Del Aden’s thoughts … Is your Business Continuity Plan adequate for COVID-19 and beyond?


While the long-term outlook for the COVID-19 pandemic is still highly uncertain, businesses, individuals and families are nevertheless having to adapt to new, troubling challenges such as severe supply and demand disruption, social distancing and serious health implications.

Business continuity is crucial – staff must be protected and able to work effectively so they can contribute to the good of the economy and society. Thankfully, solutions exist that can be rapidly implemented at scale.

There are three phases to tackling crises such as COVID-19:

  1. Shock – Protect people, understand the situation, and ensure business continuity
  2. Endurance – Manage people and business activity through the crisis
  3. Recovery – Restart activities, assess the damage and rapidly recover

The current COVID -19 pandemic shows us how important Business Continuity Planning (BCP) is, particularly when supplemented by a DR (Disaster Recovery) strategy. The virus has made clear how vulnerable we are in Africa, and has uncovered long-neglected weaknesses in processes and systems of many organisations (Large, Small or Medium)

Unexpected disasters and business disruptions are real – can you afford the risk of not being prepared for a disaster that could damage your business? 

Three months ago, did we really think it would not affect us?                                                             A virus in and of itself can’t shut down an organisation’s systems, operations, or services. It is a lack of sufficient preparation that increases the risk of these sorts of disruptions. Under the current circumstances with so many quarantined at home, even a network outage can have a huge impact on business functions.

Consequently, Disaster Recovery strategies and BCP become more critical as enterprises adjust to the business disruptions caused by coronavirus. While current BCP plans may not take into account a pandemic, can we afford to ignore such situations because they only rarely occur?

Disaster Recovery (DR) and Business Continuity Plans (BCP) are essential to sustain business operations                                                                                                                                                       It’s not often that an organisation faces a pandemic, but natural disasters, man-made disasters, security threats (such as malware attacks) and downtime are all realities.

In fact, the world has experienced serious infectious outbreaks within the last 20 years with bird flu, swine flu and Ebola; fortunately, these diseases did not spread as quickly and easily as COVID-19, so their impact was more limited. Nonetheless, after the H1N1 pandemic as the latest, risks associated with infectious diseases should have been considered in a BCP.

It was Warren Buffet who said “An Idiot with a Plan can beat a Genius without a Plan”               To ensure business continuity and a smooth recovery process following severe disruptions, it is crucial to carry out a risk assessment, establish a recovery strategy and make concrete continuity plans. Otherwise, organisations stumble unprepared into catastrophe; leaving management less able to address the situation calmly and appropriately.

By answering the following questions and evaluating their answers, management can begin to prepare for the worst:

  • How can my organisation ensure that business processes can be restored?
  • How can my organisation access back-up plans or ensure the recovery of lost data?
  • What protective measures have been implemented for the safety and security of employees, their families and the environment (health, social engineering, awareness)?
  • Which IT security procedures can be implemented for employees as a precaution (VPN, home office, training, MFA (Multi-Factor Authentication), requirements and policies?
  • Is there a replacement if the providers’ technical representatives cannot be on site to repair equipment which requires maintenance (supply lines for replacement of machine parts or materials) and may be disrupted?
  • Have sufficient resources (money, time, manpower) been invested in preparation to ensure a seamless, trouble-free recovery or business continuity process after natural or man-made disaster?

So, what is a Business Continuity Plan?

According to ISO 22301, a business continuity plan is defined as “documented procedures that guide organisations to respond, recover, resume and restore to a pre-defined level of operation following disruption”. (clause 3.5).

Every organisation needs a Business Continuity Plan to protect its critical Operations, Resources and Services in the event of unexpected disasters and business disruptions. At the time of a disaster, everyone in the organisation relies on the business continuity plan to ensure continuity of business and restore normal operating conditions. It is critically essential to build a plan that is reliable, comprehensive, and effective for any business disruption scenario.

Whereas Business Continuity is the ability to keep vital business operations running in the event of failure in the existing infrastructure, Disaster Recovery, however, is when the infrastructure is significantly impacted and no longer available. This is most often a major natural disaster or other ‘act of God’ to use legal terminology. The number-one requirement is that the data be protected. Data is the only thing truly unique for a business. It is the only thing that can’t readily be replaced.

In this context, organisations need to work with the assumption that they will not always be able to stop all future incidents, disasters and cyber-attacks with preventative measures, so there needs to be a balance with appropriate investment in both protection and recovery in order to put the organisation in a much better position financially.

Plan testing – To remain current and viable, a business continuity plan must be regularly tested. It is clearly much better to test these plans with a Business Continuity exercise and discover any weaknesses before an actual catastrophic event occurs. However, few organisations have the time, or breadth of experience, to design and facilitate a realistic Business Continuity exercise.

Training – At the time of a disaster, it is critically essential to have a team that is competent and knowledgeable in managing any business disruption scenario. This is the reason why organisations (similar to yours) are required to have their employees trained and certified in globally recognised certification in Disaster Recovery and Business Continuity.

Specialist Training – Over the last two years, Delta3 International has been working with its partner in Canada (BRCCI) to provide internationally recognised Certification Training to employees of some organisations in Ghana – such as BoG, GRA, BOST, Ghana Water, NLA etc.

Leadership – In this complex and challenging time, the people who lead others in your organisation need to ensure the continuity and success of your business. Consequently, leadership in firms need to take creation and testing of BCP very seriously.

Above all, the Three R’s of Business Continuity must be well-defined for your organisation.

  1. RTO (Recovery Time Objective)
  2. RPO (Recovery Point Objective)
  3. RGO (Recovery Granularity Objective)

In Conclusion

Risk is everywhere, and the key is in managing it. In my experience, companies usually find two things in their business continuity management to be the most difficult: risk assessment and business continuity planning.

The multifaceted nature of the COVID-19 crisis is proving overwhelming for many businesses, threatening their continuity. The answer lies in working closely and intelligently with your clients, partners and providers.  By helping your ecosystem of suppliers and clients, you can ensure your partners continue to operate effectively – thus protecting your business in kind.

Finally, the COVID-19 crisis is concerning and disruptive but the way we act now will make a clear difference to the future – ongoing management of the crisis and eventual recovery. Support your people; trust them to take care of themselves, and they will take care of one another and their clients – this way, change can be rapidly and broadly implemented as part of our ongoing commitment to continue offering our clients training and development in areas key to thriving in rapidly evolving business environments.

>>>The author is Managing Partner, Delta3. As an Enterprise Architect and Information Security Consultant, Del Aden is an industry-recognised security expert with over 20 years of hands-on experience in consulting, training, public speaking and expert witness testimony.

As the Managing Partner for Delta3 International, Del now focuses on helping customers prevent security breaches, detect network intrusions, and respond to advanced threats. An astute speaker and trainer, Del is on the cutting-edge of cybersecurity research and development.

For comments, contact author: [email protected]  Mobile: +233 202621350 (GH) or +44 7973 623 624 (UK). Website:    Contact us: [email protected]

Leave a Reply