Let’s talk about business continuity in the time of Coronavirus, or any time for that matter, because this is something an organization needs to think about and have an idea of what needs to be done to keep the lights on. While it is still unknown how COVID-19 will impact everyone, let’s raise some questions that you should think about in order to create the documents, policies, and procedures you need.
Chain of succession
If something happens to the principal of an organization, who is next in the chain of succession to run things? If you’re a one person show, how do you keep the organization operational if you are incapacitated or unable to perform your duties?
Whether it’s hardware/software failures, a fire, natural disaster, biological incident, etc, what do you currently have in place, and what do you need to prevent loss of productivity. If Coronavirus is going to be disruptive, is your business flexible where you can allow employees to work remotely? How are you going to handle employees that are infected and will be out for two weeks or more? How are employees going to share the workload if many more are unable to work?
Do you have multiple vendors that provide the same goods and services in case your main supplier is unable to fulfill your needs for whatever reason?
Your technology and data
Do you have a VPN for employees to use so they can work from home/remotely? If you have someone such as a sysadmin taking care of your technology and they are unable to carry out their duties, how will you manage your I.T.? If this person is the only one that has access to the organization’s various systems, why aren’t you building redundancy into your operations, where you, as the owner, also have the same access? Who is taking care of backups and testing data restoration? Do you have spare workstations, laptops, and other devices ready to go if there is equipment failure or you need to use a secondary site and be up and running in a short amount of time?
While on the topic of time, have you estimated how long it would be to get new hardware, to set it up, restore data, and restore virtual machines? Do employees who need access to data know where it all resides and how to access it, whether it’s stored on site or in the cloud?
How are you going to communicate with your employees, contractors, vendors, and consultants during an incident? How will you ensure it’s clear, concise, and uniform? What do you currently have, or need, that allows employees to communicate with each other on or offsite?
While what’s written here is just a drop in the bucket, it’s important to bring this up and create documents for your business continuity plan, your disaster recovery plan, and your incident response plan. And when you have these things in place, review it on a set basis (quarterly, semi-annually, or annually). Not only review it, but run tabletop exercises and if possible run a live simulation of various scenarios. It can be a small event such as a workstation failing to something of a larger magnitude like a severe cyber attack.
Hope this provides some food for thought.