Updating Business Continuity Basics After COVID-19
Emergency managers and public safety professionals are familiar with the concept of business continuity, also known as continuity of operations. We’ve planned it, practiced for it, and even have had to implement various phases or aspects of it in real life, following a devastating event or series of events that requires a cessation of normal business activity and the adoption of extraordinary measures. But just what is business continuity, and how has it evolved in the era of COVID-19?
Generally speaking, business continuity plans involve an enterprise-level, coordinated effort to safeguard corporate equities, including data and critical infrastructure, from all threats—both man-made and natural. In theory, a well-designed and practiced plan would allow the affected business or agency to reestablish critical or core operations within a maximum of 72 hours after the onset of the crisis scenario. Business continuity planning requires dedicated personnel and meticulous planning, employee awareness, tabletop scenarios, and coordination with local first responders and emergency services personnel. It cannot be done at the last minute or on the fly, or the entity risks cascading into a state of general chaos during an incident.
Core services do not mean all services.
There are myriad scenarios that would trigger implementation of the plan. Typically, major natural disasters such as a hurricane, tornado, earthquake, tsunami, or widespread wildfires would necessitate the adoption of extraordinary operating procedures. It may also be necessary to implement the plan as result of a devastating man-made disaster, such as a workplace shooting involving multiple victims or an act of terror. The common element to these adverse events is that they are so disruptive to the normal course of business that the business itself is no longer viable, at least for the short to medium term, without a major reworking of procedures and a significant reassignment of personnel and retooling of the workplace.
It’s crucial here to point out the difference between business continuity planning and other emergency operating procedures. For example, in a major passenger aircraft disaster, local hospitals will call in additional personnel, extend shifts, and retrieve emergency stockpiles of supplies. Hospital personnel practice for these potentially overwhelming events. Their continuity of operations is not threatened, though it may be taxed.
On the other hand, if the electrical supply to the hospital is cut due to an earthquake and the emergency generators are crushed by falling debris, the viability of the hospital itself is thrown into jeopardy. This is where continuity planning becomes essential.
Every U.S. government agency is required to maintain an approved business continuity plan. The Federal Emergency Management Agency (FEMA), under the U.S. Department of Homeland Security (DHS), is the coordinating agency for such planning and maintains a repository of each agency’s approved procedures. The National Infrastructure Management System (NIMS) lays out the framework of required planning and mandates that each agency address its core business functions and articulate its plan for maintaining these essential services when disaster strikes.
A key working assumption is that there is no way to determine what percentage of the workforce will be infected.
It is worth noting that core services do not mean all services. For example, if a U.S. embassy is destroyed due to a catastrophic event, core services may entail ensuring that essential embassy personnel can report to an offsite location and begin organizing the repatriation of American citizens or their remains. A non-core service that is subject to suspension could be the routine issuance of passports or visas.
In a private enterprise scenario, your core functions must be identified so that your continuity plan ensures their partial operation within the shortest amount of time possible. To accomplish this, it is essential to conduct a business impact assessment, followed up by detailed and extensive planning and response protocols that are disseminated throughout your workforce.
What are your core functions? Think of what your essential services are. Do you provide products to the public, such as a retailer or manufacturer would? Or do you provide a key service, such as electricity, fuel, or police/fire response?
Core functions for a hotel or cruise ship hit by widespread food poisoning, for example, would include prioritizing the safety and security of guests, the bulk of whom would be confined to their rooms. Food service would be limited to delivery of pre-packaged meals. For a distributor of business supplies, core functions might include securely storing client billing data, order history, and other details. Securing current stock on hand might be deemed non-essential for the duration of the crisis.
What is the status of your main facility, warehouse, or office? Now would be a good time to start familiarizing yourself with some specific terminology used in business continuity, such as national incident command, the alternate worksite, resiliency, devolution, and reconstitution. It is essential to use common language among key personnel involved in planning your continuity of operations protocols and in managing the response; it facilitates a streamlined approach and a better understanding of events and issues.
Are your personnel able to safely report to work, at least on a part-time or shift basis? No untrained personnel should be permitted to enter a building or worksite that has been compromised until technicians have declared it to be safe and structurally sound. If the alternate worksite is to be used, adequate security must be provided and it should be sufficiently distant from the primary worksite so as to avoid contamination or ancillary damage, should such risks be a possibility.
Where is management, and who is in charge? The management hierarchy during a pandemic may face significant upheaval, as key personnel may be sidelined due to illness. The crisis manager should have at his or her disposal a list of managerial personnel who are cross-trained in multiple functions and who can step in and play a key role in guiding the enterprise. Every business function must be executable by alternative personnel, and there should be no one person who is indispensable to the enterprise. Bear in mind that your continuity planning should include a crisis manager who can delegate essential business management functions to these trained personnel. Succession planning is essential here, but it is not identical to continuity planning.
A comprehensive continuity plan should address a pandemic or a rapidly spreading bacterial illness or food poisoning that threatens to sideline company operations. Although there are common elements to all continuity planning, we are witnessing firsthand how the current, COVID-19 pandemic has precipitated a sea change in the operating environment. The pandemic has caused business to vastly scale down in-person operations, reduce the number of employees, and even suspend operations completely.
What are some elements of your continuity planning that might need to be altered in order to address a pandemic as opposed to reestablishing operations after the primary worksite has been destroyed or rendered inaccessible? Meetings and status conferences may need to be conducted online to avoid further contamination or spread of a virus, so a robust online environment for the enterprise must be in place beforehand. IT technicians should be included in business continuity planning to ensure such capability exists. Furthermore, although alternate or remote worksites should be incorporated into your planning, the assembly of personnel in such spaces during a pandemic might be discouraged, based on the pathology of the illness. The alternate worksite might logically be in employees’ own residences.
Other factors to consider in your pandemic business continuity planning must include addressing strict contamination prevention and control measures, frequent health screening of personnel, and monitoring of pandemic reporting worldwide. An on-call contract medical service should be involved in every stage of pandemic preparedness planning.
A key working assumption is that there is no way to determine what percentage of the workforce will be infected. However, data shows that about half of all those who are infected will seek medical care. Others may not show symptoms or even be aware of their infected status, or the infection will only be detected after recovery or the patient’s death. Therefore, social distancing will be essential and strict monitoring of official government websites and communications portals (such as the U.S. Centers for Disease Control and Prevention website) will be a key resource in guiding response.
For a detailed example of workflow, delegation of authority, templates, and other useful information on continuity of operations planning for non-federal entities, see FEMA’s free continuity plan template for non-federal entities.
For easy-to-understand business continuity planning for a pandemic, visit https://www.ready.gov/pandemic
Stephen Cocco is a Rimkus Security Consultant and frequent speaker on security issues, vulnerabilities, and use-of-force matters. He provides expert witness testimony on premises liability cases and teaches active shooter prevention and preparedness courses for clients from various business segments. His expertise includes crisis and emergency management, evidence collection, investigative reports, fraud and financial analysis, domain assessment, and intelligence collection and analysis. Before taking on his current positions, Cocco served as an FBI special agent for 27 years.