In a completely unscientific survey ITBusiness.ca conducted for this story, at least four out of five public and private sector organizations said they believe one size fits all when it comes to business continuity plans.
That won’t work when it comes to adequately preparing for the pandemic, according to Gartner Inc.
“We simply believe no matter how elegant or complete they (business continuity plans) may be, they simply will not be adequate for the unique nature of the pandemic,” said Ken McGee, vice-president, research, at Gartner, in a recent Webinar.
Most BCPs are predicated on the assumption an organization will need to respond to a specific event, such as a power failure on the West Coast or an earthquake in Asia, so if something occurs in area X, you have backup in area Y.
“That is not how the pandemic will behave,” he said. “A pandemic will pose a situation BCPs were never engineered to address.”
Unlike traditional disasters that are geographically specific, a pandemic will be worldwide in scope, will unfold rapidly and will have a much greater effect than an earthquake or a tsunami, as devastating as those events are.
McGee, who says the first step organizations should take is to arm employees with everything they will need to know in order to protect themselves and help keep the organization running, says it’s also essential for businesses to ask their suppliers for copies of their plans as well.
“If they are not adequately engineering their plans to meet your needs, that requires a sit-down,” he says.
McGee also advises organizations plan now to ensure employees are able to work from home. If there are travel restrictions, a sudden wave of hundreds of thousands of employees trying to access the Internet could, he says, reveal “some very real truths about the laws of physics and traffic engineering,” in that residential networks were not designed with a pandemic in mind.
“We’re recommending that organizations directly oversee the installation of wide-area network facilities to the home of the most critical people and if they don’t yet have broadband capability, oversee the installation. If they have it, oversee the installation of backup broadband capability, particularly for senior executives.”
McGee recommends that organizations negotiate preferential terms with video-, audio- and Web conferencing providers — now, not after a pandemic is declared.
“The point is to do it now to create the terms and conditions and come to closure on those conditions,” he says. “In the event a pandemic takes place you will be able to invoke these rights to a vendor to whom you have already paid insurance-like premiums. The pandemic will take about 21 days and you’re just not going to have enough time to make those arrangements.” As well, he adds, if you’re going to use conferencing as an alternative means of communication, have dry runs now and work with your clients and customers so you’re not struggling to become familiar with it after the fact. “And get satellite phones for executives – they have a fiduciary responsibility to maintain the business.”
One vendor that is providing that kind of insurance policy type of service is Toronto-based Route1 Inc., which recently announced its SAFE (simplified access for emergency) Response solution to help organizations prepare for a potential pandemic.
CEO Andrew White says the service allows users to pay US $19.95 a month to keep the vendor’s MobiKEY service on standby.
MobiKEY, which is a USB token-based device that maintains digital certificates for specific users, enables users to access their desktops directly and securely from anywhere. The software from the host computer is loaded off the key into the memory of the guest computer, and the user is able to manipulate his or her desktop in real time.
“The desktop I want to connect to is what is originating the transaction, so unlike the typical scenarios today with a VPN or other solutions where I have to initiate the transaction through the firewall to get to my computer, it’s my computer on the inside coming out to find me,” says White. “The encrypted session is application to application, so it’s not like I’m opening a tunnel from my guest computer back to corporate network. If there’s any sort of malware on the computer I’ve plugged into it is impervious to it; you can’t transmit anything, so it’s a very simple secure mode of remote access for the enterprise.”
Route1 developed the SAFE Response service because customers were saying they needed a backup plan but they hadn’t been able to find a single, safe, economic solution that would address all their remote computing needs, White says.
“One company in particular has a pandemic planning committee, and what they’ve been doing is saying what’s the technology and how are we going to deploy it,” he says. “They’re looking at technology from five different vendors to be able to cobble something together but they still have all these other issues.”
The challenge with VPNs is businesses that install them on employees’ home computers have left themselves vulnerable to viruses and other security issues, he says.
“So then they went out and bought a bunch of laptops and locked them down and gave them to the employees and said, ‘here’s how you’re going to connect,’ but then you’re paying for the laptop and doubling up on operating systems,” White says. “Furthermore, you’re leaving a lot of sensitive data on those laptops, and every week there’s another story of some large company or government agency losing a laptop with highly sensitive information on it.
One of the alternatives large organizations might consider if they haven’t already is to arrange for data centre services, says George Kerns, president of Fusepoint Managed Services Inc. in Toronto. “If there’s a problem in their data centre, our data centre would take the work load from them,” he says. “We have the technical skills and we operate on a 24×7 basis to leverage their entire infrastructure. If their facility were damaged or they just couldn’t get into it or whatever’s going on we have the ability for their workforce to work remotely from our facility – not the entire workforce but key members of their staff to keep the infrastructure running.”
Kerns says many organizations may have a disaster recovery playbook that they keep on a shelf and “maybe test it once a year and then are keeping their fingers crossed.”
Those organizations are in for a nasty surprise, he warns.
“I think those people are a little naïve. They don’t realize how tough it’s going to be if they have a problem as opposed to the ones that have already engaged a service provider.”
If your organization hasn’t even gotten to that point – of having a BCP to dust off at least once a year – IBM has stepped up the plate. Big Blue recently announced its contingency planning assessment (CPA) tool, a service designed to provide an independent review of an organization’s pandemic response program based on best practices, government, World Health Organization and the Centers for Disease Control and Prevention guidelines, as well as its own experience in the crisis management field.
Richard Cocciara, chief technology officer for business resiliency and an IBM distinguished engineer, says customers have been trying to figure out what a pandemic would mean for their continuity plans.
“We quickly realized this is going to be different than what we’ve normally seen in the past with disasters,” he says. “Where they’ve been locally focused and infrastructure-based, this is going to be human capital-based, so we realized a lot of our clients when putting together business continuity and crisis management plans had always assumed they were going to deal with an infrastructure disaster and hadn’t thought about the human capital disaster. We thought we should look at what is going to be needed to prepare for that.”
IBM offers a high-level, report card type of assessment mostly for small and mid-sized business that looks at whether or not an organization has continuity and communication plans in place and if it has identified critical resources, as well as a more in-depth analysis for government and enterprise that drills down further into the critical elements of a pandemic plan.
“We don’t want them to create something that’s one-off, we want them to create something that integrates into what they already have.”
IT will play a huge role not just in deploying and maintain the technology to help an organization get through such a crisis, but also in the ability to track and manage human capital – whether employees are reporting in and what their condition is, he says.
“But you also might have to change some of your current work processes because if you don’t have the ability to allow a department to work together as they have, say as one office, you may have to change the way that department works business process-wise, so technology can help in that.”
And while it’s hard to imagine any silver linings to an illness that could potentially kill millions, businesses actually can learn a lot and benefit hugely from the process of pandemic planning, notes Cocchiara.
“When you start looking at things differently the norms start to break down,” he says. “Then people are open to change. When people accept the fact they’ve got to change, then they do kind of free themselves from the boundaries they’ve had before and they start to think up new things. It becomes like a snowball rolling down the hill where it picks up more momentum and more ideas.”