All About Business Continuity Plan Amidst the Global Pandemic

We have all heard about Disaster Recovery Plan or Business Continuity Plan. Very few would have heard about Pandemic Plans until the recent eruption of Covid-19. Pandemic plans differ from the common disaster recovery plan or business continuity plan. Pandemic plans are people or employee-focused and depend less on technology. It is the other way round for Disaster recovery plan or business continuity plan. Each of these plans provides a customized approach for responding to situations. The common element in all of these is they threaten the organization ability to sustain its operations. Pandemic poses a severe health threat to the employees of the organization and hence a carefully customized pandemic recovery plan can help a firm remain viable, even with a reduced staff.

Business Continuity Plan: Business continuity planning is a strategy. It ensures continuity of operations with minimal service outage or downtime. Business continuity consists of a plan of action. It ensures that regular business will continue even during a disaster. It refers to the processes and procedures that employees take to make sure that regular business operations continue during a disaster. A good Business Continuity Plan can make a difference between survival and total shutdown. A Business Continuity Plan has usually drafted post detailed analysis of the existing system. It tries to isolate the critical business processes to sustain the business. It is to be noted that each of the business and operation is unique and will require a customized Business Continuity Plan. In a good Business Continuity Plan, we have to upfront identify which business functions are critical. You should also identify which business functions can be suspended till it is fully recovered. You should have a priority list and keep on bringing it as you recover. It is a step by step process to be back in the full stream of the business. This is a very good data management, even if the catastrophe never occurs. With Business Continuity Plan you should earmark your employees who will support the essential functions. Proper training to these employees is essential so that they know what they should do at different catastrophe event. The Business Continuity Plan should include a process and should be constantly updated with the changing business scenario. The Business Continuity Plan should be transparent and different stakeholders both internal and external should know the process clearly without any ambiguity. Business Continuity plan should have a process to replace and recover the Information Technology systems. Hence, Business continuity planning suggests a more comprehensive approach to making sure you can keep making money, not only after a natural calamity but also in the event of smaller disruptions including illness or departure of key staffers, supply chain partner problems or other challenges that businesses face from time to time.

Steps of Business Continuity Plan: Once you have decided which processes of your business are critical, you can develop plans to work around these situations. First, you have to determine what your goals are for the continuance of the business. You should decide the short-term and long-term goals. You should decide how to overcome these obstacles. You should also develop a clearly defined and documented policy. You should also have a plan wherein you develop a strategic team and who will be the leader or commander of the team. You should also prepare your team through intensive training for crisis management and communication. The team should also be able to handle the media relationship to keep up the organization brand high. You should also ensure that you cross-train your employees to help ensure essential functions can continue.

Disaster Recovery Plan: Disaster Recovery Plan is a subset of the Business Continuity Plan. A Disaster Recovery Plan includes getting the system up and running following a disaster. Information Technology disasters can range between a small hardware failure to massive security breaches. A complete system crash and loss of data is like the aftermath of a burglary. You will not know what is missing until you look for it. You should have a methodical plan to restore each of the critical applications in your Information Technology structure. It is critical to upfront understand how long it will take to restore the system backups. Usually, it is the time between your last cloud backup and when your system went down. A Disaster Recovery Plan can restore data and critical applications in the event of a disaster or a catastrophe striking your system. The catastrophe can be as huge as an earthquake or the terrorist attacks on the World Trade Centre or as small as a malfunctioning of software caused by a computer virus.

Steps of Disaster Recovery Plan: There are various ways of developing a disaster recovery plan. To start off with you should do a detailed Business Impact Analysis (BIA). This helps in identifying and prioritizing critical systems and components. You should also have detailed preventive control. These help in reducing the effects of system disruptions and can increase system availability and reduce contingency life cycle costs. You should also have a proper recovery strategy. A good recovery strategy ensures that the system can be recovered quickly and effectively following a disruption

You should also have a good IT contingency plan to get detailed guidance and procedures for restoring a damaged system. A good disaster recovery plan is ineffective if you miss out testing, training your employees and exercising. These exercises help in identifying gaps and trains your employees to recovery in case of any catastrophe. These exercises help in improving planed effectiveness and overall contingency preparedness. You should also ensure that your Disaster Recovery Plan should be constantly updated and remain current with system enhancements.

Pandemic Plan: A pandemic is an epidemic of disease that has spread across a large region, for instance, multiple continents, or worldwide. A widespread endemic disease with a stable number of infected people is not a pandemic. Further, flu pandemics generally exclude recurrences of seasonal flu. History is witness to various pandemics such as smallpox, tuberculosis, the Plague, Spanish flu, H1N1, and the Covid-19 in the year 2019-2020.

The pandemic plan is a plan to address the outbreak of serious infectious disease to protect your employees. During Pandemic businesses, social organizations, schools, and colleges may be required to take steps to slow the spread of the disease. Such steps may include closure or part closure to slow the spread of the disease. Obviously, there is no damage to the building or the IT infrastructure. Other steps to slow the spread of viral may also include limiting or cancelling social and public gathering, stopping public transportation, requiring quarantines, lockdown or shutdown etc. Recovery from these situations may take some time and you will not be able to start the operations immediately. However, it is important to ensure that your core business activities can be maintained for several weeks or months with limited staff. You may also continue your critical operations working remotely maintaining a distance between people so that the virus does not spread. You may have to plan to resume your operations in a planned way. The Pandemic plan should be dynamic. It is practically impossible to determine upfront as to how the virus will spread and how many people will be affected by it, until it happens.

Effects of Pandemic on Business: There could be various impact on the business because of the pandemic. Each of the pandemic situations will be different and the impact can vary. Some of the effects include

Ø Thin employee attendance which includes subcontractor or temporary employees.

Ø Customer orders could be cancelled.

Ø Restriction on travel including air travel.

Ø Interruption in supplies or materials

Ø Change in demands

Ø Possible disruption in essential service like telecommunications, financial or banking services, water supplies, fuels, medicine, food supplies etc.

Steps in Pandemic Plan: The Pandemic plan depends on the type of business or how complex the organization is. You should determine which of the processes in the business are critical for your business. You should identify and train backups for essential functions. You should also plan for overtime requirement from the available employees. You should ensure that you have access to facilities, utilities, computers, communication equipment. This access should also be available if the employees are working remotely or from home locations. You may already have some business commitments. With the help of your attorneys, you should study the legal implications for delay or missing milestones or non-performance. Everyone should be made aware as to who is next in line for the management decisions should someone not be available. You should also ensure that you have continued payroll, finance, and legal functions. You should publish an emergency contact list for your employees and clients to contact. You should establish a pandemic management team. It is critical to know up front who will do what and who will be the leader. You should also appoint a pandemic manager who can coordinate prevention efforts, keep track of employees and who is available to come to work. The skeletal staff at work should be checked frequently for their health status. You should also prepare the team for crisis management and media relations.

Statutory or Legal requirements for Business Continuity Plan/Disaster Recovery Plan: Laws and regulations differ from one country or one industry to another, although there is a basic expectation that organizations will act responsibly. In Australia, regulations to be observed concerning business continuity and disaster recovery exist for specific sectors such as finance. In healthcare in the USA, the Health Insurance Portability and Accountability Act (HIPAA) obliges organizations to have a suitable data backup plan, Disaster Recovery plan. Essentially there are two specific types of regulations. The first being the standards and requirements that must be met in order to become a member of an organization, say for instance ISO. The second being the Government regulations imposed on specific industries which must be adhered to in order to do business. These regulations are usually created for national standards of uniformity. There are few regulations that have an impact on the Business Continuity Plan. Sarbanes-Oxley Act makes the corporate officers liable for business continuity. 

It is relevant for publicly held companies in the USA. IRS Procedure 86-19 requires off-site protection and documentation of computer records of tax information. These records must be available in the event that the primary facility is subjected to an unplanned outage. Consumer Credit Protection Act (CCPA) Section 2001 Title 1X specifies due diligence for the availability of data in electronic funds transfers including point of sale. Similarly, the Foreign Corrupt Practices Act 1977 holds management accountable for publicly held corporations to provide reasonable protection for IT systems. Government of India through the Ministry of Commerce (MoC) issued detailed guidelines vide Instruction No.D.12/25/2012-SEZ dated 22 February 2013 ('guidelines') for setting up Business Continuity Plan and Disaster Recovery Plan for IT/ITES SEZs. 

A robust Business Continuity Plan, Disaster Recovery Plan and Pandemic Plan also gives a lot of confidence to the customers. It has also been observed that in many requests for proposals or request for information the customers now have a specific section to get more details about these plans in the vendor organization. So as a good business practice it is advised to have a detailed plan for business sustenance.

profile-image

K Satish Kumar

Guest Author K Satish Kumar is the SVP & Group Chief Legal Officer of Intellect Design Arena Ltd. He is actively involved in many pro bono activities through Chennai Lawyers. He is an award-winning lawyer and regularly contributes as an author in various forums.

Also Read

Stay in the know with our newsletter