CIO strategies for COVID-19 require new long-term IT planning COVID-19 radically refocuses CIO agendas in 4 key areas

Steps to building a pandemic business continuity plan

Your business continuity plan may address some concerns that come along with a pandemic, but COVID-19 has emphasized the importance of having remote work as part of it.

The COVID-19 pandemic has highlighted the importance of connecting endpoints -- and users -- to the resources they need in a time of disruption. Remote working is key to a pandemic business continuity plan; does your plan include it?

Business continuity (BC) plans span far beyond the recovery of your data, applications and systems during a disaster. They can include other kinds of disruptions such as terrorist attacks, environmental accidents and -- in the case of recent events -- pandemics.

Pandemics are not unheard of, but it's unlikely that you have prepared for a disaster scenario like COVID-19. The ease of transmission of the COVID-19 virus, requiring aggressive social distancing to slow the spread, has brought organizations of all sizes and industries to a standstill. If they are still operating, many businesses are working with significantly reduced numbers of employees allowed on site at a time.

Most disasters laid out in your business continuity and disaster recovery (BCDR) plan likely have to do with an outage or lack of accessibility to corporate resources, regardless of which kind of disaster was the cause. If your organization is beginning to resume normal operations, it's time to start thinking about what type of response you needed in this scenario to keep the business operational and what you were not prepared for. Decide whether those steps need to be included in your BCDR plan moving forward.

One of the biggest challenges from a BCDR standpoint in this pandemic is the need to support a remote workforce.

One of the biggest challenges from a BCDR standpoint in this pandemic is the need to support a remote workforce. IT departments went from a sanctioned set of devices, security layers, connectivity methods and standardized apps to, "Tell me what you have at home and I'll figure out how to get you up and running." You're likely well aware that next time, the organization needs a plan of how to do this better, faster, cheaper and with more efficacy and security.

The idea of including remote work as part of a business continuity plan isn't exclusive to a pandemic; any kind of disaster that keeps employees from coming into the office -- such as a chemical spill near the office building, power outage, damage from a hurricane -- requires a response that empowers employees to work remotely.

The question of whether to include remote working in your BC plan in many ways was answered several years ago; it's a resounding yes. Not every health crisis will require the same social distancing measures as COVID-19, but it should be considered as a factor in your future pandemic business continuity plan, especially as it applies to remote work.

So, how do you go about building the remote work section of your BC plan?

1. Assess the risk and effect on employee access

As with any proper recovery plan, you should start a pandemic BCDR plan by performing a business impact analysis (BIA). However, in this situation you should place an emphasis on analyzing the effect of employees losing access to their regular endpoints, such as office workstations. Look at which employee functions the business can temporarily do without and for how long.

Next comes the risk assessment, where you need to take a long hard look at what has transpired the last few months, assess the disruption each disaster will cause and prioritize the remediation of the shortcomings found based on this analysis.

2. Review the current response to COVID-19

There's no better teacher for future pandemic response than the work done over the last few months. IT organizations have been able to get a lot right; you may have gotten users connected, regardless of the device, made them operational and utilized online collaboration tools to keep teams working together. A lot of mistakes have likely been made; maybe you have allowed less-than-secure endpoints and connectivity or forced employees to use internal resources when cloud-based services would have been a better choice.

Looking at how your organization responded to COVID-19 and comparing it to the requirements discovered in the BIA and risk assessment is the perfect way to see which aspects of the work you've done this year should become a part of the pandemic business continuity plan and which should be thrown out.

3. Embrace new tech

Traditionally, your DR efforts may have largely been focused on recovering critical workloads, using secondary data centers, cloud infrastructure, and tech like virtual machine replication and even hyper-convergence to ensure recoverability. The real litmus test is whether your users -- be they employees, partners, contractors or customers -- can access those workloads. So, when it comes to your remote workforce, you need to provide a means for users to connect to and use those workloads in a secure way that provides a consistent experience.

To do this, you're going to need to rely on some technologies you may not have considered before as part of your DR plans. These can include:

  • Virtual desktops. Let's just put it out there: Allowing your employees to use their personal devices that have little to no real protection from cyberattacks on an equally insecure home network to access corporate systems and data just doesn't make sense. There are a lot of virtual desktop services available, in a variety of formats. Whatever the means, the goal is to create an endpoint environment you have control over and give users access to it.
  • Layered security. Although we're talking about recovering operations, there's a real need to ensure the state of security in a remote environment that is going to be far less secure than having users in the office. Consider having additional layers of security in place that protect users from malicious email and web content, as well as awareness training for users.
  • Training and testing. Users need to be trained on how to use the new recovery environment and put it through its measures. Consider having in-office employees work from home once a month, using and becoming familiar with your new method of remote connectivity and the virtual desktop environment.
  • Cloud-based services. Proactively shifting to cloud platforms is something to consider in light of how destructive a situation like the current pandemic can be. If you put a virtual desktop environment in place that has proper access to both on-premises and cloud applications, a large push to shift to a cloud-first stance may not be necessary. However, it's still worth mentioning as a consideration as you begin your pandemic BCDR plans.

Keeping workforce continuity

Servers, data, services and applications all running on their own with no one to use them aren't going to be of much value to your organization's bottom line. You know your DR plan is going to be a success only by ensuring access to those that need to use your critical workloads. With your firsthand experience of what your organization's BCDR looks like when a pandemic strikes, you know the gaps that exist in planning, tech and execution.

By including the remote workforce as part of your planning, you guarantee the ability to truly have the business not just marginally operational, but running at or near peak performance.

Next Steps

Texas power outage flags need to revisit business continuity

Dig Deeper on Disaster recovery planning and management

Data Backup