100 Days Have Passed since we Implemented our Business Continuity Plans – the next 100 will be Even Harder

I have started this reflection each week for 8 weeks. I’ve thought about the quick things we learned as security and continuity professionals as we adapted our "Severe Weather" or H1N1 plans for COVID-19 conditions. The concepts of “critical infrastructure” and “essential workers” were quickly widened to address the real needs of communities around the country. The dynamics of our businesses and the interdependencies with our stakeholders became more complicated regardless if a stakeholder was government, client, patient, customer, employee, Board of Directors, spouse, parent, or child. I guess I should have had an annex in my BC plans for “stay at home learning” for my daughter since 30 seasons of “The Simpsons” and 7 seasons of "The Clone Wars" only gets you so far.

Frankly speaking, I have discovered that despite many companies having vastly different numbers of office locations and employees, COVID-19 was still raising the same operations and employee engagement issues and the remediations were remarkably similar. Thus, there are a few learnings that enterprises should consider as we move into resetting our continuity programs for long term recovery and "new normal" in the face of the ongoing COVID-19 threat to our company’s personnel, reputation, market share, supply chain, and customer success. We have many more miles to go before COVID-19 can be said to be ‘managed’ as a risk. As such, here are 6 lessons I have learned as we head into the next 100 days.

1.      Never let a good crisis go to waste. Criticism continues to be thrown back at the media by government leaders that “now is not the time to reflect on how we got here…but to focus on the future.” This is exactly the mistake that leads government leaders to rebuild the Maginot Line again or CEOs to conflate speed with decisiveness. Now is exactly the time to learn from planning misses, question our assumptions, build new partnerships, put aside our fears, and try on new ideas for size. As security and continuity professionals, we often tell each other – “Never let a good crisis go to waste.” We are each catalysts for change at all levels within our organizations. We use every trick and tool we have – hard and soft power; negotiation; persuasion, networking, patience, and plain hard work to get the job done. We each may be struggling to overcome program issues further brought on by COVID-19 due to various internal or external blockers to our programs’ evolution. Well, that COVID-19 “crisis” is here to stay. And, we have the duty and opportunity to help our organizations plot different futures.

2.      Control what you can control. Operating in uncertainty can exhaust Leaders who want to move forward.  Many of us have been hosting calls and briefings with executive teams and business units. Most are now in some “new state of normal operations” and may appreciate focusing less on the overwhelming nature of the road to better testing and a vaccine and more on how to make the next 6 months more successful within the business and company culture. Look to your teammates to develop more strategic analyses instead of tactical reporting on “new COVID cases.” Focusing on the strategic opportunities may be more valuable.

3.      Returning to the Office will not be easy, fast, and COVID will not cooperate with school calendars. The return to office race is one you may not want to win. The infection rate and case volumes in the US remain unsettling with no guarantees your office won't open just to have a rash of infections and have to close again . Schools just closed after their first attempt at distance learning and plans for the fall are in development but likely to be some hybrid of home and in class learning. Unfortunately, COVID-19 doesn’t follow the school year calendar. The education challenge of getting kids back in classrooms so that workers can return to their offices may not be possible. BC planners needs to work with business teams and HR now to prepare for that reality.

4.      Nurture your partnerships with HR, Legal, Internal Controls and Marketing. Go thank them. Right now. These are the people that are going to work with you to close all the policy gaps you found; ensure you adhere to all the COVID-19 requirements that change daily; and ensure that all of your new guidance and procedures get communicated in a way that resonates with your employee base. They may not have known how hard BC/DR work is until COVID either, but I’m sure they now see the effort and strain it takes. You’ll need each other for the year ahead.

5.      Investment in Partnerships with Government Agencies Pay off. In the 11 years since H1N1 and 19 years since 9/11, the advocacy from a diverse community of emergency management, cyber security, supply chain, NGOs, and continuity experts has helped convince FEMA, DHS, DOD, and State Emergency Managers that the private sector is THE critical partner in any effective response. Private Sector Liaison roles now exist in most states and all FEMA regions. The DHS and the CDC conduct Private Sector briefings. Emergency Support Function 14 was added to the National Response Framework codifying this evolution. Knowing how to plug into the acronym soup of government agencies at the right level is easier to figure out before the next lockdown and hurricane with COVID-19 comes this summer.

6.      Now is the perfect time for a Cyber Exercise. This cannot be understated as the FBI and DHS are publishing IOCs and warnings weekly. One medical school just paid a $1.14M ransom to get their data back. BC and Crisis Managers and CISOs have been collaborating more and more to ensure data incident teams are ready to respond to cyber attacks. With all the work from home and work-from-anywhere talk, it’s the right time to force your geographically dispersed team to exercise their plans to recover vital physical and IT systems. This can be a tabletop…I’m not suggesting you be mean about it, but be smart about this active threat and if you need to exercise to do this year - chose a cyber scenario. 

And here is a bonus lesson learned from the last 10 weeks:

7.      Gather good writers and graphic designers to your team. The science and health information behind a novel virus public health emergency is challenging for everyone to comprehend. Having writers on your team or access to the Marketing Team’s writers in a in pinch will set your team apart as the thirst for information from across the organization will be insatiable. There are visual and written materials that will be needed quickly to meet operational and regulatory deadlines while continuing executive and employee communication about social distancing and track & tracing, as well as designing compelling graphics about the new work experience.   

There is no good way to generalize business continuity lessons learned from incidents because we all have different programs, priorities, and resources, but each of these observations can help get your program off the ‘X’ and focused on the next 100 days.  This crisis is far from over and we have more work to do together.