So, COVID-19 is here and, has resulted in arrivals to New Zealand being told to self-isolate for two weeks, events such as LawFest, Homegrown and the Pasifika Festival being postponed/cancelled, and the possible closures of schools, among other things.

Although thankfully no one in New Zealand has died from the disease yet, significant disruption has been caused by the quarantining of many of those who have come into contact with the infected. This includes the 43 clinical staff at Waitemata DHB, all of whom came into contact with one infected patient. This quarantine has reportedly crippled an already stretched accident and emergency service.

Damian Funnell

This should have you thinking about how well your firm is prepared to recover from, and persist through, a disaster.

Regardless of whether or not anyone from your firm contracts the disease, for example, how well would your firm continue to function if everyone within the office was sent home for self-isolation for a couple of weeks?  What functions would continue to operate and for how long?  How would this affect your staff, your clients, your reputation and your finances?

Every company, regardless of size, should have a business continuity plan that prepares you for exactly this type of event.

You should also have backup (‘disaster recovery’ or ‘DR’ systems) in a secondary (DR) location for use in the event of a disaster.  A decade ago small and medium companies would argue that they couldn’t afford expensive DR systems, but the cloud has changed all that.  Even if you still run legacy systems that are not cloud-based you should still be able to use services such as Amazon AWS to create inexpensive DR solutions to protect your business.

Your business continuity plan should set out the various scenarios that you’re planning for and how you will recover from each of them.  All of your staff should be familiar with the plan and they should know exactly what their role is if the plan is invoked.  Most important, your business continuity plan should be tested at least twice per annum.

If your plan has not been tested within the last six months then you cannot rely on it to be effective.

Identifying all the key systems

Simply giving everyone a directive that they should work from home is not enough.  Your business continuity plan should identify all of the key systems that your employees need to do their jobs and how you will ensure that they will remain operational and accessible during and after a disaster.

I know of several companies that had robust business continuity/disaster recovery plans but that were still severely impacted, and in some cases wiped out, by the Christchurch Earthquake.  This is because very few business continuity plans contemplated the establishment of the red zone, which prevented physical access to their offices for an extended period of time.  One organisation that I worked with had both their primary and backup sites within the red zone. Neither was damaged - they simply needed someone to get into their computer rooms to turn everything back on once the power came back up after the earthquake. No one could and the company rapidly went out of business as a result.

It’s also not enough to simply trust that your IT department has everything in hand. Business continuity planning is a business function, not a technology one.  Also, if you ask your IT team whether you’re prepared for a disaster you’ll often get a positive response, but this is not a ‘yes or no’ question.  Most IT teams struggle to simply look after ‘business as usual’ adequately and don’t have time to develop and test disaster recovery measures. Yes, they may have built redundancy into some systems, but that redundancy may become meaningless if it’s not regularly tested (ie, it might not work when you need it) or if no one knows how to access that system in the event of a disaster.

Your business continuity plan should allow your organisation to continue to operate during and after various types of disaster (eg, civil unrest, natural disaster, major security breach, disease outbreak, etc) and it should be tested regularly.  It can be a really good idea to bring in skilled external consultants to help you create, maintain and test your plan. Leverage their expertise to maximise the quality of your plan and to hold your organisation to account regarding the ongoing testing and validation of it. It’s too easy to defer important DR tests otherwise.

All staff should know what the plan is and what their role is in the event of it being invoked. Your plan should allow for events where key staff are rendered unable or unwilling to work because of a disaster too.

Testing your business continuity plan should include simulating the disasters that you’re preparing for. Your disease outbreak plan may, for example, involve you locking everyone out of the office and asking them to work from home for a day.  If you still have your own servers (how quaint) then tests should include both planned and unplanned loss of service (ie, turning them all off) and invoking DR systems.

Involve your team in the test and review the results with them.  If the test fails (eg, if you failed to bring up a key system during the simulation or something else didn’t work) then fix the problem and run the test again.

By testing your business continuity plan twice per year you’ll be doing it often enough that your team will be well rehearsed with it and it will become easier and easier each time.

If you don’t test your plan regularly then you’re likely to find that it’s about as worthwhile as a mountain of panic-bought toilet paper when the stuff really hits the fan.