Updated: Jul 11, 2020
We are all living in a very different world this week than just two weeks ago. Our personal and professional lives have been disrupted and altered in ways both small and big - and will be for an unknown period of time. One thing we can be sure of is that there will be more changes and disruptions coming that we can’t always predict. The imperative to protect the safety and health of colleagues, family, friends and the public may require new and unknown changes to how we live and work.
But this uncertainty needn’t be paralyzing. In this time of unprecedented turmoil, how can leaders help reduce uncertainty and improve resilience?
A good place to start is with a publication already available from FEMA: https://www.ready.gov/business. We're hopeful that our experiences, even in the last few weeks, at the forefront of helping our communities and clients, can help contribute to our shared progress. Our resilience work and conversations in the past few weeks have focused on certain key areas, so we’ve organized our thoughts and learnings around those emergent themes:
Service identification and prioritization - Knowing which services are critical to your internal and external customers is the first step in dealing with disruption in a resilient way for IT, information security, and business leaders. Without a prioritized understanding of critical services, an organization or portion of the organization will find itself ineffective and under-resourced when faced with disruptions.
Gather data on expected demand through conversations with your customers (IT, information security and business), analysis of demand data and service usage, and existing business impact analyses, service catalogs, and product catalogs. Use this information to create a prioritized list of key services and resources (systems, people, processes) needed to maintain continuity and/or adapt to change. This list becomes the foundation of any resilience function or effort.
Scenario identification and analysis - While there are a range of potential business interruption scenarios (ways in which your ability to deliver services may be impacted) occurring now and potentially in the future from COVID-19, the simple act of documenting potential scenarios helps reduce uncertainty. Identifying even a portion of potential business interruptions helps to shrink the unknown and reduces the paralysis that uncertainty can cause. Many of the scenarios our customers have analyzed deal with varying levels of remote work, for example. Going forward, other scenarios could potentially need to be identified and analyzed - dealing with scenarios where certain geographic regions or types of work are permitted or disallowed.
Our work with several clients over recent weeks has involved this kind of analysis - identifying scenarios and the impact on resources (people, equipment, infrastructure, etc) required to deliver services. Once these scenarios are identified, readiness strategies for service delivery in the face of each scenario should be developed, with a focus on identifying common elements that cut across plans. This process ultimately leads to resilience in the face of multiple scenarios, including Covid-19.
Readiness - Just as COVID-19 hasn’t paused, neither will the threats and risk that your organization needs to manage - as evidenced by reports of incidents against consumer, commercial and governmental entities from bad actors, nation states, and others that seek to actually take advantage of this disruption. Developing readiness plans to handle COVID-19 disruption should assume that business risk will be at least equivalent to that before this most recent global crisis. Once scenarios have been identified, our customers are focusing on strengthening potential points of business and security service failure in one or more of the following areas:
- Technology - Our customers often identify their remote access capabilities as a critical potential point of failure. We have been partnering with them to handle significantly increased demand while also securing their remote access capabilities. The toolkit to do this has shifted as organizations shift to the cloud and the threat landscape grows there too.
- Process - A response plan for any scenario should also consider how processes need to evolve to take into account the new service delivery models demanded by the crisis. For example, processes that enable remote access by providing credentials and devices may be severely taxed and new capacity (and security measures) may need to be added to handle the increased volume.
- People/culture - Ultimately, an organization’s ability to be resilient in the face of disruption is dictated by its people. How people work on their own, in teams and within the culture, and the company’s overall mindset - all of these make a huge difference in times of crisis. Frequent, clear, concise communication to all who are impacted by change should be the foundation of any plan. More training and cross-training can be added so that people can more fully participate in building real resilience.
Response testing and learning - Simply having clear plans for various scenarios isn’t enough - those plans need to be tested and validated against clear metrics for resilience. What is the expected response time in the face of disruption and how does it relate to business continuity? What service levels can be maintained during a disruption? Answering these questions gives you the data you need to evaluate plan effectiveness and adjust plans as needed to maintain service levels.
If you need help, we’re here. Contact us for a no-charge evaluation of your resilience program. In just a couple of hours, we can help you evaluate your current resilience program and we will provide recommendations and actionable steps to improve based on our work across a number of industries and our long experience helping companies build robust resilience plans.
Finally and most importantly, please stay safe and heed expert medical recommendations on social distancing. We are in this together and will get through it together.