Improving Resilience in the Wake of a Crisis

Spencer MacDonald


January 5, 2023

Improving Resilience Post-Crisis

Following the countless disruptions experienced during the height of the COVID-19 pandemic, most operations have either adapted to new processes or returned to a sense of past normalcy. Organizations should take this opportunity to look back at how they dealt with each challenge throughout the pandemic and leverage those insights to bolster resilience for future disasters.

According to FTI Consulting’s 2022 Resilience Barometer, 75% of global business leaders said they had to make decisions that presented reputational risk during the pandemic. More than two-thirds also agreed that since the onset of the pandemic, their company struggles to quantify the risks posed by crisis scenarios, and 72% agreed that their organization struggles to adequately plan for an increasing number of crisis scenarios. Despite these concerns, less than half are taking steps such as updating business continuity plans, preparing leadership to manage unexpected crises and/or assessing crisis response.

This is where a policy and process review can provide significant value in helping to reassess where gaps emerged or persisted during pandemic disruptions—especially relating to the adoption of new technologies used to facilitate remote work. Such reviews can help to reestablish and strengthen operational, policy and governance functions for both the long-term health of the business and the ability to better withstand future crisis events.

Organizations have experienced a wide range of disruptions and unexpected risks as a result of the rapid transition to remote work and managing workforces during a global health emergency. In some scenarios, organizations were not equipped with a crisis management team to respond quickly and remain up-to-speed on rapidly changing and varying guidelines from health authorities in numerous regions. Many also struggled to effectively manage communications with employees, leading to increased uncertainty and work disruptions. Other common challenges spanned IT infrastructure limitations to support videoconferencing and other remote work technology, as well as effective management of third-party providers that were also in the midst of disruption.

With the insights and lessons learned provided by such a review, organizations will likely need to take a number of steps to improve crisis response and pandemic plans. These may include:

  • Adopt a flexible pandemic management framework. This framework should establish mechanisms for timely response and decision making from a dedicated crisis response team, so the organization is prepared to act as soon as an incident or disaster is first reported. It should also have built-in flexibility to allow the team to adapt as situations change.  
  • Establish a policy exception process. Policies may need to be relaxed or bypassed when employee safety or the ability to continue operations outweighs the risk of non-compliance with internal policies. This may include relaxing procurement policies to quickly obtain safety equipment or data handling requirements for critical service providers, so they are able to continue to support the business. Defining the policies that can be relaxed or bypassed during disaster situations in advance can lead to a timelier response and recovery.
  • Establish a streamlined process for monitoring and responding to government guidelines in each applicable jurisdiction. Dedicated resources assigned to track these requirements will allow for a smoother response.
  • Implement procedures to periodically monitor and review equipment, supplies and systems. For organizations that have factories or other facilities that cannot be shifted to remote work, safety equipment, PPE and other necessary supplies must be stocked and maintained.
  • Continually test recovery capabilities. Remote work capabilities and networks should be periodically stress-tested to ensure all employees can be supported simultaneously if they need to shift to remote work overnight. 
  • Establish supplier contingency plans in case third parties become unavailable or are not following emergency guidelines that align with the organization’s policies. If vendors and partners are not adhering to similar protocols, continuing to work with them during or immediately after a disaster can open up new areas of additional risk.
  • Develop a library of pre-drafted employee communications that can be leveraged and tailored for future events.

There is no way for business leaders to prepare for every possible crisis scenario. Still, it is important for organizations to be realistic that new disasters or challenging events are likely on the horizon, and another pandemic is a realistic possibility. While that may seem like a daunting prospect, baseline preparedness can go a long way in minimizing the impact. Moreover, many organizations have now built some muscle memory for how to respond and navigate these kinds of events. By taking the opportunity now to assess and lean into lessons learned, organizations can minimize risk, address new or unknown exposures and build resilience for the future, regardless of what challenges lie ahead.   


Spencer MacDonald is a director within FTI Technology’s information governance, privacy and security practice. He advises clients on a wide range of regulatory and compliance issues, including those related to privacy, information security, business continuity and third party risk management.