- Major Studies
The swine flu outbreak has turned the spotlight back on the subject of pandemic planning. At the time of this writing, governments were reacting to the potential crisis by restricting border crossings, closing schools, and warning against travel. These are hints of just how disruptive a full-fledged pandemic could become.
Because pandemics are fundamentally different from the disasters commonly envisioned in business continuity plans, most IT organizations are not prepared to face this threat.
This Research Byte is a summary of our full report, Preparing IT for a Different Kind of Disaster: an Influenza Pandemic. The full report is an update of 2006 study, which was triggered by early cases of avian flu and the implications that a potential pandemic posed for IT disaster recovery and business continuity planning.
What is a Pandemic?
A pandemic is an epidemic affecting a wide geographical area and a large proportion of the population. The trigger for a pandemic can be human-to-human transmission of a disease that was previously confined to another species. In the case of avian flu, the 411 human infections documented since 2003 have been the result of contact with infected birds. However, public health officials fear that if the primary virus that causes avian flu (H5N1) mutates into a form that can spread between humans, a pandemic could begin. The new form of the virus in recent Egyptian cases raises concerns that, because humans can carry the virus without showing symptoms, it could more easily mutate into a form that could be transmitted from person to person.
An influenza pandemic could have a major impact on business and society as a whole. The Spanish influenza pandemic in 1918 infected approximately 20%-40% of the worldwide population, with over 50 million deaths worldwide and over 675,000 in the U.S. between September 1918 and April 1919. Due to the availability of vaccines, the Asian flu pandemic of 1957 had less of an impact than the 1918 event, although over 69,000 people in the U.S. died. There have been several lesser influenza pandemics since then.
The World Health Organization in its planning scenarios for an avian flu pandemic uses what it calls a "relatively conservative estimate" of between 2 million to 7.4 million deaths worldwide. While vaccines have been developed, viruses constantly mutate, requiring new vaccines, there are questions as to whether the population can be vaccinated quickly enough to prevent widespread impact, and supplies may not be adequate to inoculate all of the population in affected areas. Therefore, the major strategies to combat an outbreak are early identification and treatment of those infected and limiting public contact to avoid spread of the disease. These measures include quarantines and limits on public transportation and congregation in infected areas--all of which will be disruptive to normal business operations.
The full version of this report lays out the characteristics of a pandemic that IT risk managers should understand in order to refine an IT disaster recovery plan in preparation for a possible pandemic. We also highlight practical actions that should be considered now to better prepare the organization for such an event.
Pandemics Present Special Challenges for IT Risk Managers
Most large organizations and many smaller ones have comprehensive business continuity plans that provide contingency plans in the event of natural or man-made disasters, such as hurricanes, floods, earthquakes, or long-term power outages. In recent years, risk managers have refined those plans to take into account additional issues surrounding general or targeted terrorist attacks.
Although most business continuity plans do a good job of planning for these types of disasters, they are generally not adequate to deal with the entirely different type of threat that is posed by a pandemic. Figure 1 illustrates the primary differences between the threat of a natural disaster and the threat of a pandemic.
The full version of this report outlines the ways in which pandemics are different from other disasters, and it suggests specific actions that IT risk managers should take to prepare for a potential pandemic. If adequately prepared, the IT group can continue to support critical business functions, and it can provide solutions to help the organization as a whole get through a pandemic.
The increased awareness of the possibility of a pandemic through media coverage of both avian flu and swine flu should lead IT management to better understand the differences between the business effects of a pandemic versus other types of business interruptions. Depending on the size and type of the business, its geographic distribution, and personnel intensity, these effects may be amplified or reduced.
While we may hope there will be no pandemic, many of the recommendations in this article will be worthwhile whether or not one occurs. The actions needed to prepare for a pandemic will make the business continuation plan more robust and better able to respond to a variety of threats. As we have seen, many of them also are simply good business sense.