The widespread appearance of Business Continuity and Disaster Recovery (BC/DR) planning was predominant during the 1980s and 1990s. The majority of large firms had them written and stored, usually created by consulting companies. These documents were static, mainly used to prop open doors, and never intended for any other reason than to meet a corporate standard.
9/11 changed that and a curious thing happened. Nearly everyone – even some of the largest affected firms – shot from the hip. Almost no one opened their BC/DR plans. They were outdated and, in a lot of cases, not at all helpful. After 9/11, firms took planning far more seriously, including developing formal processes and procedures tested regularly. Fast forward twenty years, and we are now starting to emerge from a pandemic and face the need to completely re-think BC/DR planning.
Business Continuity Planning (BCP) outlines what happens when an unthinkable “Black Swan” event occurs. How do you keep operations working the next day? A Disaster Recovery (DR) plan states what returning to “normal” entails. The problem is that we have a “new normal” that no current BC/DR plan has built-in or even considered.
Things have been strange in this pandemic. When we were all in offices, BC/DR plans meant (for instance) turning on the generator on the roof. What happens now? When is the “new normal” a hybrid working environment?
Firms aren’t dependent on a location they can control but instead depend upon thousands of employees working from home. Verizon FIOS. Comcast. That’s how many of your people now “go to work.” The world’s business environment is very fluid right now. We have to think in new ways about BC/DR plans. They are still critical but can no longer be static documents. We will live and work in a hybrid environment – in an office, remote, or another unknown situation. All of these factors now need to be considered.
At Enterprise Iron, our recommendation may seem a bit dramatic, but it is reasonable. Stop thinking about BC/DR plans as documents, and begin thinking of them as team processes, composed of people that must continually adjust to the world – thinking about what the next challenge might be, preparing on an ongoing basis. Almost every BC/DR plan written two years ago is mostly useless. Intelligent firms will adjust to this. What happens when the power fails in Texas or NJ, and half of your employees now work remotely? We still don’t know what the business environment will look like even a year from now. It most likely won’t be 100% back in offices. Depending mainly upon the industry and the firm’s size, a hybrid model (that firms are still fleshing out) is the most likely scenario, but the devil will be in the details.
What we are asserting is something new but necessary – an adjustment to a new world. BC/DR plans can no longer be seen as static documents with annual updates. They must be ongoing, flexible processes.
The Error of Planning Around the Past
Post 9/11, many of the adjustments to BC/DR plans focused on physical security as this was natural and understandable. When something shocking and unprecedented happens, the first reaction regarding BC/DR planning is, “We have to be prepared if it happens again.” For instance, the firm I was working for on 9/11 opened a hot-backup site in the southeast (hourly partial backups so basic operations could resume within an hour) and a cold-backup site in Denver (extensive backups in batches every night and full operations could resume in less than 24 hours), as well as the development of all the processes and procedures required to utilize that model.
Yet, the problem with “planning around past events” is that, while necessary, it is not sufficient. The fundamental nature of events that shocked us – at a scale that required significant changes to corporate infrastructure and operations – is that they came entirely out of the blue and caught us wholly unprepared. Two years ago, who, other than a handful of scientists, would have thought that a pandemic would emerge seemingly out of nowhere and infect, conservatively, over 200 million with loss of life tolling in the millions? Not to mention the severe disruption of both the public and private sectors globally, as new strains and resurgences have occurred for close to two years now.
For these reasons, static BC/DR plans designed around past events are no longer sufficient in today’s fluid and increasingly interconnected world. The post 9/11 adjustments made to BC/DR plans have us better prepared if another 9/11 happens, but they are virtually irrelevant to the pandemic.
BC/DR as Process
A vital aspect of the “BC/DR as Process” approach is the periodic effort attempt to discern the broad strokes of what may emerge as future threats. One of the characteristics of major, surprising disasters is that they seem to appear with no precedent and no warning. This is true at the level of detail, but that does not mean it is impossible to see potentials at a 30K foot level.
In hindsight, there were signals indicating a possible threat leading up to 9/11 as it took a lot of time to orchestrate. Our federal three-letter agencies (FBI, CIA, NSA, DoD, etc.) were insulated and siloed, so the dots were never connected in time. In retrospect, the signs were there, but we weren’t looking. The same event could not have been predicted, but evidence of planning undoubtedly existed.
Similarly, with COVID-19, the details and scale of this global pandemic took everyone by surprise. However, signs that the potential was lurking were evident in the epidemics in the last couple of decades. SARS (China, 2002); H1N1 (US and Mexico, 2009); MERS (the Middle East, 2012); Polio (a disturbing uptick in the Middle East, 2014); Ebola (West Africa, 2014); and Zika (Americas, 2015).
While these viruses and diseases spread to multiple countries and populations, luckily, they were largely contained geographically. The combination, however, of the periodic epidemics with the explosion of global travel in the past decade (making containment much more difficult) meant that while the details of COVID couldn’t be seen, the potential for something this global certainly could be for anyone that was looking.
Almost by definition, it isn’t possible to predict the exact nature of Black Swans. Still, it is sometimes possible to get a reasonable idea from which direction they’ll be flying in.
We know a lot more today about COVID-19 than we did a year ago and governments and businesses are making real progress in their handling of the pandemic. Every nation has been trying to solve two often contradictory goals: containing the spread of the virus while minimizing the damage to economies. No one has fully cracked that code, but there are reasons for hope.
Vaccination levels are increasing. Resurgences are being addressed far more rapidly and are often contained at more local levels. We are getting a much better handle on what businesses we can open and how to open them safely. While a lot of progress has been made, the pandemic is likely to be with us for some time, with ramifications likely to morph into different, unanticipated directions.
The fundamental purpose of BC/DR planning is to answer the question “what if?” and to do so by extrapolating potential future scenarios from current conditions. The pandemic is a “disaster,” albeit (unlike 9/11) a slow-moving one. Corporations have had to expend so much energy just maintaining daily operations in this perpetually changing business environment that few have updated their BC/DR plans, let alone adjusted how they think about the planning process itself. Intelligent companies will do both.
In Part Two of this series, we will discuss the second major current threat: Hacking and Ransomware. Our view is that they should be elevated from IT Security and Risk Management departments where they currently sit and become embedded in BC/DR planning. Stay tuned.