This is a guest article written by Robert A. Clark (www.bcm-consultancy.com), editor of January’s book of the month, In Hindsight – A compendium of Business Continuity case studies, which focuses on business continuity and disaster recovery. The author’s views are entirely his own and may not reflect the views of IT Governance.
In the northern hemisphere, we have entered the flu season, and people are starting to become sick. As each new season is different from its predecessor, it is difficult to predict how mild or severe it might be.
Influenza continually circulates round the world and the viruses mutate. This creates the need to offer annual vaccinations because, for the more vulnerable in society, it could prove fatal.
Based upon Australia’s recent experience, this has been the worst year for some time. A number of prominent clinicians have predicted that it could be comparable with the Hong Kong flu outbreak of 1968, which resulted in around one million fatalities worldwide.
Organisations need to be prepared for staff absences
I am reminded of an article that I read in ‘The News’ last year, which reported that Portsmouth City Council had lost more than 33,000 days last year to staff sickness. With the council workforce numbering around 3,600, the article estimated that this was the equivalent of each employee taking an average of 8.42 days’ sick leave during the year 2015/16.
At first glance, the figure of 33,000 may seem staggering, and it certainly beats the UK’s average figure of 6.9 sick days as established by a Chartered Institute of Personnel and Development survey. Even so, with the survey suggesting a median cost of £554 per employee per year, the cost to the council in lost productivity would have been nearly £2 million.
But let’s add some perspective to this and consider for a moment how often we can expect 100% of an organisation’s workforce to actually be at work. Staff can be absent for any one of a number of perfectly justifiable reasons – business trips, vacation, jury service, reserve armed forces training, maternity or paternity leave, and sickness. The list goes on.
Incorporate absences into your business continuity plan
In an attempt to quantify this, I refer back to the five-year period when I was Fujitsu Consulting’s resourcing director for Northern Europe, a position that came with responsibility for a pool of around 1,500 consultants. For planning purposes, I worked on the basis that the average number of consultants available to assign to client activities would be 80%, which took account of the various acceptable reasons for absenteeism. I would expect other organisations that have been through this type of exercise to have come to a similar conclusion.
I am raising this issue because, from time to time, I come across business continuity plans (BCPs) and IT disaster recovery plans that assume every employee will be available to support any appropriate recovery activity following a disruptive incident. Yet, as you cannot rely upon your entire workforce to be consistently present for 100% of the time, this could be a very dangerous planning assumption to make.
Moreover, if faced with a serious incident that is also life threatening, organisations need to be prepared for a loss of employees due to injury, trauma and even death. It will also be fate that dictates whether any key employees, perhaps considered vital to a recovery, actually number among those ‘lost employees’ statistics.
Learn from previous business continuity disasters
In my book, In Hindsight: A compendium of Business Continuity case studies, one case study looks at the 2005 Buncefield Oil Depot explosion, which measured 2.4 on the Richter scale. The head office of neighbouring Northgate Information Services was destroyed but the company responded with a textbook IT disaster recovery. However, Business Recovery Director Mark Farrington later remarked: “Had we lost any of the thirty core support staff that knew the systems best, we would have been stuck.”
Fortunately for Northgate, despite the disaster being described by emergency services as “apocalyptic”, fate was kind that day, as the incident occurred around 6 am on a Sunday morning and, remarkably, injuries were slight with no fatalities. Had this event instead occurred during the working week, a very different and tragic outcome would have been highly likely.
Such scenarios equally apply to an organisation’s suppliers and, in fact, Northgate was a vital supplier to many high-profile clients. It was also responsible for processing the payroll for around one-third of the entire UK workforce. Despite the disaster occurring just a few days before Christmas, everybody received their salary remittance on time.
Conversely, in another incident I can recall, a supplier on a 24/365 two-hour response-time contract was asked by a client to participate in a live unannounced exercise for which provision had been made in the contract. A rather embarrassed supplier manager had to admit that the entire company had literally sailed off across the English Channel on a 48-hour Christmas trip to France. During this time, had the client been faced with a genuine incident, the supplier could not have met its contractual obligations as its entire workforce was legitimately absent from work with nobody left to respond to any client demands.
As part of the BCP validation, organisations need to consider scenarios dealing with recoveries in which they are deprived of key employees who would normally be an automatic choice in resolving incidents. Ideally, these key individuals will have named backups, and simulations of life-threatening scenarios can provide these backups with invaluable opportunities to get hands-on incident recovery experience.
One such exercise I was involved with randomly selected 50% of the employees to act as ‘lost employees’ following a life-threatening incident. The exercise proceeded with the ‘survivors’ endeavouring to demonstrate that they could recover without being able to refer to those ‘experts’ who were among the victims.
Take extra measures to survive in the evolving threat landscape
But how often are organisations going to be faced with the prospect of losing up to 50% of their employees in one incident? Admittedly, not often, and organisational risk assessments are likely to reflect that.
Even so, it does happen. The increasing threat from terrorism needs consideration, especially in the aftermath of 9/11 and the more recent high-profile attacks, including the 2015 targeting of the Charlie Hebdo offices in Paris.
There are certainly organisations out there that consider themselves potential terrorist targets, and others that realise that they are located in close proximity to a potential target and could suffer collateral damage.
Nonetheless, while individuals involved with civil emergency planning will almost undoubtedly have terrorism on their radar, they will also be aware of the looming threat from pandemics. Avian flu currently presents the greatest threat.
The 2017 UK National Risk Register records the probability of a serious pandemic occurring within the next five years as being between 1-in-20 and 1-in-2, with the expected impact rated as ‘catastrophic’.
Current estimates show that as much as 50% of the UK population could be infected, with as many as 750,000 resultant fatalities. Such an occurrence is likely to make Portsmouth City Council’s sickness absenteeism record pale into insignificance. With the threat of what is being referred to as ‘Aussie flu’ looming large, could 2018 be the year of the pandemic?
History has taught us that influenza pandemics usually come in waves and can last for up to two years. They also present a multifaceted threat, and organisations need to be prepared to deal with the impact of workforces, suppliers and customers suffering the effects of a life-threatening contagion.
In addition to a likely increase in sickness with potential associated fatalities, the reasons for absenteeism from work could also include bereavement, fear, transport disruption, and caring for sick relatives or children, if kindergartens and schools are closed.
In Hindsight: A compendium of Business Continuity case studies also considers the case of the 2002-03 severe acute respiratory syndrome (SARS) outbreak when approximately 25,000 people were quarantined in Toronto and a further 18,000 in Beijing.
To add a further degree of complexity, we must not forget that during a pandemic there will be no moratorium on other serious incidents occurring, and for the likes of fires, floods, cyber attacks, terrorism and natural disasters it will be business as usual. Consequently, organisations can still expect to have to deal with these incidents while depending upon a seriously depleted workforce.
Organisations should plan for the worst
So, in conclusion, how should organisations respond to the title question, ‘Can I really rely upon my entire workforce to support a recovery?’ Even when faced with a non-life-threatening incident, I believe it would be unwise to make such bold assumptions and organisations should plan accordingly.
However, in addressing serious incidents that could well have a detrimental impact on the health and safety of the workforce, being prepared to respond with limited resources, and possibly even without your most experienced staff being available, could make the difference between survival and total catastrophe.
For more information on business continuity and disaster recovery, we recommend you read Robert A. Clark’s book, In Hindsight: A compendium of Business Continuity case studies, which is an essential guide to enable faster recovery when things do go wrong.