Recently there's been a lot of talk about the possibility of a pandemic flu and its effects. Most of the discussion has centered on what the Feds can do. President Bush has called for $7B to prepare and my old boss, Mike Leavitt, has been on the radio and TV talking about where the US is now and what it needs to do to be ready. I have to admit, much of this has washed over my back without much thought that there was something I ought to be doing. A recent article in Baseline by Larry Barrett, however, talks about how to factor pandemics into your organization's business continuity planning (BCP).
The key thing to remember is that in a pandemic, even healthy people won't be at work. The goal will be to limit person-to-person contact as much as possible. This makes it a different beast from other BCP efforts where much of the attention is on decentralization and redundancy.
First of all, you have to realize that much of your planning will be based on assumptions about what Federal, state, and county health authorities will do. We all have better ideas about what police and fire might do in a natural disaster than we do about government actions following a pandemic. That's because not even the government agencies themselves have firm plans in place in many cases. My advice is to make your best guess and press everyone you can to give you answers. Talk to local elected officials about the problem and ask them for answers.
Your employees might not be able to come to work (or want to). Do you have a VPN? Are employees added to the VPN routinely, or only with special action? Do they know how to use it? Does your VPN concentrator have sufficient capacity to handle the anticipated load? Do employees have network access, computing gear and data at home so they can do their jobs? If the answer to any of these questions is "no," you need to ask yourself how you're going to mitigate the problem. Remember that we're not talking about all or almost all of your employees working from home.
Along with the VPN, also consider voice communications. Conference facilities will be in much greater demand, not just by your company, but by everyone. You might not be able to count on your voice conferencing provider to handle the load. Ask them about their own capacity planning in this regard. Also, consider VoIP with softphones or Skype as an alternative.
It's not just your employees that will be homebound, but your customers and suppliers as well. The more capacity you have for conducting business electronically, the better off you'll be. Capacity planning is vital in this regard since you may experience huge spikes in demand for electronic servicing in a pandemic. People who would have never dreamed of buying online may overcome their fear if it means they can stay at home. When I was Utah's CIO, we believed that a natural disaster or terrorist attack would greatly increase demand for eGovernment services instead of walk-in, in-person services.
As long as we're talking about electronic services and ecommerce, count on transportation networks, including airlines and package delivery services, being offline. If you deal in hard goods, sales may falter, but customer service incidents may increase as people call about delivery and try to work with what they've got.
One of the most important lessons about any BCP effort is to put things in place that get used day-to-day so that they're continually tested. For example, don't plan on using Skype for conferencing in an emergency unless you're willing to start using it now for some activities so that a core group of people know how to make it work when you need it. If there are aspects of your plan that can't be used every day, put a system of regular testing in place.
As I wrote a while ago on the subject of BCP, in the end it's all about risk and what you’re willing to do. There are only three things you can do with risk:
- You can accept it. That is, just say “we’ll live with it.” This is the de facto position that not making any decision leads to.
- You can assign it. That is, you can make it someone else’s problem. Insurance is one way to do this. Outsourcing is another way of assigning risk.
- You can mitigate it. This is what you’re doing by creating a plan and developing a business continuation strategy.