How to Adjust Business Continuity Plans for COVID-19

Published June 18, 2020 by 4 min read

Your business continuity planning (BCP) and disaster recovery (DR) and response plans may not suffice for the COVID-19 pandemic—or for any pandemic.

Let’s face it: Many organizations found themselves woefully unprepared to deal with the effects of the novel coronavirus’s rapid, devastating spread. Many are still struggling.

One reason for their problems: They had not included pandemic planning in their BCP/DR planning process, and so had no back-up plan to deal with a widespread, serious health care emergency.

As a result, many were unprepared for public health and business operations disruptions including

  • Absenteeism due to illness of employees or their family members
  • Increases in sick leave payments
  • A rapid shift to a telecommuting business model
  • Losses of service providers and other disruptions in the supply chain
  • A dramatic rise in the number and scale of cyberattacks 

What’s the Difference? BC vs. DR

Both are important elements of risk management. But, although the two often get linked together as “BCP/DR”, a look at the definitions and focus of business continuity vs. disaster planning reveals a number of important differences.

Business continuity planning entails drawing up contingency plans for continuing business operations and essential services in the event of emergency or unexpected happenstances, such as, typically, natural disasters or attacks on information technology systems.

A disaster recovery plan deals with what happens after an event. How will you return to business as usual?

A vital but too-often missing piece of both types of plan is the pandemic preparedness plan.

In spite of the World Health Organization (WHO) and U.S. Centers for Disease Control and Prevention (CDC) warnings and pandemic alerts over the years, many businesses, governments, and individuals seem not to have seen COVID-19 coming. 

And yet, as we are now learning, it would have been wise to plan for a pandemic. Flu has spread globally a number of times in the last 100 years; the influenza pandemic of 1918-19 caused millions of deaths.

The scope and severity of the COVID-19 impact is particularly pronounced in the United States, straining the nation’s economy in all geographic areas as well as our emergency response efforts. Every department in your organization, from human resources to distribution to information technology, is affected.

If, in the past, your organization didn’t consider the possibility of a disease outbreak and institute infection control—hand-washing and social distancing, for instance—and other health-and-safety measures to prevent disease outbreaks at work, you may want to do so now.

The good news is, you probably don’t need to reinvent the BCP wheel. For most (non-health-care) organizations, adding a “pandemic” to your crisis-management plans merely requires a bit of adjusting. 

Your Pandemic Prep Team

The first step toward preparing for a pandemic is designating a team to work on your pandemic preparation plan. Since illness can strike anyone, including a cross-section of people from various functions and in various roles.

During team meetings, discuss the following questions:

  • How will decisions get made if decision-makers fall ill?
  • Who manages the pandemic itself at the worksite? A pandemic management team plan should assign roles, tasks, a chain of command, and coordination activities.
  • Under what circumstances would the business or parts of it need to close?
  • How will you prevent the illness from spreading?
    • Will you educate workers on handwashing, face contact, and social distancing?
    • Will you install barriers between workers?
    • Will you increase handwashing facilities and provide hand sanitizers on-site?
    • Will you periodically clean often-touched surfaces including doorknobs, handrails, and keyboards?
    • Will you require masks in the building?
    • Will you perform proactive health screenings?
    • Will you switch largely to “telework” mode using video conferencing apps and work-from-home technologies?
  • How will you keep essential functions operating even when the people who perform them are ill? Cross-training is one possibility.
  • What is your plan for emergency communications, especially when personnel are working remotely?
  • How will you help workers with stress, grief, and other issues?

Make sure to include cybersecurity concerns. Questions might include:

  • How might teleworking affect your information security and privacy programs? 
  • How will you maintain cybersecurity compliance?
  • How will you maintain appropriate cybersecurity controls?

Last but not least:

What Your Pandemic Plan Should Cover

Just as with a business continuity plan, a pandemic plan should include these elements:

  • Risk analysis management  plan that identifies risks a pandemic might post to your business, assesses their impacts and outlines strategies to manage them
  • Business impact analysis that explores how your identified risks might business operations, including identifying critical business functions, mapping them to one another and to networks and systems, and detailing how to maintain them
  • Incident response, describing responses to incidents with an eye toward limiting the loss of life and property during and immediately after a pandemic
  • Recovery, to reduce downtime and business losses after a pandemic and hasten your enterprise’s return to normal business operations

Pandemic Risk Management Considerations

Just as with any risk management plan, you’ll want to list your risks, categorize them according to their potential impact on your organization, and plan mitigation for each. Here are some risks you might list:

  • A reduction in available labor, including employees and contractors
  • A reduction in business, and cancellations of customer orders
  • Delays and reductions in the availability of supplies and materials
  • Increases in demand on your digital systems, such as from internet shopping
  • Restrictions on travel, including business travel
  • An acceleration of attempts to breach your information security systems and data
  • Disruptions in services such as telecommunications, financial/banking, water, electricity, gasoline/fuels, medicine, or the food supply—disruptions that could affect workers families, communities, entire industry sectors and economies
  • Reductions or delays in cash flow 

Modernizing your BCP

All this planning requires communication—lots and lots of it. Keeping track of emails, chats, text messages, video call notes, and workflow can be an onerous task, especially when team members are dispersed and working remotely.

ZenGRC’s workflow feature allows you to create your own program for pandemic business continuity planning, from risk management through incident response and business recovery. It helps you assign, track and manage tasks, maintain your operations from a distance, and share your pandemic BCP/DR activities, time frames, and key performance indicators with your managers and board via an easy-to-use dashboard.

During a pandemic isn’t the time to scramble to get organized. ZenGRC can be working for you within moments of activation, taking care of your pandemic planning and operations tasks automatically so you don’t have to. Worry-free business continuity is the Zen way. Contact Reciprocity today for your free consultation

Learn how we can fit into your business.

Schedule a demo to learn how we can help guide your organization to confidence in infosec risk and compliance.

Help us get to know you.

Get a demo