(Issue: May 2021)

Business Continuity Planning from the Perspective of the Pandemic 

By Bob Mellinger, CEO, Attainium Corp., NALMCO Convention Speaker


Bob Mellinger will present on business continuity planning at the NALMCO Annual Convention & Trade Show, Tue., Oct. 12. He also is facilitating a panel discussion focused on NALMCO members diversifying and sustaining business during times of chaos on Tue., Oct. 12. See program information inside this issue or online, www.NALMCO.org

How the lessons learned from the pandemic can impact your existing business continuity plan and help as you develop a new plan. 
 

COVID-19 surely tested your business continuity plan if you had one. If you had no plan, things may have been more challenging. Plan or no plan, this pandemic may still be challenging you today as it continues to disrupt our lives. While we struggled through the demands of working at home, everyone learned a lot about what worked, what didn’t work, and what might have been done differently. If you had no plan, we hope you were taking notes about things to consider as you develop one. It’s possible that the most important lesson learned was that you need a plan or, at the very least, that your plan probably needs updating to be prepared for the next crisis. Even as the situation improves, we will face challenges over the next year and even into the future; experts believe that COVID-19 probably won’t be the only pandemic or challenge we face in the year or years ahead.
 
Risks and Assumptions 
We’re all aware that one of the first things we have to do when we put together a BC plan is to identify the threats and hazards we are planning for. Once you have identified these, it’s important to note that you cannot be prepared for every possible disruption. You need to concentrate on what is most likely to occur and have the most impact. For that reason, it’s unlikely many prepared for a pandemic because it was, we thought, not likely to occur although the impact would be great. The next step would be to attempt to identify the potential for any risks to occur and, critically, to identify the consequences of those risks. For example, the probability of a meteorite hitting your facility is likely quite small, although the consequences from such an event would be huge. The risks on which you want to concentrate are those in which both the likelihood of occurrence and the potential consequences are in the medium to high range. 
 
In addition, in the past months of this pandemic, we’ve learned some difficult lessons about continuity and resilience, many of which should inform our ongoing planning. It’s time to figure out what new risks—beyond hurricanes, fires, cyber-attacks and others—might challenge our resilience in the future. It’s clear we have to identify additional business continuity planning assumptions in the light of those lessons; you can’t rely only on the assumptions used for your current plan. You know you could handle power outages, transportation shutdowns, chemical spills in the neighborhood, a fire and other disasters. But honestly, did you have a plan for what we’ve experienced with COVID-19? 
 
More to the point, we need to plan now for the next crisis. The consequences of COVID-19 have been far greater than we could have imagined, so we need to think bigger as we plan for the future. Scientists believe that unique risks will result from climate change as well as the frequency of pandemics as temperatures rise and lost habitats result in humans and animals living closer together and transmitting disease. Others warn that the melting permafrost could cause ancient diseases to reemerge. Air pollution also could cause viruses to become airborne and spread faster. All of this should give us a lot to think about as we begin to plan or update our plans. The recent freezing and flooding in Texas should be a lesson also, because of the consequences that affected so many people and businesses.  
 
We now know that we should plan for extended periods out of the office if necessary, shutdowns ordered by the government, as well as the need to maintain (and obtain if necessary) additional equipment to allow people to work from home. And what about ensuring that people working from home have access to broadband and digital communication equipment? The challenge for all of us is to try to identify what additional risks could impact us in the next couple of years, how probable they are and how much of an impact they might have.
 
Reputation damage, litigation, and other factors increase the odds against business continuity; there is significant potential for loss of income if you are not prepared. An organization should be prepared for anything that could happen—ready to protect its employees, clients/customers, members, and, to the greatest degree possible, its reputation and financial viability. It's entirely possible that one ruined or badly handled incident might result in extensive revenue losses and require years of rebuilding reputation and attendance.  
 
Mitigation—The Art of Helping Prevent Disruption 
Mitigation is everything you do to prevent a disruption from occurring or to minimize its impact—activities aimed at reducing vulnerability, activities performed in advance to decrease impact, loss or damage. There are any number of potential disruptions that you might be able to mitigate. And what about this pandemic, you might ask? That’s a good question, since it’s unlikely we would have been able to prevent it. If we had considered in the planning stage that we might have to deal with a pandemic, we might have been able to do something to make it easier on everyone.

Now that we know that such a risk is possible and even inevitable, we need to think about how to plan for the next such crisis. For example, instead of scrambling to come up with sufficient equipment for everyone to work at home, what can we do now to prevent all that scrambling? How can we plan for virtual events and meetings? As you think about mitigation, you also need to prioritize which risks might cause the greatest disruptions and plan for those first. It’s important to keep things in perspective. Any consequence that might involve potential critical injury or loss of life must take precedence over less critical outcomes. 

Where Do You Begin to Plan?  
Business continuity planning is a time-consuming, ongoing process. After you have been through the tasks of identifying your risks and determining any possible mitigation steps, the steps below can help get you from no plan or an outdated plan to a workable plan. Wherever you are in the process, your efforts will benefit from implementing or rethinking these steps.

Identify your key business functions. You need to assess the criticality of your organization’s business processes and determine the impact and consequences of loss of service or a reduction in normal service levels. Your key business functions are those that, under no circumstances, could be subbed out to a contractor/vendor and must remain viable to the organization to continue to function. I’m sure you already see a problem here: during this pandemic, did your key business functions change? In what way? How are they likely to remain in their current state and how does that affect your planning? 

Determine your recovery time objectives. Once you have identified the key business functions, your next step should be to determine your recovery time objectives (RTO) for each function. How long can you be without each function before the situation goes critical? This will help you determine what you should concentrate on first. Again, however, how did/do your RTOs change during this pandemic? What will they be going forward?

Ensure the safety and security of your people. In any disruption or disaster situation, the safety of your employees should be your main consideration. Start by making sure you have a complete employee roster and contact information for everyone. Have a complete evacuation plan and practice it; every employee should be familiar with it and know what to do. What will you need in a shelter-in-place situation? As people return to the workplace, this will still hold true. But what will be unique about sheltering out of place when the office is off limits? 

Protect your network, data and records. This is critical to ensuring the future viability of your firm. You have a secure network, but do you have a backup network—at some distance from your primary location—in the event your primary network is compromised? Maintaining your important records in the cloud is perhaps the best option and can make data available to employees working from home. 

With what you have seen this year, you need to consider what you would add or change to strengthen your plan if a similar situation were to occur again. How will you build resilience into your organizational DNA? Is this really a good time to update your plan? Absolutely. With the knowledge of what worked, what didn’t and what wasn’t even considered, this is the best time. Act while the results are fresh, so you won’t get caught again without the strongest plan possible.

Bob Mellinger is the president and CEO of Phoenix, AZ-based Attainium Corp. For more information about the Plan-A-ware™ service, tabletop exercises, drills, and The Disaster Experience, contact Attainium Corp. at (571) 248-8200 or ContactUs@attainium.net, or visit the Attainium web site at www.attainium.net