Are You Reopening? Coronavirus Draws Attention to the Need for Pandemic Planning in Disaster Recovery / Business Continuity Policies

29 April 2020 Blog
Authors: Chanley T. Howell Maxwell S. Harwitt
Published To: Coronavirus Resource Center:Back to Business Privacy, Cybersecurity & Technology Law Perspectives

The dramatic interruption of business processes resulting from the COVID-19 pandemic has revealed major inadequacies in the disaster recovery / business continuity policies of many organizations, both large and small. Companies are being forced to address working environments across the whole enterprise that mandates physical distance between employees or in many cases, completely remote operations. These scenarios raise many risks, which can and should be mitigated by implementing a robust disaster recovery plan with special considerations for pandemic preparedness. 

Pandemics Versus Other Disasters

Most business continuity planning focuses around events like fires, earthquakes, server crashes, cyber attacks, and similar disasters that typically cause only a brief disruption until the disaster passes or is resolved, or operations can be relocated to an unaffected area. IT disruptions as well as natural and man-made disasters frequently impact only a particular geographic area, facility or system. By definition, a pandemic (an epidemic or outbreak of infectious diseases that have the ability to spread rapidly over large areas, including worldwide) affects vast numbers of people and, therefore, organizations. As we have seen, the toll on individuals as well as companies and the economy, can be widespread and devastating. 

The unpredictable duration of pandemics requires additional considerations, including preparations for continuity of procedures and protocols that might simply be diverted or delayed under other types of disruptions. Other disasters also often only impact a limited number of individuals or processes. COVID-19 has interrupted business at all levels, with few processes unimpacted. Pandemic planning requires companies to anticipate alternative arrangements and fallbacks for all stages of operations. 

Another way in which pandemic planning requires more extensive diligence is that third party vendors, suppliers, and licensors will also be impacted. It is important that businesses adequately assess the preparedness and resiliency of third party vendors upon which they rely. A supplier’s failure can be incredibly disruptive to business and should be anticpated with mitigation efforts.

Risk Assessments

The most important step to ensuring that a company’s disaster recovery plan is sufficient to address a pandemic is conducting a current state assessment of operations and processes and comparing it to anticipated needs in the event of a long-term disruption arising from an epidemic. 

Some key risks include the following: 

  • Preventative / Mitigation Program. Having preventative and mitigation plans in place can help avoid or reduce the impact of a pandemic. This includes monitoring of potential outbreaks, communicating in coordinating with critical service providers and suppliers, and appropriate hygiene training and tools for employees.

  • Board and Senior Management Involvement.  As a mission critical function, the company’s board and senior management should be actively involved in the development and oversight of the organization’s pandemic planning process.

  • Infrastructure Preparedness. Moving employees to remote operations will place a greater burden on remote systems. For example, having all resources VPN into a firm’s systems at all times will increase server load and may lead to slowdowns. Companies should also review their SaaS solutions and review concurrent use restrictions or other issues that may interfere with scaling and business continuity in the event of a pandemic. Additionally, business should assess the preparedness of IT operations, which may need to be deployed remotely to the home offices of employees across the enterprise.

  • Employee and Security Preparedness. COVID-19 has led to a strong uptick in phishing scams and hackers activity. The sudden switch to remote operations has exposed vulnerabilities as firms and their employees utilize new and sometimes untested home and other remote software and processes. Businesses must develop security protocols and monitoring for remote operations and ensure that employees are familiar with them. Robust training on remote communications and security procedures will help mitigate the dangers to business systems that arises without on-site support and monitoring. 

  • Operational Preparedness. The key concern in pandemic planning is to ensure that operational and communications processes are continuous and that disruption is minimized. Remote solutions and operational flexibility to respond to rapidly changing circumstances is an essential part of preparing for a pandemic. Reaction procedures and supply chain workarounds should be developed in advance, so they can be deployed swiftly. Business operations incorporating social distancing should be envisioned and tested. To the extent feasible, customers should be given remote alternatives, such as online portals and videoconferencing solutions. It is also essential that businesses assign clear roles and responsibilities to individuals within the organization so that it is clear who should be contacted for the various discrete disruptions that can emerge in the midst of an epidemic.

  • Testing.  As with any disaster recovery / business continuity plan, the pandemic plan should be periodically tested to ensure the planning practices and capabilities are effective and will allow critical operations to continue, even if at reduced efficiency levels.

  • Oversight. The plan should be subject to proper oversight and periodic (no less than annually) review and updates to ensure the program remains up-to-date and consistent with relevant information provided by regulatory and other governmental sources, industry best practices and the organization’s overall compliance program.

Operationalizing a Pandemic Plan

At the outset of a pandemic, businesses will need to assess the timing and appropriate level of implementation of the disaster recovery plan. Constant monitoring of the progress of the disease and governmental responses will assist management in determining which elements of the disaster recovery plan should be rolled out to mitigate the harm. For example, the geographic development of an outbreak may cause third party suppliers to be impacted earlier than the command centers of the enterprise. A business that is tracking these details will implement workarounds to minimize the harm from such disruptions while simultaneously adjusting its other continuity measures to account for new and changing realities.  

As the pandemic unfolds, it is essential that the disaster plan allows for flexibility, so that the unique and unpredictable consequences of the pandemic can be targeted and contained as they arise. Constant testing of disaster scenarios will improve the likelihood that the disaster plan will allow operational continuity in a wide variety of scenarios that may arise during an extended pandemic. 

Ensuring business continuity is the primary concern for any disaster recovery plan. The unique problems that arise in connection with a pandemic can be predicted and mitigated with sufficient and targeted planning and preparation.  

Foley has developed a comprehensive checklist for developing pandemic language for a disaster recovery / business continuity program. Please contact your Foley attorney to obtain a copy of the checklist. 

We have also created a multi-disciplinary and multi-jurisdictional team, which has prepared a wealth of topical client resources and is prepared to help our clients meet the legal and business challenges that the coronavirus outbreak is creating for stakeholders across a range of industries. Click here for Foley’s Coronavirus Resource Center to stay apprised of relevant developments, insights and resources to support your business during this challenging time. To receive this content directly in your inbox, click here and submit the form.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.

Related Services