Best Practices In Business Continuity Planning

Identifying risks in a crisis, ensuring safety, and forming a strong foundation to help offices recover and repopulate.

popularity

Cameron Burks, head of Global Security, Enterprise Business Resiliency and Health, Environment & Safety with Adobe Systems, and a member of the White House Task Force for COVID-19 response, briefed members of SEMI’s IT Leadership (ITL) and Environment, Health & Safety (EHS) groups on April 20, 2020, on enterprise resiliency principals specific to the current COVID-19 crisis.

Burks has spent over 20 years in the global security, crisis management and business continuity fields for public and private global companies. In the meeting, he noted, “This is all new. No one has had to respond to a crisis of this magnitude and impact. Ever.” On top of all of the learning and responding that teams are doing in real-time, it is helpful to have a strong business continuity plan (BCP). The following is a recap of insights that Burks shared on best practices for business continuity with examples from Adobe’s BCP.

The long-term picture: How to plan for business continuity

Burks emphasized that the first step in any crisis is identifying risks and ensuring the safety of all human life.

Once human safety is assured, the next part of the plan must form a strong foundation for escalation, operation evaluation and response. A solid foundation also creates the business factors to restart operations efficiently. The foundation of the Adobe pandemic plan was laid during the summer of 2019 while the global team was updating their infectious disease plan and rehearsing with headquarters and regional offices.

That plan includes six main sections:

  1. Crisis Management Plans– escalation, roles and responsibilities, team operations
  2. Crisis Communication Plans– internal and external stakeholder communications
  3. Incident Management Plans– site or regional management response
  4. Emergency Response Plans– immediate local response to events
  5. Business Recovery Plans– business and facility recovery
  6. Disaster Recovery Plans– IT and technology recovery

This format has worked and scaled well over the past few months, and the company is now in the stage of evaluating how to help offices recover and repopulate.

Response team structure – global and local

Although it is critical to have plans and leadership coming from headquarters when it comes to a crisis, LOCAL teams are on the front lines since most crises start and evolve quickly. In the planning process, the local teams need to know and be trained on plans for a wide range of incidents and events including:

  • People- and product-related
  • Security – both external and internal
  • Operational (e.g. cyberattacks)
  • Natural disasters
  • Health-related, such as this pandemic

The severity of the event will determine the corporate impact and activation of appropriate plans. Low-impact events include those where stability is quickly reached and response plans have effectively contained the incident. High-level events will cause severe disruption for employees and customers and require an efficient and coordinated response. Regardless of the severity level of the event, all response teams need to be prepared to quickly activate and then to thoroughly coordinate on crisis management and communications. It is critical to have established actions to implement based on the severity level of an event. Table 1 provides an example of Key Trigger Levels for implementing specific actions depending on the severity of an event.

Table 1 – Key Trigger Levels 
X = phase to consider first implementing controls

The team needs to understand what the staff requires to maintain business continuity. Burks recommended aligning with ISO 22301, the Business Continuity standard. The standard will lead a company to understand what redundancies need to be in place to keep essential operations running. In Adobe’s case, this includes keeping data centers running and providing essential gear to the 90+ members of the response and global security teams. Adobe tests the plans every month and addresses the bugs – every time.

Repopulating business facilities during COVID-19

While COVID-19 infection and death rates are currently flattening in many locations, there remain a significant number of new infections, limiting the ability to repopulate business facilities without threatening the health of the workforce and their families. Adobe is using multiple indicators to calculate when the virus is contained, the threat is reduced, and employees can return to workplaces. For now, Burks recommended maintaining social distancing as much as possible while keeping operations running. He believes summer may see some abatement due to weather. However, most experts expect to stay hyper-aware and responsive well into 2021.

Although Adobe tries to provide actual dates for return to their employees – and did early on with best estimates – they have had to change to a “until further notice” statement. Repopulating is going to be much more complicated than the original decisions to work from home.

The Adobe operations team is providing much larger conference rooms, enhanced cleaning regimens, and new norms of interacting at the workplace for everyone. The goal is to bring people back in small groups on a site-by-site basis. The first group will be only 7-10% of the workforce. That group includes the cleaning and facilities crews to support the professional staff, who would return to reap the benefits of a collaborative environment. Many people want to come back to the office. They are suffering in isolation, and productivity is dropping in those cases.

Adobe is planning to create a manual on interacting at the workplace and will require training and adherence to new social constructs. Security officers will be “ambassadors,” helping the workforce remember and adhere to the new rules. The company will use footprint stickers to provide visual clues to employees on walking single file and avoiding groups. Stickers will designate desks that can and cannot be used. To provide a more open office plan, they will remove desks and arrange movable white boards to accommodate the collaboration employees want.

The situation is complex and dynamic and requires decision-making based on a definitive set of criteria. The following is a summary of information that Burks shared on Adobe’s criteria for returning to work after COVID-19:

  1. Indication of health and safety assurance utilizing risk assessment criteria – locally assessed and qualified for a minimum of six weeks. Travel prohibitions and local/external meeting guidelines to be modeled separately utilizing case-by-case risk assessment criteria.
  2. Assessment of the case fatality rate, infection peak and downside projections – curve must be flat. Management team decision on how much risk to assume, as this disease is durable.
  3. Assessment of infection vector and prevalence vis-à-vis relaxation of nonpharmaceutical interventions; assessment of local healthcare capacity.
  4. Government shelter-in-place restrictions fully (or partially) lifted; declarations by public leaders that the virus has been contained at some level (city, state, country).
  5. Assessment of facilities to physically distance employees and/or staggered shift schedule; assessment of security capability/resource availability.
  6. Assessment of public transportation and infrastructure, including parking garage.
  7. Assessment of school closures, childcare and/or adult-care.
  8. Assessment of nonpharmaceutical intervention awareness campaign, medical surveillance program, and/or onsite medical or clinical support.
  9. No visitor program until approved by global security staff when office repopulation program begins. Create exceptions list.
  10. Emergency plans formally in place.
  11. Site capacity identified; Emergency Response Team (ERT) skeleton crew part of the repopulation.
  12. Full plan in place to close offices for a period of no less than three weeks if one employee or vendor tested positive for COVID-19 during repopulation exercise; plan includes informing workforce within “return population” of circumstance and having the facilities team execute a deep clean. The plan would then activate communications for the crisis management remediation phase, which includes full workforce transparency via town halls, webinars, emails, etc.

Burks noted that contact tracing has moved from an unthinkable invasion of privacy to a likelihood for most workplaces, taking into consideration privacy laws predominant in Europe and U.S. If anyone falls ill or tests positive for the virus, they will automatically be sent home and everyone who has been in contact with them will need to enter a 14-day quarantine before returning.

Burks’ presentation, and his thoughtful approach to planning and the current situation with COVID-19, allowed the attendees to consider their positions and paths for bringing their workers back to the offices and facilities. A lively question and answer session enabled members to further clarify points and get immediate feedback on their plans and strategies. Burks finished with a request to industry members to continue the dialogue and send industry data for him to report back to the White House Task Force.

For additional resources from SEMI, visit our COVID-19 response website, which provides best practices and the opportunity to submit company stories.



Leave a Reply


(Note: This name will be displayed publicly)