Summary

The COVID-19 pandemic tested businesses and security teams in new ways. It highlighted the importance of having a solid business continuity plan supported by senior management that is updated and exercised regularly. Companies with good communications, strong leadership, and a resilient staff fared the best.

The full report (PDF) is the culmination of COVID-19 research that the ASIS Foundation initiated in March 2020. The original research studied nine companies in detail, tracking their pandemic response and recovery efforts from March through December 2020. Participants included: a U.S.-based NGO working primarily in Africa; a global bank based in Canada; a polymer-manufacturing company headquartered in Europe; a U.S. food and agriculture company; the Asia-Pacific region of a global furniture retailer; a global chemicals conglomerate based in Europe; a microfinancing institution serving Mexico and other Latin American companies; a polytechnic institute in southeast Asia; and a clothing retailer based in the United States.

A series of articles updated the efforts of each organization to adapt to the massive disruption wrought by COVID-19. The pandemic precipitated an unprecedented shift from office work to remote work, raising new cybersecurity and duty-of-care issues. It also shut down travel, required vigorous new sanitization protocols, introduced the concept of social distancing, imposed occupancy limits, and brought health screening and face masks to the workplace. Of course, different industries were affected in different ways. For example, retailers pivoted to online sales, while factories were forced to continually deep clean, rotate shifts, conduct contact tracing, and take other measures to make sure the world had sufficient food, toilet paper, and cleaning products. Key learnings from the various industry sectors on the foundation’s pandemic research project web page.

This is an executive summary of the final report that concludes the research by exploring the following questions:

• When COVID-19 hit, did the organization implement a crisis management or business continuity plan? How did it fare?
• How has resilience and business continuity planning changed structurally as a result of COVID-19?
• How have the resilience and business continuity duties shifted during COVID-19?
• What have organizations done well in this crisis?
• Where do organizations have room to improve?
• What other lessons have been learned or insights gained to help organizations better prepare?

To address these issues, the researcher followed up with the nine original companies, conducted a literature review, fielded a survey of senior security executives, and interviewed several of the survey respondents. One hundred and nineteen people completed the survey. The final report, including results from the survey and a glossary of terms.

Key Takeaways

Terminology

Organizations often have specific meanings for terms such as resilience, business continuity, crisis management, disaster recovery, and so on. And those meanings are not necessary consistent from organization to the next. Other organizations, however, use these same terms loosely and interchangeably.

Business Continuity and Crisis Plans

• When COVID-19 arrived, most companies implemented a plan they had in place. However, 43 percent of companies either had no plan, ignored the plan, or made limited use of it.
• Even most companies that used a plan and hewed to it found that it did not adequately contemplate the effects, magnitude, and length of the COVID-19 pandemic.
• Plans that are not regularly reviewed, contemplated, updated, and exercised diminish in value.
• Effective business continuity and resilience rely on support—and even robust advocacy—from the top. Absence of executive support cripples resilience, business continuity, and crisis management efforts.

Structural Changes to Business Continuity and Resilience

• Forty-one percent of the survey respondents said that COVID-19 had triggered structural changes to the resilience or business continuity functions.
• Fifty percent said they had not, and nine percent said that those functions reside in individual business units.
• The structural changes that have occurred are sui generis and cannot be easily categorized.
• Many companies are still examining and processing their resilience programs and will make changes consistent with recommendations that emerge.
• Various respondents say that their organizations are considering shifting business continuity to corporate security.

Change of Duties Due to COVID-19

• Nearly 40 percent of survey respondents said duties or responsibilities of the resilience or business continuity team have changed because of the COVID-19 pandemic.
• The most common change is that their resilience or business continuity team added health and safety duties where none existed before.
• The next most cited change is that senior executives better understood the importance of business continuity planning, crisis management planning, and conducting exercises, and now better support those activities.
• In some cases, the pandemic has vested additional aspects of crisis and continuity planning in the security department.
• Some resilience teams broadened their scope of duties; others had it narrowed.

Pandemic Planning and Response Successes

Respondents cited 35 discrete successes in dealing with COVID-19. The most cited success was communicating effectively and frequently throughout the organization and beyond, followed closely by transitioning to remote work. The next two frequently mentioned successes included:

• Ensuring staff safety/upholding duty of care
• Implementing building safety protocols including occupancy limits, social distancing, cleaning and disinfecting regularly, and providing personal protective equipment

Other successes that registered included:

• Keeping the business running/finding new markets
• Responding quickly to the crisis
• Collaborating with internal and external stakeholders
• Pushing response to the local level
• Adapting/protecting the supply chain
• Providing financial assistance for staff or furloughed workers

Opportunities for Improvement in Pandemic Planning and Response

Respondents cited as many distinct areas for improvement—35—as they did successes. Most common areas for improvement included the need for better or more frequent communications. Four other challenges frequently cited were:

• Lack of a more useful, more specific, or more updated business continuity plan—or even a plan at all.
• Difficulty in shifting to remote work
• Slow response
• Lack of devoted resources

Lessons Learned

• Almost 50 different lessons learned were identified. The most frequently mentioned were:
• The importance of communication, flexibility, teamwork, and leadership
• The ease or difficulty of shifting to telework (about as many security executives were surprised by how well they fared as found the process difficult)
• The importance of preparation and having a plan
• The importance of resilient staff
• The value of consulting with, retaining, or hiring medical experts such as virologists, epidemiologists, nurses, and qualified health-check screeners
• The need to take care of isolated staff who might be lonely or struggling with mental health issues