In the middle of a global pandemic, organizations around the world are at different stages of recovery. While some businesses may be in the reopening phase, many are still in the planning stages of resuming operations. No matter what stage your organization is in, pandemic recovery planning can and should be top of mind.
Maybe pandemics weren't given much attention in your previous disaster recovery plan. In the past few years, natural disasters and ransomware seem to have overtaken DR planning, and disease outbreaks weren't typically listed as potential threats. While you cannot change how your organization responded to the COVID-19 pandemic, you are now armed with the information to create a thorough plan in the event of a future outbreak.
There is a lot of overlap between a pandemic plan and a general DR strategy, but processes and tools can be tailored specifically to pandemic recovery planning. The terms below are likely to come up in the planning process, and many of them can apply to different disruptive events. Something similar to a business impact analysis (BIA) should be done for all potential disasters, but the effects of a hurricane are vastly different from those of a disease outbreak. While you may be familiar with all of the terms, it can be helpful to view them again in the context of a pandemic.
Types of plans
Pandemic plan. Odds are, this is high on your list of disaster recovery priorities right now. In many ways, a pandemic plan is similar to a general DR plan and is often included in preparation guidelines as a recovery scenario. However, a rise in ransomware attacks and natural disasters over the past few years may have pushed pandemic planning to the back burner. Including a section for pandemics in your DR plan may be sufficient, but a separate plan may enable more targeted testing and preparation. Viruses can affect people in different ways, such as the way they spread, how contagious they are and how severely they affect those who fall ill.
As we've seen with the coronavirus, it's not just people who show symptoms who can no longer come into the office. A pandemic plan must also include social distancing measures and remote work plans.
Crisis management plan. Along with pandemic preparation and recovery, crisis management is an integral part of dealing with an ongoing pandemic and its aftermath. Like a pandemic plan, a crisis management plan overlaps with general DR planning, but it also focuses on how the organization deals with issues such as workflow, profitability, reputation and public relations. Communication, media management and post-crisis maintenance should all be covered in a crisis management plan. Crisis management must be consistent and easily integrated with DR and pandemic plans to ensure that all bases are covered.
Elements of a pandemic plan
Business impact analysis. This is a critical piece of any recovery plan and is a powerful tool when dealing with a pandemic. An internal or third-party team conducts a BIA to provide an in-depth look at how different disasters will affect operations in an organization. BIAs are used for business continuity planning and can uncover weaknesses in an organization's business continuity and DR (BCDR) strategy.
There is no one set of universal standards for a BIA, but a completed analysis typically includes gathering information on business processes and resources from employees knowledgeable about the company. The team conducting the BIA makes a report of those findings and submits it to senior management, who can then act on that information, if necessary. Information discovered in a BIA may include certain risks an organization is vulnerable to, how deeply the organization will be impacted by particular risks and advice for repairing those vulnerabilities. Your BIA findings should directly inform your DR and pandemic planning. Be sure to update your BIA after a disaster, taking into account what the organization excelled in and where it could use improvement.
Crisis communication. A key part of crisis management, crisis communication ensures that anyone who needs to know the status of the organization in a disaster is informed in a timely manner. In a pandemic, crisis communications may include telling employees to stay home, distributing remote access information or informing on-site personnel if someone within the organization has been exposed to the illness. With COVID-19, precautions and policies change rapidly, especially in the early stages. It is critical to have an efficient, reliable and rapid way to communicate important information to relevant personnel.
According to Ready.gov, this can include customers, employees and their families, media, the neighboring community, company management and investors, government officials and other authorities, and suppliers. Common methods of crisis communication include call trees and emergency notification systems, which automatically send information via email or text messages.
Tabletop exercise (TTX). One way to get practice in unprecedented scenarios is by conducting a tabletop exercise. A TTX enables a disaster recovery team to run through a disaster scenario from start to finish, ensuring there aren't any gaps in the DR plan. With a pandemic, a TTX is an excellent way to run through a plan before disaster has struck, because it goes through emergency communications processes with staff, as well as with any outside organizations you might need to contact in a pandemic. Tabletop exercises should be a part of your organization's DR testing strategy, because they also assign leadership in the event of a pandemic recovery and get the necessary parties involved and aware of their responsibilities.
ISO standards to know
The International Organization for Standardization (ISO) has numerous standards for business continuity and disaster recovery. These universal standards can serve as a reference when building a BCDR plan, and, while no two organizations are alike in their planning, ISO standards can set some basic guidelines to meet to ensure your organization is covered. Standards that may be helpful to reference in a pandemic include the following:
- ISO 22301:2019, Security and resilience -- Business continuity management systems -- Requirements. This standard provides details on how to use a business continuity management system (BCMS) and activities to perform to meet compliance requirements. ISO 22301 can serve as a helpful reference when creating a customized annual schedule of BCMS activities specific to your organization.
- ISO 22330:2018, Security and resilience -- Business continuity management systems -- Guidelines for people aspects of business continuity. While ISO 22301 addresses the compliance side, ISO 22330 addresses the people involved in a BCMS. In pandemic planning, the people are a critical element of the plan, from internal staff to the public. Reference this standard when training staff, managing the response of the company and considering what recovery might look like for the people affected, not just the business. This may include ongoing support for employees who are ill, injured or dealing with trauma following a pandemic.
- ISO/TS 22317:2015, Societal security -- Business continuity management systems -- Guidelines for business impact analysis. This standard can provide helpful guidelines when creating or updating your organization's BIA. While there is no universal requirement for what a BIA should include, this standard outlines what makes a BIA successful and why it should be updated often.
The ISO 9000 family of standards can also apply to a pandemic planning scenario. This group of standards covers quality management for many different industries and types of organizations and may be the most widely used set of ISO standards. In pandemic planning, the ISO 9000 family of standards can help ensure your organization is still meeting compliance and regulatory requirements while working remotely or with reduced staff and resources.