At a summary level, planning for a pandemic typically requires six aspects of preparedness…each very different from traditional DR/BC
The first requirement is to identify pandemic-specific critical business processes. While this requirement appears similar to conducting the traditional Business Impact Analysis (BIA) normally associated with traditional DR/BC planning, there is a slightly different twist. Whereas a traditional BIA frames critical processes relative to a disruption of services (IT or otherwise) and focuses on manual alternatives, a pandemic response would assume all normal services and capabilities except staffing were in fact available. As such, not only are manual procedures not necessary, more effective use of automation is often an overt part of the solution. Accordingly, critical processes may be different for pandemic planning than for traditional DR/BC and any existing taxonomies must be re-evaluated.
The second requirement is that pandemic planning efforts must by definition include upstream and downstream considerations. While traditional DR/BC usually focuses only on the company’s internal process continuance (relatively easy to rationalize due to the relatively low likelihood of concurrent disasters in a supply chain…even during regional outages), a pandemic will almost certainly impact both upstream and downstream components. Even if your internal planning were perfect, you must assume that your supply chain will be impacted and unless their planning is perfect too, a significant interruption will occur. Accordingly, effective pandemic planning requires close coordination and co-development between the company and its critical suppliers and customers.
Next, the minimal staffing requirements to perform the critical functions must be identified. Most experts suggest that you must be able to perform critical functions with less than 50% of your staff for a minimum period of 8 to 12 weeks. This scenario is also more complicated than most DR/BC planning efforts, which assume more available staff and a shorter disaster duration. A substantial iterative business process analysis is typically required to identify the “right” group of critical processes and the best way to perform them given the staff limitations that can be expected. This planning effort will require trade-offs, concessions, training of backup staff and support from the most senior management in order to produce a realistic capability that will work when needed.
The fourth component is communication and education to ensure responsible sickness behavior and life safety. During a pandemic, you will be walking a fine line between wanting employees at work and needing them to stay home. As such, it is imperative that each employee, as well as all levels of management, understand issues of symptom identification, personal hygiene, family protection, social distancing, information dissemination, hotline assistance. etc. Everyone must be sensitized to prevention and containment and must balance their responsibilities to themselves and to other staff. All of this must be stated in clear, formal policy and ongoing communications (automated notifications systems are an excellent tool) so that otherwise good intentions or misplaced heroics do not negatively impact containment efforts.
The fifth component of comprehensive pandemic planning is to implement a robust, flexible, secure remote connectivity solution that will enable the maximum numbers of staff to work from home. This requires re-engineering of both the technical environment as well as the business process environment and often requires significant, proactive capital expenditures. However, remote connectivity is the single most effective way to limit the spread of the disease while continuing the business of the company.
The final component is personal and family assistance. The company must define detailed policy statements as to what they will expect from their employees during a pandemic, what they will provide to their employees, and when those accommodations start and stop.
Then, the necessary capabilities must be identified, implemented and documented.
And obviously, all of the above must be fully integrated with existing emergency and business continuity programs so that they work together seamlessly.