How to Draft a Business Continuity Plan

The war theorist Carl von Clausewitz is often paraphrased about the discontinuity between military plans and war realities with the notion that the ideal conditions of war are never met. Dwight Eisenhower provided another angle in the 20th century with “planning is essential but plans are useless.” It’s hard to imagine a better time than now to revisit the associated notions. COVID-19 is wreaking havoc in whole numbers of places, and causing fear and panic in the rest.

Disaster recovery plans are often wonderfully convincing documents that businesses are required to have (or more likely file away), but we need to start thinking about restructuring for actual resilience.

When it comes to COVID-19, was your entity ready? Did your plans for telecommuting and remote work succeed or fail?

For many startups, the move to telecommuting wasn’t difficult. The end-user environment doesn’t mean clunky desktop computers hard-wired in a specific location anymore. It’s a bunch of laptops with remote access to various internal and external services, such as email and some sort of internal chat systems, where staff work from home as often as not.

How sustainable that remote capable work model is long term is a separate question, but there’s no time better than now to reassess your infrastructure and processes.

The best time to review past planning is when your plans are in action. Since you probably have the time to delay that Netflix series for now, go record what you did for this current emergency in your disaster management plan. That next episode, and you, are probably not going anywhere for a while, anyway.

A lot of thought and planning go into an organization’s resilience. There are a number of basic tenets to guide you, and there is likely time to make adjustments now.

First, determine what is critical in your physical office location. Are there servers that can be shut down for the interim? Are your backups still happening? Are there password lists or digital offline resources that you can’t access remotely? Can you continue operations without physical access for the next month or three?

Second, review any over reliance on a single provider. Monocultures (the reliance on a single provider) are poison to resilience in action, yet choosing the most common providers is often the easiest and most expedient route with services.

It’s unlikely that Google will stop processing your email, or that Amazon Web Services will come to a hault during this COVID-19 pandemic, but what if they did in another scenario?

Third, there are basic areas to review specifically in communications: communications among the staff, communications with customers and communications with service providers.

Communication with staff: You probably have staff cell phone numbers besides their work email addresses and the ability to chat on a service like Slack. Can you send them regular snail mail? Do you have alternate email addresses for them?

Stop making assumptions based on how things normally work, and start imagining if this or that service isn’t operational. Better yet, imagine if the usual pipes aren’t there, i.e., if there was some catastrophic issue with email communications. Some entities maintain old-school numeric pagers for backup communications. Those ancient devices work on regular AA or AAA batteries, and don’t rely on complex systems like 4G cell phone networks. Sure, you might look silly with it, but the old pager networks just broadcast out pages and work when everything else goes to hell. And best of all, adversaries who might attack your infrastructure aren’t likely to simultaneously attack that system.

Communication with customers: If you just have a few customers that you’re acquainted with on a personal level, it’s probably easy. But if you have a large number who you maintain mostly passive interaction with, it’s another. If your web site goes down, does that mean you lose communication with your customers?

Maybe Twitter accounts take up the role, or Facebook. Or maybe you should maintain a separate emergency-only simple web site for broadcasting information.

Communication with service providers: The new organizational models are more difficult to manage. One can’t just ask the accounts payable department to print out a list of service providers they paid in the last 60 days because too many service providers are “free.”

When times are back to normal, you should start listing all of those providers, paid or free, that matter. Having a sense of your full footprint is the first step not just in building resilience but also in assessing privacy and security operations.

Build a hierarchical listing of the service providers ranked by how critical they are for your operations. Your email provider probably ranks high, which might include a data center facility. Do you have support contact information? How do you measure their uptime? Organizations that create and maintain sites like “https://status.hostname.tld" get extra cookies. Those who lived through Superstorm Sandy should remember that.

The COVID-19 “cost” to business is contagion, staff falling ill, sometimes with fatal consequences. The advantage to have an operational and easy-to-implement remote work operation could mean longer term health, both mental and physical for your employees and other employees who are not so fortunate.

Building resilient systems means making a lot of decisions that don’t seem to make much sense in “normal” times. And they often mean incurring costs of money and time that don’t immediately provide proof of a return on investment to management or investors. But like insurance policies, they justify their costs in times like these. Amid the fears and panic of COVID-19, how many organizations and individuals are thinking “I wish we just had done X before this”? Use the time and experience of this pandemic to prepare your business to the next crisis. It may not be a pandemic next time, but planning is essential, even if the implementation of the plan is practically useless.