Lessons for Business Resilience Planning

Damon Owen


February 1, 2021

The COVID-19 pandemic has exposed glaring deficiencies in business continuity and crisis management plans at organizations across all industries. While executives and management are focusing most of their efforts on responding to the day-to-day upheaval caused by the virus, companies must prepare now for extended disruptions to their operations.

Before the pandemic, it was not unusual for crisis management and business continuity teams to update plans once a year and meet quarterly to review them. However, the most effective response to the pandemic has demanded that teams share data weekly or even daily to continuously monitor an evolving and highly uncertain environment.

The pandemic is only one type of threat likely to test an organization’s crisis management and business resumption capabilities. Moving forward, leaders need to reimagine their crisis management and business continuity planning to prepare for simultaneous natural disasters, widespread power or technology outages, civil or political unrest, and other events that could conceivably threaten business operations on a large scale.

All “black swan” events should be considered in a robust crisis management planning and business resumption exercise. Business continuity management must address multiple concurrent threats now more than ever. The potential convergence of disaster events will require risk management functions to ask many new questions, including those that address the “unimaginable,” such as:

  • What if the digital infrastructure breaks down during a disaster?
  • What key infrastructure redundancies should be in place to address aggregate compounding disaster events and ensure resilient enterprise operations?
  • Can remote workers perform their work as multiple disaster events occur simultaneously? 

Crisis management planners should assess all possible alternatives under these scenarios, including solutions available today and those that could be put in place over time.

Business continuity planning increasingly requires an emphasis on equipping remote workers with tools, including satellite telephones, DC-to-AC power inverters for cars, backup generators and power supplies. Organizations must have multiple layers of redundancy in place and give remote workers ways to complete their work.

COVID-19 showed that many organizations were not maintaining updated and tested pandemic preparedness plans. They are now repeating their business impact analyses to focus on onsite requirements for delivering critical business services and maintaining current service levels during peak periods over the coming weeks and months. Organizations should prioritize conducting a thorough evaluation of the third-party service providers that contribute to the execution of critical business services. Organizations are increasingly implementing cloud-based solutions, higher-availability applications and collaborative tools. Tabletop exercises are now almost exclusively conducted through telecommunications platforms and virtual collaboration tools. Postponing traditional, scheduled IT disaster recovery tests is not an option, and enterprises are focusing increased resources on cybersecurity threats to the organization and its customers.

For all the difficulties COVID-19 created, the pandemic has provided organizations an opportunity to reclaim and reinvigorate crisis management and business continuity planning. Organizations can make permanent the more active and continuous communication practices put in place due to the pandemic, and they can enrich their scope of preparedness by imagining extreme scenarios, regardless of likelihood and cost.

A Plan for the Future

There is no single correct way to perform or govern business continuity and resilience planning, given the differences among organizations and how they view their risk profiles. Still, it is important to continuously improve the plan, and one of the best ways is to incorporate a feedback mechanism.

Organizations must not overlook the aspects of change management that focus internally on business continuity management. Industry-leading practices require organizations to identify scheduled and unscheduled triggers that will provide the necessary information to allow the business continuity management function to operate. Examples of scheduled triggers include annual continuity risk assessments, business impact analyses, and policy standards reviews, as well as corporate governance requirements.

Unscheduled triggers include acquisitions, divestitures, and identification of additional credible threats, as well as any changes in locations and alternate sites, data centers and technology; legal and regulatory requirements; the organization and/or workflow; and third-party dependencies. Business continuity and resilience program updates should be conducted annually, at a minimum, or as needed to address potential changes.

Historically, change management defects have undermined the effectiveness of many business continuity plans. Triggers are integral to continuous improvement activity, in that failures in change management cause business continuity management defects. Change management linked to crisis management and business continuity helps to ensure that significant modifications to the business are planned for at the time of the update and do not cause an unplanned outage during an emergency.

In 2021, organizations should consider the following key concepts when implementing continuity risk management, crisis management, and business resumption plans:

  1. Cultivate a flexible and resilient culture that can respond to upheaval with a business-as-usual approach.
  2. Conduct more frequent meetings between the incident response and crisis management teams and integrate after-action reports into a continuous improvement program.
  3. Update the business impact analysis to emphasize physical locations and the colocation of resources that provide critical business services. Ensure current service levels are maintained during peak periods.
  4. Evaluate the organization’s reliance on third-party service providers and identify alternatives in case of loss of these providers.
  5. Clearly define and communicate the process of managing incidents through the crisis management plan so that declared disasters will catalyze an immediate ramp-up of alternative operations.
  6. Evaluate work digitization to ensure that employees can access what they need remotely, including crisis management and business continuity plans. Make sure remote procedures for employees meet regulatory requirements for specific industries, such as securities traders who are buying and selling stocks from home.
  7. Review how crisis command centers have responded to COVID-19. Identify areas that need improvement, and address and correct shortcomings highlighted in after-action reports.
  8. Evaluate supply chain disruptions and identify alternatives for critical supply chains.
  9. Assess the business model’s resilience, and whether it allows organizations to adapt and recover from disruptions and manage future crises by reducing costs in the short and medium terms.
  10. Ensure that crisis management and business continuity planning account for the portion of the workforce who may continue working remotely.

Business leaders need to assess the performance of their business continuity and resilience programs, and take steps to ensure that the structure and strategies are in place to anticipate and respond to the next event, no matter what it may be. Continuity risk assessments and crisis management plans must emphasize speed and flexibility so organizations are able to quickly adapt to rapid change. It is also essential that leadership and employees are given fact-based information and tested alternatives to enable real-time decision making. This integrated, comprehensive approach will help build long-term operational resilience and prepare the organization for any future disruption.

Damon Owen is director of technology strategy for Protiviti.