Photobank - Fotolia
The past nine-plus months of the COVID-19 pandemic have demonstrated the importance of considering people when developing a business continuity and disaster recovery plan. Many organizations have been dealing with new issues that are not always characteristic of more traditional disasters, such as storm-related outages and ransomware attacks. Employee illness, social distancing and long-term remote working have become major challenges in nearly every organization.
There are some key changes companies can make to their business continuity and disaster recovery (BCDR) plans to better accommodate people-based issues. By recognizing the challenges brought on by COVID-19 and taking them into consideration in an updated pandemic business continuity plan, DR teams can avoid being caught off guard in the future.
First, an organization must modify its current business continuity strategy to address the potential loss or unavailability of employees for extended periods of time. This includes situations in which people are working remotely and changes to employee physical and mental health could result in their unplanned absence or inability to perform their normal duties. Existing BCDR teams must be aware of their roles and responsibilities when dealing with not only operational issues, but also people issues.
The next step is to incorporate pandemic recovery planning activities as an integral part of BCDR plans. The days of a separate pandemic business continuity plan collecting dust on a shelf are over. Given the situation people around the world have been experiencing, it no longer makes sense to think of pandemics -- or other far-reaching health-related events -- as once-in-a-lifetime occurrences.
The ISO has a standard that addresses the "people aspects" associated with business continuity planning. ISO 22330:2018, Security and resilience -- Business continuity management systems -- Guidelines for people aspects of business continuity, provides "guidelines for the planning and development of policies, strategies and procedures for the preparation and management of people affected by an incident." The standard addresses four integral elements shown in the chart below.
In the coronavirus pandemic, technology preparedness was in generally good shape, especially as applicable to remote working. But organizations did not have plans and procedures in place for dealing with remote work. Many organizations -- particularly, federal and state governments -- established "telework" programs years ago to address the potential need for remote working in a disastrous event.
Regrettably, many nongovernmental organizations that established remote work capabilities were unprepared for a situation in which all or most employees would be working from home.
Many of those organizations have had to address and mitigate those deficiencies since the current pandemic hit. The challenge now is if employees can return to work, and, if so, under what new rules.
The ISO recommends both BC/DR and human resources teams work together well in advance of any pandemic-like situations.
The following is a list of people-related activities that can be part of a pandemic business continuity plan:
- Ensure a list of all accessible healthcare facilities, including hospitals, same-day surgery centers and walk-in medical services, is available and up to date.
- Create a list of service organizations that deal with specialized issues, such as mental health; family issues; alcohol and drug use; and legal, emotional, stress and other issues that could affect employee performance.
- Establish and document procedures to help employees mitigate issues involving stress, anxiety and other mental conditions, especially providing contact data for specialists who can assist.
- Employees should identify their primary and alternate emergency contacts, and human resources must include this data in all employee databases.
- Establish transition procedures if employees move to a remote working environment.
- Establish and document management procedures to invoke in situations where employees need to work remotely, and periodically conduct training for all employees.
- Establish and document communications processes for conference services such as Zoom and Microsoft Teams and ensure all employees know how to use them.
- If sheltering-in-place is indicated, document procedures and identify specific locations for people to relocate.
- Establish and document transition procedures for returning to work, with flexibility of implementation based on the nature of the event.
BCDR is about more than power outages and data recovery. Be sure to incorporate as many people-focused elements in your pandemic business continuity plan as possible.
Dig Deeper on Disaster recovery planning - management
Related Q&A from Paul Kirvan
This backup and recovery audit checklist offers a comprehensive group of controls and evidence examples to get you ready for the important process of... Continue Reading
Examine the major elements of an active archiving environment, including the kinds of data that you can use in one and resources to help with ... Continue Reading
With so many dangerous threats in the IT landscape, make sure you protect your data backups from the likes of corruption, unauthorized access and ... Continue Reading