Manager, Client Solutions
Lessons Learned from the Pandemic: Business Continuity Strategies to Increase Resiliency
Throughout 2020 and into 2021, COVID-19 has been an ever-evolving puzzle for business continuity professionals to solve—and a puzzle that, at times, feels like there are critical pieces missing.
As business continuity practitioners, we have had to combat a lack of consistent or clear guidance on how to best deal with the virus because of so many unknowns.
In addition, many organizations–even those with mature business continuity programs–may have had plans in place, but didn’t anticipate a disruption as far-reaching as COVID-19.
It’s kind of like what Helmuth von Moltke, a Prussian General in the 1800’s, once said, “No plan survives first contact with the enemy.” Or as Mike Tyson stated more plainly, “Everyone has a plan, until they get punched in the mouth.”
While you may have thoughtfully developed your organization’s business continuity plans, there is often no better evaluator of plan effectiveness than a real disruption.
Opportunity in Disruption
While many organizations may have struggled with initial COVID-19 response, the pandemic has also created opportunities for business continuity professionals to demonstrate program value and re-design it to be better than before. We would be foolish to not use this event as an opportunity to improve our programs and increase our organizational resiliency.
COVID-19 creates unique opportunities for business continuity practitioners to:
- Demonstrate business continuity value to stakeholders who previously did not understand program benefits or value. This may also benefit your program by allowing you to get additional program resources that were previously overlooked or denied.
- Use existing business continuity plans to address some of the many problems COVID-19 causes–a loss of personnel, facility, third-party service providers, and, in some cases, technology disruptions.
- Engage risk disciplines or groups throughout your organization that your business continuity team may have not worked with in the past. Areas might include IT disaster recovery, vendor risk management, and physical security.
- Coordinate information security teams, especially with so many individuals working from home now. If this coordination has not occurred in the past, COVID-19 creates a catalyst for this interaction, and in many cases, by necessity.
- Facilitate greater stakeholder buy-in and coordination to lead to greater resilience for your organization overall.
One of my clients, a manufacturing organization with about 1,000 employees, implemented a business continuity program six years ago. Today, they have a mature program with established plans and consistent execution.
But even with program maturity, there has been a consistent struggle—engaging leadership and alternate risk disciplines in the program.
Leadership’s approach was, “We’ll figure out how to respond when a disruption occurs.” And while the team believes business continuity is useful, they thought it would be unlikely a disruptive event would occur.
On top of that, risk disciplines such as IT disaster recovery and vendor management, were reluctant to participate because they saw their own initiatives as separate from business continuity. They understood that business continuity is an important business initiative, but didn’t think it concerned other groups.
Because of this, there were issues early in their COVID response caused by a lack of executive engagement and integration with other risk disciplines. As a result, the program manager expended significant effort for on-the-spot executive training about effective engagement with the crisis management and other response teams. And, as they worked through issues, they exposed some strategies developed in a silo, for example remote work plans that were built without IT input.
The good news? The organization was still able to effectively responded to the pandemic because of the existing framework that had been established. In addition, the program manager also successfully demonstrated business continuity processes and structures are part of an initiative that should be coordinated effectively across all disciplines.
A Framework for Success
The above example is by no means unique. We’ve heard firsthand from many business continuity practitioners that their organizations have experienced many of the same response issues. That’s why we’ve developed these suggestions your organization can employ to improve your program and better prepare you for future disruptions:
1. Design Your Response Structure with Executives in Mind
In our Business Continuity Management Survey, a majority of organizations (38%) have C-Level executives leading COVID-19 response instead of crisis management (31%), business continuity (15%), or other departments such as IT or HR.
This is probably not surprising given the extreme nature of the event and significant disruptions many organizations face. This necessitates that business continuity response structures be flexible enough to adapt during a disruption, and include participants that may not normally lead a response.
Many companies, especially at larger organizations, design their crisis management team so it operates just below the C-Suite. While this may be sufficient for most incidents, in a more significant disruption, C-Suite will want involvement. That’s why you should design your response structure to account for this possibility and ensure that your plans and procedures provide a clear executive leadership engagement strategy.
For these organizations, where executives aren’t always involved in the crisis management team, consider designating an executive liaison (if not the team leader directly). This role should provide status updates to executive leadership, help executives stay connected to the response, and facilitate participation as needed.
You should also define events types that may require executives to lead response ahead of a disruptive event. This may include a financial threshold, significant events like a pandemic or cyber breach, or other criteria based on executive input.
Advanced planning takes the guesswork out of the equation and ensures all stakeholders have a clear understanding of how they’re expected to participate based on event impacts. Of course, if you want executives involved in response and recovery, they should also be trained and have access to appropriate resources. Designing your response structure to accommodate this flexibility is a critical first step.
2. Develop More Effective Exercises
While many organizations have appropriate strategies to address a pandemic scenario, for many, exercising these strategies did not effectively identify planning gaps prior to the pandemic.
For example, many organizations use laptops and their plans indicate if a disruption affects a primary work location, employees can work from home. Unfortunately, few organizations actually test this strategy to ensure the network/VPN can support all employees working remotely at one time or that all critical systems are accessible remotely.
As we saw at the beginning of COVID-19, many organizations had to quickly address these issues as many employees were hindered from effectively working from home.
Here’s another example: Many organizations identify alternate suppliers for critical services or products, but most have not gone through steps to switch a workstream to an alternate supplier. And unfortunately, many organizations fail to discuss a response strategy for what happens when the primary and alternate suppliers are unavailable simultaneously, like we’ve seen during the pandemic.
These examples re-enforce why it’s important for business continuity practitioners to evaluate current strategies and identify where your organization may make assumptions, which should be evaluated further.
I’m not recommending exercising to the Nth-degree and evaluating disruption upon disruption. There is certainly a cost/benefit analysis you should consider when identifying strategies for further evaluation. However, if there are strategies where failure could be highly impactful (i.e., if all employees can’t work remotely effectively that would be a significant issue), your organization should test them. After identifying these strategies for further evaluation, develop testing plans to more accurately identify gaps and address these issues prior to a disruption.
3. Focus on Organizational Resilience
According to the survey, organizations who fared the best with COVID response are the ones that don’t place business continuity in a silo but, instead, focus on overall organizational resiliency.
The survey shows that programs focused solely on IT or only on business initiatives are less likely to have effective plans to guide COVID response. As mentioned previously, COVID-19 has impacted far more than most “standard” business disruptions. Because of this, business continuity programs with plans and strategies developed in conjunction with IT, information security, vendor management, or other risk disciplines are in a much better position to respond effectively to a significant event.
In addition, even when strategies may not fully mitigate impacts, a business continuity program focused on overall resiliency is in a much better position to adapt and respond appropriately because all pertinent stakeholders are included in the process.
Start the journey toward overall resilience by setting formal checkpoints with alternate risk disciplines throughout the year. You can use these checkpoints to train participants on response structures and align objectives to address conflict areas. By breaking down organizational silos, you can take the first step in becoming more resilient in all aspects of preparedness.
We’re starting to see a trend in business continuity programs: As businesses evolve and the world gradually becomes more complex, the need to integrate response and recovery structures throughout an organization is more important than ever. Siloed programs result in duplicated work, a limited understanding of threats and risks the entire organization faces, and because of that, an inability to develop holistic strategies.
Resilience principles focus on breaking down silos and integrating various disciplines to leverage capabilities of each and achieve organizational goals. Primarily, this is the result of setting checkpoints with each of these groups to ensure coordination and initiative alignment.
In addition, you should also consider consolidating steering committees for these various disciplines into one risk management committee. Beyond coordination at the tactical level, coordinating at the strategic level also ensures you can overcome structural differences between programs, and that all programs receive the same guidance and prioritization.
By integrating these disciplines, program managers can engineer scalable solutions, increase organizational resiliency, and ensure clear swim lanes for everyone involved in planning and response.
If you’d like to learn more about integrating risk disciplines, check out this blog post.
Never Waste a Crisis
As Sir Winston Churchill said during World War II, “Never let a good crisis go to waste.” That’s certainly true in business continuity. To improve your organization’s response:
- Consider if you have effectively included executives in your response structure to account for significant disruptions that may occur in the future.
- Reflect on how your program conducts exercises.
- Determine if there are strategies where you made significant assumptions and validated those more aggressively in the future.
Finally, it’s critical going forward not to just think about disruption response in a silo, but work to integrate strategies and initiatives with your colleagues in IT, information security, and vendor risk. By building off these objectives, you can make sure your organization is better prepared for whatever the future holds.
If you’d like to learn more about how we can help improve your business continuity program and build off of lessons learned from COVID-19, please schedule a call with our team today.
Get resilience insights delivered to your inbox.