The Global Pandemic’s Affect on Business Continuity

Though the events of 2020 are sometimes characterized as unimaginable, many organizations have been preparing for a global pandemic for years. However, many others have found themselves scrambling to maintain operations in the wake of mass shutdowns, restrictions on travel and scarcity of supplies. The goal of business continuity planning (BCP) is to prepare organizations to respond quickly and decisively in an emergency to ensure employee safety and resume business operations with a minimal amount of disruption. Regardless of whether organizations found themselves well prepared—or something less than well prepared—for a pandemic in 2020, they are likely to tweak their approach to BCP in at least some of the following ways (figure 1) going forward to ensure that they have a clear and agile process.

More Organizations Will Prioritize Pandemic Response Plans

BCP involves identifying and assessing events that could disrupt an organization’s operations and thus its ability to deliver products and services to its customers. Following the COVID-19 outbreak, organizations are likely to move pandemics higher on the list of such events in terms of likelihood and impact, if they were not already ranked highly. According to a Business Continuity Institute report, in the last century, five of the top six deadliest natural disasters were pandemics, and organizations that deal with public health or healthcare customarily list pandemic near the top in terms of key risk because pandemics (as witnessed in 2020) directly threaten frontline healthcare workers, strain the production and availability of critical medical supplies, and may overwhelm the capacity of healthcare facilities.¹ That report was written in 2018, and many organizations that did not hear or heed the warnings in the past certainly will now.

Organizations may also develop dedicated pandemic response and spread prevention plans, if they do not already have them. A pandemic response plan is a specific type of business continuity plan. It includes elements such as protocols for when to stay open and when to close; plans for physical distancing and enhanced safety/cleanliness measures in the workplace; employee leave policies and plans; and communication guidelines all specific to the event of a pandemic.² Not all organizations had a dedicated pandemic response plan as part of their BCP. There will be a learning curve ahead as organizations assess the ongoing impacts of the current pandemic and determine how to address pandemic response within their BCP process. However, there are resources available to help. For example, the US Federal Emergency Management Agency (FEMA) publishes a Pandemic Influenza Continuity of Operations Annex Template, which FEMA states is to “assist organizations in developing a Pandemic Influenza Continuity of Operations Plan.”³ FEMA encourages organizations to customize the template to their needs, making it a useful tool for organizations beginning to plan for infectious disease contingencies.

Organizations Must Constantly Adapt to Changing Consumer Needs

Recovery time objective (RTO) and recovery point objective (RPO) are two fundamental aspects of business continuity and disaster recovery planning. They describe the organization’s goals in terms of its ability to restore operations and resume meeting customer demand in a timely manner following a business disruption. However, the COVID-19 pandemic has vividly demonstrated that in the wake of a disaster, getting back to business as usual is not always possible or even beneficial. For example, without the option of returning to the workplace, having customer service associates work from home in relative safety allowed organizations to maintain customer relations. Beyond logistics, many organizations have experienced a shift in what their customers need from them post pandemic and have responded by making alterations to their product assortment and value propositions (e.g., health and beauty enterprises shifting production to hand sanitizer and restaurants and grocery stores adding takeout and drive-through services). As such, the important question in BCP is not only how fast can an organization resume operations, but how quickly can it alter them? Therefore, agility will become an increasingly important factor in BCP, and BCP may need to include defined methods for assessing whether consumer needs have changed in relation to the organization’s pre-existing business model.

THE COVID-19 PANDEMIC HAS VIVIDLY DEMONSTRATED THAT IN THE WAKE OF A DISASTER, GETTING BACK TO BUSINESS AS USUAL IS NOT ALWAYS POSSIBLE OR EVEN BENEFICIAL.

In the same vein, the experiences of COVID-19 may affect how organizations prioritize their business processes within BCP: What is truly most critical? For example, a retail chain that would previously have prioritized reopening storefronts may now choose to describe its objectives in more general terms, such as restoring product availability—a subtle but important change in mindset that allows for flexibility and innovation and describes what the organization is really trying to achieve. These types of tweaks may impact the hierarchy of the systems, processes and personnel that organizations choose to restore and support.

Organizations Will Place a Greater Emphasis on Employee Well-Being

Employee safety and well-being have always been fundamentals aspects of business continuity and disaster recovery planning. BCP has traditionally included considerations such as:

• Employee safety in the workplace
• Employee access to the workplace and key tools in the event of a disruption
• The possibility of injury or illness happening to employees during a disruption, preventing or delaying their return to work

Although these remain key considerations, more organizations will be taking a more holistic look at employee well-being in an event such as a natural disaster.

Employees should come first in any type of business disruption. Without its employees, a business simply cannot go on. This means considering their health and well-being, along with how they’ll continue to work for your organization during times of disruption.⁴

Of course, there are limits to the extent to which organizations can be responsible for the wellness of their employees. However, post COVID-19, BCP will likely broaden from shorter-term contingencies related to employee availability with respect to sustaining operations to longer-term considerations such as the effects of stress, anxiety, isolation and exhaustion on employee well-being. The rationale is that employee well-being has a direct impact on employee performance, which, in turn, has a direct impact on business success. “Support your people, make sure they are OK, and they will take care of your business.”⁵

Organizations Will Scrutinize Risk Related to Third-Party Relationships

The third-party relationships that could pose a risk to the organization in a disaster or significant disruption are virtually endless. Some examples of this risk include:

• Failure to deliver products or services based on contractual agreements could expose the organization to legal risk.
• Customers or other stakeholders may be entitled to refunds or other reparations.
• The organization’s third-party suppliers of critical materials and services may be unable to meet their service level agreements (SLAs).
• First responders, law enforcement, utility workers and alternate site providers may be impacted by the same event, impacting the organization.

Because of these possibilities, organizations will be looking at the risk and value of third-part relationships through the lens of a future catastrophic global event. According to a recent KPMG report, “Organizations have been challenged to reevaluate the relevancy of their definitions of third-party criticality” in the wake of the events of 2020.⁶ For example, while dealing with the impacts of COVID-19, the report notes,

Stakeholders across [third-party risk management] have had to modify processes to support their staff and third parties working from home. Oftentimes, this initial shift has meant operating in violation of existing policies and contracts until new agreements can be drafted.⁷

ORGANIZATIONS WILL BE LOOKING AT THE RISK AND VALUE OF THIRD-PARTY RELATIONSHIPS THROUGH THE LENS OF A FUTURE CATASTROPHIC GLOBAL EVENT.

As organizations are taking a hard look at third-party risk management in 2021 and going forward, in addition to reassessing the criticality of third-party relationships, they will be evaluating whether they are comfortable with the risk exposure created by existing contractual agreements and whether current decisions related to outsourcing vs. insourcing still make sense.

Organizations Will Look to Become Faster, More Proactive and Globally Focused

In January 2020, Continuity Central published the results of its annual survey asking business continuity professionals about their expectations for the year ahead. In that survey, 11.4 percent of respondents said that they expected their organizations would be making major revisions to business continuity management strategies and plans in the year ahead. Heading into 2021, that number should increase as organizations question how they could have been better prepared for the COVID-19 pandemic and look to apply lessons learned to business continuity management going forward. One area likely to be reassessed is the timing and phasing of the implementation of measures spelled out in the business continuity plan. At the same time, organizations will be looking to identify emerging disruptions higher upstream at the global level and anticipate their impacts. The goal is to enable the organization to respond more quickly, flexibly and proactively to challenges as they arise, and further embed resilience and business continuity into the consciousness of employees at all levels as part of business as usual.

Conclusion

The rate at which threats rise and fall and the speed of change in the marketplace both seem to be increasing, and in response, business continuity is evolving into a mindset as much as it is a document with plans, policies and contact information. Further, the pandemic has demonstrated that although BCP may look different in large, complex organizations than in small businesses, there is no enterprise for which BCP does not have relevance and value. In the wake of the COVID-19 outbreak, organizations of all sizes and industries are sure to look for ways to get more out of their BCP efforts and be better prepared for significant disruptions in the future.

Endnotes

¹ Business Continuity Institute (BCI), “Understanding Pandemic Phases for Better Emergency Planning,” 3 May 2018, https://www.thebci.org/news/understanding-pandemic-phases-for-better-emergency-planning.html
² Canadian Centre for Occupational Health and Safety (CCOHS), “Business Continuity Plan—Pandemic,” 2 December 2020, https://www.ccohs.ca/oshanswers/hsprograms/planning_pandemic.html
³ Federal Emergency Management Agency (FEMA), Pandemic Influenza Continuity of Operations Annex Template Instructions, USA, https://www.fema.gov/sites/default/files/2020-08/fema_pandemic-influenza_template-instructions.pdf
⁴ Kunkel, M.; “Business Continuity Plans: Four Updates to Make Now,” The Enterprisers Project, 29 September 2020, https://enterprisersproject.com/article/2020/9/business-continuity-plans-4-ways-update
⁵ Ibid.
⁶ KPMG, Thriving in the New Reality, 14 May 2020, https://advisory.kpmg.us/content/dam/advisory/en/pdfs/2020/thriving-in-the-new-reality.pdf
⁷ Ibid.

Kevin M. Alvero, CISA, CDPSE, CBCP, CFE

Is senior vice president of internal audit, compliance and governance at the Nielsen Company. He leads the internal quality audit program and industry compliance initiatives, spanning Nielsen’s Global Media products and company services.