By Paul Kirvan, CISA, CISSP, FBCI, CBCP
Pandemic plans differ slightly from traditional disaster recovery and business continuity plans in that they focus more on people and somewhat less on technology. Each type of plan provides a structured approach for responding to situations that threaten an organization's ability to sustain operations. Considering the health threat to employees from by a pandemic, a carefully designed pandemic recovery plan can help the firm remain viable, even with a reduction of staff. This article and SearchDisasterRecovery.com's free downloadable pandemic planning template provide an effective starting point.
The Centers for Disease Control and Prevention (CDC) has indicated that an H1N1 (swine flu) pandemic is threatening the U.S. population. The number of H1N1 cases continues to grow, as does the number of deaths attributed to the virus. Supplies of H1N1 vaccine have been slow to appear in appropriate quantities, but they are expected to improve later this year and into 2010.
In this guide on using a pandemic template, you'll learn what you need in a pandemic plan for your business and what to put on your pandemic planning checklist. To get started, read our guide, and then download our free pandemic plan that can be customized for your business.
A GUIDE TO PANDEMIC PLANNING FOR BUSINESSES: TABLE OF CONTENTS
How to build a pandemic plan
Pandemic planning questions
Pandemic planning checklist
Pandemic planning best practices for your business
Reviewing the pandemic planning template
Exercising the pandemic plan
When building a pandemic plan, the principal concern is availability of staff. Employees who contract the H1N1 virus may not be able to perform their daily activities for a few weeks to possibly a few months. Begin the process by completing a risk assessment that identifies critical company operations, and the systems and the staff needed to support them. Next, prioritize the business functions in terms of the most critical to the organization's survival. In collaboration with your human resources department, identify the employees who are deemed most critical to supporting critical business functions.
Given the potential lead time to respond to an H1N1 outbreak (e.g., three to five days incubation period before the disease presents itself), the number of employees initially infected may be low, but could increase quickly.
Download our free pandemic planning template
Pandemic plans are a combination of 1) preventive measures, e.g., hand cleaning stations throughout the building, availability of face masks, and 2) active response measures, e.g., replacing absent employees with healthy staff who can perform the same functions. An important strategy for achieving the latter goal is to cross-train employees in multiple functions within their business units. In addition, access to detailed step-by-step procedures for recovering disrupted systems and networks can help backup staff recover and resume normal operations.
The goal of these processes is to minimize any negative impacts to company operations attributed to loss of staff through illness. A comprehensive pandemic plan includes primary and alternate supplier contacts; sources of medical supplies; contact information for all employees as well as stakeholders, customers, and key supply chain vendors. Finally, it includes a logical sequence of action steps that ensures employee heath is protected and critical operations are maintained.
The following are some additional issues to consider. Some are more effectively handled at a higher level, such as state departments of health, while others ought to be part of your own pandemic readiness program.
- At what point would you consider quarantines? For example, if someone comes to work exhibiting flu symptoms, he/she should be sent to a local hospital emergency room for observation and testing. If an appropriate health facility is not readily available or nearby, it may be necessary to isolate the person in a separate room away from other employees until transportation can be arranged. Regular review of messages from the CDC and local authorities should be maintained to determine the status of the disease and its spread. If the spread seems to be increasing, e.g., several employees have called in sick or have tested positive for H1N1, it may be time to activate a "reduced staff business model" and send most employees home, other than those designated for reduced operations support. Ideally, company leadership should have such a discussion well in advance of an actual outbreak to decide how/when to shut down operations. Closing the doors is the last activity to do.
- At what point would you release antiviral stockpiles? Large companies may stockpile vaccines if they can afford it, have sufficient space and can actually obtain doses. Most other companies are not likely to stockpile vaccines. Err on the side of caution in stockpile situations. Release stockpiled doses of the vaccine as soon as the first verified case is reported.
- How big should stockpiles be? Assuming that only a single dose of the vaccine is needed, stockpile one (1) dose for each employee per location.
- How quickly can you get to them? If they are stored on site, distribution can be almost immediate. If not, use of an overnight delivery service is advised. If on site storage of vaccine is not available, the time to get doses could be anywhere from the same day to a week or less.
- What steps are being taken to detect new cases?
- What travel or trade restrictions are you considering or implementing?
- What step-by-step preparation and action plan do you have?
- What organizational response team roles and responsibility have been assigned?
- What succession planning actions have been arranged?
- What cross-training activities have been arranged?
- How easily can employees work from home?
- What safety guidelines have been prepared?
- How is information on the current situation being communicated to employees and clients?
- What human resources and facility planning policies and procedures have been established for a flu outbreak?
The following is a suggested sequence of plan development activities.
- Establish a pandemic recovery team (PRT); it is charged with plan development and coordinating the organization's pandemic response.
- Have the PRT meet with human resources, senior management, internal technology groups, and disaster recovery, business continuity and emergency response teams to establish the scope of the plan.
- Brief business unit as well as senior management on these meetings so they are properly informed.
- Gather all relevant employee information, e.g., contact information and skills inventories.
- Gather all relevant business process information, e.g., critical activities that must be maintained.
- Gather information about the technology infrastructure that supports these processes.
- Obtain copies of existing business continuity and disaster recovery plans.
If copies of existing business continuity and disaster recovery plans do not exist, proceed with the following steps:
- Identify what management perceives as the most critical business activities.
- Identify what management perceives as the most critical IT assets, e.g., call center, server farms, Internet access.
- Determine the maximum outage time management can accept if the identified business processes and IT assets are unavailable.
- Correlate the employee data to the critical business processes and technology assets.
- Identify situations where a single person is responsible for a critical function, and identify possible backups.
- Identify the operational procedures currently used to respond to critical outages.
- Determine when these procedures were last tested to validate their appropriateness.
- Identify emergency response team(s) for all business functions and the technology infrastructure; determine their level of training with regard to critical processes and systems, especially in emergencies.
- Identify opportunities for cross-training of staff potential to prevent gaps in coverage.
- Identify vendor emergency response capabilities; if they have pandemic response plans and when they were tested; impact of a pandemic on contract obligations; presence of service-level agreements (SLAs).
- Compile results from all analyses into a gap analysis that identifies potential staffing issues associated with critical business functions and technology assets, with recommendations as to how to achieve the required level of preparedness, and estimated investment required.
- Have management review the report and agree on recommended actions.
- Prepare pandemic recovery plan(s) to address critical business functions, facilities and technology assets.
- Conduct tests of plans, employee backups and system recovery assets to validate their operation and effectiveness.
- Update pandemic plan documentation to reflect changes.
- Schedule next review/audit of pandemic recovery capabilities.
Keep in mind the following best practices for your business:
- Senior management support: Be sure to obtain senior management support so that pandemic plan goals can be achieved.
- Take the pandemic planning process seriously: If the H1N1 virus continues to spread; it could affect your organization sooner than you think. Your pandemic plan doesn't have to be dozens of pages long. Plans simply need the right information, and that information should be current and accurate.
- Keep it simple: Gathering and organizing the right information is critical.
- Review results with business units and technology groups: Once pandemic plan is complete, review the results with business unit and technology leaders.
- Communicate the program with all employees: Also advise key customers, supply chain vendors and stakeholders of your program.
- Be flexible: The suggested template in this article can be modified as needed to accomplish your goals.
Next, we'll examine the table of contents from the pandemic planning template, indicating key issues to address and activities to perform.
- Statement of Intent: This sets the stage and direction for the plan.
- Policy Statement: Very important to include an approved statement of policy regarding the provision of pandemic recovery services.
- Objectives: Main goals of the plan.
- Key Personnel Contact Information: Locate key contact data near the front of the plan, as it's the information most likely to be used right away.
- Plan Overview: Describes basic aspects of the plan.
- Emergency Response: Describes what needs to be done following the occurrence of pandemic cases.
- Pandemic Recovery Team: Members and contact information of the pandemic team.
- Emergency Alert, Escalation and Pandemic Plan Activation: Steps to take through the early phase of an outbreak, leading to activation of the pandemic plan.
- Media: Tips for dealing with the media.
- Insurance: Summarizes the insurance coverage associated with a pandemic outbreak and any other relevant policies.
- Financial and Legal Issues: Actions to take for dealing with financial and legal issues.
- Pandemic Plan Exercising: Underscores the importance pandemic plan exercising.
- Appendix A: Suggested Pandemic Recovery Plan Forms: Ready-to-use forms that will help facilitate plan completion.
Perhaps the most effective way to test a pandemic recovery plan is through tabletop exercises. The following is a list of items to cover at such an exercise.
- Gather key members of the pandemic team and other relevant teams, including human resources, facilities, emergency response, and disaster recovery and business continuity.
- Review the healthcare and preventive measures in place and those that need to be added.
- Review impacts on company facilities.
- Review impacts on the organization's key business functions, who currently supports them and who can back them up if they are unavailable.
- Discuss efforts to provide cross-training to employees who may be designated as backups.
- Discuss succession planning to minimize any leadership gaps.
- Discuss communications activities, both internal and external, that ensure employees have all relevant information about the pandemic and key external organizations know how the company is responding.
- Address supply chain concerns by reviewing key suppliers and how they plan to provide a pandemic response.
- Determine which supply chain firms should be part of a joint discussion on cross-organization pandemic responses; schedule meetings to address these issues.
- Identify where additional support, training, resources and funding are needed; secure these resources.
- Update plan documentation as needed.
- Schedule follow-up tests.
Considering the investments businesses make in their IT infrastructures, all businesses should also invest sufficient time and resources to protect those investments from unplanned and potentially destructive events. This article/template will help you get started on developing plans to protect and recover your critical IT infrastructure assets following such events.
About this author: Paul F. Kirvan, FBCI, CBCP, CISSP, has more than 20 years experience in business continuity management as a consultant, author and educator. He is also secretary of the Business Continuity Institute USA Chapter.