In an effort to contribute to a broader conversation about how the business community and corporate leaders respond to both the ongoing crisis and future challenges, Chronograph’s Business Continuity & Disaster Recovery (BC/DR) team is “open-sourcing” our business continuity framework and best-practices guide.
Certainly – as the markets have responded to the rapid development of the COVID-19 crisis – ensuring our limited partner and general partner clients have up-to-date data and insights available through the Chronograph platform(s) has never been more critical.
Through advance planning and ongoing iteration, our team was prepared to quickly enact our corporate business continuity and disaster recovery plans to ensure no disruption to ongoing operations or attainment of business goals, despite being based in New York City – the current epicenter of the COVID-19 outbreak in the United States. As the situation has continued to evolve, we have likewise continued to enhance and refine both formal policies and pragmatic processes: examples include everything from heightened cybersecurity and cybercrime vigilance to a sustained company-wide focus on mental health.
As a Software-as-a-Service business, our BC/DR considerations are obviously quite different than those with physical assets and/or retail locations; as such, we would plainly acknowledge the inadequacy of certain aspects of our approach for such businesses. However, we hope there are some helpful elements to be incorporated into your own plans. For those seeking ways to help directly-impacted businesses and vulnerable populations, we would encourage you to consider the relief efforts being supported by Robin Hood Foundation among many other impact-driven non-profit organizations.
To note, our formal policy outlines four phases of disaster resiliency: 1) planning, 2) event monitoring and plan activation, 3) offsite operations, and 4) resumption of primary operations. In this series, we outline the considerations our team worked through at each stage of BC/DR operations to date.
We will review helpful BC/DR resources, propose an approach for assessing risk and business impact, suggest some tools to enable enhanced collaboration for process improvement, step through our approach to awareness training, and review ongoing strategies for impact mitigation.
“Be prepared, which means, you are always in a state of readiness in mind and body to do your duty; … and also by having thought out beforehand any accident or situation that might occur, so that you know the right thing to do at the right moment, and are willing to do it.”
Scout Motto, Lieut. Gen. Baden Powell C.B., Scouting for Boys (1908)
Stepping back from the current pandemic crisis for a moment, the scale of economic damage from “catastrophes” has increased steadily (see charts below). Taking a longer view of these trends and factoring in the increased risk from steadily-growing threats like the factual reality of climate change, we can see that businesses everywhere are facing an increased occurrence and impact of broad-based risk:
In the current moment – for those businesses caught off guard by the transition to remote operations – it may seem too late to consider the “planning” phase of BC/DR operations. We disagree. If anything, the current crisis underscores the need for carefully considered and practical business continuity plans that extend beyond standard compliance boilerplate. Our approach to BC/DR planning is laid out below:
Get oriented. Depending on the maturity of your business and compliance / risk management processes, this may be the first time you are having to think through ongoing operations, or perhaps it’s the first time you’ve had to dust off a Business Continuity template pulled together years ago. Fortunately, there is no shortage of helpful information produced by far more authoritative sources than ourselves (though hopefully we are providing some thoughtful guidance). Below are just a few of the recommended resources we’ve used in our own process development:
Delineate the risk spectrum. What constitutes “disaster”? Step one for any team should be to consider and define a range of potential risks, from the relatively benign (e.g. an electrical outage at your offices) to almost-incomprehensible “black swan” events (e.g. COVID-19). Even if every risk cannot be mitigated or even articulated, it is helpful to think through the full range of possibilities and to be inclusive (even paranoid) in doing so. What we found useful in our own scenario gaming was to start with the immediate risks of physical proximity and work “outward” to global considerations. Read the fine print in your insurance policies: you’ll often see language regarding exclusions for war, pandemics (sadly), or nuclear holocaust (game over). Take these into account.
Below are a few examples of a defined risk spectrum:
The point of defining the risk spectrum is not to enumerate every potential eventuality – which is impossible – but rather to have an understanding as to which “bucket” a given situation may fall into, and as such, understand business impacts and potential mitigation strategies. To note, in BC/DR jargon, this element of planning is often defined as two distinct steps: risk evaluation and business impact analysis. Here, we are recommending an inclusive approach to the former to help clarify the latter.
Document and collaborate. Beyond performing the core work of business impact analysis and centrally collating information (risks, responses, policies and so forth), it is critical to ensure that any documentation is maintained on an ongoing basis. We would humbly submit that in 2020, a Word document saved on a central drive is no longer sufficient for enabling robust collaboration across your organization. At Chronograph, we make use of a variety of collaboration tools, including productivity tools like the G Suite Apps. For policy documentation, however, we would recommend internal knowledge base tools (internal “wikis”) as a better solution for ensuring broad-based collaboration across your organization. There are a number of advantages over traditional productivity tools, not least natural language searchability, automatic version histories, simple access control, and related-article referencing, among others. We are big fans of Nuclino, but there is no shortage of great knowledge base solutions like Confluence, Zendesk, Guru, and a host of others that can fit into your existing technology and infosec environment. Whichever tool you choose, confirm that the plan itself stays reachable in the scenarios it describes: a runbook that lives behind your office network or a single identity provider is of little use when that network or provider is the thing that has failed.
Train and refine, train and refine – but actually. It’s great if you have a well-defined disaster recovery plan, but can your team speak to the specifics? Unfortunately, in many cases, “compliance training” has been reduced to simply clicking through a series of scripted videos as quickly as possible, and is seen as a task to be begrudgingly completed. While awareness training resources have a key role to play in ensuring a baseline of understanding about procedures, at Chronograph we have made business continuity training an ongoing conversation on our team. Starting on day-one during new hire orientation, we speak to business continuity and remote operations guidelines and expectations to underscore the importance of protecting our employees and ensuring continued delivery. This is supplemented by regular full-team conversations that are practical. Examples of how we incorporate training on an ongoing basis include:
The key takeaway is that assessing and refining business continuity operations should not be seen as an infrequent compliance exercise, but rather, an ongoing light touch practice with a cumulative effect.
Mitigate, diffuse, and assess again. Performing a risk and business impact assessment, documenting and updating plans, and ensuring team understanding are critical, but there are likely steps that your organization can take to further mitigate identified risks, or at least to ensure that they will not be crippling should they come to pass. Insurance is an obvious part of any corporate toolkit, but closely assessing the actual coverage and qualifying factors is critical. For example, most cyber insurance policies are woefully lacking in both the scope of qualifying criteria (the security controls the insurer expects to be in place before a claim is honored) and actual coverage. It’s great that they’ll cover the PR firm to handle publicity fallout, but will they cover the cost of a forensic investigation to understand why a breach happened in the first place? Similarly, many companies are currently discovering that there are significant carve-outs for pandemics, leaving them potentially exposed to material gaps in various coverage types. Following the same principles outlined throughout this article, mitigation strategies should also incorporate second- and third-order risk and gap assessment, along with continued iteration and refinement. As conveyed in the previous point, there is simply no substitute for a sustained and continued conversation to ensure ongoing enhancement.
We hope you have found something useful in the first post of our series. We look forward to subsequent posts on event monitoring and plan activation, a conversation on offsite and remote operations, and thoughts for post-crisis resumption of primary operations.