The Great Inspection: Identifying Likely Future Common BCM Problems

Richard Long

Over the past six months, we have talked with dozens of our clients across a range of industries about the issues they’ve faced in implementing their remote-work solutions. These conversations often strayed onto other potential weak points in those organizations’ business continuity management programs. In today’s post, we’ll look at the potential future problems identified by our clients in the course of this collaborative virtual inspection tour.

A Virtual Inspection

Do you know how when you take your car in for a problem the mechanic sometimes discovers and makes a note of other potential problems? Our recent intensive discussions with our clients about their responses to the COVID-19 pandemic have provided us with a similar opportunity. Collectively, these discussions have amounted to a virtual inspection of industry’s BCM programs. This inspection has surfaced several potential problems that might be lurking in the future for many organizations.

From Far-Fetched Scenario to Harsh Reality

Work-from-home plans have long been a component of most organizations’ BCM programs. Before March, however, the idea that those plans might actually need to be implemented seemed more like a far-fetched scenario than a realistic possibility. When that possibility becomes a reality, many companies had to scramble hard to adapt.

Are there any other problems out there that currently seem like far-fetched scenarios but might in the future become hard realities?

Yes.

Our virtual inspection identified several such problems across the four potential BCM loss areas of people, of facilities, of technology, and of third-party suppliers.

In the next section, we’ll lay out, area by area, what those potential future problems and vulnerabilities are.

Vulnerabilities Across Four Areas

As just mentioned, when a crisis event strikes a company, the impact is felt primarily in one or more of four areas. These areas are human resources, facilities, technology, and third-party vendors.

Below, we’ll take a look at each one, pointing out potential future problems in that area as identified by our recent conversations with our clients.

1. Loss of human resources.

The leading potential threat in this area is a future pandemic with different characteristics from COVID-19. The current pandemic has not caused a true loss of human resources. The unique circumstances of the current pandemic mean it has mainly been experienced effectively as a facility loss and need to relocate. Most employees are healthy enough to work; they just can’t gather in a common workplace. The potential still exists for a future pandemic to come along that does indeed incapacitate a large percentage of your staff. Is your organization prepared for that? What would the impact be, if within several weeks, your available staff was reduced by 30 percent? Are you prepared to work with 70 percent or less of your staff? This is a very different problem than figuring out how people can work from home.

2. Loss of building/need to relocate.

No new threats were identified for this area.As mentioned above, the COVID-19 pandemic has had its greatest impact on building access. Fortunately, the problems of enabling office staff to work remotely have mostly been solved. The hybrid approach of having some people work remotely and some in the office may emerge as a common long-term solution. The back-office and other support functions are easily done remotely, and we have learned how to work as remote teams. Physical space will still be needed for employees whose duties require the use of special equipment. Consider the long-term impact of a split work force – those that must work in the office and those that may work remotely.

3. Loss of technology.

In terms of technology, the main vulnerability identified was the inability of most organizations to recover their systems at the app or component level. For many organizations, DR is architected at a data center level – all or nothing other than those environments that are designed for high availability (immediate failover). This lack of flexibility is a potential cause of unnecessary delay, which could increase the impact of an event. Companies would benefit from acquiring the capability to restore their environments at the component level or by data center pods (subsections of the data center) rather than being able to only fail-over their entire data center. This has been a known issue for a long time and is especially acute when it comes to cyberattacks and data corruption.

Another technology vulnerability is non-hardware-based services and programs. Most organizations have sufficient resiliency and redundancy at the hardware level. This includes issues with their servers, storage, and infrastructure components (e.g., power supplies). Companies also need to ensure they have logical- and service-based resiliency. Problems with these could keep the entire system from working. The final technology vulnerability identified was physical components not being available at an alternate site. Hardware or quasi-hardware components that have a tendency to get forgotten in the IT/disaster recovery environment include firewalls, load balancers, and physical legacy servers. The absence of these components could lead to system malfunction or data loss.

4. Loss of third-party supplier.

Third-party suppliers and service-providers represent a potential Achilles heel for many organizations. The main issue here is lack of sufficient risk assessment and mitigation. Every problem that could affect your organization could affect your critical suppliers. A supply chain risk assessment should be performed for all critical suppliers and service providers. This includes technology providers, SaaS providers, and contractors. See this post for tips on identifying your critical suppliers, this one for information on vetting them, and this one for more on protecting your organization from impacts caused by vendor problems.

These are the main, commonly overlooked BCM vulnerabilities that were identified in our recent conversations with our clients. Any one of them has the unfortunate potential of following in the footsteps of work-from-home in terms of being a far-fetched scenario that could, with little warning, become a threatening reality for your organization.

Avoid the Potential Future Problem Scrambling By Planning Ahead

The intensive conversations we’ve had with our clients about responding to the COVID-19 pandemic have had a fringe benefit: they’ve surfaced several other vulnerabilities in organizations’ business continuity planning. These vulnerabilities have the potential to be tomorrow’s work-from-home problem in terms of being an unlikely event that suddenly becomes a serious, real-world challenge. Avoid repeating this year’s WFH scramble by preparing for these problems ahead of time.

Further Reading

For more information on future common BCM Problems, overlooked vulnerabilities, and other hot topics in business continuity and IT/disaster recovery, check out the following recent posts from MHA Consulting and BCMMETRICS:

About
Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.
BCM COVID-19loss of human resources