With more than 300,000 infections and 10,000 deaths the novel Coronavirus Covid-19 has now been declared a global pandemic by the World Health Organisation. The impact on the world economy is already enormous, with widespread travel restrictions and lockdowns, disrupted production lines and supply chains and a stock market crash. The short and medium-term impact on business is already now baked-in whatever the trajectory of the outbreak from here on.
The Covid-19 pandemic raises a number of very significant issues for business continuity and even business survival.
- The first issue is supply chain disruption. China, for example, generates around one quarter of the world’s output, including generic medicines used in the NHS and parts for mobile phones and computers. This will have a knock-on effect for businesses everywhere.
- The second issue is on employee availability. The UK government has estimated that up to 20 per cent of the workforce could be absent at any one time through sickness or quarantine. A report by Deloitte suggested that employee absenteeism in a pandemic situation, even if not actually sick, could raise this percentage to around 45 per cent.
- Social distancing measures that have now been introduced will mean that perhaps a majority of workers will need to work from home and many business locations, such as entertainment venues and colleges will be forced to shut their doors by the government.
- The catastrophic impact will be where there is a local outbreak, involving employees, customers or even family members, which could lead to individuals being quarantined and office buildings being closed.
Traditional business continuity responses, such as moving to a back-up site will not work during a pandemic. The problem will be with people being unavailable this time rather than the technology being unavailable. And the more globally spread the business the greater the risk.
Unlike a standard business continuity event, where restoring technology is the greatest issue, during a pandemic technology will provide the solution rather than the problem. Telecommunications technology will provide communications tools and facilitate remote working.
Cloud based storage and software mean that employees can work remotely from anywhere. This might mean at home, but it might also mean on another continent. Transputec, the parent company of Crises Control has a workforce of no more than 150 but spread across four different continents. This provides huge opportunities to move work around and provide a continuous level of service to customers.
One aspect of home working that needs urgent consideration is cyber-security. Here are some questions that you need to ask before you allow employees to work from home with access to your networks?
- If your employees are without company laptops, do you have a policy that allows personal laptops to be used for business related purposes?
- Was your network architecture designed securely to support teleworking?
- Are your data exfiltration solutions configured properly and actually perform as intended?
- Is your Citrix or any other remote desktop solution tested for potential security flaws and false configurations that may allow malicious individuals to leverage such weaknesses against your organisation?
- Have you considered running a phishing campaign on your behalf to raise employees' security awareness when they are far from sight?
- And, eventually, can your Security Operations Centre detect remote users’ potentially malicious action and react in time?
You will also need to plan for and consider your responses to a number of scenarios and have in place protocols covering the following issues:
- Hygiene, cleaning and infection control
- Management of suspected or confirmed cases
- Medical evacuation
- Anti-viral and vaccine medications
- Travel and HR management
- Alternative working practices
- Insurance and legal issues
- Communication and PR
With this in mind, Crises Control has created a series of pandemic response toolkits, based on the protocols listed above, to allow customers across the globe to prepare their own businesses to mitigate and respond to a series of pandemic incident scenarios, including employee infection and quarantine, building closure, service interruption, working remotely and supply chain disruption.
Finally, there is a list of business continuity planning actions that all businesses should be undertaking on a regular basis, all of which are highly relevant in the situation in which we find ourselves.
- Consider the more unpredictable events. Is your risk register based entirely on what has happened in the past? If so, you’re missing a trick. Make sure you’re considering new and emerging risks, as well as more random events. The impact of the pandemic is now baked-in, but what happens if you get another event whilst that is still running, say a loss of cloud software or storage?
- Ensure your plan is fit for use during the panic that will ensue when an event strikes. Do this by creating a series of shorter action plans to fit each of your major threat scenarios. These actions should include specific tasks for specific individuals, such as taking responsibility for locking down access to the data until the event is resolved and lifting the lockdown when the situation is resolved.
- Make sure that your action plans will be available to you under all circumstances. Having a well written plan in place is absolutely no use to you if you cannot access it in an emergency. For example, if your IT servers have been taken out by the flood, fire or power failure or your employees are working from home without access to the network. Having a copy of the plan hosted on cloud servers might be an option, but can it be accessed from mobile devices as well as laptops?
- Involve a variety of communications channels. Phone, e-mail, SMS and push notifications, means that critical messages are guaranteed to get through to employees even if they are remote working. A communications platform that can create an automatic audit trail can be helpful. This enables detailed review of events after a challenging incident, for example a health and safety incident.
- Make sure that you have a testing and exercising programme in place. This should include a mixture of virtual, desktop and live tests and exercises. Such a testing programme is required for public agencies as part of emergency planning.
Shalen Sehgal, Managing Director, Crises Control