B: Assess risks and vulnerabilities to physical and cyber systems from a reduction in staff, both internally and among key organizational interdependences, such as supply chain partners or service providers.
Communicate early and regularly, internally and externally -information voids will often be filled with incorrect information.
Security and IT executives need to brief senior leadership regularly and ensure there is a clear understanding of leadership’s expectations and their true level of risk acceptance.
C: Establish an intelligence baseline, determine which trusted sources of information you’re going to rely on. Good examples include WHO, the Centers for Disease Control, Department of Health or a trusted medical provider.
Leveraging these sources, companies can gain an understanding as soon as possible. Focus your awareness campaign on those sources, unless gaps emerge that must be addressed.
Sticking with select sources allows you to conduct trend analysis on how the situation is evolving.
C: Identify potential triggers, risk tolerances and responses. All crises are fluid, but emergent medical issues tend to be even more so.
A trigger-based escalation matrix can be an incredibly powerful tool to help you respond more confident. When new information comes in, it’s important to validate it as soon as possible and discern which escalation plans or other pre-vetted decision trees might need to be recalibrated.
Accept that the ‘facts’ are likely to change. Be prepared to re-evaluate your assumptions then adjust your action plans based on new information or emerging trends.
D: Ensure a coordinated response. Organizations must ensure a strong, coordinated response that integrates cybersecurity, emergency management and risk communications staff.
Ensure consistent and frequent communications to your staff and external stakeholders.
E: Think globally. The term pandemic refers to a disease that has spread across a large region such as multiple continents.
When evaluating security risks or preparing business continuity plans, companies need to be prepared for potential impacts on a worldwide scale. Ensure all plans have factored in worldwide aspects of your business, including supply chain, customers and service providers.
A pandemic is not like a natural disaster that may be geographically isolated. Keep in mind that many suppliers and business partners are in different parts of the world. Contact business partners—especially supply chain—to confirm instructions for requests, orders, shipments, receipts, payment, etc.
F: Stress test all facets of the remote work capability. Estimates of the peak impact of COVID-19 vary widely and likely will continue to vary for some time. What’s clear is that the business impacts are not going away anytime soon and may well increase before they begin to dissipate.
Remote work—whether by choice or out of necessity—will likely have to play a significant role in your business continuity planning. Stress test every facet of your infrastructure now.
An IT backbone intended to remotely support perhaps 10% to 20% of the workforce might struggle under the weight of the current challenge. The earlier you understand the weak points in your system, the more time you’ll have to problem solve, or prioritize who should have access to your systems".
G: Be transparent in sharing updates. Even the best business continuity plan is likely to be significantly challenged without dedicated employees willing and able to go above and beyond their normal responsibilities to help navigate the unique challenges a medical crisis can pose.
By removing—or simply reducing—your employees’ burden of sifting through an overwhelming and contradictory mountain of ‘intelligence,’ you enable them to focus on their roles and free them up to help meet the challenges to the organization.