Reimagining operational resilience in the aftermath of COVID-19
June 10, 2020
By John Beattie
Many organisations believed they were prepared to withstand a business disruption. Then COVID-19 arrived and the reality set in: They were not as ready as they thought.
As businesses begin taking careful steps to reopen the workplace and plan for the threats to come, both for the next couple months and the next couple years, there has been a renewed interest in operational resilience.
The world is different. Your resilience planning should be too. A resilience culture and agility, which extends beyond working remotely, will be key if you want to be ready for the challenges that lie ahead.
So, now’s the time to start focusing on the future state of operational resilience within your organisation.
Here are four areas you should consider while reimagining operational resilience in the aftermath of COVID-19.
Executive-level focus on resilience
The COVID-19 pandemic has exposed the shortcomings of many companies’ business continuity (BC), crisis management, disaster recovery (DR) and pandemic readiness plans.
Oftentimes, their check-the-box plans are high level and offer no actionable detail. They include out-of-date content, aren’t sustainable for long-term disruption (they focus primarily on short-term disturbances) and they don’t feature pre-event preparations and work acceleration strategies.
Additionally, COVID-19 has shown us that resilience is too critical to fall under the jurisdiction of a single department, as there are often gaps between disciplines that are siloed from one another. Investors and board members want to know that their company is resilient enough to withstand long-term disruption. Which is why resilience is now a C-suite issue.
As such, you must review your entire business resilience program and incorporate enhancements based on proven best practices and lessons learned from the pandemic.
Launch a working group within your organisation to improve and integrate each of the key business resilience disciplines to ensure you have a holistic program that can be called upon regardless of the situation. The disciplines include:
Site emergency management
Vendor risk management
Your business resilience working groups should also focus on internal and external concentration risk, contingency and disruption response planning, and preparing for future challenges that threaten your business.
With resilience “Czars” leading a multi-disciplinary team within your working groups, you’ll be ready to answer any questions from executives and the board about your organization’s preparedness for what comes next.
Third-party vendors’ business resilience
Cybersecurity and data protection have long been at the forefront of vendor risk assessments, but those are no longer enough. Now you also need to more thoroughly evaluate your third-party vendors’ business resilience capabilities.
Ask questions that go beyond the presence of a plan; you need to know whether they have an actionable and well understood plan in place, what they test and how they test it.
Touch on the “effectiveness duration” of different disruption response strategies (i.e., how long their plan(s) can withstand a disruption). You need to know that your suppliers have response strategies in place to overcome disturbances for 60, 90 or more days.
Make sure you evaluate concentration risk as well. Are your suppliers geographically dispersed, or are they all situated in the same region? Are the facilities and workers that support the products and services they provide you all located in the same area or in different regions?
Having all your eggs in one basket puts organisations at a major disadvantage if any of their vendors experience disruptions. That’s why lowering concentration risk should be a top priority for organisations, and that may mean diversifying your supply chain.
Disaster recovery effectiveness in the new normal
COVID-19 has challenged organisations to work beyond their normal workplaces, with a reduced workforce and with less than satisfactory service from third-party suppliers.
But in the broader scope of business resilience, organisations must also be ready to work in the aftermath of an IT disaster or a successful cyberattack that comprised data. As such, DR programs must be at the ready for both of these recovery cases.
Upon looking closely at their DR programs, however, many organisations are realising that their programs aren’t aligned with their rapidly changing production environments and that their test programs aren’t effective. And, in many cases, they’re unprepared to undertake a real DR effort while working virtually.
To make sure your DR program is up to date relative to your current working environment, pay extra attention to the following questions:
Can you recover while working remotely?
Can you verify recovery effectiveness in complex hybrid compute environments?
Have you addressed concentration risk within IT from a people and data center perspective?
It’s also important to maintain a regular testing schedule. Doing so will help you close any resilience perception gaps and allow you to iron out any issues before a disaster arises.
Readiness for a future pandemic
Many companies were caught flat-footed when the pandemic hit. The only way to prevent a repeat of that is to start planning now for the next outbreak.
Develop a pandemic readiness plan to monitor and manage significant potential and realised health threats. These plans should include:
Proactive and reactive actions to prevent or reduce the transmission of a health threat to personnel, contingent workers and visitors
Emphasis on maintaining essential business operations and support services while mitigating the business impacts of an outbreak
Response strategies for various scenarios in which business dynamics change
Internal and external communication protocols for general information updates and rapid dissemination of urgent announcements
Someone in charge of the response
By developing a pandemic management plan that addresses the entire lifecycle of an infectious disease outbreak – monitoring for it, preparing for it, responding to it and recovering from it – you won’t be caught off-guard.
It’s time to rethink resilience
Regardless of COVID-19’s impact on your business, the future of your organisations’ operational resilience is in your hands.
By addressing these four areas, your business will be more agile and better equipped to clear any hurdles down the road.