Reduced Appetite: How COVID-19 Will Impact Future Business Continuity Planning

No one could have predicted the far-reaching effects of the COVID-19 outbreak. 1 However, many organizations had invested in business continuity and disaster recovery (BC/DR) to prepare for such unexpected disruptions. The success of these investments should be scrutinized by all organizations because the next disruption may be equally unexpected. Differences between organizations, from size to risk appetite, prompt different levels of commitment to BC/DR. The benefits of BC/DR during a disruption, compared to the costs of plan development and maintenance, should not be ignored by organizations of any size.

Analyzing future trends in investments and modifications to BC/DR planning and the frequency and pervasiveness of testing BC/DR plans helps determine best practices across industries. To obtain research data, a 16-question survey was conducted with 27 respondents across eight industries. The results offer insights into organizational preparedness for the COVID-19 disruption and the effectiveness of their responses. The questions were designed to focus on BC/DR practices in 2019 and BC/DR modifications from March 2020 through December 2020 in response to COVID-19. Respondents were classified based on industry, annual revenues and number of paid employees.

It is beneficial for organizations to analyze the characteristics of a well-developed BC/DR plan, including the methods of testing, reviewing and updating the plan. The effectiveness of well-developed plans can be observed in the case of COVID-19 and applied to future crises. Using the COVID-19 pandemic as precedent, organizations can communicate to management the value of allocating resources to BC/DR development.

Explaining BC and DR

US Founding Father, inventor and statesman Benjamin Franklin is credited with saying, “By failing to prepare you are preparing to fail.” 2 Although Franklin’s declaration is overdramatic in most business cases, the statement reinforces the ideology of BC/DR. Business continuity is the broad idea of preparing to continue business operations through major or trivial disruptions, while disaster recovery is a continuity process focused on reestablishing critical operations and resources after a disruption event. 3 In the context of a disruption, preparation in BC/DR is its own reward.

Through investments in BC/DR planning, “organizations have the opportunity… to influence whether they are among the winners or losers after a disaster event.” 4 The influence depends on the organization’s analysis of alternative corrective measures, recovery time objectives (RTOs) and the often-overlooked downtime costs. These measures fluctuate depending on several factors including industry and size. The cost of alternative corrective measures, which includes the development and maintenance of BC/DR plans, decreases as the RTO increases. 5 Downtime costs encompass several components, making the measure difficult to analyze. On average, downtime costs increase quickly in the short run and the detriment grows with the length of the disruption to operations. 6 Through BC/DR planning, organizations seek to limit the downtime of operations, preventing a disruption from leaving the organization in financial ruin. Identifying a specific RTO for a disruption aids the organization in determining estimates of the minimum downtime costs and alternate corrective measures costs required to achieve the specified RTO. Effectively minimizing the cost of downtime and recovery can only be achieved through a well-developed risk assessment and BC/DR plan.

Creating a thorough BC/DR plan can be a daunting task, even for organizations with a response already in place. There are a number of BC/DR guidelines, written by professional organizations such as the Disaster Recovery Institute International (DRII) and Business Continuity Institute (BCI), with the purpose of assisting in plan development. Planning should start with a risk assessment to identify critical resources (e.g., capital, human, IT), processes critical to operations, and potential threats and vulnerabilities. Identifying the criticality of operations can also be influenced by the regulatory or contractual requirements driving the need for a BC/DR program. Then, it is helpful to conduct a business impact analysis (BIA) to evaluate the impact of disruption to a critical process or resource, which can determine the RTO for key operations. 7 In this phase, organizations should prioritize the critical resources and processes needed to support operations on criteria that are relevant to the organization. After prioritizing critical resources and processes, the BC/DR policy and procedures can be created to resume critical operations. For example, after the attacks on the United States on 11 September 2001, a crucial aspect of restructuring the BC/DR plan was involving employees throughout the organization in the plan. 8 Giving all employees a stake in the plan leads to better awareness and ownership of procedures. This leads to more effective and efficient execution of the plan. However, writing the BC/DR plan does not mean the process is finished.

BC/DR plan development is a continuous process, requiring routine testing and maintenance to build an effective response. The exact procedures and frequency of testing depend on several factors, including organization size, nature of the business, plan complexity and resource availability. For example, after 11 September 2001, Lehman Brothers instituted virtual workplace arrangements and held biannual tests of each employee’s remote access to build dependability and member awareness of the plan. 9 Testing the plan either through walk-throughs or a simulated disruption allows staff members to see their stake in the plan and practice their response in a disruption. Executing the plan, either in testing or an actual disruption, identifies weaknesses, gaps and areas for improvement to be evaluated. 10 Evaluating results helps the organization restart the development cycle by confirming the effective plan areas and updating the ineffective areas. A continuous BC/DR development process prepares an organization for a disruption to key operations.

Understanding the Effect of COVID-19

COVID-19 has been disrupting lives for more than a year, and there are still many uncertainties regarding the virus. As seen with COVID-19, unknowns in the early stages of a disruption can create a snowball effect of unforeseen and indirect vulnerabilities. COVID-19 reduced the ability of operations to be conducted in person, which increased the number of remote access workspaces. Thus, COVID-19 had an indirect effect of increased cyberrisk. 11 This served as a lesson for BC/DR development, showing that a disruption can present threats and vulnerabilities to critical operations that were not previously anticipated in risk assessments.

Another lesson learned from COVID-19 is to include analysis of the supply chain impact in BC/DR development. For example, the automotive manufacturing industry was seriously impacted by COVID-19-related government shutdowns affecting overseas suppliers. Similarly, downstream supply chains were impacted. The oil and gas industries were affected by travel restrictions impeding large customers in the airline industry. 12 These lessons and examples of COVID-19 impacts from other industries can be useful for any organization to consider as it modifies its BC/DR plans.

Survey Instrument

Figure 1

To facilitate this research, a 16-question survey was distributed to obtain data to evaluate organizations’ preparedness for COVID-19 and their response effectiveness and BC/DR plan modifications from before March 2020 to the period of March 2020 through December 2020. The evaluated modifications to BC/DR include scope of risk assessment and frequency of tabletop, preparedness, full-operational, and audit or review tests for the respective periods. The survey was distributed via email to more than 300 organizations throughout the Midwest United States. The Midwest was chosen for the broad mix of industries that serve as a representation for most regions of the world. Approximately 9 percent of organizations responded, providing for 28 records of results. Of the 28 respondents, 27 were deemed reliable, complete responses. Respondents were grouped by industry classifications, ranges of revenue and paid employees for the fiscal year ending in 2019. Figure 1 shows how the organizations were classified. Revenue and paid employees were used to classify respondents as small and medium-sized businesses (SMB), small and medium-sized enterprises (SME), and large enterprises. Professional judgement was used when an entity did not specifically meet class criteria. 13

Figure 2 shows respondent demographics by industry and size classification.

Figure 2

Analyzing COVID-19 Response

Based on the survey, 63 percent of respondents considered their COVID-19 response to be “Very effective” or “Extremely effective” (figure 3). This includes more than half of the large enterprises, which could mean that organizations with more resources are able to leverage more effective BC/DR planning. All SMB respondents noted that they were at least in the “Very effective” category, which may indicate that smaller organizations have greater adaptability in response plans due to simplicity of scale.

Figure 3

The results shown in figure 4 support investing in BC/DR; 70 percent of respondents increased the scope of risk assessments for the period of March through December 2020 in response to COVID-19. If the trend continues, it appears as though more organizations will expand their risk assessments and decrease their risk appetite after the pandemic runs its course.

Figure 4

Future BC/DR Best Practices

In the survey, respondents were asked to select the disruptions they included in risk assessments or BC/DR plans prior to March 2020 (figure 5). Fire and tornado were the most assessed of the 10 events, while pandemics were the least assessed. However, organizations should focus their response plans on the potential impacts to their operations rather than planning for every possible disruptive event. 14 For example, organizations should have a plan for when their facilities cannot be accessed, which could be the result of a fire or tornado. A tornado could also impact the workforce and customers, which, indirectly, impacts recovery. For another example, instead of planning for how to respond to a ship being stuck and blocking a major waterway for several days, 15 it would be prudent to plan for what the organization would need to do without access to inventories from suppliers or with an inability to reach customers. Organizations will never be able to prepare for every possible disruption to operations, but it is a good exercise to include in BC/DR testing.

Figure 5

BC/DR testing procedures and terms are likely to vary by organization. For the purposes of this research, a tabletop test is a paper walk-through of the plan, involving personnel critical to the plan’s execution. A preparedness test is a simulation using actual resources to test the full plan or a portion of the plan on a localized or small scale. A full operational test simulates a full-scale disruption across all operations. Audits of the BC/DR plan are procedures performed by internal or external audit departments, and reviews are performed by business continuity members or other responsible personnel. These tests are included in the analysis.

The survey asked respondents how frequently their organization tested BC/DR (figure 6). Tabletop and preparedness tests are less extensive and are executed most frequently. More than 50 percent of respondents performed them at least annually. This is likely because these tests require fewer resources and can be performed with little regard to organizational size and plan complexity.

Figure 6

As tests increase in extensiveness and require more resources, frequency decreases across all respondents. Nearly 41 percent of respondents do not perform a full operational test. More than half of respondents perform the more extensive tests at least every other year. These differences are likely based on organizational size impacting plan complexity and available resources. Organizations with more resources, such as an internal audit department or available capital, can afford the time and cost of performing extensive tests more frequently. However, as plans become more complex, it may be more difficult to perform extensive tests, leading organizations to perform more localized preparedness tests. COVID-19 also affected testing frequency.

The survey also asked respondents how their frequency of BC/DR testing changed for the period of March 2020 through December 2020 (figure 7). Given the short period of measurement, not many changes were expected due to the active response and management of the COVID-19 disruption. However, at least 15 percent of respondents adjusted to COVID-19 by increasing the frequency of testing in the four testing categories. A minor percentage of respondents decreased tabletop and preparedness tests for the period. This may have been caused by a limitation of resources or another factor caused by the COVID-19 disruption.

Figure 7

Changes in frequency of full operational tests based on testing frequency prior to March 2020 were also noted (figure 8). Most increases in frequency were from respondents who, prior to March 2020, had tested every other year or less. Dependent on the organization, this could show that the best practice for a full operational test is at least annually. Some industries, such as the financial sector, can set this precedent by having regulations to test BC/DR plans annually. 16 Organizations could also include BC/DR testing requirements in contracts with third-party vendors. It is likely that more organizations have increased BC/DR testing as more discoveries are made regarding COVID-19 responses, impacts and best practices.

Figure 8

Conclusion

All things considered, allocating resources to BC/DR planning is a business decision. Survey results have indicated an upward trend of organizations allocating resources to plan development through expanded risk assessment and testing frequency and pervasiveness. The majority of survey respondents, regardless of organization size, considered their BC/DR plans effective in responding to COVID-19, which supports investing in plan development. Effectively managing the impact of a disruption, such as the pandemic, requires recurring investments to plan development, and although the scale of investment and development procedures will differ between organizations, the BC/DR conversation should frequently be held with management to produce an acceptable level of risk in preparing for the next disruption.

Future research into this issue should provide more insight into BC/DR development. An analysis of software and other tools could provide guidance for how organizations can leverage technology to develop more effective BC/DR plans and execution. A BC/DR analysis with a larger sample of industries could create standards for development that would be more persuasive in the BC/DR investment decision. More BIA guidelines and techniques could also be researched to assist in downtime and recovery cost estimation. This could reduce uncertainty, resulting in more valuable information for BC/DR decision makers. Although the future is uncertain, organizations can prepare by implementing the lessons learned from COVID-19 to satisfy their reduced risk appetite.

Endnotes

1 Fauci, A. S.; C. L. Paules; H. D. Marston; “Coronavirus Infections-More Than Just the Common Cold,” Journal of the American Medical Association, vol. 323, iss. 8, 2020, p. 707–708
2 Mayberry, M.; “By Failing to Prepare, You Are Indeed Preparing to Fail,” Entrepreneur, 22 April 2016, https://www.entrepreneur.com/article/274494
3 Weinberg, N.; “Business Continuity and Disaster Recovery Planning: The Basics,” CSO, 25 March 2021, https://www.csoonline.com/article/2118605/business-continuity-and-disaster-recovery-planning-the-basics.html
4 Sampson, K.; T. Hatton; C. Brown; “The Silent Assassin: Business Demand Changes Following Disaster,” Journal of Business Continuity and Emergency Planning, vol. 12, iss. 1, 2018, p. 79–93
5 ISACA®, CISA Review Manual, 27th Edition, USA, 2019, https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004KoCbEAK
6 Ibid.
7 Ibid.
8 Alesi, P.; “Building Enterprise-Wide Resilience by Integrating Business Continuity Capability Into Day-to-Day Business Culture and Technology,” Journal of Business Continuity and Emergency Planning, vol. 2, iss. 3, 2008, p. 214–220
9 Ibid.
10 Disaster Recovery Journal, “Testing Your BC or DR Plan: What Would Confucius Say?” 14 January 2013, https://drj.com/journal_main/testing-your-bc-or-dr-plan-what-would-confucius-say/
11 Op cit Weinberg
12 Haydon, D.; N. Kumar; N. Brooks; “What’s the Market Sentiment? Top Five Industries Impacted by COVID-19 From a Probability of Default Perspective
13 Sangoma, “SMB, SME, and Large Enterprise: Why Your Business Size Classification Matters,” https://www.sangoma.com/articles/smb-sme-large-enterprise-size-business-matters/
14 Hodge, N.; “Resilient, Ready, and Responsive,” Internal Auditor, vol. 78, iss. 1, 2021, p. 36–41
15 Stevens, P.; “The Ship That Blocked the Suez Canal May Be Free, But Experts Warn the Supply Chain Impact Could Last Months,” CNBC, 29 March 2021, https://www.cnbc.com/2021/03/29/suez-canal-is-moving-but-the-supply-chain-impact-could-last-months.html
16 FINRA, “4380. Mandatory Participation in FINRA BC/DR Testing Under Regulation SCI,” 3 November 2015, https://www.finra.org/rules-guidance/rulebooks/finra-rules/4380

Pascal A. Bizarro, Ph.D., CISA

Is an associate professor of accounting in the department of accounting and management information systems at Bowling Green State University (Ohio, USA). He has published several papers in leading practitioner journals, such as The CPA Journal, ISACA® Journal and Internal Auditor.

Aaron Wheeler

Is a master of accountancy student at Bowling Green State University. He will join the Risk and Financial Advisory Program at Deloitte in Cleveland, Ohio, USA, following graduation and is currently pursuing his certified public accountant (CPA) license and a Certified Information Systems Auditor® (CISA®) certification.