When the pandemic struck in 2020 and the world was told to “Stay at Home, Protect the NHS and Save Lives”, everybody complied, and life was put on hold for 3 months. Little did we know! Everyone was asked to “work from home, if at all possible” and this impacted most businesses with many sadly closing for the final time.
Business Continuity is the process of “pro-active planning that facilitates the rapid recovery of business operations to reduce the overall impact of the disaster, while ensuring the continuity of the critical business functions during and after a disaster.”
As we now have more and more data and insight about businesses that experience a disaster or extended outage, the following statistics are generally agreed. Out of 5 businesses:
Two will not re-open.
A third business will close within 2 years.
So, as a rough rule of thumb, 60% of businesses experiencing a disaster will cease operations within 2 years.
That is a frightening, yet true fact. Many businesses have suffered throughout the pandemic and many have sadly been forced to close.
Traditionally, many businesses spend a fortune on antivirus, firewalls, and other such tools to prevent themselves from suffering a disaster due to being hacked. This is because, with the rise of ransomware and hacking attacks, there is a surprising increase in acceptance that being attacked is ultimately inevitable and simply a matter of time.
Unfortunately, the reverse is true for Business Continuity. There is a lack of media coverage when Business Continuity Planning works well, simply due to a lack of media interest. It would probably be quite difficult to find a publication that would be interested in running a story where an organisation had a disaster but, due to its Business Continuity Planning, the organisation was not affected and there were therefore no repercussions. This lack of awareness is sometimes a risk, as not all businesses plan for Business Continuity, let alone include planning for a pandemic, as we have seen over the last year.
Without Business Continuity Planning, all businesses are at risk.
Rudin’s Law states “When a crisis forces choosing among alternatives, most people will choose the worst possible one”.
Planning for a Pandemic is an essential part of Business Continuity Planning (BCP). The first rule of BCP is to “save lives”. Without humans in a business, there is no business.
Humans are the weakest link in Cyber Security, a fact that has been proven time and time again by the prevalence of “phishing attacks”. Cyber Security Awareness Training provides guidance and education to humans to counter Rudin’s Law.
Likewise, many companies practise fire drills – again, this is to counter Rudin’s Law.
Frustratingly, many companies have a Business Continuity Policy but have not bothered testing it. It is like owning a car, never driving it and then hoping it will start when you need it. Sadly, it does not quite work like that.
If a Business Continuity Plan is not tested regularly and the test results used to enhance and develop the plan, then it is extremely likely that the plan will fail when the business needs the plan the most.
So why should Business Continuity Planning involve planning for pandemics?
A Pandemic is defined as “A global outbreak of a disease that occurs when a new virus appears or emerges in the human population.” We have seen just how quickly this can take over the world in the last year.
According to Johns Hopkins University (https://coronavirus.jhu.edu/data/mortality), the mortality rate of COVID-19 is 9.3% in Mexico. For this example, the figure is rounded up to 10% and is therefore a worst-case scenario.
If an employee brings COVID-19 into a building of 1000 people, then using the 10% approximation for BCP, 100 members of staff could potentially die. If this strain infects the Management Team, then there is the possibility for the entire Management Team to be wiped out by the virus. How will the business continue to function?
If we run the COVID-19 Scenario Table-Top Test (a documented scenario walkthrough) with a smaller organisation of 50 employees, then using our 10% fatality approximation, there is the potential for 5 members of staff to die. Again, in a small business, this would have monumental effects and damage to the organisation if it were to be the Management Team that was affected. There is the risk that without the Management Team, the organisation would cease to exist, and the remaining members of staff would be left without employment.
According to the World Health Organization (https://www.who.int/news-room/fact-sheets/detail/ebola-virus-disease), Ebola outbreaks have an average fatality of 50%, with a range from 25% up to 90%.
A strain with a fatality rate of 90% would kill 45 out of 50 staff and therefore also the business.
A strain with a fatality rate of 50% would still kill 25 out of 50 staff and certainly impact the business.
So now we know why Pandemic Planning is an important part of your Business Continuity Planning.
On a final note, I have personally trained the mile2 Certified Disaster Recovery Engineer course (https://www.mile2.com/cdre_outline/) around the world in over 25 countries. I trained organisations in Africa at the height of the Ebola outbreak to assist them with planning for a pandemic.
There was one training slide that I now need to update. It states, “There will be a pandemic and it will be within the next 5-10 years”.
A few key considerations for your Business Continuity Plan:
Ensure that there is enough Personal Protective Equipment that includes masks (KN95+) in case an infection is discovered in your workplace and people need to be isolated and sent home. This is to prevent contaminated stakeholders from contaminating other people either at work or on their way home.
Create a risk assessment of all the issues that could affect the continuity of the business. This should address a wide range of situations from pandemics, extreme weather and fire or flooding to redundancies/mass loss of staff and cyber-attacks.
Ensure (at least) key staff can access their work remotely.
Make sure the plan is clearly communicated to staff to ensure they know what to do in case of an event. This could be as simple as telling non-managerial staff to await further instruction from their manager.
Make sure managers understand their authority within an event, i.e., who can send employees home? Who can purchase equipment, e.g., laptops, portable toilets or alternative office space?
Using the ‘commander’ system of Bronze, Silver and Gold allows senior members of staff to understand their responsibility within a situation or incident, so that they are able to make proactive, informed decisions.
Ensure there is a range of staff involved in testing the plan. In the event of an incident, critical senior staff who would usually be relied upon may not be available, e.g., they could be on annual leave that day or off sick, and someone else in that department may be able to ‘step up’.
When testing the plan, ensure some of these tests are conducted off site to make them as realistic as possible. For example, if you are expecting staff to connect to the corporate network remotely via a VPN, make sure they know how to use it and can. A common issue arises when licences are needed and the organisation has not purchased enough for all staff to use at once, causing further delays while IT staff scramble to get authorisation and then purchase additional licences.