During the 2007-08 global financial crisis, an official-looking announcement appeared on an organisation’s intranet informing employees that: ’During the current financial crisis, the light at the end of the tunnel will be switched off until further notice’.
Perhaps many would echo a similar sentiment about the pandemic crisis we are now facing. How long is this nasty dark tunnel we find ourselves in and when will we get to the end?
Don't be lured into false optimism
A colleague recently suggested that the time was possibly approaching when we should consider starting a review of the lessons we could learn regarding the damage the COVID-19 coronavirus outbreak has caused. He was considering not only the obvious human cost, but the disruption to the global economy and business communities.
Despite his expression of positivity, unfortunately, a potentially discouraging word of caution is perhaps more fitting. We should be circumspect about allowing ourselves to be lured into what may be a premature false sense of optimism.
Even President Trump has curbed his initial enthusiastic ‘it will all be over by Easter’ stance, especially as confirmed COVID-19 cases in the USA have been increasing with alarming momentum. The reality is that there is still a lot more we need to learn about this virus. History tells us that pandemics can last for as much as two years and they can come in waves.
If COVID-19 follows that pattern, we must remember that we are currently only riding the first wave. The second wave of the 1918-19 Spanish Influenza outbreak was far worse than the first, as was the third. So, we must each be prepared to plan for the worst while we naturally continue hoping for the best.
Why didn't we get any warning?
Well, actually we did. In 2002-3 the SARS outbreak, should have acted as a warning. Then in 2015, Bill Gates provided a wake-up call via a TED talk entitled ‘The next outbreak? We’re not ready'. Moreover, many national risk registers have all listed the threat of a severe pandemic at the top of their concerns. The last three versions of UK National Risk Register of Civil Emergencies 2013, 2015 and 2017 are in the public domain and each one flags a pandemic as a major threat to the security of the nation.
Ominously, the 2017 register expected this severe pandemic to be an influenza virus. It further augmented that the likelihood of an emerging infectious disease, such as the COVID-19 coronavirus, actually spreading within the UK, is assessed to be lower than that of a flu pandemic.
Even so, there are a plethora of unregulated organisations that have opted to prepare for a pandemic, only when they were warned that one is imminent.
On February 1, 2020 there were around 14,500 known coronavirus global cases and 300 associated deaths. One month later, those numbers had increased to 88,000 and 3,000 respectively. Within two months the count was 1m cases with 50,000 fatalities. Had your organisation been unprepared, at what point would you have hit the panic button?
We live in an interconnected world and the reality is, that we may not get much warning at all. Modern commercial aviation can facilitate a contagion’s proliferation across the world in a matter of hours. The 2002-3 SARS outbreak was spreading even before the World Health Organisation knew of its existence. Breaking out of China, it took a one-night stopover in Hong Kong before travelling onto Toronto, Taiwan, Singapore and Vietnam ultimately reaching 26 countries.
Isn't this pandemic a business continuity and not an IT issue?
How many times have people said just the opposite - isn’t business continuity an IT problem? The pandemic has created a crisis for the vast majority of organisations across the planet. Whatever their business, public or private sectors and NGOs, IT is definitely an integral part of their operations. So, yes, it is a business continuity issue but with unquestionably IT implications.
Your own IT capability will either be managed in-house, outsourced, in the cloud or some combination of the three. In the event that a serious incident requires some kind of urgent responsive action, perhaps even a full disaster recovery, can you always rely upon all the key staff being available?
When the head office of Northgate Information Solutions was destroyed by the 2005 Buncefield Oil depot explosion, as the incident occurred early on a Sunday morning, fortunately the building was virtually empty. However, as Northgate Business Recovery Director, Mark Farrington, remarked: ‘Had we lost any of the thirty core support staff that knew the systems best, we could have been stuck’.
Some organisations may point to their outsourcing or cloud service providers and claim that ensuring appropriate levels of experienced staff are available at all times is their responsibility. That may be true, but accountability for the provision of your IT services, including disaster recovery, remains very much with your organisation. It would be perfectly reasonable to ask suppliers for sight of a validated pandemic plan that incorporates managing any associated staff absenteeism.
Some organisations’ business continuity plans and IT disaster recovery plans explicitly state that every employee will be available to support any appropriate recovery activity following a disruptive incident. This a very dangerous planning assumption to make.
A couple of years ago, a UK newspaper reported that Portsmouth City Council had lost more than 33,000 days during the previous year to staff sickness. With a workforce numbering around 3,600, the article estimated that this was the equivalent of each employee taking an average of 8.42 days sick leave during the year.
At first glance, the figure of 33,000 days may seem staggering and it certainly exceeds the UK’s average figure of 6.9 sick days, as established by a Chartered Institute of Personnel and Development survey. But we must not also forget that there are, of course, other valid reasons for staff absenteeism.
Before its amalgamation with Fujitsu Services, the Northern European division of Fujitsu Consulting had a pool of around 1,500 consultants. For planning purposes, its resource management worked on the basis that the average number of consultants available to assign to client activities would be 80%. This took account of staff being absent for any one of a number of perfectly justifiable reasons - business trips, vacation, jury service, reserved armed forces training, maternity or paternity leave not to mention sickness.
We must remember, that even in the midst of a pandemic there can still be other causes of sickness, not to mention incidents that can be life-threatening to employees.
But now, we are in the grip of a pandemic, other reasons for non-attendance will become apparent. These can range from total lockdowns, isolation and quarantine, school closures necessitating parental childcare, public transport disruption, family sickness and bereavement or traumatised individuals just too frightened to step outside their front doors.
This presents an organisation with two primary issues. How to backfill missing employees, especially if they perform key roles; and how to deal with the absenteeism.
Do you really know the full capability of your workforce?
In 1996, the Maltese Government initiated its Y2K programme. While most of the IT systems used relatively modern programming languages, some legacy systems were in use. These were primarily COBOL and a language called Massachusetts General Hospital Utility Multi-Programming System (MUMPS). The MUMPS programmes were very large, COBOL-like, monolithic and unstructured - a categorical nightmare for the uninitiated.
Using Excel, a skills matrix was constructed which profiled everyone in the organisation, demonstrating who was experienced in which programming languages, their competency level and their last hands-on experience.
There was no shortage of resources available for the modern languages. However, for COBOL the news was not good. The code had hardly been touched in years and the handful of recognised COBOL programmers, still in the organisation, were now senior managers. The news about MUMPS wasn’t much better. There was only one MUMPS programmer and he had been allowed to accrue 12 months’ vacation and planned to depart on a lengthy round-the-world trip. But the matrix had demonstrated the employee strengths and weaknesses.
This skills matrix concept was also adopted by Fujitsu Consulting, but it contained far more skills than just programming languages. It covered other relevant areas such as academic and professional qualifications, systems management, management consulting, Information Technology Infrastructure Library, project management, networks, operating systems, security, data and document management and relevant industry experience.
In addition to facilitating tactical resource management, this approach provided a strategic top-down view of the organisational capability which further supported recruiting, training and succession planning initiatives. Ideally, succession planning should extend well beyond the C-Suite and identify everyone who is in a key role. For example, the only Maltese Government programmer familiar with MUMPS, or perhaps the one person in your organisation who knows how the payroll process works.
So, if the pandemic randomly decimated your available workforce, would you know who you could call upon to step into potentially exposed roles and responsibilities?
Could people have worked from home without IT?
Some thirty-six years ago, an IBM UK Senior Operations Analyst, Jeff Grady, was nominated to pioneer the concept of home working. An IBM 3270 terminal, modem and a leased telephone line were installed at Jeff’s house. He was regularly on call outside normal business hours and this facility meant avoiding a 25-mile (40km) round trip when called-out especially at night.
This was shortly after the release of the Hollywood blockbuster Wargames. Matthew Broderick played a high school student who unwittingly hacked into the US nuclear missile control system at NORAD, almost starting World War III.
Wargames was a massive wake-up call for the IT industry and certainly raised the profile of the largely under-estimated and ignored cyber threat. Perhaps, it was also influential in IBM, insisting that the link to Jeff’s home terminal was always activated from the data centre. Maybe this was the origin of the expression ‘don’t call us, we’ll call you’?
How things have evolved since those early days of home working. Today, in principal, if you spend much of your working day fettered to a computer or smart device, then it is possible that you could work from home as many national governments are now encouraging their citizens to do.
Some organisations may already have made provision for staff working from home by providing appropriate IT equipment in addition to validating that it functions correctly in the home location. This may be an arrangement similar to the 1984 IBM initiative, or even as part of a work area recovery plan, perhaps developed to address a denial of access threat scenario.
Alternatively, others may choose to adopt ‘bring your own device’ (BYOD) as a cost saving ‘panacea’, but they should remember that BYOD does have its pros and cons. While it can offer a relatively quick and inexpensive solution, it is also capable of creating serious longer-term issues. Consequently, if BYOD is mismanaged it may stand for: bring your own disaster.
Too late now for pandemic planning?
Whilst it is eminently preferable to have a validated plan in place before a pandemic kicks off, the short answer is ‘no’ especially as this pandemic may have a second and even a third wave. While we cannot stop a pandemic from occurring, we can take steps to mitigate the impact, while helping to better protect employees and visitors to the workplace.
Organisations have a duty of care and should do everything possible to reduce the chances of employees or visitors being infected. This will involve:
- Social distancing recommendations being observed to minimise the chance of direct cross infection.
- Encouraging a safe sneezing and coughing etiquette.
- Maintaining clean washroom facilities with ample supply of soap and hand sanitisers.
- Regular disinfecting of surfaces that might become infected such as work surfaces, door handles, lift buttons, keyboards and telephones.
The list will vary from one organisation to another, but could be extensive. It may also be necessary to provide personal protection equipment for employees whose roles and responsibilities demand contact with others.
A pandemic presents a multi-faceted threat, that not only affects humans, but can instigate both upstream and downstream supply chain failures. The early lockdown in China, resulted in immediate supply chain failures, especially for organisations using a just-in-time model.
Some business sectors such as hospitality, events management, and tourism are vulnerable to disruptive influences like terrorism, civil disturbances, natural disasters and pandemics. In the face of such adversity, downstream supply chains can disappear overnight.
Make no mistake, a severe pandemic presents organisations with a crisis which should be managed by senior management. But anyone in an organisation, including senior management, could become a victim of COVID-19 and replacements for every member of the crisis management team (CMT) should be named. As a point in case, one need only look to UK Prime Minister, Boris Johnson, who has himself, at the time of writing, been hospitalised with COVID-19. However, he already had a nominated successor in Foreign Minister, Dominic Raab.
Moreover, social distancing can make traditional round-table crisis management meetings, logistically, very difficult to conduct. Fortunately, technology is at hand to help resolve that constraint and these meetings can now be conducted online. Consequently, members of the CMT can be at home or theoretically anywhere in the world but still engage in a meeting providing they have a suitable internet connection.
Whilst there is absolutely no harm in keeping a record of how the pandemic affects your organisation, it really is too soon to start a formal review. When the time is right, in looking back in hindsight, it would be useful to document what went well, what perhaps could have done better and even what was a complete disaster. For some organisations, there may even be some unexpected opportunities created.
In the meantime, remember that despite any encouraging statistics that may emerge in terms of new cases and fatalities, this coronavirus could be with us for some time to come. Once social distancing and lockdowns start to be relaxed across the world, the virus may come back with renewed vigour. Until such times as a vaccine is available and widely distributed, we need to accept that COVID-19 may continue to loiter with intent.
A final word of caution
Because we are in the middle of a pandemic, there has been no moratorium declared on other crises occurring. Be prepared to address whatever further challenges confront your organisation, while it has a depleted workforce.
Business Continuity and the Pandemic Threat by Robert A Clark, published by IT Governance Publishing.