The recent H1N1(A) flu pandemic saw companies desperately digging into their business continuity plan for a response. Some built their response plan from their severe acute respiratory syndrome (SARS) or avian flu plan. A few simply activated their cold or warm sites. Many did not do anything—they did not know what to do.
Fortunately, the fatality rate of the current H1N1(A) influenza pandemic is similar to the seasonal flu. However, the World Health Organization (WHO) warns against a second wave of deadlier mutated strains. The current wave is hence a warning shot.
Traditional business continuity planning (BCP) focuses on the loss of the use of physical and IT infrastructure and key personnel due to fire, explosion, earthquake or flood. The typical responses are activating the alternate data center, recovering data from remote backups, operating from secondary sites, repairing and rebuilding infrastructure, and switching back to normal operations. In a pandemic, the situation is drastically different (see figure 1). The physical and IT infrastructure are intact; the threat is in losing a large group of key personnel and key business supplies. This calls for different responses.
There are three key challenges in a pandemic:
- Uncertainties—Unlike conventional outages where the outbreak is readily recognized and the extent of damage easily assessed, every virus has a different fatality rate, infection pattern and mutation potential. For instance, while SARS and the H1N1(A) flu pandemic are known to be transmitted between humans, avian flu is not. Without such knowledge, it is difficult to devise effective measures to prevent and contain the infection.
- Fear and anxiety—The fear of life-threatening disease affects staff morale. Staff may choose to quit their job or to be absent from work. During the 2003 SARS outbreak, some medical professionals in affected areas left their jobs for fear of infection. Suppliers were also reluctant to deliver supplies to the hospitals. Similar impact was felt in the air travel and retail industries where there is a high volume of human contact. Losing key business supplies and key personnel can be catastrophic to an operation.
- No quick fix—While the loss of physical and IT infrastructures may be repaired and replaced, finding a cure or vaccine to a pandemic takes time. They are subjected to stringent processes to test their effectiveness and safety before the health authorities approve their use. Companies may need to operate in crisis mode for months and this puts resources under great stress.
In the face of these challenges, a different approach is needed (figure 2):
- Determine a common reference point—How does one know a pandemic has descended? Panic abounded when WHO raised its flu pandemic alert level from 1 to 5 within weeks following the discovery of the first case of H1N1(A) in Mexico. Different countries responded differently. Those that had suffered SARS took a cautious approach. They screened visitors’ temperatures, isolated those with symptoms and tracked those who had close contact with the infected. The rest of the world took it like a seasonal flu. The different attitudes created tensions when some countries issued travel advisories and screened and quarantined visitors from affected areas. Likewise, different companies took the alert differently. Those that took it lightly were seen as irresponsible, while those that took it seriously were seen as overreacting. Similar tensions can occur among different units in a company.
Establishing a common and reliable reference point is an important first step. While large companies may have the resources to assess the threat on their own, most companies will find it useful to look to WHO and local health authorities for guidance. A common reference point helps to defuse tensions between parties with different assessments of the gravity of the situation.
- Adopt a response framework—The second crucial step is to predetermine what the company will do as the pandemic alert level gets escalated. In WHO’s six-phase framework, levels 1-3 indicate the need for capacity development and response planning activities, and 4-6 indicate the need for response and mitigation efforts. It is a useful framework to guide companies in their planning and execution. Companies should identify the activities, resources, investment and personnel required in each phase. This should be carried out prior to a need, as operationalizing the framework and plan into actionable steps takes much time and effort.
- Assess key personnel and supply risks—In a health-related contingency, companies have to assess how the loss of key personnel and business supplies increases business risks, such as not meeting contractual requirements, lost market share, impaired operations and tarnished image. Companies should systematically assess each operation to uncover and rank the risk exposures. They know who their key personnel are, what supplies are crucial and the parties upon whom they depend. The assessment helps to define the order of implementing preventive and corrective measures, and the manner by which limited resources are allotted. For companies operating in multiple geographies, the picture is a bit more complex, with different offices under different level of threats at any one time.
- Operationalize the response plan—The effectiveness of a response plan depends on what is known about the virus, such as whether it is airborne and how long it remains infectious on surfaces. Overreacting and underreacting are both costly to business. Consulting medical professionals and health authorities and benchmarking with peers in the same industry help to ensure the company is taking effective measures. These measures include:
- Workplace diversity—Splitting key personnel into different workplaces reduces the risk of mass infection should one workplace be infected. This requires a long-term plan as no one knows when a disease will strike and how long it will last. It is a costly solution. Telecommuting can be a viable alternative as it benefits the company in peace time and during a crisis. The infrastructure requirements include a virtual private network (VPN), broadband connection, notebook/ laptop, printer, fax machine, conference bridge and video conference system. These needs should be acquired, installed and tested, and staff trained before an incident.
- Human flow management—In addition to workplace diversity, redesigning human flow within a workplace helps to reduce spreading of disease in locations where people congregate, including cafeterias, conference rooms, training rooms and presentation halls. In the recent pandemic, some companies have prohibited face-to- face meetings and staggered lunch breaks for key staff.
- Lights-off data center operations—First developed as a cost-saving measure, it is a necessity in a pandemic situation. When personnel fall ill in a data center, it may not be accessible until it is disinfected. This can be problematic for operations that require frequent human operator interventions. Tools that can help to reduce such dependencies include remote console, job scheduler, large tape library and automated loaders.
- Health insurance coverage—The human resources department needs to review medical and travel insurance to cover staff who get infected on official duties. This is crucial for staff working in high-risk areas such as hospitals and those traveling to areas with high infection risk and low health care standards. Engaging the service of an international emergency evacuation team may be necessary.
- Key business supplies—In a worldwide epidemic, a global shortage of critical supplies is likely as supply chains may be hampered by the pandemic. Diversifying supplies, stockpiling and getting suppliers to develop their pandemic contingency plan are strategies to reduce the risk in supply disruption.
- Collaboration with business partners—Companies could consider securing preferential medical care and supplies from their health care service providers. Swapping offices with business partners to achieve work-space diversification is a win-win strategy.
- Addressing key stakeholders’ concerns—Whatever measures the company takes, it must meet the expectations of the regulators, customers, business partners and employees. Companies must proactively listen to their stakeholders and address their concerns.
- Education and communication—Companies should advise their staff whether they should travel to high-risk areas, when they should consult a doctor and what they should do to uphold a high level of personal hygiene. Setting up communication channels for staff to clarify doubts and to get assistance is good for staff morale.
- Incident handling—In a pandemic situation, infection will ultimately creep into the workplace. When that happens, having a predefined and tested incident-handling procedure will help to minimize further infections, assure key stakeholders and contain business impact. An infection control mechanism typically includes setting up a well-trained and well-equipped infection control team, evacuating infected staff via a predefined isolated path, disinfecting the workplace, and tracing personal contacts.
- Media management—As in any contingency, media must be handled carefully as unchecked negative rumors will hurt the company. Appointing a spokesperson helps to manage the quality and consistency of the information released. Having a communication plan and predrafted letters and e-mails help to reduce anxiety and speed up response to media queries.
The business risks of a pandemic are real. Just as companies are concerned with their key suppliers, their customers expect similar assurance from them. Failing to provide such assurance, their customers may diversify their suppliers or switch to other suppliers to lower their risks. Apart from this, a pandemic is a public health threat that may cause the local health authority to impose emergency policies and regulations to safeguard public safety. In some countries, noncompliance with these regulations may result in suspension of business licenses. The company may also be seen as socially irresponsible.
The current flu pandemic has surfaced gaps in BCP and given companies the opportunity to work on them. The problem is one does not know how much time one has.
Bok Hai Suan, CISM, CGEIT, PMP
is the IT director of a large IT services company. He has oversight of the company’s IT plan, policies, applications, security, infrastructure and operations and has many years of experience in business continuity planning (BCP). He has spoken at many regional conferences, sat on a number of IT professional committees, and published articles in books and journals.
Enjoying this article? To read the most current ISACA® Journal articles, become a member or subscribe to the Journal.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2010 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.