Does Your Business Continuity Plan Cover Pandemics or Not?

Does Your Business Continuity Plan Cover Pandemics or Not?

In the wake of Hurricane Sandy, many New Jersey businesses developed business continuity plans (BCPs). Unfortunately, many businesses are now discovering that while current BCPs address disruptions due to natural disasters, they do not adequately account for the completely new challenges to firms and individuals created by this worldwide pandemic.

Today’s challenges include global supply-chain disruptions, contaminated work facilities, homes, depleted workforces due to serious illness, government-mandated closures of schools and businesses requiring immediate remote office use and travel restrictions. To address these novel and ongoing threats posed by COVID-19, changes will be needed to your existing business continuity plans (BCPs).

A necessary starting point is to utilize your BCP’s response team members to determine all potential threats to your business operations posed by COVID-19, rank the severity of each business disruption, analyze the effectiveness of your BCP and document failures and weaknesses that surfaced during this crisis to be able to devise remediation measures to address each risk. As we have discussed in prior articles, your BCP should address a wide range of areas that have been impacted and your Response Team should be working on developing workable solutions as developments progress in real-time. Below are several risk areas to consider:

• Risk of widespread disruption: Stay-at-home orders and mandatory closures of schools, religious institutions, libraries, parks, and non-essential businesses are having a significant impact on businesses across the country. Your firm’s Response Team members should determine what steps can be taken to ensure adequate staffing during a pandemic, including how to best facilitate working remotely, the security of your firm’s systems, confidential and personal information programs, IT and abilities to conduct operations with reduced staff levels who are now and will be for some indeterminate period of time working remotely.
• Alternative locations: Alternative locations (i.e., back-up data centers, back-up sites for operations, remote locations, etc.) are essential given the risks of contamination and high rates of employee absenteeism. Given that recovery may happen faster in certain regions of the country, firms should try to achieve geographic diversity. Such decisions will be based on your firm’s size, financial situation, workforce and systems, since diversification may not be possible. Are there available alternatives to complete closure, such as creating a strategic business alliance or interim working partnership?
• Telecommunications services and technology: BCPs should address how to keep technology and telecommunications systems up and running. With regard to COVID-19, one of the unique risks is the strain on IT systems caused by the majority of employees logging in from remote locations. To prevent disruptions, systems should be monitored and upgraded if necessary. With employees accessing your company’s network from home and/or using their own devices, additional measures may also be needed to address cybersecurity.
• Threats or Security Breaches: Has your Response Team identified system/IT threats or actual breaches of your firm’s cybersecurity? Has the extent of hack or penetration of systems or operations involved your firm’s finances? What was the scope of the damage, if any, and how effective was your Plans response measures? What should be done in real-time and by who?
• Communication plans: Firms should have plans in place to maintain communications with customers, staff and third parties, such as investors, vendors, and regulators. This includes keeping the firm’s website updated with important information regarding operational status and general contact information. Firms should also have procedures in place to keep staff informed and stay in touch with critical members. Since it is unclear how long we will be impacted by COVID-19, it often makes sense to create a team or task force to monitor the pandemic and its impact on the company.
• Employee education: Employees are understandably anxious right now, with many worried about their health and their job security. Companies should have procedures in place to keep employees updated on health/safety initiatives, as well as human resource policies (i.e., remote work procedures, paid leave, and non-essential business travel).
• Regulatory and compliance considerations: While many state and federal agencies have relaxed some regulatory requirements, others are taking a “business as usual” approach. BCPs should include plans to ensure continuous regulatory compliance. Have you identified key personnel to monitor developments and maintain effective communication with regulators, industry association representatives and your management?
• Reviewing and testing: Firms should empower its most experienced management members and available Response Team participants to undertake an immediate BCP Effectiveness Assessment to provide Firm leaders with the most current information about the firm’s ability to conduct business and whether remediation steps must be considered for implementation either immediately or in a phased manner. Probably one of the first weaknesses identified will be your training program. As the pandemic evolves, BCPs must too.

COVID-19 presents significant stresses to BCP’s, particularly because there is a lot we don’t yet know about how long its impact will last. Nonetheless, maintaining an effective BCP that reacts reasonably to the unique stressors of this pandemic may be the most important process your firm can utilize.

If you have any questions, please contact us

If you have any questions or if you would like to discuss the matter further, please contact Paul A. Lieberman or the Scarinci Hollenbeck attorney with whom you work, at 201-896-4100.