Planning for Post-Pandemic Business Continuity

Shifra Kolsky, CPA SVP, Chief Accounting Officer, Discover Financial Services
What's Trending in Public Company Finance

When COVID-19 struck, many businesses swiftly shifted to remote work, sending office workers home to learn how to hold video conferences, obtain electronic signatures, and manage digital workflows. With necessity as the mother of invention, the global workforce generally found ways to keep things moving forward despite the challenges of shelter-in-place orders. Now, after two years of uncertainty and shifting requirements, does it make sense to continue the cycle of business continuity planning? Haven’t we already figured out how to be sufficiently resilient in an emergency?

First, let’s define business continuity planning. An effective business continuity plan allows an organization to continue delivering its products and services in the wake of a disruptive event. While the pandemic is certainly disruptive, it is by no means the only form of business disruption we could experience: Just days after my organization moved to remote work at the start of the pandemic, one of our physical locations that provides essential services was hit by an earthquake. Hurricanes, power outages, fires, and unexpected staff resignations are all disruptive events that could affect business continuity.

No business is too small or too simple for a business continuity plan. I recently observed a small organization struggle to regain its footing when a key person unexpectedly took medical leave. Even after all the pandemic-era pivots this organization had withstood, this unexpected turn of events demonstrated the strong need for a robust, well-documented, and up-to-date business continuity plan at every organization.

According to my colleague Travis Pons, senior manager of business continuity planning at Discover Financial Services, “There are three pillars of resiliency: emergency response, incident and crisis management, and business recovery. A good business continuity plan will address each area and will include robust documentation to support every aspect of the plan.”

The emergency response pillar should cover site-based considerations like how to keep people safe in the event of an emergency. The incident and crisis management pillar should ensure the organization is prepared to respond to incidents that have potential to create an operational outage, cause the company damage or loss, or damage the organization’s reputation. The business recovery pillar concerns the restoration of activities and processes to bring a business back to an acceptable level of operations following a disruption.

Another framework for examining business continuity planning is found on Ready.gov. Key elements of this framework include business impact analysis, recovery strategies, plan development, and testing and exercises. Let’s review these four elements, as well as an important fifth point.

• Business impact analysis: This phase of continuity planning involves thinking about what could go wrong and what the impact would be. Identify critical processes and the people, technology, information, and resources required to remain functional. Rank the importance of these processes based on the negative impact to the organization if they were suspended. Consider which supporting technologies are critical and which aren’t and identify whether there are critical dependencies on secondary processes. Finally, consider financial, legal, and regulatory impact.
• Recovery strategies: Recovery strategies will guide how to get business operations up and running again after a disruption. There are often several strategies to pursue, and it can be helpful to document all of them, as circumstances may make some of those options impossible to implement. Some considerations as you develop recovery strategies may include: What do you do when a process is dependent on a vendor and that one vendor fails? Which vendors operate in risky areas? Are there any special devices needed to restore processes? What plans do you have for data backup and security? Is data stored in different locations so you can shift quickly to a backup if the disruption is localized?
• Plan development: Create a team to develop and maintain the plan. Keep a list of all the people responsible for implementing the plan and ensure roles and responsibilities are clearly communicated. Communication and action plans should be explicit so that everyone knows what they need to do and when. Each part of the plan should be fully documented to enable swift execution. The documentation should include details of critical processes, critical systems, vendors, and employee contact lists.
• Testing and exercises: Create a test plan and practice exercises that allow you to determine whether you have all the relevant information and documentation to support plan execution. Consider targeted testing along with a full-scale practice run of your plan.
• Modify and maintain: Based on the results of your testing, adjust your plan, update your documentation, and test again. Between planning cycles, continually update your plan as technologies, people (including third-party vendors), and processes change. While it’s important to keep your plan current, there’s no need to start from scratch for each cycle—update, enhance, and expand the plan to make it better every year.

Here at Discover, we practiced a pandemic scenario in our business continuity planning exercises long before COVID-19. Having now lived through that reality, we found our preparations enabled us to rapidly shift to remote work and keep all our business processes operating effectively without any meaningful disruption.

However, the world has changed and the way we execute critical business processes has changed with it. The pandemic drove rapid technological advancements that require new thinking or even expert input to understand business impact and recovery strategies. The fires, floods, storms, and earthquakes that we’ve experienced over the years keep us searching for new and better ways to identify risks and maintain continuity through disruptive events.

The case for continuously enhancing our business continuity plans is strong. To ensure readiness for the next disruption, whether it be the zombie apocalypse, rogue robots, space invaders, or those dinosaurs that are always escaping from their park, identify what could negatively impact your business, what’s important to continue operations, then build a plan that allows your organization to carry on no matter what 2022 and beyond brings.