Business Continuity, Preparing for Challenges under a “New Normal” Paradigm
Business continuity is the capability of an organization to continue the delivery of products and/or services at acceptable predefined levels following a disruptive incident. An incident or crisis could include; natural disasters, human caused events, a pandemic, or some other event that results in the loss of a facility, personnel, or a process critical to business operations.
In March of 2020, companies throughout the U.S. and around the world were forced to activate their business continuity plans as COVID-19 spread across the globe. Many companies were forced to close their doors and require employees to work from home. This article explores lessons learned that may require business continuity managers and other planners to re-examine the vulnerabilities and risks that could impact their companies in a new normal that includes “work from home” arrangements for many employees.
Before the COVID-19 pandemic, 17% of U.S. employees worked from home five days or more per week, a share that increased to 44% during the pandemic.[1] The COVID-19 outbreak forced workers out of the office and into a work-from-home-situation. In cases where companies had work-from-home contingency plans, the infrastructure needed to operationalize those plans was in place. Most had already equipped employees with lap top computers with installed virtual private network (VPN) software that allowed workers to access needed reports, files, and company e-mail servers. Most office conference room meetings were initially held through traditional conference call services and later replaced with “Zoom” type applications that offered the use of video and file sharing capabilities. Those companies that were able to make this adjustment had spent the time and energy to create business continuity plans that accounted for the loss of their company’s offices or other facilities where employees reported to regularly.
As one might expect, business continuity plans are not meant to be a permanent fix in a crisis but rather an alternative solution that allows for the continuance of critical operations until systems, processes, facilities, etc. are brought back on-line. As corporations begin to “reimagine” the work place and create more flexible work schedules, a number of considerations will need to be addressed including, business continuity, health and safety, and security plans and procedures.
Where individual companies are able to put certain controls in place to protect their networks, working from home introduces new risks and vulnerabilities. Companies who have employees working from home and accessing the business network through private (residential) internet connections, need to consider the risk that comes with a less secure network. To address this vulnerability, many companies install, VPN applications to help protect their systems. Essentially, a VPN connection gives online privacy and anonymity by creating a private network from a public internet connection. A VPN connection makes it much harder for a potential hacker to infiltrate networks and steal or corrupt data. The downside exists however if or when an employee logs onto their home network without using VPN protection, companies should therefore consider policy that restrict the use of company computers for personal use.
Along with network security, companies should also consider their approach to other technological needs of their employees that could introduce new risks to company systems. The use of personal printers that require a wireless connection and have an internal memory should have written protocols that include operational guidance for their use. The use of portable hard drives and thumb-drives can also introduce additional risk, companies should consider encryption software for those devices or limit their use all together. The technological risk of data loss or compromised systems isn’t the only vulnerability companies need to focus on.
Operational Security or OPSEC is yet another area where working from home can open the door to unwanted loss of valuable company information. Generally, OPSEC is the process of identifying and protecting various types of information. Where most companies have OPSEC policies that include the handling and disposal of internal, confidential, and restricted information, the work from home paradigm creates some new challenges. OPSEC guidelines and practices should be written to address this new working environment.
Finally, business continuity plans will need to be updated to meet new work-from-home practices. Where some company’s business continuity plans leveraged the work-from-home option in the event of a loss of certain office locations; the new working environment may find those same planners trying to identify work space for work-from-employees, should their home base office be compromised from a major outage or other disaster. Furthermore, where some business continuity plans address the loss of personnel, with the recent and ongoing lessons learned from the COVID-19 Pandemic business continuity coordinators should consider addressing this issue to ensure plans for human resources include social distancing, and other health and safety requirements.
Over the course of the past year business continuity coordinators and emergency planners have learned many lessons. Moving forward it is imperative that companies reevaluate existing business continuity plans, conduct thorough risk assessments, and identify new vulnerabilities the “new normal” work from home environment has created. Understanding that no one has been able to avoid the impact from COVID-19 and that everyone has an experience to share, it is imperative that we will continue to share lessons learned in order to make our respective companies better prepared for the next disaster.
[1] Kimberly Miltz, ”Technology & Telecommunications” Statista.com, April 9,2021, https://www.statista.com/statistics/1122987/change-in-remote-work-trends-after-covid-in-usa/#statisticContainer
About the Author:
Christian Schulz Manager, Business Interruption Management Public Service Enterprise Group (PSEG)
Christian Schulz is the manager for PSEG’s Business Interruption Management Program and a direct report to the Vice President of Business Assurance and Resilience. In this role he oversees matters relating to Crisis Management, Business Continuity Planning, Emergency Response, Life-Safety and Evacuation, and Disaster Recovery for the corporation. Prior to working with PSEG, Christian was the site manager for security and emergency preparedness at Meridian Health Corporations’ Riverview Medical Center. In that position he wrote emergency operations and security plans, conducted vulnerability analysis and co-chaired the Environment of Care and Emergency Management Committees. Christian also served 28 years with the New Jersey State Police. He retired as Lt. Colonel where he served as the Deputy Superintendent of Homeland Security and the Assistant State Director of the NJ Office of Emergency Management. As the Branch Commander of Homeland Security he led a staff of 700 troopers and civilian employees from both the Special Operations and Emergency Management Sections. Throughout his career with the New Jersey State Police he also held various leadership positions including, the role of commanding officer for the New Jersey Regional Operations Intelligence Center (ROIC), Executive Officer of the NJ Office of Emergency Management (OEM), and Bureau Chief of the Communications Bureau. Christian holds a Masters degree (MA) in Homeland Security Studies from the Naval Post Graduate School and a Masters degree in Public Administration (MPA) from Seton Hall University, he is also a Certified Business Continuity Professional through the Disaster Recovery Institute
More on
About the author
