Many companies have a business continuity plan (BCP) in place that covers loss of facilities during things like floods and earthquakes. But it’s primarily only the really big companies (or those providing critical services for healthcare) that have done more than download a pandemic plan template off the internet and call it good.
According to a recent survey by AvidXchange, only 62% of 500 U.S. companies surveyed at the beginning of March had business continuity plans in place. Nearly half said they covered contingencies for only two to three weeks — and 10% have no plan at all. We’ve had a BCP in place for years at my company, but COVID-19 prompted an immediate review. And because we believe it can help other companies, I wanted to take this opportunity to share our approach.
1. Ask yourselves: how do you ‘degrade gracefully’?
The first time I heard of a “pandemic plan” was during the bird flu outbreak in 1997, while working for a large security company. Unlike our current situation with COVID-19, that plan remained largely theoretical. If your pandemic response plan is more theoretical than actionable, or is completely non-existent, then now is the time to make it real.
In computer science, systems are ideally designed to deal with failures — of hardware, of networks, or of their own ability to scale to certain demands or conditions. The way a system is designed to keep its most important behavior working while other parts fail is called “graceful degradation.” In a pandemic where your people could be out due to illness, potentially indefinitely, you can apply the same question to your business: How do you degrade gracefully? How do you keep doing the most essential things and allow less critical functions to degrade (and also repair themselves) throughout the course of this extended event?
2. Identify critical business functions
You’re going to start by assessing the most critical functions that need to continue to happen for you to remain in business — what is the absolute last thing that gets shut off? Then you’re going to work backwards to find the most critical business processes: What are the things that are required to make sure that thing keeps working?
In our case, maintaining service for our existing customers is our most critical function. (Yes, it’s going to be important to add new customers, but if we’re just talking about the absolute most critical function, that’s it.) If you’re a consulting company, you’ll end up in a different critical place — you need to keep shipping deliverables to your clients, so the ability to email or transfer files will be a critical function.
This process isn’t going to be easy for everyone, but it is an opportunity to think about the bigger picture and what’s best for the whole company and your customers. Try to set any ego aside. It’s not an insult if your department is not a business-critical function. Just because something isn’t “mission-critical” doesn’t mean it’s something the company will stop doing, even in a pandemic.
Our entire executive leadership team worked closely to define a set of business-critical priorities for their teams to work from when fleshing out the remainder of the BCP update. Since human beings have egos and may disagree about what your most essential business processes are, this is an exercise that the most senior level of leadership should do and agree on. It should not be up to the C-level to put the plan together, but it is their responsibility to have a unified voice when it comes to defining business-critical functions. We broke our functions into four categories:
1. Mission critical: Loss of these functions would result in widespread loss of reputation, damage to the business, as well as potential damage to the general public.
2. Business essential: Loss of these functions would make it difficult, but not impossible, to continue the business. Examples include generating revenue, customers, following compliance regulations, and maintaining an external help desk.
3. Business core: Loss of these functions would have an indirect revenue impact. A good example for the COVID-era is in-person conferences; not attending these impacts both leads and, indirectly, customer satisfaction.
4. Business supporting: These functions impact employees, not employee productivity. Examples include employee reviews, internal help desk services, and business support functions.
3. Update regularly, more in crisis
We took five working days to review our plan and put this streamlined approach in place. Compared to other pandemic plans I’ve seen, our plan is super-actionable thanks to:
- A stack rank of priorities by team
- Documented instructions
- A Confluence page with who does what, down to five levels of people and their current availability
- Instructions on printing it out and storing it in the event of an outage that prevents online access
We intend to update our plan quite regularly through the evolution of this pandemic, likely on a monthly basis. Once we’re through the pandemic, we’ll dial the review frequency back to twice a year.
Your plan will make you stronger. It doesn’t have to take weeks, even if you’re starting with no plan at all. You’ll discover things you didn’t realize about your business like:
- Departments you didn’t realize were critical
- Areas where you are understaffed
- Processes that need to be documented
- People who need to be cross-trained
Every department will likely have an “aha” moment going through this process. Your teams will gain:
- A clearer understanding of how they function and how they relate to the company’s overall mission
- Clear direction on communication and actions
- Relief that they won’t have to make it up as they go along
In the time of COVID-19, the act of business continuity planning is actually not too different from the 40 pounds of pasta I have stored in my garage. Even if I don’t get to all of it before the pandemic ends, the pasta won’t go to waste — it will get eaten. Even if our current pandemic were to end abruptly with limited impact (unlikely, of course), we’ll be that much more ready to weather the next global crisis.
Joan Pepin is Chief Security Officer of Auth0.