Is the Pandemic scenario already part of the company's Business Continuity Management System (SGCN)?
*By Rodrigo Dantas
Companies of all sizes and segments are being impacted and tested by the pandemic. The Ministry of Health confirmed, on 02/26/2020, the first case of COVID-19 in Sao Paulo. The quarantine directly affected and changed the way people work and brought with it the concept of the “new normal”. In response to the crisis, business continuity has become an indispensable topic for discussion. Many companies did not have a plan to put Home Office into practice, for example.
A survey carried out by the Daryus Group indicates that 43% of the companies interviewed did not have a Business Continuity Plan (PCN) or Crisis Management Plan (PGC) to face the effects of the COVID-19 pandemic. Only 12% were structured for continuity, but they had not tested their plans for a scenario similar to the one in 2020. Not even the most pessimistic would have imagined a Pandemic scenario on the scale of COVID-19, would they?
Crisis Management (GC) and Business Continuity (CN)
Crisis management and business continuity involve the establishment of a Business Continuity Management System (SGCN), which comprises the development and implementation of strategies, teams, plans and actions that provide protection and alternative forms of operation for an organization in the face of adverse events.
A well-structured SGCN will be able to prevent and mitigate risks, as well as reduce human, material and corporate image damage and losses arising from accidents, crises and catastrophic contexts.
Is the Pandemic scenario already part of your Business Continuity Management System (SGCN)? If the answer is no, it needs to be added as soon as possible, as this scenario is no longer something that might happen, but something that is present in current times.
How to Establish a Business Continuity Management System (SGCN)?
Establishing a Business Continuity Management System (SGCN) is an arduous task that permeates all levels of the organization, from Top Management to Operational. The main objective is for the company to be able to continue delivering critical products and services at an acceptable level during an interruption of its business processes.
Below we highlight the steps that must be followed, at a minimum:
- Business Impact Analysis: This analysis allows business processes to be prioritized based on the impact, loss and cost of resuming activities that were interrupted. The main question this analysis answers is: “What is most important in your company?”.
- Risk assessment: This assessment evaluates the risks of interruption to the activities previously prioritized in the Business Impact Analysis, so that we can implement the controls necessary to address these risks. The main objective is to understand: what are the main risks, and how will I treat them?
- Business Continuity Strategies and Solutions: From the results of the business impact analysis and the risk assessment, we must select the best business continuity strategy, one that considers options for before, during and after handling the incident or crisis. For example, a Home Office strategy for people, a cloud backup solution strategy for information, a backup site strategy for the company's Data Center, etc. In this process, the question that must be answered is: “What is my strategy in the event of a business interruption incident?”.
- Business Continuity Plans and Procedures: The next step after choosing and implementing the best business continuity strategy is the development of Continuity Plans and Procedures. A Plan comprises several procedures for handling incidents and recovering the business processes that were interrupted. Each plan must include, at a minimum:
  - the purpose, scope and objectives;
  - the roles and responsibilities of the team that will implement the plan;
  - actions to implement the solutions;
  - the information necessary to activate (including activation criteria), operate, coordinate and communicate actions with the team;
  - internal and external interdependencies;
  - necessary resources;
  - reporting requirements;
  - an evacuation process.
- Exercises and Tests Program: All Plans must be periodically tested to validate the efficiency of their business continuity strategies, solutions and procedures. Additionally, testing exercises the team responsible for triggering the Plans in a high-pressure environment, thus contributing to the team's training for dealing with an incident or crisis.
In this Pandemic scenario, many companies needed to implement a business continuity strategy quickly. It consists of delivering to employees at home, through remote access, all the work tools they are used to using, as if they were working inside the company. Face-to-face meetings have been replaced by video conferencing, forcibly promoting a digital transformation to maintain the survival of companies in this period of crisis.
COVID-19 by itself cannot cause the interruption of a company's information systems, operations or critical services; however, the lack of preparation and/or awareness of employees can increase the risk of these types of situations.
In these times of quarantine at home, even a small interruption in the company's power grid or internet can have a huge impact on business processes. Remember that these impacts also need to be reflected in the Business Continuity Management System (SGCN).
– Rodrigo Dantas is Senior GRC and Information Security Consultant at SAFEWAY
SAFEWAY is an Information Security company, recognized by its customers for offering high added value solutions through Information Security projects that fully meet business needs. In these years of experience, we have accumulated, with great pride, several successful projects that have earned us credibility and prominence among our clients, which include, in large part, the 100 largest companies in Brazil.
Safeway can help customers better understand their Information Security needs, as well as the tools needed to detect, respond and mitigate their risks involving threats and regulatory issues. In this way, our professionals and expert consultants can help eliminate small problems before they become big ones. Security, Vulnerabilities and Fraud Management actively analyzes your company's security through monitoring activities, mitigating risks and attacks in the IT environment.