Are pandemic plans a thing of the past?

Are pandemic plans a thing of the past? Every organization must regularly review its BCP. One of the scenarios is a pandemic. Pandemic plans were the hottest thing in 2006 tem 2009. Then there was bird flu, H1N1, swine flu, Mex**** flu, etc. Are these pandemics a thing of the past? Or does a pandemic plan still belong in a good and sound BCP? Statistically, there is a pandemic every 30 years….In this contribution, I express my own opinion, not that of any organization.
Author: Manu Steens

All threats technology

When you do a risk analysis and you consider a pandemic to be a real threat, you need to create a pandemic plan. So says the common sense within BCM at first glance. The same goes for strikes, bomb alerts, fraud, electricity blackouts, ICT unavailability … and those plans have to take everything into account every time.

If you take an “all threats” approach to pandemic plans you could take a “loss of key personnel” as a case. And then you have to find a response to the loss of service, all losses, by having a strategy that provides a solution if these people are (temporarily) unavailable.

This “Loss of Key Personnel” approach makes things both simpler and more complex. At first glance, it seems simpler. But one must remember that such a maneuver in the scenarios makes a difference in the results and the necessary approach to the problem. There are differences in impact and solutions according to your “loss of key personnel”

  • is limited to its own department, and the rest of the organization and the world are doing business as usual, (as in a successful bombing of your company) or
  • widespread and the rest of the world also suffers from “loss of key personnel” (as in a pandemic).

This is why I think the pandemic plan as a scenario might remain useful.

But how? Every year there is a new flu that breaks through, and old strains sometimes worry for more than a year. Therefore, measures against spreading disease and preventing getting infected are important as long as there is no vaccine, (but also if there already is). Vaccines against new strains of influenza are also important for staff.

Strategies such as putting trust in people by letting them work from home are now succeeding in the larger organizations. But even there, it is not trivial, and a pandemic plan remains important for those facing illness at home. But there you also notice that the plan is less important than the planning itself. So you come to e.g. education for people’s behavior at home, recommendations how long they should stay at home after having had the illness, so HR involvement is also in it for something. Moreover, the latter may also apply if they are caring for a family member.

“Loss of staff for an extended period of time”

Would the scenario be better “Loss of staff for a longer time”? (e.g., more than 2 weeks) as opposed to for a short time. The difference with short term absences is that perhaps a re-prioritization is needed there, whereas with long term absences it is better to eliminate some of the work.

So there are two things to do: the business needs to plan for long-term loss of staff and how they will absorb that, and the BCM team needs to prepare a pandemic hygiene plan. These are two different things. The pandemic hygiene plan tells staff how to behave and gives behavioral rules and hygiene advice etc. In that view, it is not a continuity plan. The generic plan of losing employees for an extended period of time can also be triggered by a strike or unrest but is identical regardless of the trigger (including a pandemic).

As was declared at the Titanic: “We don’t need training with the lifeboats, because this ship is unsinkable !”

Is a pandemic just a loss of sick people? Not so. With the Spanish flu, there was an impact on much more. Panic value around, healthy people stayed home and cared for their sick, others were afraid to go to work, there was indirect impact on infrastructure due to lack of maintenance….

So it goes beyond having people not at work. The plan must take into account indirect implications of the event. Suppliers unable to deliver, customers unable to purchase, medical care facilities overcrowded, the air conditioning going down, prolonged interruptions to IT and telephony… So you don’t have to look at it small, you have to look at the whole picture. In a true virulent pandemic plague, there is a very high probability of loss of facilities, IT, infrastructure,…

Thus, if you create five generic scenarios with a hygiene plan for pandemics on top, you are actually prepared for any pandemic. The dependency on air conditioning, for example, might be best planned as a dependency on the supplier/repair service after sales. And the procedure for this scenario should have a script item that says “if the A/C has a problem do X and if X is not possible do Y”.

What is often missing

What is often missing is the description of when to decide to temporarily close your organization or part of it due to external factors. Global organizations, perhaps also region-wide organizations can move their operations to areas without impact. But with a pandemic, this is not easily achievable. So the question is: When do you cancel a contract? When do you suspend services? It depends on the needs of the customer: if he is too ill to take the services of the organization, suspending certain services may be a solution. Or functioning at a much lower level. And when will the owner of a building close the building because there is insufficient security? Or for maintenance? And then later: how to restart when the peak of the pandemic has passed? For this, testing is useful.

“Why plan ‘deep’ for that anyway?”

The advantage of creating a full and deep pandemic plan is the fact that you have to consider a lot of issues that are all about what a crisis is about: loss of people, failure of supplies, loss of buildings, loss of facilities, loss of IT, etc. The difference with a generic worst case plan is that it assumes a specific cause. Whereas in BCM it revolves around consequences and not causes. But then again, this is no different than for a plan for a bomb threat, or an evacuation plan for a fire, or a power outage, which we can surely hope that there is something in the BCP for it or preventive measures have been taken. And that it goes deeply into all the consequences, in order to increase resilience.

But if we agree that the BCP should be more consequence-oriented than cause-oriented why do we want multiple plans like the pandemic plan is one? Those plans are going to have very large overlap with each other. Before you know it you run the risk of “excessive planning” that you can’t get out of. And the more plans we have that end up on the shelf, the more we have to maintain them.

What we typically think

Typically we think all infrastructure and emergency services will be available. Typically we think it’s just about people not being able to work. BCPs typically miss the fact that in a major pandemic (or biological attack) the police are impacted, the fire department, ambulance services, power companies, department stores, small stores, water works, sewer workers,… What if the cities and local municipal services are impacted? How long before your electricity generator needs refueling, if at all… And what if the fire alarm and air conditioning are not connected to the emergency generator? Do you really want people to come to work during a pandemic if you can’t alert firefighters? Or if the police are guaranteed not to be able to do their full job? The benefit is an excellent thinking exercise to make.

Conclusion

In my opinion, leaving these thoughts to me, there is a lot to be said for modular scenarios that interact with each other, supplemented by details for specific causes.

The questions to ask and answer with generic scenarios are:

  • What if the building is unavailable
  • What if facilities are unavailable
  • What if staff is unavailable with us/anywhere; short/long time
  • What if ICT is unavailable
  • How do these problems work together as in a pandemic, for example.

In addition, you then prepare additional advice for the most important threats (according to the risk analysis), such as a pandemic hygiene plan for infectious diseases, etc.

So: “Plan for the worst, hope for the best, and handle everything in between” !

Manu Steens

Manu works at the Flemish Government in risk management and Business Continuity Management. On this website, he shares his own opinions regarding these and related fields.

Leave a Reply

Your email address will not be published. Required fields are marked *

Recent Posts