Uncertainty continues to swirl around the COVID-19 virus and its short- and long-term business impacts, a situation that makes business continuity planning (BCP) especially difficult. While most BCP focuses primarily on mitigating impacts to the business, BCP for epidemics/pandemics like COVID-19 must also consider the inevitable impacts on customers.
After considering new virus-specific threat models (e.g., travel bans, forced remote work, etc.), organizations should methodically review and re-assess their current BCPs to ensure business can continue as close to normally as possible in the event the virus spreads more widely. This review should include assessing remote work capabilities, creating strong communications plans and running tabletop exercises, among others.
The security team for a financial services company has been asked to attend the next executive leadership meeting to discuss the new coronavirus (COVID-19) and how it affects the company’s current BCP. Specifically, the team asks:
- What are the primary threats and business impacts from COVID-19 at the current time?
- From an operations standpoint, how can we ensure we can continue to serve our clients if it escalates in the U.S.?
- What guidance should we be providing at this time?
A Broader BCP Focus Is Required
Business continuity planning surrounding an epidemic/pandemic event can be highly challenging because of its pervasive direct and indirect impacts. Typically, BCP focuses primarily on events that impact business operations. COVID-19 differs, however, because it threatens both business operations and the customers themselves. As such, BCPs should also consider how customers will potentially be affected, directly or indirectly, by an outbreak. Examples include events like failing market confidence and a high volume of withdrawals (a “run on the bank” situation).
Threats to Consider
Focusing on the potential impact on the operations of the organization, some rudimentary threat modeling can be a quick place to start. Examples to consider include:
- Local travel bans
- National travel bans
- International travel bans
- Outbreaks and quarantining sites or regions
- Forced move to a remote workforce
- Inability to staff locations
- Inability to manage IT resources
- Unwillingness of staff to be exposed to customers
The general theme in most pandemic threat models is the inability to complete work due to travel bans, sickness of employees/customers or restricted access to physical locations. Additional threats may be considered; your business continuity staff should be consulted because they are the most familiar with the nature of your business.
Mitigations and Contingencies
The goal of a BCP program should be to identify mitigation techniques and management plans should such events occur. Based on the tough threat list associated with COVID-19, you should:
- Ensure you have means to contact all employees quickly and efficiently. Do you have phone trees, contact lists or other methods in place? Have they been updated recently?
- Review business impact analyses from all physical sites. This entails understanding and identifying the most critical sites to support operations, and having multiple contingency plans for having to collapse overall operations to various combinations of sites.
- Understand the potential impact to key business partners. Depending on the nature of your business, you may have upstream or downstream business partners, suppliers or other dependencies impacted by travel limitations, quarantines, etc. Review existing or establish new contingency plans for critical dependencies to ensure you will be able to meet business demands or goals.
- Identify and categorize staff criticality for operations. If possible, communicate critical and non-critical status (using your chosen nomenclature) to staff to support any forthcoming notifications. You should also identify and prioritize critical business functions to perform in event of limited staff availability.
- Review and reassess your organization’s ability to support a remote workforce. For example, you should identify whether you can appropriately support:
  - Remote access: Do you have the technologies and bandwidth to support remote access for 50 percent, 75 percent or 100 percent of your workforce, including technologies like desktop virtualization, virtual private networks (VPNs), etc.?
  - Remote work: Consider whether employees have appropriate home internet connections, laptops, phones, scanners, headsets, etc.
  - Remote work/access costs: Understand what the potential cost structure could be for shifting to long-term remote work, such as paying for home internet, phone, software licensing, etc.
- Review and re-assess travel plans. For those who absolutely must travel internationally, in addition to following established best practices for cybersecurity hygiene, consult the World Health Organization’s daily situation reports and travel advisories.
- Prepare and communicate best practices for interacting with customers. Consider purchasing and supplying prophylactic materials to staff to prevent disease transfer.
- Consider establishing an executive-level health advisory officer. This person should have relevant medical experience to interpret communications, trends and true threat levels based on intel provided by the World Health Organization, Centers for Disease Control and Prevention and others. This individual can help communicate infection avoidance guidance for employees, as well as advise on critical business decisions. Consider establishing a contact at a local hospital system to function in this role.
- Run tabletop exercises on certain scenarios to practice response. Include both business and IT staff, and focus on all aspects of disaster recovery and business continuity.
As of this writing, many organizations are already proactively or reactively putting in place various policies, from banning travel and participation in conferences to rationing business outputs to prepare for a slowdown. While by no means comprehensive, the above recommendations should provide a solid foundation you can use to extend into further detail inside your organization.
Any views or opinions presented in this document are solely those of the Faculty and do not necessarily represent the views and opinions of IANS. Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our written reports, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by the client in connection with such information, opinions, or advice. The guidance provided is not intended as medical advice or to address specific medical risk.