Security and risk management leaders responsible for business continuity management must plan for COVID-19 shaping 2021 and beyond. Businesses will face a perfect storm of threats from COVID-19, cybercrime, severe weather events, climate change, civil unrest and political instabilities.
Security and risk management leaders are currently providing ongoing cybersecurity, secure remote access, expanded identity and access management, network security and business continuity management (BCM) to support their organizations through the disruptions caused by COVID-19.
As the situation with COVID-19 continues to unfold, severe weather events, cyberattacks, civil unrest and political instability will introduce additional challenges to already disrupted business operations. Security and risk management leaders will need to be able to respond to these challenges to ensure that the business can survive and prosper.
Accordingly, security and risk management leaders will need to develop BCM frameworks, methodologies and strategies that enable their organizations to resist, absorb and recover from multiple disruptive events by:
Contextualizing the threats by working with other risk management partners and colleagues
Reviewing business priorities and mapping to recovery tiering
Implementing an overarching BCM response, crisis management and recovery framework
Security and risk management leaders must:
Anticipate multiple and possibly converging threats while still dealing with the pandemic disruption by engaging with all managers through the planning, response, recovery and restoration process.
Respond to multiple disruptive events, regardless of their nature and scale, by implementing a “scale, duration and impact” methodology.
Establish ongoing robust response activation procedures by defining disruption levels into low, medium and high, with associated actions.
The global COVID-19 pandemic of 2020 required an organizational response with strategic direction from senior management teams. However, it became apparent early on that traditional BCM planning, which is often carried out in silos, could not provide the support required to manage the impacts effectively.This note will outline the current challenges that threaten the current operating environment and outline effective strategies to prepare for and respond to multiple disruptive events.
Gartner research confirms that in the early stages of the COVID-19 outbreak, one in four organizations had to suspend their operations for at least a few days (see ). This included sectors such as manufacturing, logistics and aviation. In a Gartner snap poll, 50% of HR leaders indicated their contingency plans were either partially successful or not successful in responding to the outbreak (see Figure 1).
In a Gartner board of directors survey, it was confirmed that there were a number of areas where plans could be updated to help ensure a more robust future response (see Table 1).
One of the primary responses by many organizations to the COVID-19 outbreak was to quickly implement a remote-work policy. However, the increased emphasis on remote work is contributing to the evolving threats related to cloud computing, data privacy and cybercrime. The dynamic and increasingly complex threat landscape and unpredictable business environment mean that flexible and scalable operational resilience planning will be a key differentiator between success and failure as the pandemic develops and the world resets. For example:
Organizations must evaluate if they’re supporting the accelerated switch to digital business.
Critical deliverables will change as product lines and service outputs are reinvented, leading to changes in suppliers and third parties.
New technologies and a greater emphasis on remote work will require additional considerations around information security and response strategies.
Remote work possibilities may impact the need for alternative work area recovery sites.
Organizational resilience will become even more of a strategic imperative if businesses are to thrive and prosper in the face of growing adversity. Therefore, a cohesive, integrated and organizationwide approach to BCM is the only way to succeed in implementing the organization’s strategy in the next business landscape.
The Gartner Pandemic Response Phases outline the business challenges faced as the pandemic develops over time. This is illustrated in the diagram below in Figure 2.
Within each phase, consider the differing activity levels, procedures and actions that will be required. These will range in intensity, as further illustrated below in Figure 3.
The prepare phase occurs during “business as usual” and represents the best opportunity to prepare resilience plans and mitigation strategies to reduce the likelihood of failure and minimize the impacts of a disruption. Typically, organizations that fail to effectively prepare will perform worse through the respond, recover and rebuild phases in the wake of a major disruptive incident. This results in greater impacts as a result of poor management of the disruption and extended rebuild times.
The respond, recover and rebuild phases are characteristics of the “crisis management journey” and involve intense activities at the time of a disruption to enable effective containment of the impacts, allocation of resources and implementing recovery strategies. Those organizations that have prepared and mitigated in a joined-up manner are usually better able to manage their way through this journey, thereby minimizing the impact upon their organizations.
As the current COVID-19 pandemic develops over the coming months (or years), it is likely that organizations will continuously move back and forth along these phases in response to changes in pandemic wave patterns.
Security and risk management leaders must resist the temptation to take the traditional approach of building scenario-based resilience plans, as these are ineffective. It is true that known threats such as severe weather events or earthquakes must be planned for and would require specific response procedures related to the known threat for inclusion into the wider suite of plans. However, they should not drive, but rather inform, the resilience planning agenda. This is illustrated in the diagram below in Figure 4.
The ability to respond to a disruption regardless of its nature, scale and cause is an imperative when dealing with multiple threats. When planning for this, security and risk management leaders should implement a “scale, duration and impact” approach to threats to support the decisions regarding the appropriate level of organizational response required.
The scale, duration and impact approach is illustrated below in Figure 5.
Security and risk management leaders should encourage all managers to adopt this approach. It is also important to be able to assess the level of disruption (or potential disruption) to ensure a timely and proportionate response to a disruption.This is important because not every disruption will represent a “continuity of operations” issue and may be dealt with by applying management actions or standard operating procedures. By contrast, there will be events where it is clear that a major disruption will occur and a full business continuity, IT disaster recovery (DR) and third-party crisis management response is required. The greatest challenge is represented by those disruptive scenarios that slowly develop or do not present an immediate impact. In these cases, managers would need to be continuously reviewing developments, managing the current situation and making preparations to implement a full response (see Figure 6).
Utilizing reference points such as those in Figure 6 reduces the requirement for scenario planning, improves decision making and helps to ensure that the response is aligned to the impacts presented by the disruptive event.
Therefore, security and risk management leaders must:
Ensure a joined-up approach to the BCM strategy through the prepare and mitigate phases.
Build response capabilities first before using scenarios and known threats and risks only as vehicles to consider business impacts.
Strengthen crisis management decision making by implementing scale, duration and impact into the response, recover and rebuild phases.
Strengthen capabilities to enable response and recovery procedures that are proportionate to the nature and scale of the disruptive scenario by building definitions for levels of disruptions and associated actions.
To ensure that the organization can effectively respond, recover and rebuild following any disruption, security and risk management leaders must build teams with the following attributes:
Technical expertise and operational experience will ensure a robust response that will identify, suppress and contain the disruptive situation at the earliest stages. For example, facilities would be the focus of the initial response to a buildings-related disruption, and IT would support the initial response where a cyberattack is taking place. In each case, the aim would be to contain the situation and report the affected business elements to management. In each case, the ongoing damage control and restoration procedures are in line with management directives and recovery priorities.
Strong crisis management expertise and experience is needed through the recovery phase. During this phase, review the extent of the disruption using scale duration and impact, allocating people and resources to minimize the impact. Additionally, implement internal and external communications strategies. including media management, provide support to the technical/operational teams, liaise with third parties and suppliers, brief senior management and implement recovery strategies in line with organizational priorities.
Senior management engagement is needed through the rebuild phase to review the wider strategic impacts, deal with media attention, resource recovery strategies and to implement longer-term rebuild projects with appropriate assigned resources.
In each case, teams may be stand alone or working in unison at different times through the lifetime of the disruptive event.
Organizations with heightened BCM capabilities will be more likely to implement strategies and outperform peers in the post-COVID-19 environment. Change agents such as COVID-19 and the rapid pace of digital innovation mean that businesses with more robust response, recovery and restoration procedures will be better placed to take full advantage of the opportunities presented by this changing landscape.
This research is drawn from client inquiries, and evidence gathered through the Gartner response to the COVID-19 outbreak through 2020.
Gartner Recommended Reading