Business Continuity Planning is increasingly in focus as businesses implement and review their plans for COVID-19. From my experience of working in large complex organisations I’ve found a few elements to be especially important for organisations to focus on. These will also be relevant for smaller businesses but applied in a different way.
Establish what is mission critical
If you want to get business continuity right, it's really important that you understand what is truly mission critical. I think, quite often, people don’t work out degrees of recovery. For example, what can be done without for a couple of hours, and what can be done without for three weeks.
If you take an example of a clinical situation, which is where most of my experience is, then you might be able to tolerate losing access to records within an intensive care unit for a couple of hours. But you might be able to tolerate losing your financial management system for three weeks. Nobody is going to die if you don’t have your financial management system. Your suppliers might be a bit aggrieved that they are not being paid or your workforce might be concerned they’re not getting their annual bonus, but you can always run last month's payroll again, and you can always pay people on account. You can’t keep people alive indefinitely if you don’t have access to their clinical records.
Prioritise, agree and document
You have to look at the range of things an organisation has to do and get a sense of priority and, more importantly, get those priorities agreed with business owners. I've been in some horrendous situations where there was a detachment between the IT function and the business in terms of what is most important.
It’s about negotiating with the business in a very planned way. It’s too late to do that once things hit the fan. The conversation can’t take place in a crisis. It can only take place as a rational discussion within a planning period.
No matter the size of the organisation, the business continuity plan needs to be documented and signed off by the business. Smaller organisations often think this is a breeze, that if something happens, they’ll just move and work from home. Everyone will know from recent experience that you can work from home to a certain extent but there need to be adaptations.
Understand the interdependencies
The plan needs to be documented, tested, and communicated, and then it needs to be understood and practised at an individual component level. This is especially important because there's a whole range of new interdependencies which emerge in a business continuity situation.
If you take a hospital scenario, in the normal course of events, somebody in a hospital ward is sent for an X-ray, the porter comes and takes them down to the X-ray department and then brings them back, and half an hour later an X-ray report appears on a machine to tell the doctor what's wrong with the patient from a radiological perspective. But, if you don't have technology, or if you don’t have enough people to report these things and get it onto the technology, then interdependencies start to fail.
Manage the backlog
In my experience, any business continuity scenario leaves a backlog of data. This is obviously true for a technology incident, but it’s also the case when services or departments are not available or have been stepped down. With the best will in the world you're not going to get all your information to the point where it is real-time the moment the service is resumed. This is a key criticality because there are a lot of events that are sequenced.
If you take a financial management scenario, you can't pay an invoice before you've ordered a good. But during the downtime people may have been ordering goods over the telephone rather than the normal route. When the invoice comes in people are then trying to reconcile invoices to non-orders within the IT system. So, to bring everything into synchrony, it’s very important that people understand the sequence of events after the event.
What is overlooked?
Authority to act and a controlled cascade of actions are two often overlooked aspects of business continuity planning. It’s about ensuring that not only do you have a plan that’s well understood from a task perspective, but also that there’s a control room set up and that people understand who’s calling the shots.
During the largest outage I’ve been involved in we set up a Gold Command, the people who are in a central location with the authority to mobilise resources and make decisions. This team handed off to a series of Silver Commands which might be regional hubs or particular service department hubs, who then hand off to Bronze Commands which may be particular functions within these hubs. This means there’s a cascading of responsibility required during the event to make sure that a decision made at point A filters its way appropriately to points B and C and that there are no parts of the system operating in opposition to what has been decided. There needs to be a very strict order of command in a major business continuity situation.