The US Center for Disease Control (CDC) has confirmed 64 cases of swine flu in the United States, and as other countries including Canada (6), New Zealand (3), the United Kingdom (2), Israel (2), Spain (2), and now Germany have confirmed cases, the World Health Organization has raised the worldwide pandemic threat level to Phase 4. This means health officials have confirmed that the disease can spread person-to-person and has the potential to cause "community-level" outbreaks. The CDC recommends avoiding travel to Mexico and, if you get sick, staying home from work. Large numbers of employees out sick will impact the business (revenue) and cost your company a lot of money in productivity loss (you still pay employees their salary when they're out).
Stopping the spread of the disease and treating those infected is obviously a health issue, but the swine flu outbreak does have implications for IT professionals in both the short term and the long term. First, if you haven't done so already, you need to find a copy of the bird flu business continuity plan (BCP) that your company developed in 2006 and call a walk-through exercise immediately. And if your responsibility is IT disaster recovery and not necessarily business continuity, don't wait around for someone else to dust off the plan and call the exercise; this is too important to wait. Call your CIO, CISO, COO, and CEO and tell them it needs to be done now. There's a good chance that the plan is out of date and that it hasn't been exercised in a long time.
A plan walk-through is no substitute for a more thorough exercise, but it's a good place to start. This will help you:
- Validate the currency of the plan and the procedures.
- Validate team member roles and responsibilities.
- Understand what technology and services you currently have in place.
After the plan walk-through, you will need to conduct a more thorough exercise that will validate team member competence, confirm the time it takes to execute each activity, and validate the technology you have in place to support the plan, including:
- Automated communication and notification solutions for crisis and emergency communication.
- Remote access procedures to ensure that the greatest number of employees can effectively work from home if there is a "community-level" outbreak and more travel restrictions.
As you dust off the plan, update it, and exercise it, you've also got to make sure that you roll out a training and awareness program so that employees know what to expect in terms of communication from senior management, where to go for information, and what to do when and if you invoke your pandemic BCP. As IT, this might not be your responsibility, but you need to raise the issue during exercises.
What swine flu has done is remind us all of the necessity to plan for threat scenarios that affect people more than they do data centers and other physical corporate facilities. Alternate work area facilities, mobile recovery units, and other workforce recovery strategies aren't effective when people are home sick or there are travel bans in place. In these scenarios, your workforce recovery strategy must rely on remote access solutions or virtual workforce solutions.
In a recent joint Forrester and Disaster Recovery Journal survey, we asked 285 BC/DR decision makers if their company had strategies for workforce recovery in their BCPs; 68% said yes. This means that 32% of you out there have a lot of work to do. Of the 68% that have strategies in place, 86% use remote access procedures as part of their strategy;
Remote access or virtual workforce solutions can be as simple as VPN procedures for employees with laptops, remote desktop solutions like Citrix GoToMyPC or LogMeIn, or more advanced solutions like desktop virtualization or application virtualization. Bottom line, you want employees to be able to access their data and applications so long as they can get to a computer with Internet access.
You also have to think about your own employees: how will you run IT operations if key employees are out sick or can't get to work? There's a lot you can do remotely, but not everything. You have to ask yourself: how many employees have we cross-trained for other job functions? Can your storage administrators run backups? Could your server admins allocate storage or debug a storage network problem? Cross-training in critical functions is another part of workforce recovery or, I should say, workforce continuity.
I have an upcoming report that looks at the human side of business continuity and disaster recovery planning. I'm interested to hear how the swine flu has changed your priorities and how senior management has asked IT to help in the response.
Check out Stephanie's research