Business continuity plans have typically been similar to things like flood insurance policies or advance health care directives - something that you know is important, save in a drawer with other important items, and hope (or even presume) you'll never need to use them. 2020 is like the 500-year flood or emergency hospitalization - the time you open that drawer and need the things that are in there.
As we head into the ninth month of the covid-19 pandemic, we've already looked at and made use of those plans. As the pandemic grinds on, much of the massive crisis of transition has passed - or at least paused. The big question today about those business continuity plans is how well they worked - did they ensure IT service continuity, were major operations able to carry on, did they provide useful guidance? Or was the forced remote work amid lock down something not even imagined and therefore not planned for - did that require making up parts of the response as you go?
Although it might be tempting to table a review of those plans and their effectiveness until we reach a next normal, like a widespread vaccination or completely flattened curve, that isn't entirely realistic. Many estimates project we won't truly round that curve until the middle of 2021.
There are two problems with waiting it out: we may need new contingencies to rely on before then and we may forget parts of the experience. The longer we wait to take up this task, the more critical inputs and insights we may lose. If we want solid plans based on our experience of 2020, we cannot afford to wait, lest too much be lost in the rearview mirror.
Did you rely upon your continuity plan? How well did it work?
The most basic question to ask yourself when judging your existing continuity plans seems simple enough: were they effective. That might be easy to give a simple yes or no on a high level, but unless you had plans specific to a pandemic with lock down, chances are that you had to make some quick decisions and rely on some creative thinking early this spring. As with any type of advance planning, you can only plan for the expected incidents and outcome.
If you were pretty satisfied with the results, despite needing to make plan and reality mesh, what were the factors that made the plan successful? What parts of the plans did you not need to implement - perhaps contingencies based on a terrorist attack or loss of access to C-suite and other executives or disaster responses at your data center/colocation sites or complete loss of connection to critical cloud providers?
In reviewing your plan's success, it's important to document where you can follow the book as well as where you needed to go off script and improvise. For components of the plans that you didn't need rely on, it's also important to note if there are any insights gained that might apply to other situations, like the need to deploy equipment remotely and to apply typical in-network access and management remotely.
If not, why not?
The biggest question, of course, is what didn't work. This is also not a simple question. If the plan failed overall, either by not providing any useful guidance or because the guidance that was essentially wrong - meaning that it not only didn't help but was harmful and created additional problems - you'll need to do some deep research to understand the problems and to mitigate them going forward.
If there simply wasn't guidance, you can build a plan from scratch based on what you've experienced over the past several months, best practices that have evolved over the course of the year, and reach out to others in your industry that were more successful and ask for some pointers about what they did that made their plans successful that weren't part of your experience.
If there were issues created by attempting to follow the documented plan, your first step is to document each one, regardless of how minor, and look for common denominators among them. It's unlikely that every problem was caused by exactly the same issue, but you will probably see a series of patterns that led to different failure points. With this information, you can model or role play how things might have played out differently if certain key variables were different.
One important aspect to this review is that you document as much detail as possible as you go along. Detailed documentation may be tiring and cumbersome, but the devil is in the details and that means that you need to be as well.
What if you didn't have a plan to begin with?
Although most large enterprises likely had in-depth plans to work from, many smaller businesses may have had very minimal plans or no plans. The result was truly fly by the seat of your pants management and anyone in this boat that was ultimately successful probably deserves a medal for managing the situation.
Ideally, you'll have documented the processes and practices that you implemented as you went along. This means you'll be able to build a plan specific to 2020 challenges by working backward and identifying what you wished that you'd had. It will also provide various jumping off points for other scenarios where typical office or network access is disrupted. And you can work backward and forward from each of those points. To be successful you will want to research continuity planning beyond the scope of this article, and you may find it extremely helpful to hire outside consultants or services to help you in the process.
We are not in a normal situation today
This may seem like an obvious statement, but it is one that's important to keep in mind. Our current everyday experience often feels like it is the new normal - and it may be the game board for a long and indefinite future, but eventually there will be an ultimate normal that evolves. What that looks like is quite murky today.
As continuity planning is the act of identifying normal operation and how to shift operation in response to extreme changes in the business, operational, and other environments, we are right now working in a gray area that is neither the old normal way of doing things nor the ultimate environment that is to come. In many ways we are still mid-crisis regardless of how routine our lives and work have become.
This isn't to say that we should avoid looking at our situations over the past several months and adding insights and needed changes. Doing so is the among the best things that we can do right now to maintain stability. But we should approach the task with the caveat that we are not writing things in stone, that there will come a point where we need to reevaluate the updates that we are making today.
Don't set it and forget it
A continuity or disaster recovery plan should never be static or a dusty binder on a shelf someplace. It should remain a living document, one that changes as the realities of business and technology change. Many organizations have mandates to update periodically while others undertake changes when there are significant new technologies employed (moving from on premise to cloud for example) that shift the calculus. Whatever the situation is and how you proceed, this year demonstrates the critical nature of these tasks even if they are easy to forget or skim over in regular operation.
Input, input, input
Regardless of where you stand right now and the methodologies you employ going forward, the biggest piece of advice that I can offer is the importance of getting input from the broadest operational base possible. This includes IT staff - all IT staff, as everyone has insights to offer and everyone can be considered an expert in their particular jobs - and executives, but it also includes line of business managers and individual workers. What seems like it worked for IT, may not have worked so well for retail staff or project teams or any other part of the business. It's crucial that you know that so that you can have the most robust and effective continuity plan possible.
What happens next?
I won't try to prognosticate about the rest of this year, next year or beyond. If 2020 has taught us anything, predictions can seem dead on one day and be utterly upended the next. That's why this review process is so important right now and why it will be important to repeat a few months from now and likely a few months from then. We're in a marathon not a sprint. We can, however, do everything in our power to keep the lights on and the wheels turning - and that requires being aware of where we are today and what is likely, if not certain, tomorrow.