Swine Flu Fears Raise Questions About Business Continuity Plans

Despite recent power outages in Sydney and the growing risk of a swine flu outbreak, many organisations are lagging behind in their development of full business continuity plans (BCPs), according to local experts.

Athol Yates, director at the Canberra-based Australian Homeland Security Research Centre (AHSRC), says that many organisations do not have BCPs in place.

“The majority fly by the seat of their pants,” Yates says. “But, it also depends on the size of the organisation and how critical [the services it provides] are. Larger ones will tend to have them, as will utilities and those that offer medical services. Smaller ones won’t.”

Yates says a big part of this is due to a lack of, or only limited access to, strategic planning skills. Then there’s the myriad demands CIOs face in keeping the business running.

“[BC planning] is a specialised skill and normally you need an outside group to drive interest and credibility in it, and to build the business case for it,” Yates says. “Also, when you are consumed by the day-to-day activities of trying to make a buck it is difficult to get away from that to the less-pressing issues of something like business continuity planning.”

Stumbling Blocks

John Duckett, CIO at law firm DLA Phillip Fox supports Yates’ claims, adding that while many organisations have implemented effective disaster recovery (DR) capabilities for their IT infrastructure, implementing organisation-wide business continuity plans have proved to be a far greater challenge.

Page Break

“I suspect not many businesses have really got in place full BCPs as they are a challenge,” he says. “They are the sort of thing that organisations look at, and endeavour to implement, but they don’t realise it’s a big undertaking. [As a result] I suspect lots of organisations have incomplete BCPs.”

According to Duckett, the magnitude, drain on resources and the complexity involved in implementing a BCP is a major stumbling block for many organisations.

“You have to come up with strategies for building evacuations, you need a teleworking or remote access component, plus you’ve got to maintain the BCP and keep it all up to date,” he says. “It becomes even harder if you have an organisation which has multiple locations, as you have to have a plan for each of those.”

For DLA Phillips Fox’s part, the law firm has been working for a number of years toward a full BCP, and is currently in the process of implementing a detailed strategy for a full business recovery in its Melbourne Office should its Sydney headquarters become unusable.

“We have been taking steps to mitigate the risk of having to evacuate the [Sydney] building,” Duckett says. “One simple step is to provide mobility to staff -- high level notebooks to key staff and the CEO -- so they can work outside of the premises.”

Bob Hayes, principal at Hayes Risk Management says while preparedness varies widely buy industry -- with the banking and finance, and food production sectors doing well -- a difference in preparedness can also be seen between the private and public sectors.

“It’s fair to say that pandemic planning in the government sector is pretty good, and is better than their continuity planning,” he says. “On the other hand in the wider community, organisations tend to have done the business continuity planning, but have not looked at the pandemic planning.

Hayes puts this down largely to a lack of incentive and direct business need.

“In the government sector, pandemic planning has been an imperative -- state and federal governments have instructed their agencies to get involved and develop pandemic plans. For the private sector, governments haven’t been beating the drum very loudly that you absolutely have to take pandemic planning seriously. It’s just been viewed as one of those things they have to get around to.”

Page Break

First Steps

AHSRC’s Yates says the starting point for any organisation’s BCP should be asking what the impact of a range of different incidents, such as an earthquake, a tidal wave, an electricity blackout, will be upon the organisation.

Next, an impact analysis should be conducted for each incident: how it will affect demand and supply, workers, the overall business, financial systems, occupational health and safety, etc.

Based on this, organisations need to come up with a mitigation strategy: what staff should do, how quickly to get the executive team involved, how quickly certain provision need to be rolled out.

The organisation then needs to create an incident response group for each incident and an overall business continuity team, Yates says.

“The incident response group looks after the minute-by-minute response to an issue. They deal with the here and now -- getting everybody out of the building if it’s on fire,” he says. “Then you transfer over to the business continuity process, which is more about, ‘what do we do tomorrow?’ and ‘how do we work around this?’”

According to DLA Phillips Fox’s Duckett, the current spate of power outages in Sydney and the looming threat of swine flu should prove a strong motivator to get the country’s BCPs in shape.

“You tend to ignore these things until there is pain,” Duckett says. “Pain is a wonderful way to focusing people’s thoughts on what to do to avoid it in the future.”

SIDEBAR: Key Points for Organisational Pandemic Planning

Hayes Consulting offers these key tips for an effective Pandemic business continuity plan

1. Decide that you need to have a pandemic plan and be clear about its objectives of the plan.


2. Identify critical services which the organisation needs to supply during a pandemic. You may find that under the stress of a pandemic you simply can’t provide the internal and external services you normally do.


3. Back up all key service inputs: what are the things you require to provide each service -- critical people, key computer systems, etc? You also need to protect those inputs - in particular, the staff, by preventing cross infection. You need a regime of training and awareness, and a set of policy and procedures , and equipment to stop people cross-infecting each other in the advent of a full blown pandemic.


4. Prepare for alternative work arrangements that achieve social distancing. That is, change or stagger working hours, activate remote worksites, working from home. In order to do that you have to set up the IT infrastructure in advance of the pandemic so it in place and ready to go.


5. Plan for staff absenteeism rates of 50 percent. That doesn’t mean 50 percent of staff will get sick, but that 50 percent of the staff may be absent through things like schools and child care centre being closes and therefore parents needing to be at home.