and evangelize a BCP. Instead of just stating the benefits of a BCP, focus on the potential costs of not having a BCP. The workforce should also be made aware of the BCP. Only then will they be able to react appropriately during a crisis.
The best way to deal with chaos in the future is to be prepared today. And this is what BCP is all about.
In 2012, the International Organization for Standardization (ISO) published a new standard for Business Continuity Management (BCM). This standard, ISO 22301, can be used by organizations of all sizes and types. It emphasizes the need for timely escalations as well as transparent communications. ISO 22301-certified organizations can demonstrate to government legislators, regulatory bodies, customers, prospects, and other interested stakeholders that they are adhering to good BCM practices and can maintain operational continuity in the event of a disaster. An organization can use ISO 22301 to measure itself against good, standard BCP/BCM practices, and to design a well-defined incident response structure.
Another standard, ISO/IEC 27001, speaks specifically of the “information security aspects of Business Continuity Management.” It determines whether an organization’s information security ecosystem supports the continuity of its operations and helps certified organizations demonstrate that cyber security is a top priority for them.
ISO 22301 is based on the Plan-Do-Check-Act (PDCA) cycle and has many of the same management elements as ISO/IEC 27001. These include documentation control, internal audit, corrective actions, management review, and training and awareness. This means that an organization that has implemented these elements for ISO/IEC 27001 is also fully compliant with ISO 22301. Furthermore, some other elements of ISO/IEC 27001, such as risk management, are fully compatible with ISO 22301. Since both information security and business continuity protect the availability of information, ISO/IEC 27001 includes business continuity controls in its Annex A. Thus, since many of the elements of ISO 22301 are the same as in ISO/IEC 27001, organizations can implement both standards at the same time.
To make ISO 22301 work well for them, organizations must first thoroughly understand its requirements. They must also realize that BCM and BCP are ongoing processes that require competent people with appropriate knowledge, skills, and experience to respond to incidents when they occur. Strong leadership is also required to ensure that strong support systems and robust organizational structures are provided that will perform appropriately as and when needed. The organization must also undertake Business Impact Analysis and Risk Assessment to understand how the business could be affected by disruption and use this information to develop a strong business continuity strategy.
Everyone is talking about how COVID-19 has led to the creation of a “new normal.” Without a doubt, organizations that have invested resources in Business Continuity Planning will be in a better position to adapt to this new normal than organizations that have not. A BCP can prepare organizations, regardless of their industry, to deal with potential crises and allow operations to continue despite disruptions. Of course, creating a BCP is only the first step. As already mentioned, it must be regularly tested, maintained, and, whenever required, updated. Only then will organizations be able to take full advantage of its many benefits now and in the future.
Al Mahdi Mifdal is an information security subject matter expert with over 12 years of senior information security compliance and consulting expertise for Fortune 500 companies, cloud service providers, Silicon Valley start-ups, and international companies in the healthcare, technology, and critical infrastructure sectors. Al Mahdi has extensive experience managing a wide range of consulting projects (Risk Management, Critical Infrastructure Protection, Security Operations Center Design, etc.) and compliance assessments (PCI, SOC, ISO/IEC 27001, HIPAA, etc.). He currently serves as the Global ISO Assurance Practice Principal at Coalfire Systems and manages ISO assurance services and programs for clients worldwide. Al Mahdi has earned several industry-recognized certifications, including Certified ISO/IEC 27001 Master, CISM, CISA, and PCI QSA.