Observations About the State of Business Continuity
Agility recently hosted a webinar with implementation manager Alexa Grose and sales director Warren Mullis about what they have seen change within business continuity in the last year.
Biggest Changes in Business Continuity Within the Last Year
Alexa: There is a broader knowledge of business continuity in general; more people understand that when something like a pandemic happens, they need a plan in place. More clients from all backgrounds are coming to us wanting to learn about how to get started.
The power of automation has never been more apparent, either. People had huge documents created years ago that were never touched again, and they didn’t know where to start with updating. You can easily change one section with a more automated program and see those updates automatically populated everywhere.
Warren: Organizations got used to work-from-home and people relocating, which led them to change their business continuity plans, procedures, and testing. When some of the severe storms last year knocked remote employees offline, companies realized that there were still challenges with work-from-home. Employees needed to be able to pick up and work somewhere else if they were affected by weather or outages or needed to bring something to their home to supply power and connectivity.
Advice for Those Looking to Start Planning
Alexa: When someone comes to me saying they got handed this project by leadership and feel lost, I ask them what they do every day. What’s critical that you do every day that your business wouldn’t be up and running if you didn’t? What departments and processes are in place? Define roles within the company and make sure everyone knows who is responsible for what.
Warren: Include multiple business leaders. Business continuity used to live in IT or operations, but you need to look at it holistically. This isn’t disaster recovery; it’s recovering the whole business. You need everyone’s help.
The Future of Business Continuity
Warren: There’s job security in business continuity. Overall knowledge around business continuity is drastically increasing as companies look at risk profiles and comfort levels around interacting with outside vendors. States are beginning to adopt rigorous regulations (New York is a good example), like conducting annual business impact analyses and tabletop tests and requiring due diligence questionnaires (DDQs) and cybersecurity questionnaires from third parties. These programs will continue to get beefed up as organizations realize they can’t depend on an old plan that hasn’t been updated in years. They need to take business continuity seriously.
Alexa: Everyone wants to see your organization’s business continuity plan. If you have a prospect or client who asks for it and you don’t have one, they’ll see that as a red flag. That’s even for industries without requirements. With the pandemic, people were caught unaware. You can’t be too prepared – start now before the next incident occurs.
Business Continuity Plan Update Frequency
Warren: At a minimum, every organization needs to update its business continuity plan annually. We’re in one of the biggest hiring frenzies, leading to high employee turnover. Make sure also to update your plan after a test – you’ll learn that you may need to change procedures, not just people and systems.
Alexa: Update any time after completing a test. That’s why you test – to find gaps. Run through your plan quarterly and update any employee changes; account for new vendors and processes.
Key Lessons Learned During 2021
Alexa: As much as you plan, you can’t plan enough; the unexpected will always happen. The biggest key is learning to adapt. Don’t focus on the cause of the impact but its impact. What are your continuity operations no matter what? How do you stay above water and get things done? It’s essential to adapt to an ever-changing environment and ensure everyone has that awareness.
Warren: We can’t keep focusing on threats. There will be a disruption – organizations must define and plan for results like the loss of technology, third-party vendors, infrastructure, and people.
The awareness of needs has increased. There’s more emphasis on working with vendors with work-from-anywhere; there’s a higher dependence on the cloud and SaaS-based platforms. Make sure you have redundancies and hard copies.
Advice for Business Continuity Peers
Alexa: Test! You need to test. You might “know” it’ll work, but you need to test. Just because you have a process doesn’t mean that process works.
Assess your communication chain. Ensure people know if they’re going to be a go-to person when an incident occurs and that they’re included in the test. Don’t surprise them. Unless people know they’re included in plans and what they’re responsible for, the plan is worthless.
Warren: Test using different scenarios and threats with a multipronged approach – for example, a blackout that occurs causing an IT outage. Many clients do the same incident year after year and don’t take it seriously; you need to try different things.
Get your plan out in front of others in the business. Recency bias may prevent you from seeing shortfalls, but you’ll create unique opportunities to improve your plan by getting out of the operations and business continuity departments.
Look for areas within the plan with a single point of failure – one person or system you depend on for a process. You want to be able to pivot to a secondary and tertiary resource. Many clients in Q1 want multiple threats – a tornado and a cyberthreat, a power outage leading to loss of IT.
The Best Way to Communicate with Staff
Alexa: It’s a mix of everything. Don’t just ever have work emails, personal emails, or mobile phones. How much information can you get? Do you really care if you’re sending a message to multiple devices in case of an incident? Not everyone checks or has access to work emails outside of the office. Emails are not the best way to communicate. How many unread messages do you have on Slack or another messaging app? You can’t communicate that way during a disruption.
Blind Spots During Planning, Testing, and Recovery
Warren: The most significant blind spot is having only one person responsible for recovery. You must have secondary and even tertiary people, preferably who are geographically dispersed.
Within companies’ work-from-home strategies, companies don’t always account for significant geographical disruptions, blackouts, or cyber threats that will take big systems offline. Identify and supply your critical employees with things like a DIY kit with a battery pack that can power a laptop and cell phone and a hotspot that can run independently of Wi-Fi. Find areas outside employees’ homes that they can go to and continue working.
Alexa: Recovery strategies aren’t one size fits all. Work-from-home might not be doable for all departments or processes. Losing access to an office for a day requires a different recovery strategy from the office crumbling to the ground.
Have an open mind – you may need to dig deeper. You can’t overplan! Have something in place for different recovery strategies.
Greg Tillotson (test & declare manager): With testing, many clients don’t explain why they’re testing – they do it to check a box. You need to get something out of every test. Have defined objectives; use the test to get people on board and raise awareness of your plan.
Common Objections to Testing
Alexa: Clients don’t know where to start or who to go to to help them test. People don’t know the first steps to take.
Warren: Clients don’t know how to test. They may have imposter syndrome; they’ve never collected this group of stakeholders together and walked them through their plan.
Changes in Testing Strategies and Gaps
Warren: Testing has gone almost fully remote the last couple of years. There has been an increase in organizations bringing in third parties and technology to support their efforts. Traditionally they’ve worked through a paper document, but now people are using incident management programs to get real-time visibility into their plans. That gives them more feedback on areas to adjust.
Alexa: There is more participation now that tabletop tests have moved to virtual. People tend to interact more since the plan isn’t all on a piece of paper. In terms of gaps, now that many have and use software, they learn during tests that they don’t have the right people trained or aren’t taking advantage of new enhancements to the tools. Virtual testing also takes away a lot of the COVID risk and the costs of in-person testing.
How Work-from-Anywhere Has Changed Business Continuity
Alexa: The communication piece has changed a lot thanks to work-from-anywhere. You can go to someone’s desk and rally people during an incident when you’re in an office. In a work-from-anywhere environment, people struggled with whether and how to contact colleagues after hours. Organizations were reminded that they still needed a business continuity plan, even when employees were remote. Many offices shut down central locations that had been part of their plans during COVID and never updated the plans.
Warren: Have a backup for work-from-anywhere. Work-from-anywhere has changed the systems, people, and processes we depend on, and redefined realistic RTOs. At the beginning of the pandemic, organizations weren’t making massive changes to their business continuity plans because it seemed like COVID would end quickly. Now, organizations realize this is the new normal, whether that’s hybrid or going back to work or going fully remote, so they need to look at their entire plan from the beginning – or even redo it. Look at the whole plan holistically and make sure you’re making changes to address the new normal.
Challenges Organizations Face
Alexa: Customers are trying to determine what they need to have compared with best practices. A customer may ask for one thing, and regulations require another. There are also significant privacy concerns.
Our customers are looking for advice, consultation, and best practice sharing to know they’re doing what they need to.
They’re asking questions about what templates they need to have saved for crisis communications and who should have the capability to send alerts company-wide.