"For Best View, Please Open this Website on Laptop / Desktop Or Mobile"

Search
Cancel
05 June 2020 / WHITE PAPER

Business Continuity After COVID 19

Application Controls Audit

Here's a few changes your BCP needs- explained by our Business Continuity Expert Atique Ur Rahman Shaikh explains.

WHITE PAPER

Introduction

An organization's business continuity plan focuses on the stepwise process to recover operations from a disruptive incident. If an incident has a high or significant adverse impact on the Organization's business-critical processes and human resources and the organization finds it challenging to continue operations, then activates its Business Continuity plan.

When an organization plans its BCP in terms of unavailability of Premise, usually the approach is that if the Primary site is inaccessible, operations would be resumed from alternate site. In the current pandemic, however, the premises were available, but people could not travel to the premises rendering the BCPs ineffective. What are the key areas that an organization should re-look at, with learnings from COVID-19?

Below are the key points:

  1. Trigger point for events

  2. Response plan for such events

  3. Communication plan 

 

Incident Response

Most organizations have a documented Incident response process that follows well defined steps such as incident detection, reporting, communication.

                                                                                         

 

 

 

 

 

 

 

Fig. 1

Any unplanned event that disrupts normal business operations and/or damages infrastructure is considered an incident.

Post detection of an incident, the organization follows an ‘incident response plan’. If the impact is low or moderate and the organization can continue operations within defined RTO timelines, the BCP is not invoked. If the impact is high, or it may take more time than defined in the RTO then the BCP is invoked. Note here that the invocation of BCP is preceded by an incident that is somehow disrupting the normal operations.

 

What should change?

Considering the current pandemic COVID-19, that has caused unavailability of Premise inspite of the premise being there, the old flow of BCP invocation is not effective. It is not an ‘incident’ that is disrupting the active operations.

Here the case should be different from the old incident flow. A pandemic is an event that ‘may’ cause disruption of operations. The BCP needs a trigger before an incident!

The response to such event would be different from response to an incident.  It will include an action that Risk Quotient calls ‘Disruption preparedness.’

Disruption Preparedness

                               

 Fig. 2

Disruption preparedness is preparing for potential disaster to reduce the impact on organization’s critical process. When the pandemic was rapidly spreading across geographies, causing complete lockdowns in cities, organizations’ top management had the time to consider this threat. They started to proactively look out of alternative in case working from premise was not available. These alternatives may or may not have been a part of their existing business continuity plans. They had the time to get data from their IT teams about VPN options and Laptops / Desktops. They also had the time for HR team to communicate with employees about the upcoming plan to work from home and trigger the Emergency response. 

Changes in BCP

The biggest shift in business continuity thinking is the existence of a time for preparation between the incident and the disruption.

Create a separate section documented on Disruption preparedness considering the following points:

  1. Identification trigger points for such events.

For events like as heavy rains, floods, pandemic, etc. Identify what will be the trigger points for such events. There can be different trigger points which is event specific. For Pandemic, it can be communication from Management team and for floods it can be warning from local authority. Determining such kind of trigger helps for efficient response to such incidents.

  1. Response plan for such Incidents.

Incidents that directly do not affect operations but can cause disruption in the future need not be addressed in the Organization’s incident response process/procedure. For such types of incidents, there should be a documented plan. It can be part of an Incident response procedure or it can be included in the Business Continuity plan itself. Respective stakeholders should be aware of such a response plan.

  1. Communication plan to be updated accordingly. 

Communicating with internal and stakeholder during disaster or post-disaster is an important element of the response and recovery plan. Communicating before potential disruption should also be part of the response/recovery plan