Manu Singh hung up with his client, the COO of a small appliances manufacturer in New Jersey. He had expected this. As the head of Networker UK Ltd, an IT operations company, Singh had seen similar panic before, at small companies and large enterprises alike. The panic when IT is the reason a business grinds to a halt.
It was March 23, 2020. New York was already in lockdown due to the novel coronavirus. New Jersey Governor Phil Murphy was about to announce similar steps. It would mean that within days the manufacturer's offices would become inaccessible to its 350 employees. If they could not access critical IT systems like ERP, the entire operation would shut down. The company prided itself on its loyal customer base. People would understand, but the lost opportunity would be significant: among many appliances, the company also made sewing machines.
All previous business continuity planning (BCP) had centered on limited physical disruption: Is the business resilient if one location is compromised? The planners had prepared for earthquakes, terrorist attacks and fires. They had discussed data backups, inventories, redundant locations and a distributed supplier base.
For the last decade or so, cybersecurity has also been a prominent line item on every threat assessment. Still, outside of some key-man provisions, few plans thought about the people. Current business continuity plans generally assumed that people would simply show up at the new location.
COVID-19 changed that assumption. The new question that BCP managers are asking is: Can the business continue normally in a completely virtual format?
1. Enable Truly Virtual Operations
In the next half hour, Singh created a migration plan. Enable remote access to critical applications. Start BYOD (Bring Your Own Device) support for personal laptops and tablets. Install an IVR suite for customer service agents to work from home. He knew this was only the first — and easiest — step towards business continuity.
Many questions were still unanswered. First, the mobility infrastructure at most enterprises is meant for occasional remote working, not a completely distributed workforce. Under security policies for most enterprises, remote access is limited in its permissions and bandwidth. IT and other support functions are based out of physical locations. In many situations even drive backups occur only over the office wi-fi. In other words, the current setup expects everyone to show up to work at least periodically.
That's no longer sustainable. A redesign of most collaboration and remote access tools is unavoidable in the long term. Videoconferencing software is another example. While vendors continue to add features like screen sharing, polling and more, most popular videoconferencing tools are but extensions of a telephone. They're fine for occasional meetings, but if everyone is going to spend their entire time on these tools, they must emulate office desks instead.
2. Redesign Physical Operations for Flexibility, Redundancy and Automation
Then there is the question of physical manufacturing. The only way through is to design shop floors that can easily adopt ad hoc safety procedures. This time it's social distancing and masks. Next pandemic it may mean something else. Next crisis may not even be a pandemic. The important thing is to plan for some of these scenarios and design flexibly.
Some have learnt these lessons quickly. Weeks before Singh was thinking through the long-term roadmap to secure the manufacturer's future, KC Ang, Thomas Morgenstern and Ron Sampson at GlobalFoundries came up with a plan to ensure its fabrication plants (FABs) kept going. They focused on essential operations only, invested in employee morale and ensured there was an abundance of PPE and sanitation materials. Most importantly, GlobalFoundries redesigned its FAB operations and staffing procedures to minimize exposure while running at full capacity.
Planners at Amgen were also prescient. They made sure that their laboratory work was split across at least two of their three labs in India, China and Poland. To do this Amgen had to decentralize decision making and delegate more to mid-level leadership. Given the waves in which the pandemic has hit the globe, Amgen has been fine, albeit at a slightly higher cost.
GlobalFoundries and Amgen had the foresight, resources and the luxury to do this. Most enterprises had to scramble. The public spat between Elon Musk and Alameda County comes to mind. In either case, these lessons are not lost on BCP managers.
3. Think Holistically, Including About the Ecosystem
Given the complexity of value chains in the modern economy, a strong BCP strategy for a firm is no guarantee for a resilient business. “What will you do if your key supplier shuts its shop one fine day?” asked Ashutosh Chaudhary. In 2019, Fitbit tasked him with diversification of its sourcing base, which was primarily in China. The idea was to hedge against the risk of an all-out trade war.
After a long and tiresome process, Chaudhary's team worked with vendors to include three more countries. “Because Fitbit now has four countries in its supply chain footprint instead of one, it is in a far stronger position to deal with crises like COVID,” said Chaudhary. “If you choose vendors with multinational presence, such diversification does not necessarily come with increased costs. The overall scale for the vendors remains the same.”
Ensuring redundancy among suppliers and jurisdictions of those suppliers is one clear way to go. In the post-coronavirus world, when BCP managers evaluate a company, they will also prefer to pass through some of the BCP requirements to other critical players in that company’s ecosystem, including key suppliers. Such pass-through provisions exist today, for example, for prime, sub-prime and sub-sub-prime contractors in large government contracts. “This legal template will become more common in the coming years,” Chaudhary agreed.
4. Replace the Water Cooler With Automation and Discovery Tools
“Once the immediate crisis is resolved, my clients start talking about implementation of tools for automation and information discovery,” Singh reflected on the general trend. The physical proximity of coworkers in an office and the conversations it supports are conduits for a lot of informal, yet critical, knowledge exchange. Who hasn’t craned their neck, asked a colleague and immediately received an answer to something that had been blocking them?
The work-from-home world poses a huge barrier to these quick chitchats. While this is not strictly a part of business continuity, BCP managers have begun to think about tools that enable collaboration, rigorous planning and automation, including intelligent process automation. Another focus is information discovery tools like natural language search. All to make sure that workers don’t miss the comfort and validation of having colleagues around them.
“We are trying to replace the water coolers with IT,” said Singh.
5. Redefine Security Protocols
Physical boundaries with a lock on the gate have been a critical part of most security and business continuity threat assessments so far. Evaluation of a company for any industry-accepted certification stresses such features.
In the new world, however, physical walls won't matter. This also means that CISOs must now approve remote access to the most important data of their companies. So far, physical restrictions on such access have provided another layer of protection. All this is happening in the context of GDPR, CCPA and other similar legislation that increases the sensitivity of data stored within businesses.
Eventually, the certifying agencies will change their standards, and the acceptance of risk in the industry will evolve. In the meantime, CISOs and BCP managers may choose to adopt a range of solutions to protect their data. This includes embracing a new way of thinking about identity and access management, as well as redefining security protocols, especially around device support and data access. Fortunately, many tools are already on the market, and startups are innovating on new ones. One example is real-time redaction of sensitive content in data in motion.
The COVID-19 crisis hit enterprises, small businesses, government, academia and nonprofits alike. Professor Anurag Pande leads the community-engagement initiative at California Polytechnic State University in San Luis Obispo. He believes the risks will force everyone to reevaluate community-university partnership agreements. “We sign MOUs with public and non-profit agencies we work with. These MOUs have a lot of clauses to protect our students and the members of the respective communities. Now each of those clauses may have to be renegotiated due to COVID-19. In many cases, there may be disruption to the relationship, at least in the short term. That is a serious business continuity problem.”
The story of the small appliance manufacturer in New Jersey has a happy ending. With timely planning, it was able to minimize disruption. At the time this article was written, it was successfully catering to the need for cloth masks and the needs of sewing hobbyists. At the same time, over phone calls and video conferences, BCP managers around the world are back at the drawing board.