The COVID-19 global pandemic tested business resilience in every corner of the globe at a scale we’ve never seen before. Even the best business continuity plan (BCP) may not have accounted for all the risk factors organizations had to manage and mitigate.
Those who remember the Avian Flu scare of 2008 might recall the mad dash to put global pandemic protocols into their BCP scenarios. During the years to follow, tabletop exercises for most large multinational corporations included global pandemic aspects.
As time passed and BCP team members changed, the global pandemic scenarios lost prominence. After all, a BCP’s scope and focus are built on the key assumptions of likelihood, frequency, and impact. The last true global pandemic was in 1918, and although inevitable, another pandemic was not a major consideration for most.
Planning for Most Likely Scenarios
Business agility and continuity is all about identifying key business impacts based on most likely scenarios, and it encompasses people, process, and technology. The nature of the risks and how one mitigates them depends on the business and industry.
Regardless of those differences, business agility needs solid leadership and communication that is concise and consistent across the organization.
Some industries, such as those relying on brick-and-mortar operations, were at a significant disadvantage by the very nature of their model, and little could be done to mitigate the impact of the required social distancing and various lockdowns. Others had more control over their destiny.
In terms of readiness for the disruption caused by COVID-19, I have seen three primary scenarios among my clients:
- Organizations with an executable global pandemic plan
- Organizations that had adopted, or at least partially adopted, remote workers and/or clients
- Organizations with neither a plan nor the technology needed to pivot to remote workers and clients
Size alone did not confer immunity. Large multinational clients with global pandemic plans in place still confronted the challenge of a suddenly remote workforce. Many found it difficult to quickly procure the required hardware such as laptops, as their overwhelmed IT departments dealt with an influx of requests to provide remote access and enable connectivity to legacy on-premise systems.
Even a global financial services client who had an 80-page business continuity plan struggled. The plan checked all the boxes for regulatory compliance but didn’t deliver on practical business requirements, such as prioritizing which functions needed to be up and running quickly.
When the coronavirus hit, they scrambled to develop an action plan at the same time they were dealing with stock market volatility and other key risks while keeping their business afloat.
Those without a plan or compensating technology obviously faced significant challenges, as they managed major reductions in workforce, reprioritized expenditures, and in some cases, shut their doors altogether.
Managing an Influx of New Risk Vectors
Companies that managed to handle the workforce disruption but failed to consider how it would impact their control environment experienced additional hardships: the influx of remote access created new cyber attack vectors.
The offboarding of resources and consolidation of roles and responsibilities heightened conflicts around the segregation of duties. And the potential for outstanding receivables and the risk that key vendors would be unable to deliver cascaded throughout organizations.
These are just a few examples of the real-world risks that the pandemic exacerbated. Although many of these risks predated COVID, the approach for mitigating them may have changed significantly in response to the evolving landscape.
In addition, organizations with large, complex governance risk and compliance (GRC) tools were not agile enough to move from pre-COVID controls to post-COVID mitigation without time-consuming rework. In some cases, this impact was further exaggerated by a lack of team capacity due to workforce reductions, competing initiatives—or both.
Fortune Favors Readiness & Resilience
Some organizations seemed prepared almost by luck (or, perhaps, 2020 foresight). For example, those in the tech industry were more likely to have already embraced the “work-from-anywhere” model as a way to retain and attract top talent or to reduce rent expenses.
Some already managed a remote workforce and had the infrastructure to enable frequent travel. And others were earlier stage companies that had adopted cloud-based solutions, enabling a quick pivot to a virtual workplace.
Regardless of the circumstances that allowed them to quickly adapt to the new normal, a couple of data points were abundantly clear:
- Technology was a key factor to success
- So was the ability to rapidly recognize that the risk landscape had shifted
While reflecting on my client’s successes and failures, I have observed a mixture of wisdom, preparation, fortitude, and luck—both good and bad. In the end, being able to adapt to change while quickly identifying and mitigating risk has been paramount.
When it comes to risk, fortune may not favor the bold, but it does reward a proactive business continuity plan. As early vaccine pioneer Louis Pasteur said, “Chance favors the prepared mind.”
Watch this video to see how technology can help you build an effective business continuity plan so your organization is prepared for the next unforeseen challenge or disruption.