Reimagining operational resilience in the aftermath of COVID-19

John Beattie, Principal Consultant at Sungard Availability Services, explores how organisations can evolve business continuity plans to adapt for the ‘new normal’ within the workplace

We live in a time of both uncertainty and unrest, with every nation facing the unknown consequences of COVID-19 which has so far impacted hundreds of millions of people and businesses. The UK has been in a state of lockdown since the end of March with nearly 9 million people placed on the government’s job-retention scheme. The scheme, introduced in response to the economic damage caused by the Coronavirus (COVID-19) pandemic, covers 80% of an employees’ usual monthly wage. Recently released official figures show the number of workers on UK payrolls dived more than 600,000 between March and May. Most UK offices remain closed and companies have been forced to adapt rapidly. This pandemic has changed the way we live and work more than any other event in peacetime history.

Operational resilience has also changed forever. Businesses have begun taking careful steps to reopen the workplace and to plan for future threats, but both in the short and the long term, companies will need to reimagine their approach to resilience.

Traditionally, most disruptions posed two major threats: workplace displacement and workforce unavailability. These can be caused by hurricanes, fires, flooding, power outages or even a car through the front of the building. And yes, even pandemics. But what’s new here is the extended duration of these disruptions in light of the current pandemic. Few organizations planned for disruption to last more than a few days.

Data loss and third-party disruptions are the new threats due to the high dependency organizations have on both and the severe impacts if disrupted. Cyber-attacks often happen weeks or months before anyone notices, giving malware an opportunity to spread and corrupt an organisation’s backups. And as we have seen from the COVID-19 pandemic, supply chains and service networks can be severely disrupted.

Today, organisations face the potential of annual long-term lockdown cycles and reduced access to facilities, something that might never have factored into any planning for most. With such uncertainty, organisations must prepare for future events accordingly. The world is now very different, and resilience planning must adapt. A resilient culture, and agility that extends beyond working remotely, are now key for business success. Now is the time to start focusing on the future state of operational resilience.

Here are four areas that business leaders should reimagine in the aftermath of COVID-19.

1. Executive-level focus on resilience

 The current pandemic has exposed the shortcomings of many companies’ business continuity (BC), crisis management, disaster recovery (DR) and pre-COVID-19 pandemic readiness plans.

So often, check-the-box plans are high level and offer no actionable detail. They include out-of-date content, aren’t sustainable for long-term disruption (as they focus on short-term disturbances) and they don’t feature pre-event preparations and work acceleration strategies.

Additionally, COVID-19 has demonstrated that resilience is too critical to fall under the jurisdiction of a single department, as there are often gaps between disciplines that are siloed from one another. Both investors and board members want to know that a company is resilient enough to withstand long-term disruption. Resilience has become a top C-suite issue.

Organisations must review their entire business resilience program and incorporate enhancements based on proven best practice and lessons learned from the pandemic. Launching a working group within an organisation to improve and integrate each of the key business resilience disciplines, will help leaders ensure a holistic approach is in place that can be called upon regardless of the situation. Disciplines should include crisis management, business continuity, disaster recovery, pandemic planning, site emergency management, risk management and vendor risk management.

Working groups should also focus on internal and external concentration risk, contingency, and disruption response planning, and prepare for future challenges that threaten the business. Concentration risk can be split into two categories. The first is an over-reliance on a single/limited number of vendors. This is a classic case of putting all your eggs in one basket. If an organisation relies heavily on a single provider for many products and services—especially critical ones—that institution might be unable to operate if something happens to that vendor. The second is geographic concentration. If both an organisation and its third-party vendors are in the same region, it’s possible that the same event could impact both parties’ operations since they all rely on the same power and telecommunications infrastructure. With resilience officials leading a multi-disciplinary team within working groups, organisations should be ready to answer any questions from executives and the board about preparedness for what comes next. 

2. Third-party vendors’ business resilience

Cybersecurity and data protection have long been at the forefront of vendor risk assessments, but those are no longer enough. It’s time to thoroughly evaluate third-party vendors’ business resilience capabilities.

Ask questions that go beyond the presence of a plan. Organisations need to know whether there is an actionable and well-understood plan in place, what is tested, and how its tested.

Be sure to touch on the “effectiveness duration” of different disruption response strategies (i.e. how long plan(s) can withstand a disruption). Business leaders need to know that suppliers have response strategies in place to overcome disturbances for 60, 90 or more days.

Organisations must evaluate concentration risk as well. Are suppliers geographically dispersed, or are they all situated in the same region? Are the facilities and workers that support the products and services they provide all located in the same area or in different regions? Having all your eggs in one basket puts organisations at a major disadvantage if any vendors experience disruptions. That’s why lowering concentration risk must be a top priority and that may mean diversifying a supply chain.

3. Disaster recovery (DR) effectiveness in the new normal

COVID-19 has challenged organisations to work beyond their normal workplaces, with a reduced workforce and less than satisfactory service from third-party suppliers.

But in the broader scope of business resilience, organisations must also be ready to work in the aftermath of an IT disaster or a successful cyberattack that comprised data. As such, DR programs must be ready for both recovery cases.

Upon looking closely at DR processes, many organisations are realising they aren’t aligned with their rapidly changing production environments and that their test programs aren’t effective. In many cases, they’re unprepared to undertake a real DR effort while working virtually.

To make sure a DR program is up to date and relative to the current working environment, organisations should be able to answer these questions:

• Can you recover while working remotely?
• Can you verify recovery effectiveness in complex hybrid computing environments?
• Have you addressed concentration risk within IT from a people and data centre perspective?

It’s also important to maintain a regular testing schedule. Doing so will help to close any resilience perception gaps and allow companies to iron out any issues before a disaster arises.

4. Readiness for a future pandemic

Many companies were caught flat-footed when the pandemic hit. The only way to prevent a repeat of that is to start planning now for the next outbreak.

Organisations need to develop a pandemic readiness plan to monitor and manage significant potential and realised health threats. This should include proactive and reactive actions to prevent or reduce the transmission of a health threat to personnel, contingent workers and visitors.

Response strategies for various scenarios in which business dynamics change will be crucial, as will internal and external communication protocols for general information updates and urgent announcements. By developing a pandemic management plan, organisations can address the entire lifecycle of an infectious disease outbreak – monitoring, preparing, responding and recovering from it.

Consistent adaptation

Regardless of COVID-19’s long term impact, the future of an organisation’s operational resilience is in its own hands. By addressing these four areas, businesses will be more agile and better equipped to clear any hurdles down the road.

By employing the right combination of business continuity tools, adapting to changes in the current situation, and sharing the burden of knowledge relating to best practices for limiting the spread of infection, business leaders can ensure overall resilience and availability of products, services and operations.

Business leaders should review their existing business continuity strategy on a daily basis, proactively monitor the news for recent developments, check government advice regularly, and react in a timely manner.