Business Continuity Management During COVID-19

Alexander Hiznay and Candice Moschell | 5/14/2020

In response to COVID-19 shelter-in-place and social distancing realities, organizations are moving to alternative work and delivery models, experiencing an increased strain on resources, and relying on processes that might be suboptimal or manual. They are also reaching for their business continuity, emergency, and pandemic preparedness plans. Now more than ever, business continuity management (BCM) is a critical focus for organizations.

Responding to disasters

Business continuity management is a broad term that encompasses several targeted plans to make sure organizations can continue to operate through various types of disruptions or disasters. These plans can support resilience for business operations by helping organizations continue to operate while navigating a significant IT disruption, loss of a facility, security breach, or, as is the current situation, pandemic.

As demonstrated in the exhibit, creating a BCM program starts with the business impact analysis (BIA) and continues through the disaster recovery plan (DRP), business continuity plan (BCP), emergency preparedness plan, and plan testing. Throughout the process, business stakeholders and IT personnel drive the plans based on the plan activity.

Exhibit: Business continuity management program components (figure not reproduced here). Source: Crowe analysis


Since (or even before) COVID-19 was declared a pandemic, most organizations have enacted their BCM programs. However, many organizations might be struggling to address the challenges caused by the pandemic with incomplete or improperly developed plans. Some plans might have been created several years ago or, unfortunately, maybe not created at all.

Organizations have had to quickly develop alternative work situations and adjust their resources. While challenging, this slow-rolling event is an opportunity for organizations to build on and improve their business continuity management programs and better position themselves to effectively and efficiently recover when another disaster or major disruption occurs. To take advantage of this opportunity, organizations must first understand the core components of a BCM program, including frequently missed components and actions they can take now to strengthen their programs.


Business impact analysis

The BIA provides the foundation for all other components of a business continuity management program. The three main components necessary for completing the BIA include identifying the specific business processes of each department, the personnel resources needed to support the processes, and all the technology to support the business processes.

As organizations work to identify business processes and related dependencies, they frequently miss or incorrectly capture these components of the BIA:

  • Recovery time objective (RTO). Organizations must determine how long the business can operate without an identified process or technology before they experience significant impact to their operations. Note that the RTO should be captured for both the business process and the technology, independent of each other. Often, a business process is needed more quickly than the technology is available to support it.
  • Recovery point objective (RPO). Organizations should identify how much data change a system can afford to lose, that is, how dynamic the data within the system is, so that backups can be performed with the necessary frequency.
  • Operational impact. The BIA should identify the impact if a process is not operational. Impact can be described in several ways – financial costs, loss of life, patient safety, legal or regulatory implications, reputational damage – so it’s important to choose an impact scale that is easily understood by all key stakeholders.
  • Communication. Business process owners should dictate the components of the BIA including the RTO and RPO. One thing to keep in mind: The faster recovery is needed, the greater the operational costs, so expectations should be appropriately set and communicated with management. For example, if a critical process needs to be operational within one hour with real-time information, it will cost significantly more to build a system that meets those recovery requirements compared with a process that can afford a few days of downtime.

Opportunities exist to improve response plans based on the situations and challenges organizations are facing now. To strengthen their BIA, organizations should:

  • Survey non-front-line business process owners to understand what pain points they are experiencing as they work from home.
  • Identify which business processes or resources should be prioritized over others. Where possible, organizations should do the following:
    • Update their BIA to more accurately quantify the resources needed by each business process.
    • Make sure business processes appropriately reflect the RTO and RPO as previously defined.

Disaster recovery plan

The disaster recovery plan is the document that supports the organization’s response steps for IT systems and connectivity during disasters or disruptions. The information gathered through the BIA sets the RPO and RTO for specific technology (namely applications) within the environment, which in turn informs IT how to build those systems.

Frequently missed or incorrectly captured components include:

  • DRPs that focus on only one type of disaster. Organizations should make sure that the DRP accounts for various types of failures and not just, for example, the loss of the main internet service provider (ISP).
  • Plans that do not take into account any single points of failure. Steps should be in place to support operations if a single point of failure, such as the only ISP or the only router at a location, fails.
  • Actual steps to recover from a disaster. Often, specific individuals are tasked with executing recovery steps, but if they become unavailable, the organization will not be able to respond effectively. The goal of a DRP is to document recovery steps – including a step-by-step strategy to restore data and systems from backups and to configure applications and roles during a disaster – enabling multiple personnel to execute those steps.

To bolster their DRPs, organizations can reflect on recent challenges to:

  • Identify miscalculations of equipment requirements and use of resources based on the need to support a mobile workforce. Examples of what some organizations struggle with include:
    • Virtual private network connections (licenses)
    • Laptops
    • Peripheral devices (monitors, printers, scanners, cameras)
  • Update documentation based on issues or changes the organization might encounter when migrating and accommodating the workforce (employees and vendors) for the disruption. Examples include:
    • Access controls (networking)
    • Privilege changes (applications)

Business continuity plan

Business continuity plans detail the people, processes, and resources needed to support business operations amid a disaster or major disruption to normal business operations. More specifically, BCPs provide detailed steps various business departments must take to continue to support both the organization and key stakeholders, often while the departments are waiting for IT systems to be restored.

Frequently missed or incorrectly captured components include:

  • Dependencies. Plans often fail to take into consideration additional resources that a critical business process might rely on. Examples include dependencies on other departments for resources or personnel and dependencies on vendors for specific goods or services. Organizations should make sure the BCP includes all known dependencies.
  • Decision trees based on the type of disruption or disaster. BCPs might contain a lot of good information. However, the plans must be able to effectively respond to a specific type of disruption or disaster. Allowing decisions to be made during an emergency versus having them thought out and documented ahead of time increases the risk of poor or rash decision-making.

Organizations can take this opportunity to enhance their BCPs by:

  • Asking employees or inquiring with human resources or IT about what resources are needed to facilitate alternative work situations or the need for employees to perform other employees’ work functions. Organizations should update BCP resources based on those additional needs.
  • Practicing due diligence with all critical vendors. Because of the wide variety of unforeseen needs and situations resulting from the COVID-19 pandemic, organizations are navigating complex relationships with vendors. Organizations should make sure documentation reflects vendor changes and includes all critical vendor relationships.
  • Making note of any new regulatory changes that would modify the timing or requirements of reporting and financial regulations. Organizations should update documentation, calendars, and other resources to reflect regulatory changes.

Emergency preparedness plan

Emergency preparedness plans are designed to help support organizations’ initial responses to emergencies and pandemics. One goal of an emergency preparedness plan is to provide a playbook that protects and saves the lives of the employees who help run the organization and of the consumers they serve. Additionally, an emergency preparedness plan includes an incident response plan, which is a playbook for IT personnel to follow in the event of a suspected breach or active attack.

Frequently missed or incorrectly captured components include:

  • Lack of playbooks for specific types of emergencies. Usually by regulation, most organizations have a pandemic plan, but other often overlooked emergencies include:
    • Evacuations: Natural disasters such as hurricanes and fires
    • Lockdowns: Active shooter incidents, missing persons searches, or other discrete events
    • Shelter-in-place: Major incidents that require employees and customers to remain in designated areas
  • Lack of communication plans and platforms to alert stakeholders. Many organizations lack actionable and reliable communication plans and associated platforms. Organizations should make sure their employees’ contact information and communication plans are up to date, including who is permitted to speak with the media, customers, patients, members, and others. Where appropriate, a plan for contacting vendors and third parties should be in place as well. During an emergency, being able to access a reliable platform to support effective communication is invaluable.

Organizations can use lessons learned from the COVID-19 pandemic to strengthen their emergency preparedness plan by:

  • Documenting the “who, what, how” of the organization’s policy on external communication, including who is authorized to create and provide the message, what information is and can be shared, and how – through what channels (email, websites, newsletters) – that information will be delivered. All these details are critical for an organization’s communications strategy.
  • Assessing personnel needs. Some personnel might not be immediately available during emergencies or pandemics, resulting in resource gaps and lost efficiencies. In general, documenting missteps, lessons learned, and cross-training opportunities identified during disruptions can help organizations learn and operate more efficiently in future emergencies or disasters.
  • Determining what emergency communication technology will be used to provide alerts, updates, and messages to employees. If organizations do not have such a platform, now is the time to invest. Addressing the following questions can further enhance existing plans:
    • Who has authorization to create messages within the platform?
    • Are all employees able to receive messages?
    • Does contact information need to be updated?
    • How are vendors contacted?

Specifically during the COVID-19 pandemic, organizations should ask if they are internally tracking self-reported COVID-19 exposures within the workforce and if they will need to communicate risk of exposure in an appropriate manner when social distancing guidelines are reduced.

Navigating uncertainty

Organizations are facing tremendous challenges. Those that have actively developed business continuity management programs are able to face some of those challenges on solid footing. While some organizations might be more prepared than others, this pandemic is a unique opportunity for organizations to learn how to better equip themselves for the uncertainty of emergencies, disasters, or even future pandemics.
