Experts are discovering in the wake of the global COVID-19 pandemic that former or existing strategies for handling disasters, whether natural or human-caused, are insufficient going forward. While this pandemic has caused serious disruption globally, it has also provided a tremendous opportunity for fine-tuning operational and response procedures, thus strengthening rather than weakening the present structures. In many cases, forced changes have turned out to be better business models.

“The goal of a business continuity plan (BCP) is to remove as much uncertainty as possible in how you will respond to disasters,” says Eric Sean Clay, MSc, CPP, CHPA, PCI, Vice President of Security for Memorial Hermann Health System.

Such plans provide direction to organizations in preparing for a variety of emergencies by helping them plan for ways to continue operations and enable them to act quickly. Business continuity planning identifies critical processes and isolates them so that these will get full focus. This means having precise and up-to-date data on procedures, including considerations such as supplier contacts, alternate supplier contacts, and an exact chain of command that will help the organization snap into action and soften the impact of a disaster.

“Everyone plays a role in continuity planning, whether it is having a plan for your family and home environment, office setting or leisure travel,” says Wes Decker, CPP, MBCI, MS, Director of Business Continuity and Crisis Management for Comcast. “Having a plan allows you the freedom to know that, whatever uncertainties may arise, you are equipped to mitigate a certain level of risk. Contingency planning cannot sit idle on a shelf; it is a living and ever-changing plan for how we encounter and live life.

Eric Sean Clay, VP of Security Memorial Herman Health System Image courtesy of Clay

Richard M. Kelly, Senior VP of Global Safety, Security & Business Continuity Management, Chubb Image courtesy of Kelly

Wes Decker, Director of Business Continuity & Crisis Management, Comcast Image courtesy of Decker

Lessons Learned from COVID-19

Business continuity planning goes far beyond the COVID-19 pandemic, of course, encompassing geopolitical issues, social unrest or employee strikes, natural disasters and much more. Yet, this global health pandemic was still a reality check for most businesses and presents an opportunity for security, emergency management and risk professionals across all sectors to reevaluate their plans.

“Many people didn’t understand what business continuity was or really understand its importance before 2019,” observes Decker. For most businesses, the pandemic was outside the bounds of what they expected and could plan for, thus highlighting the need for more divergent thinking in planning and willingness to define concretely what is essential and what can change.

“We had a playbook; we were used to dealing with hurricanes and tornadoes. I don’t think anybody really had a playbook for this pandemic. I think that in some ways, you’ll see a lot of companies changing the way they do business,” Decker adds.

Richard M. Kelly, MPA, CPP, Senior Vice President of Global Safety, Security & Business Continuity Management for Chubb, notes that “unlike exercises, the pandemic tested our BCPs in real time, with real-life situations that required us to make very quick decisions, related, for instance, to employee and visitor access, opportunities to work from home, capacity and logistics issues with our supply chain, and safe minimum staffing levels, to name a few.”

Adam Collison, Business Continuity and Intelligence Manager for Ford Motor Company, says that the biggest impact the pandemic had on business continuity planning is that it shined a light on new operational continuity solutions that many companies didn’t think were possible pre-COVID-19. “It was impressive how well companies across the spectrum, including Ford, were able to maintain operations while pivoting to this new style of work as the virus spread across the various regions. If the pandemic has taught us anything, I think it is that embracing a level of agility in the planning process is critical,” he says.

“What’s happened over the last 24 months with COVID is just phenomenal,” Kelly says. “It’s been tough, but it has been a tremendous opportunity for the organization to become stronger and more resilient and really push those things that are very important to continuity and the operations to the forefront for the team. So, it has been really positive too.”

COVID-19 has provided a new learning environment and new ways of doing things. “It has solidified any ambiguity that may have existed before and has clearly defined the resiliency of our workforce and the flexibility by which we can still deliver our services to the customer in a non-traditional business platform,” Decker says.

“With the pivot to remote and hybrid work, your alternate workplace may have shifted from another company facility down the street to a coffee shop near your home,” Collison says. This shift, according to Kelly, has resulted in companies having to make improvements to their networks and the IT infrastructure to make sure they have the bandwidth to handle off-site workers securely and with multiple logins at the same time.

This new awareness and resulting readiness have made it easier for businesses to handle more recent disruptions, such as the August 2021 hurricane in Louisiana. “We had such a great response and recovery effort to the hurricane most recently,” Decker says. “I think that our leadership is really seeing the fruits of investment they’ve made into business continuity and disaster recovery.”

Decker says there are three specific insights he has gained from the pandemic:

• Understanding the ever-growing challenges that confront businesses and the ability to forecast events that we may not have experienced in recent memory.
• Understanding the fragility of systems, how globally connected we are, and the interdependency we have on one another for success.
• Recognizing that how we balance our work and life commitments has shifted significantly as we reflect on the most important things.

The pandemic forced companies and organizations to analyze what was truly essential and to allow new ways of interacting and communicating. Many of these changes worked better than previous strategies and will be kept permanently. The most obvious of these is the shift to remote work, whether full-time or in a hybrid environment. “I think that the way we work has definitely changed forever,” Kelly says.

Workforces are now more flexible and often more dispersed, encompassing larger geographic areas that can be impacted in the future. “The workforce planning will continue to evolve in this current and future labor market, which must be considered in our continuity plans,” Decker says.

Continuity Best Practices

Involving senior leaders, adapting quickly and reviewing and testing regularly are important aspects of a business continuity plan. “I feel it’s critical for an organization’s most senior leadership to be involved in the business continuity product from the start,” Clay shares. “They are the ones who should create, maintain and own the process.” This communicates to the company that business continuity is a priority, ensuring support at all levels.

“It is important to involve all leaders and all parts of the business so that all pieces of it can work smoothly during disruption,” Kelly adds. “Whether it’s the financial side, HR, operations, IT, real estate, facilities, safety, security — all these functional areas come together to support the execution of the plan.”

Through collaborative and proactive dialogue, leaders and business partners can quickly adjust plans to current or forecasted events that may impact their businesses. “Our annual reviews and tabletop exercises further allow us to adapt and keep our continuity planning at the forefront to care for our employees and best serve our customers,” Decker says.

The Future of Business Continuity

Going forward, it is clear that no matter the size of the organization, business leaders should have a plan. Small businesses are much more likely to fail during a crisis if they don’t have a business continuity plan, points out Clay.

“Business continuity itself is such an important topic regardless of the size of the business,” Collison says.

It is also clear that constant reviewing and adjusting are essential. “We used to update every two or three years,” Clay says, “but now we know this must be done every six months, with virtual updates being done continuously.”

Updating includes weeding out what is not essential/critical and constantly reevaluating that, according to Kelly.

The massive array of tools now available to businesses has made continuity planning a lot easier. “Technology has been a game changer in this space in that it supports collaboration, updating and testing better than it ever has,” Collison says.

These security leaders agree that the most important thing learned is the necessity of reviewing their BCP often and on a regular basis, not just every few years. It’s also essential to test the organization’s BCP by conducting annual exercises to reveal gaps or issues. This should include regular virtual testing as well.

Clay recommends asking the following questions:

• Have any key personnel left the organization or transferred to other areas? Does your plan reflect this and list new personnel?
• Do you have new vendors? Have you removed old ones?
• Have you added or discontinued any services or goods?
• Are all of your contact numbers and emails up to date?

No matter how quickly things are changing, business leaders who make time to document everything they do — to be able to assess the processes and update the plan — will set themselves up for success.