A Business Continuity Plan, or “BCP”, is often spoken of in hypothetical terms. We think about a range of potential scenarios and ask the question: “what would happen if…?” Those of us lucky enough to still be working are experiencing some of these scenarios in real time.
In the previous blog, we looked at the cybersecurity challenges of adapting to remote working on an ongoing basis. That focused on what we as individuals can do to make our experience safer, and now we turn to the company-wide approach.
Business Continuity Planning has traditionally fallen onto the shoulders of the IT, security or risk departments, born out of Disaster Recovery (“DR”), which involved having a good recovery provision in place in the event of the computer room being out of action. But the current crisis has highlighted why this is not just about IT, and the chief executive or a senior manager should own this issue.
In the event of a crisis, imagine you’re in a scenario where you have multiple key systems but only have capacity to recover one. Would you trust your “IT guy” to know which one?
Now is the right time to engage your management team about it, as it’s affecting them too.
She’s the Boss
Think of all the times you tried to get the CEO or senior management around a table for scenario modelling – often they would be too busy with other more urgent matters. Well, the odds are they’ll listen now because they don’t have to imagine it; they’re living it like everyone else. What’s more, you can be sure they’ve got opinions on what part of the plan worked/is working well and which bits didn’t or don’t.
I’d argue that there’s no better time than now to evaluate the business continuity plan you have. Yes, right in the middle of a pandemic. To quote the inimitable Mike Tyson: “everyone has a plan until they get punched in the mouth”. And if you haven’t got a business continuity plan, now’s the time to write one. Hopefully you don’t need to plan for getting punched in the mouth, but it would help if you know where the nearest hospitals are!
For businesses with an existing Business Continuity Plan, I’d be willing to bet you didn’t diligently follow the plan, and some of the solutions you’ve had to put in place weren’t included. Take a fresh look at where you might apply practical lessons based on what we’ve learned from experience while it’s still fresh in the mind. If you were blessed with 20:20 hindsight and knew this situation was going to happen and could roll the clock back, what would you do differently?
Making Plans for Nigel
Like most things related to security, we’re looking at this through the lens of people, process and technology. Why not start with an extreme example:
- Suppose for reasons of security, the company policy stated we didn’t allow remote working at all? Clearly, in a situation like the one we’re in now, that wouldn’t work so we’d look to circumvent it. We need to write our policies and plans to be flexible enough to deal with extreme scenarios.
- Suppose the current plan calls for all employees to work from home using company laptops if a lockdown happens again. That looks great on paper, but what if just a handful of people regularly bring their laptops home with them? What if the rest of the machines are still in the office that’s locked up and no-one can access? Then congratulations, so much for your plan B. Do you have the capability to pop down to the nearest electronics store and buy a bunch of laptops? Would they have enough stock? Do they have the apps and systems you need?
Nine to Five or A Hard Day’s Night
- Now let’s think about the technical side. Prior to this current crisis, some companies only granted permission to a privileged few to work from home out of hours (usually those night-owls in IT and other support roles). But if we’re in a situation where the office is physically ‘out of bounds’, does the business remote access solution have enough capacity for dozens, maybe hundreds of staff? Will all staff need tokens, or fobs, or some other form of access control?
- What other equipment will people need to keep doing their jobs effectively and productively? Do they have proper chairs for their home office? (That’s more important than you might think, since many people will probably be spending longer hours in them.) What about monitors? Will mobile phone contracts need to change during lockdown because employees will be consuming more data or making more calls?
Every business and workplace is different, so the BCP and the policies underpinning it need to take account of those specific situations. The plan might also need to be flexible enough to apply different sets of rules as circumstances dictate. At a previous employer of mine, we had a strict ‘no social media’ policy. But when one of the big storms hit a few years ago, everyone naturally turned to WhatsApp as a way to share information about whether it was safe to come to work.
Your business needs an efficient way to communicate with staff, so does it just accept the risk? Or does it set up the group so that only authorised personnel can communicate, rather than opening it up to everyone?
Papa Don’t Preach
It’s worth looking at your BCP through the lens of what happens when policy meets practice, and getting different sections involved in running desktop scenario exercises (“Okay, Problem X, Y or Z has happened, what happens next and how would we cope?”). As a bonus, if your business is in a regulated industry, your regulator and auditor will love you for it.
Now is the ideal time to see whether your Business Continuity Plan, as it’s currently written, stands up to real-world experience. What gaps are there? Should there be multiple options: a plan A, B, C and very possibly D as well?
Your BCP should outline what options you’d have, and who you’d call into the discussion if those options don’t work for any reason.
To take a quote from Dwight D Eisenhower, “Plans are useless, but planning is indispensable.”
And if you don’t have one, what better time to write your first BCP?
Won’t Get Fooled Again
The next time around, we might not have a Coronavirus to contend with, but we could well have a scenario where we have to work from home en masse. The change to business operations over the past month has been intense, and it’s fair to say many businesses have adapted well to the pandemic, but it’s also given an invaluable insight into people, processes and technology we might not have had otherwise.
A lot of people now understand their business a lot more than they did before. Let’s not let this opportunity go to waste.