Disaster Recovery and Business Continuity Planning: Lessons Learned from COVID-19

A global pandemic. Stay-at-home orders. An unprecedented quarantine in which work, school, and life itself were confined within the walls of one’s own home.

For most companies, COVID-19 was a wake-up call. Although disaster recovery and business continuity plans are nothing new, most are written to combat a regional incident, a computer hack, or a natural disaster—nothing as big or all-encompassing as a global pandemic of the magnitude that we're experiencing.

So, where should companies go from here? How can they create a disaster recovery and business continuity plan that truly prepares them for anything? And, just as important, how should they use the lessons learned in 2020 to disaster-proof their company going forward?

We spoke to some experts from SAP Concur and TransferMate to find out.

Look at the controls you have in place

“We are ISO 27001-certified, which is an information security standard that has business continuity planning and disaster recovery as one of its controls,” explained Margaret Corrigan, head of information security for TransferMate. “So, an excellent place to start is by looking at what controls your company has in place. These give you very good guidance in putting together a framework for the recovery of your IT systems and keeping the organization running. So, it’s a good starting point for structure.”

Conduct a business impact assessment

Corrigan also recommends conducting a business impact assessment—a collective exercise across all functional areas that identifies:

• What operations you need to have in place
• The minimum number of employees you need to maintain those operations
• The core systems and service providers that those functions are reliant on

“This assessment forms the scope of what you need to carry on an acceptable level of business, in terms of people, premises, technology, and your core suppliers—as well as identifying how long you could operate without any one of those components in place,” Corrigan said. “That's important because if you don’t need to have 20,000 people up and running day one, but do need 10,000, the support requirements to deliver that plan reduce down, which speeds your recovery time.”

Test your recovery capabilities

Once the Business Impact Assessment is completed, this input goes to IT, so they know the core systems involved, the data requiring recovery, and the number of people who would have to be operational in 24 or 48 hours, or whatever those requirements are.

Then, IT conducts a test that simulates what would take place if an actual disaster occurred.

“If you can’t recover within the predetermined SLAs, then your organization has to take remedial action to address the issues and re-test,” Corrigan said. “Once that effort is successful, IT will continue to perform the test annually. At the same time, the business should revisit the impact assessment every year as well, to ensure those requirements are still valid.”

Make sure the right stakeholders are involved

It’s important to note that, although IT plays a significant role, disaster recovery and business continuity programs are not solely an IT effort.

“Today, disaster recovery and business continuity is a CEO issue. There has to be active involvement and buy-in from the executive management and business owners throughout the process,” said Paul Herrick, chief people officer for Taxback Group. “In Transfermate, that was, and is, very much the case. Our CEO was very involved in the review and oversight of the plan and its implementation.”

Map out the scenarios—but prepare to improvise

While mapping out different scenarios and “what ifs” is part of business continuity planning, as COVID-19 has proven, you won’t be able to plan for everything.

Our experts advise planning for what you can, but being prepared to adjust that plan for the situation at hand.

“You have two things at play here, really. You have different teams prepped for different stages of crisis and disaster recovery. Then, the disaster strikes and you ask, according to our plan, who needs to be in the room?” Herrick said. “That’s your baseline, that is your structure, but there is also an organic element that requires you to bring in the right people as the situation evolves, and to make decisions in real time within the structures you’ve identified.”

Use those scenarios to re-evaluate technology

Simulating the worst-case scenarios in advance also exposes your technological holes.

“COVID-19 is the first crisis of this scale where technology is advanced enough to give companies the option to do something about it,” said Nicholas Wong, presales consultant for SAP Concur. “So, this crisis also presented an opportunity for companies to look at new options to empower their employees to continue to do their daily tasks while operating remotely.”

While some have the processes and technology in place to do this securely, other organizations are starting from square one.

“By working with a provider that has controls in place, you know that your data is completely secure and protected, wherever your employees are working,” Wong said. “We’ve actually seen a lot of clients who looked at some of our products and services as ‘nice to have’ who are now realizing that they are essential—whether it’s technology to automate processes or services that manage manual matching of invoice to purchase order.”

Look at the processes—and the supporting technology—that impeded your agility and find ways to streamline or automate what you currently have in place. If something held you back this time, it will hold you back next time—and was probably weighing down your business’ daily operations long before the pandemic took hold. Just make sure you vet how your vendors are securing your data, their redundancy and approach to disaster response before you commit to the contract.

Don’t wait until a disaster is upon you to start putting the plan in motion

Companies that more successfully responded to COVID-19 were the ones that recognized the potential threat and took action before the pandemic reached its peak.

“The fact that we monitored what was happening in China, followed updates from the World Health Organization and paid attention to the media early on was critical to our ability to respond so well,” Corrigan said. “Our executive leadership and HR team proactively directed us to set up the remote access connectivity for impacted offices, slow down employee travel and get things set in case we needed to pull the trigger. Because of this, we had weeks to prepare, and were totally ready when the time came.”

It’s better to have a false start than to wait until you’re in the midst of a crisis to start taking action. In other words, the umbrella should go up when it starts sprinkling, not stay in the car until the deluge strikes.

Communicate, communicate, communicate

External and internal communications are critical during a crisis. Mapping out how you’ll direct your employees, and reassure your customers, and who is responsible for executing those communications should all be part of your plan, as well.

Just as important, make sure you continually communicate with your employees after the plan is in place to reduce stress and keep them feeling connected. 

“You have to work with executive leadership on key messages which, for us, in the case of the pandemic, was that your safety comes first, and that every decision we were making was based on that belief,” Herrick said. “We’ve also done a lot of listening, so we could understand how they were feeling about working from home, what the barriers were, and how they felt about returning to the office. Staying in touch with your employees as well as your clients throughout the event is essential.”

Although no one can predict what the future holds, a well-tested, well-documented disaster recovery and business continuity plan is critical to weathering challenging times and still being there to serve your customers. It’s that combination of technology, process, planning and people that makes all of the difference.

TransferMate – a part of the Taxback Group – is a global B2B payments technology firm, enabling companies to send and receive cross-border payments faster and easier than ever before. TransferMate has built one of the largest portfolios of payments licences worldwide, including in 51 US states and territories, to support trading in 162 countries and 134 currencies. Leading banks, fintechs & software providers partner with TransferMate to offer an enhanced user experience for their business customers. Using TransferMate’s technology and global banking infrastructure, companies benefit from better exchange rates, greater transparency and improved reconciliation via direct integration into accounting and ERP systems.