Most organizations weren’t prepared to maintain the continuity of their business during a pandemic. So when COVID-19 hit, the most companies could do was dust off their disaster recovery plans, and react to the past while taking a series of gambles on an unknown future.
Disaster recovery plan: A plan to restore business operations, systems and infrastructure following a manmade or natural disaster, such as a hurricane, pandemic, or civil unrest.
Business continuity plan: A plan to avoid risk and disruption to business activities, such as alternative measures to protect employees and assets; for example, vetting alternate third-party vendors to protect a business supply-chain.
When properly implemented, a solid business continuity plan will reduce the negative business impact of adverse events and make the business more resilient.
A business continuity plan differs considerably from a disaster recovery plan. Most obviously, the former attempts to anticipate issues and disruptions before they occur while the latter specifies what to do after the disruption is over.
Here are six ways to shift from planning for when a disaster strikes to identifying risks that can lead to disasters, which will disrupt company operations.
1. Empower your people
In a recent NAVEX Global webinar, Protiviti's Katie Stevens made the point: "If you don't really do training and communications, you will find yourself in a position where your critical staff is unavailable, and nobody knows how to do a function," said Stevens.
Efforts to implement training and improve communications benefit both disaster recovery and business continuity programs. Employees are better equipped to handle whatever challenge comes, whether it's planning for adverse events or managing through a crisis.
2. Enlist stars of disaster recovery
If your company was among the majority unprepared for COVID-19, look at the bright side. You swung into action, changed courses, and generally made the best of a bad situation during disaster recovery. You also found some gems in the workforce who excelled under pressure.
To get your business continuity program up and running, enlist the shining stars from your COVID-19 disaster recovery effort. Recruit key individuals who showed their mettle while serving on disaster recovery committees and making autonomous, smart decisions. They'll be instrumental on the business continuity team that requires a cross-section of the company's workforce with expertise in strategy, planning, analysis and more.
3. Pay attention to third parties
COVID-19 was a wakeup call for supply chains and all companies with third parties. Many experienced their suppliers suddenly unable to meet their service level agreements. You saw firsthand what happens in operations during disaster recovery—work stops. You had to scramble and find workarounds for missed deliveries to get operations restarted.
In business continuity planning, disaster scenarios and business impact analysis give you a sneak preview of what to expect if the unexpected occurs, so everyone is better prepared. Also, the goal of business continuity is to identify risks that can affect and disrupt operations. That enables the organization to avoid disasters entirely and build resiliency with every crisis averted.
Critical third parties are an integral part of business continuity plans that identify each third party's significant role in operations. In disaster recovery, the focus is on recovering operations, which may or may not involve third parties.
4. Don't forget compliance
When a company's management is in crisis mode, it's easy to neglect priorities like compliance. With a disaster recovery plan, the focus of compliance might be focused on notification requirements like in the case of a data breach. The longer the recovery period, the more likelihood of neglecting compliance.
In business continuity planning, compliance risk is a priority. A compliance risk assessment identifies contractual, ethical and legal requirements, ensuring none are neglected in an adverse event.
With regulations like the California Consumer Privacy Act and the current emphasis on health risk, the process of handling personally identifiable information belongs in business continuity plans.
What applies to people is also applicable to business. If you're a retail organization complying with The Payment Card Data Security Standards (PCI DSS), it's easy to do things on networks that violate PCI tenants. It's not intentional; it's just that compliance doesn't register for this situation. A business continuity plan identifies this risk and plans accordingly.
"Compliance is the underestimated need within business continuity planning." Katie Stevens, Protiviti
5. Plan with ethics in mind
The pandemic put ethics in the spotlight . The decisions made by leadership could have consequences later.
Imagine a scenario of a company cutting salaries and laying off workers due to the pandemic but also rewarding executives with bonuses. If people perceive companies as unethical, such companies could have a tough time finding talent after the pandemic, whether that's three, 12 or 18 months.
During disaster recovery, leaders make decisions in haste, and there is no way around it. Business continuity that seeks to reduce the risk and impact from adverse events affords the time to make informed, ethically-sound decisions.
6. Make resiliency an organizational initiative
Going forward, business continuity planning will likely expand in size and importance. One reason is COVID-19 woke everyone up to global health risks. Another is the domino effect as one risk has a cascading impact on other risks beyond people's health. Disaster recovery plans have a role within the business continuity program.
The future is indeed uncertain, but business continuity planning helps you manage whatever challenges come your way. That could be a second wave of COVID-19. The hurricane season just started. IT disasters are always in season.
Prepare for the unpredictable with Lockpath Business Continuity Management.
From recovery to resiliency
Even the quickest, most agile disaster recovery plan can’t beat advance planning and preparation. The disaster recovery plan may have done its job during the crisis, but now the challenge is getting back to work, meeting goals and minimizing disruptions from adverse events.
That's why it’s important to shift focus from recovery to resiliency. Even when adverse events occur, you're more prepared and resilient with a business continuity plan. A disaster shouldn’t define an organization. Leverage business continuity planning to unleash your organization's potential to define its future.
Watch Business Continuity: Risk and Resiliency Planning, to learn more. The webinar features Katie Stevens with Protiviti and Sam Abadir with NAVEX Global. Register now!
