Some biologists predict an increasing probability that Covid won’t be the last pandemic we experience in our lifetime. That’s just one of many things that keep emergency planners up at night, and another reason why business continuity planning (BCP) must be built into the very fabric of our organizations.
However, each organization is unique, and some risks resonate more in particular sectors or industries. For instance: An incident on a manufacturing floor can create millions of dollars in losses in just a few minutes. But that’s not especially relevant to a university, for example, or to a healthcare institution. Context really matters.
That is why, in the weeks ahead, we’ll take a look at critical event management (CEM) in the context of specific industries. To kick off this business continuity discussion, I would like to shine a spotlight on our own approach — as a security- and safety-focused software company with global operations.
BCP in the Technology Sector
How does a technology company like BlackBerry organize its own CEM efforts? How do we keep our employees safe and up-to-speed through crises and emergencies? And what are the most important pieces in the BCP/CEM jigsaw puzzle that every tech or software business needs to have in place?
To get answers, we spoke to BlackBerry Director of Enterprise Business Continuity & Disaster Recovery Management Laura Beattie. Laura has almost 20 years of experience in the field and led BlackBerry’s response during a number of emergencies, including the pandemic. Laura identified four key issues that tech companies need to address to prepare for disasters. And, while these come from her experience in a software-focused business, the tips she provides may apply to many other organizations, as well. The following are Laura’s comments from my conversation with her.
BCP Issue 1: Preparing for Disaster
“How many organizations had regularly practiced their pandemic plan prior to COVID-19? Today, global tech businesses are dealing with a wide variety of different emergencies from wildfires to violent protests and security breaches. You need well-tested plans that can be quickly activated during unexpected events. This includes crisis management, emergency response, and business continuity plans. Having these documents sitting on the shelf isn’t going to be very effective if no one's familiar with them.”
Practicing Your BCP Plans
“By conducting regular exercises, you can reinforce your processes and set everyone up for success during real events. Even if your processes aren't perfect yet, start testing them, and run tabletop exercises with pretend scenarios. Set the scene: What would you do if a disgruntled employee were to walk into one of your buildings and announce they've planted a bomb? What if some of your `single points of failure’ employees go out sick, and they're gone for a while? Set up scenarios and have key staff discuss their responses to them.”
BCP Issue 2: Having the Right Resources to Respond
“Another challenge for many tech organizations is not having dedicated resources or expertise on staff. This makes it difficult to develop plans ahead of time, and also to operationalize them. In many cases, employees are wearing multiple hats, and smaller software companies are less likely to have 24/7 operation teams to monitor global impacts and identify affected employees — especially now with employees working from everywhere.”
How to Build Business Continuity Teams
“The key is to build on what you already have in place. For your incident crisis management process, you probably already have key contacts at each site, or in the regions that you engage during incidents. They could be your emergency volunteers, HR facilities folks, security, and so on. You can start to assemble local incident management teams with these key contacts, as well as senior leaders representing the business groups that reside in these areas.
Once you have these groups formed for each area, you can set up global distribution lists, so that at the time of an incident, you have one thread of communication with that local team, keeping everyone on the same page. These teams can help with situational awareness and providing direction. Then you formalize one executive crisis management team consisting of your top senior leaders. You escalate information to this team for more severe impacts, and when you want overall directions, such as a decision on whether to close all your sites for the pandemic. Now you've established a clear chain of command and you have a framework for your incident and crisis management process.”
BCP Issue 3: Prioritizing Risks
“With so much to account for, how do you know where to focus? Do you have critical system infrastructure that’s getting old and you don't have fail-over plans for it? What effort have you put into succession planning or cross-training for your single points of failure? How reliant are you on your third parties? Do they have business continuity plans in place? All of these are potential risks for your organization. Tech companies are now having to deal with overlapping emergencies, too. Many of us are working from home, but what if some of your employees, while working from home, are then displaced due to wildfires or hurricanes? This adds another layer of complexity to business continuity planning.”
How to Prioritize in BCP Planning
“When it comes to assessing your risks, you need to understand impacts, and put the necessary plans in place. Prioritize by starting with what you identify as the highest risk for your business. From a safety perspective, perhaps you have offices or employees in areas where floods or tornadoes are prevalent. From a business continuity perspective, we assess risks associated with loss of site, people, technology, and third parties.”
BCP Issue 4: Ensuring Communication That Is Consistent, Timely, and Accurate
“If your emergency messaging is delayed or contains inaccurate information, it's going to discredit your communication with your employees. For example, if your alert says that there's an active attacker in the area, yet the person was apprehended an hour ago, your message is no longer relevant, and employees will start to ignore them because they won't see value in them.
One thing I’ve learned when it comes to communicating during difficult times is that employees want more — rather than less — from their employers. They want to know that their employers care about their safety and wellbeing, that they're on the pulse of what is happening, and that they’re transparent in what direction the company is taking to address communication challenges.”
How to Improve Critical Event Communications
“Leveraging technology really helps to reduce manual effort. At BlackBerry, during recent hurricanes, we were able to promptly send an alert via multiple delivery channels, such as text, email, and app. These included response options such as, ‘I'm safe,’ ‘I need assistance,’ or ‘I'm not in the affected area,’ to confirm the safety of our employees. We were able to get responses quickly. This is where security of information is so critical. You want the confidence that what you’re sharing internally and collecting from your employees is protected.”
Building Your BCP/CEM Checklist
As we look to the future, certain factors indicate a positive shift in mindset since the pandemic. Examples include a renewed focus on preparedness and the rise in “resiliency officers” taking a seat at the C-suite table.Laura’s advice should help you build on your BCP plans and add any elements you may have missed, like having a dedicated CEM platform with two-way communication.
At BlackBerry, we’ve found it invaluable to have features that help us with planning, such as step-by-step guides and built-in review cycles, plus real-time status updates, and the ability to track and report the status of recipients and stakeholders during any critical event. With continual reviews, rehearsals, and secure communication in place, you can be ready for whatever comes next.