Terms to facilitate your pandemic recovery planning process

In the midst of a global pandemic, organizations around the world are in varying stages of recovery. While some businesses may be in the reopening phase, many are still in the business resumption planning stages. No matter what stage your organization is in, pandemic recovery planning can and should be a priority.

Perhaps pandemics weren’t given much attention in your previous disaster recovery plan. In recent years, natural disasters and ransomware seem to have dominated disaster recovery planning, and outbreaks were generally not listed as potential threats. While you can’t change how your organization responded to the COVID-19 pandemic, you now have the information you need to create a thorough plan in the event of a future outbreak.

There are many overlaps between a pandemic plan and a general disaster recovery strategy, but the processes and tools can be tailored specifically to pandemic recovery planning. The terms below are likely to appear in the planning process, and many of them can apply to different disruptive events. Something similar to a Business Impact Analysis (BIA) should be done for all potential disasters, but the effects of a hurricane are very different from those of an epidemic. Although you may be familiar with all the terms, it may be helpful to review them in the context of a pandemic.

Types of plans

Pandemic plan. Chances are this is high on your disaster recovery priority list right now. In many ways, a pandemic plan resembles a general disaster recovery plan and is often included in preparedness guidelines as a recovery scenario. However, an increase in ransomware attacks and natural disasters in recent years may have pushed pandemic planning down the list. Including a section for pandemics in your disaster recovery plan may be sufficient, but a separate plan can allow for more targeted testing and preparation. Viruses differ in how they spread, how contagious they are, and how badly they affect those who get sick.

Pandemic-specific planning should be part of your overall disaster recovery plan.

As we’ve seen with the coronavirus, it’s not just people with symptoms who can no longer come to the office. A pandemic plan should also include social distancing measures and remote work plans.

Crisis management plan. Along with pandemic preparedness and recovery, crisis management is an integral part of managing an ongoing pandemic and its aftermath. Like a pandemic plan, a crisis management plan overlaps with general disaster recovery planning, but it also focuses on how the organization deals with issues such as workflow, profitability, reputation and public relations. Communication, media management and post-crisis maintenance should be covered by a crisis management plan. Crisis management should be consistent and easily integrated into disaster recovery and pandemic plans to ensure all bases are covered.

Elements of a Pandemic Plan

Business Impact Analysis. A BIA is an essential part of any recovery plan and a powerful tool in dealing with a pandemic. An in-house or third-party team performs a BIA to provide an in-depth look at how different disasters will affect an organization’s operations. BIAs are used for business continuity planning and can reveal weaknesses in an organization’s business continuity and DR (BCDR) strategy.

There is no universal set of standards for a BIA, but a comprehensive analysis typically includes gathering information about business processes and resources from employees knowledgeable about the business. The BIA team writes a report on these findings and submits it to senior management, who can then act on this information, if necessary. Information discovered in a BIA may include certain risks that an organization is vulnerable to, how the organization will be affected by particular risks, and guidance for repairing those vulnerabilities. Your BIA results should directly inform your DR and pandemic planning. Be sure to update your BIA after a disaster, taking into account what the organization did well and areas for improvement.

Pandemic planning for staff should cover remote working, downsizing and travel.

Crisis communication. A key part of crisis management, crisis communication ensures that anyone who needs to know the state of the organization in the event of a disaster is informed in a timely manner. In the event of a pandemic, crisis communications may include telling employees to stay home, distributing remote access information, or notifying on-site personnel if anyone within the organization has been exposed to disease. With COVID-19, precautions and policies are changing rapidly, especially in the early stages. It is essential to have an effective, reliable and rapid means of communicating important information to the personnel concerned.

According to Ready.gov, this can include customers, employees and their families, the media, the surrounding community, company management and investors, government officials and other authorities, and suppliers. Common methods of crisis communication include call trees and emergency notification systems, which automatically send information via email or SMS.

Tabletop exercise (TTX). One way to train in unprecedented scenarios is to perform a tabletop exercise. A TTX allows a disaster recovery team to walk through a disaster scenario from start to finish, ensuring there are no gaps in the disaster recovery plan. For a pandemic, a TTX is a great way to run through a plan before disaster strikes, as it goes through emergency communication processes with staff, as well as any outside organizations you may need to contact in the event of a pandemic. Tabletop exercises should be part of your organization’s DR testing strategy, as they also assign leadership for a pandemic recovery, involve the necessary parties and make them aware of their responsibilities.

ISO standards to know

The International Organization for Standardization (ISO) has many standards for business continuity and disaster recovery. These universal standards can be used as a reference when developing a BCDR plan, and while no two organizations are the same in their planning, ISO standards can set out some basic guidelines that must be followed to ensure that your organization is covered. The standards to which it may be useful to refer in the event of a pandemic are as follows:

  • ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements. This standard provides details on how to use a business continuity management system (BCMS) and the activities to be performed to meet compliance requirements. ISO 22301 can serve as a useful reference when creating a customized annual schedule of BCMS activities specific to your organization.
  • ISO 22330:2018, Security and resilience — Business continuity management systems — Guidelines for the human aspects of business continuity. While ISO 22301 deals with the compliance side, ISO 22330 is for people involved in a BCMS. In pandemic planning, people are a critical part of the plan, from internal staff to the public. Reference this standard when training staff, managing the business response, and considering what recovery might look like for those affected, not just the business. This may include ongoing support for employees who are ill, injured or dealing with trauma as a result of a pandemic.
  • ISO/TS 22317:2015, Societal security — Business continuity management systems — Guidelines for business impact analysis. This standard can provide useful guidelines when creating or updating your organization’s BIA. While there is no universal requirement for what a BIA should include, this standard outlines what makes a BIA successful and why it should be updated often.

The ISO 9000 family of standards can also apply to a pandemic planning scenario. This group of standards covers quality management for many different industries and types of organizations and may be the most widely used set of ISO standards. In pandemic planning, the ISO 9000 family of standards can help ensure that your organization still meets compliance and regulatory requirements while working remotely or with reduced staff and resources.

Louisa R. Loomis