There’s a big difference between believing your business is prepared for a disruption and actually being equipped to handle one. Many organizations learned this lesson the hard way when COVID-19 came into the picture – and it cost them.
Now, businesses have a lot to think about. Aside from following guidelines for returning employees to the workplace, they must strategize for threats which may arise both in the immediate future and in the months and years to come. As such, more companies are refocusing their attention on operational resilience and risk at every level of their organization.
To ensure your organization is prepared for future challenges, you need a resilience culture and agility which go well beyond working remotely. As you reimagine operational resilience, here are four actions you must take to revamp your business continuity (BC), crisis management (CM), disaster recovery (DR), and pandemic readiness (PR) plans and prepare for future disruptions.
1. Integrate COVID-19 lessons learned
When the pandemic arrived, many companies had flawed BC, CM, and PR plans. They didn’t realize it until they had to use them. As companies thought more about holistic resilience, many realized their DR programs also weren’t ready.
COVID-19 exposed every deficiency.
Many organizations quickly discovered their plans were too high-level, lacked actionable detail, contained outdated information, or were unsustainable for any disruption which lasted more than 30 days. There was little to no BC planning for IT activities, so everything from the help desk to cyber security operations to technical operations had no guidance and had to scramble to adapt to changing circumstances. Many organizations hadn’t made pre-event preparations because their plans offered no guidance on doing so. When employees had to start working remotely, the plans offered no strategies for how to quickly get everyone up and running at home.
In many cases, IT couldn’t support large-scale disruption and the workforce wasn’t ready to act or implement plans. The one bright side is the pandemic shone a light on all the shortcomings, and now every organization can use these lessons learned to create stronger plans and increased resilience.
One of the most important lessons from the pandemic is the importance of resilience planning. Now more than ever before, board members and investors need to feel confident their organization has the resilience measures in place to survive a long-term disruption. As a result, resilience planning has been elevated to a C-suite concern. Resilience is too important to be the responsibility of a single department, and the gaps between siloed disciplines make it nearly impossible to gather all the information without concerted coordination. Doing it right requires the effort of the entire organization.
Now is the time to evaluate your entire business resilience program and integrate improvements based on established best practices and COVID-19 lessons learned.
To make sure you have a holistic program that’s ready for action no matter the situation, create a working group within your organization. This working group will be tasked with enhancing and integrating each of the key business resilience disciplines which include CM, BC, DR, PR, site emergency management, and vendor risk management.
Beyond integration, your business resilience working groups should address internal and external concentration risk — how many critical employees and facilities are in a single geography — as well as planning for contingency and disruption response and for challenges which could jeopardize your business in the future.
You should appoint a single stakeholder — a resilience czar — to lead a multi-disciplinary team within your working groups. In the end, you’ll be more than ready to address questions from executives, investors, and the board about your organization’s resilience readiness.
2. Confirm the business resilience of your third-party vendors
Traditionally, vendor risk assessments have zeroed in on cyber incidents and data security. The questions are typically too general, and focus on how vendors deal with brief outages and not their ability to handle prolonged disruption. Assessments rarely ask about risk around the specific services and products on which organizations depend.
The pandemic made it clear those basic questions are not enough.
Don’t just make sure your vendors have plans in place; determine if their plans are actionable, well-understood by employees, and have been effectively tested.
Focus on the effectiveness duration of various disruption response strategies (i.e., how long their plans can withstand a disruption). It’s important to know your third-party suppliers have response strategies which can handle disturbances for 60, 90, or more days.
You must also make concentration risk part of your evaluation process. For instance, are your suppliers geographically dispersed or are they all located in the same region? Do individual vendors spread out their facilities and workers which support the products or services you need, or does everyone work out of the same office?
If your vendors are concentrated in the same area and a virus, flood, or power outage causes a regional disruption, you could be left in a precarious situation. Lowering concentration risk and even diversifying your supply chain can go a long way.
3. Take a fresh look at your overall disaster recovery program
Operating with a reduced workforce and experiencing service delays or disruptions from third-party suppliers are only a few ways the COVID-19 pandemic has forced companies to step outside normal workplace conditions.
Don’t forget to keep your eyes on the big picture. If you aren’t regularly updating and testing your DR plan, you will be more susceptible to other disasters. An IT disaster or a successful cyberattack which compromises data would be especially damaging to many businesses right now. Your DR programs must be equipped and ready for both of these recovery scenarios and others as well.
Oftentimes when organizations take an in-depth look at their DR programs, they discover two major issues: their programs are no longer aligned with their changing production environment and their testing programs aren’t rigorous enough. During the pandemic, organizations recognized a third issue, one that’s especially important right now. Many DR programs don’t account for how key employees will execute the plan while working virtually.
As you take a fresh look at your DR plan, make sure you’re able to recover while working remotely, verify recovery effectiveness in intricate hybrid compute environments, and address concentration risk in IT, both from a people and data center standpoint. Also be sure to keep a regular testing schedule. This will help your organization close any resilience perception gaps while giving you the opportunity to address any problems before a real disaster hits.
4. Plan for a future pandemic
When COVID-19 began to spread, some organizations realized they didn’t have pandemic readiness plans. Others had plans which had been drafted years ago and were long outdated. Now as some companies reach a new normal after scrambling to adapt to the pandemic, the last thing any company wants is to find itself in the same position in the future, whether that’s in six months or a decade from now.
As such, it’s imperative you begin planning for the next outbreak right now.
Whether you’re building on an existing pandemic readiness plan or starting from scratch, be sure to go beyond a traditional mass absenteeism situation and craft a plan to monitor and manage legitimate hypothetical and realized health threats. Your plan should consist of the following:
- actions before and after an outbreak hits to prevent or reduce the transmission of a health threat to personnel, contingent workers, and visitors
- emphasis on continuing essential business operations and support services while softening the business impacts of an outbreak
- response strategies for a variety of scenarios where business dynamics change
- communication protocols, both internal and external, for general information updates and rapid distribution of urgent announcements
- a designated leader to take charge of the response
With a pandemic management plan in place which encompasses the lifecycle of an infectious disease outbreak (everything from watching for it and preparing for it to responding to it and recovering from it), you’ll be prepared when the next outbreak arrives.
Rethink resilience and risk today
Your organization’s operational resilience and risk might not have been top of mind at the beginning of 2020, but COVID-19 changed everything. Every business is now reassessing its resilience and forging stronger plans which prepare it to weather any disruption.
By taking these four actions, your company will be more agile and ready for whatever comes next.