- Major Studies
This update of our 2009 report outlines the ways in which pandemics are different from other disasters, and it suggests specific actions that IT risk managers should take to prepare for a potential pandemic. If adequately prepared, the IT organization can continue to support critical business functions, and it can provide solutions to help the organization as a whole get through a pandemic.
Please note that this report is not intended to be a comprehensive guide to preparing for a pandemic, but rather focuses on specific considerations from the perspective of the IT manager. There are many excellent resources available to assist organizations in business continuity planning for a pandemic, some of which are listed at the end of this article.
A pandemic is an epidemic affecting a wide geographical area and a large proportion of the population. The trigger for a pandemic can be human-to-human transmission of a disease that was previously confined to another species. The recent outbreak of the new coronavirus, designated 2019-nCoV, is a case in point: The way it has spread outside of Wuhan now strongly indicates human-to-human transmission.
Pandemics historically can have a major impact on business and society as a whole. The Spanish influenza pandemic in 1918 infected approximately 20%-40% of the worldwide population, with over 50 million deaths worldwide and over 675,000 in the U.S. between September 1918 and April 1919. Due to the availability of vaccines, the Asian flu pandemic of 1957 had less of an impact than the 1918 event, although over 69,000 people in the U.S. died. There have been several lesser pandemics since then, including the SARS, or severe acute respiratory syndrome, pandemic, which infected 8,098 people worldwide with approximately 774 official SARS-related deaths.
This new coronavirus is not an influenza virus but a pneumonia-like infection, although they do share some symptoms. Coronaviruses are called that because of their crown-like shape.
There is not yet a vaccine for this new coronavirus, and some experts say we are at least a year away from one being developed. However, while vaccines are being developed, viruses constantly mutate, requiring new vaccines. Moreover, there are questions as to whether the population can be vaccinated quickly enough to prevent widespread impact, and supplies may not be adequate to inoculate all of the population in affected areas. Therefore, the major strategies to combat an outbreak are early identification and treatment of those infected and limiting public contact to avoid spread of the disease. These measures include quarantines and limits on public transportation and congregation in infected areas—all of which will be disruptive to normal business operations.
The rest of this report will lay out the characteristics of a pandemic that IT risk managers should understand in order to refine an IT disaster recovery plan in preparation for a possible pandemic. We will also highlight practical actions that should be considered now to better prepare the organization for such an event.
Most large organizations and many smaller ones have comprehensive business continuity and disaster recovery plans that provide contingency plans in the event of natural or man-made disasters, such as hurricanes, floods, earthquakes, or long-term power outages. In recent years, risk managers have refined those plans to take into account additional issues surrounding general or targeted terrorist attacks.
Although most business continuity plans do a good job of planning for these types of disasters, they are generally not adequate to deal with the entirely different type of threat that is posed by a pandemic. Figure 1 illustrates the primary differences between the threat of a natural disaster and the threat of a pandemic.
First, natural disasters are generally local or regional in nature. For example, an earthquake might strike the Southern California area, or a hurricane might take out facilities up the East Coast. Therefore, most IT contingency plans assume that a secondary data center located several hundred miles from the primary site would be unaffected by the disaster. But pandemics are often national or even international in scope (which is why they are called pandemics, pan meaning “universal”). Although it may be of some use in the event of a local quarantine that involves the primary data center, the backup data center is not the focus of disaster recovery in the event of a pandemic. It is quite possible that both the primary and backup sites may be within the reach of the pandemic.
The impact of natural disaster is generally short in duration, lasting anywhere from a few days to a week or two before a facility is back on line. A pandemic, on the other hand, could last several months. Furthermore, if the past is a guide, a pandemic is likely to come in waves. An initial wave could last several weeks or months, followed by a decrease in infections and then a second or third more severe wave of illness spreading weeks or months later.
Whereas most disaster planning scenarios are concerned primarily with the threat to facilities, infrastructure, systems, and data, a pandemic represents a threat to people, either through extended sickness or loss of life.
IT risk managers should assume that a pandemic will cause 30% or more of the personnel at all locations to be unavailable, many for an extended period. According to the U.S. Department of Health and Human Services, previous outbreaks have affected 20% and 30% of the population and roughly 10% to 20% of workers for periods ranging from two to four weeks.
But sick employees are only part of the problem. Employees may have to stay at home as caregivers for other family members who are ill. Schools may be closed, requiring a parent to be at home. Facilities may be quarantined, requiring employees to work remotely. Public transportation may be canceled, and carpooling may be needed over an extended period. Personnel who are concerned about lost wages or project deadlines may come to work with flu or pneumonia symptoms, when they should be staying away from the facility to prevent the spread of illness.
Furthermore, the threat to personnel may not be limited to the organization’s own employees. A large proportion of suppliers’ personnel could also be incapacitated, so that suppliers and support service providers may also be affected. Organizations that outsource parts of their IT operations should be concerned about availability of service provider personnel. Basic services, such as telecommunications, power, and transportation, may also be affected, as all of these services require staff to support them.
On the other hand, in the event of a pandemic, some personnel may be absent but still able to perform some job duties. Some employees themselves may be healthy but unable to come to work because of quarantine or, as mentioned earlier, the need to care for other family members. Such personnel, if able to work remotely, may still be able to carry out some job responsibilities.
Most disaster recovery plans assume that the disaster incident takes out an entire facility or otherwise disrupts normal business operations. A pandemic, on the other hand, may mean that the facility continues to operate, but at a reduced level of performance. If large numbers of employees are unable to work, or unable to come to work, it still may be possible to conduct business. But the organization may be seriously degraded in its capacity. For example, the help desk may be functioning but with a reduced number of personnel.
There is one additional characteristic that distinguishes pandemics from other types of disasters, and that is in how much advance warning there is that an incident is approaching. Most natural disasters strike without notice, or at best with only a few days warning. A pandemic, on the other hand, may provide several weeks of notice for managers to implement a plan for policy, personnel, and facility adjustments as the threat of a large impact on the business becomes increasingly probable and serious.
Taking all these characteristics together, we understand that the main threat of a pandemic is the temporary or permanent loss of key personnel, over a wide geographic area, for an extended period of time. The organization may still be able to conduct business at a degraded level of performance, and there may be advance warning of the incident.
Now that we understand the nature of the threat, we can consider the practical actions that IT risk managers should take to refine the business continuity plan to take into account the possibility of a pandemic event.
To provide a framework for planning, it is helpful to consider at least three scenarios for a potential pandemic. For example:
A low-impact case, such as a limited outbreak that impacts 10% to 20% of the personnel in the primary data center but leaves personnel in the secondary data center location unaffected. There are no restrictions on business travel outside of the area with the outbreak.
An intermediate-impact case, such as an outbreak that causes a quarantine to be imposed in the area of the primary data center and also causes some unavailability of personnel at the secondary data center. There are some restrictions on business travel.
A worst-case scenario, such as an outbreak that is nationwide or international and affects 30% of personnel in all locations (up to 40% in worst hit locations), with quarantines imposed extensively and severe restrictions on travel.
The contingency plan should also include criteria for escalating actions in the event of a pandemic that progresses from one scenario to another.
In light of the various scenarios, we next suggest some of the actions that the IT risk manager should consider as elements of a contingency plan. This is by no means an exhaustive list, but it provides a starting point for brainstorming appropriate actions. Some of these items can and should be addressed immediately, to lessen the impact of a potential pandemic. Others are actions for which approval should be obtained in advance but only would need to be implemented in the event of an actual pandemic.
The first, obvious, step is to prepare a safe environment for those employees who must report to the workplace. Low-tech measures can go a long way toward fighting the spread of disease and allaying fears of healthy employees that need to report to work onsite. Such measures include making hand sanitizer available throughout the facility; daily cleaning of keyboards, door knobs, and other high-touch surfaces; adjusting HVAC systems to increase the amount of fresh air circulating in buildings; limiting face-to-face meetings; and sending employees home at the first sign of infection.
Most importantly, corporate policies regarding sick time should be examined ahead of time to ensure that they do not produce unintended consequences, such as forcing sick employees back on the job, where they can infect others. In fact, organizations should consider a temporary policy of unlimited sick time once a pandemic is declared.
Company-paid vaccination programs, including pneumonia vaccine, and distribution of antiviral products should also be considered. At the time commercial coronavirus vaccines become widely available, organizations would be well-advised to promote vaccination in a proactive fashion. Such programs, if widely implemented by commercial and governmental organizations, could significantly reduce the impact of a pandemic for society generally.
With a pandemic, the key need is backup personnel. In many IT organizations, there are only one or two trained individuals that know how to perform some important functions. This can be especially true in smaller companies. Clearly, this will present a risk if those key personnel become unavailable.
A useful exercise in mitigating this risk is to list every key function in the IT organization and to identify which personnel know how to perform those functions. Those functions that have fewer than three trained individuals should then be prioritized in terms of their criticality. The IT risk manager should assess the adequacy of the documentation for those functions, develop a plan to remediate any deficiencies, and identify backup personnel for immediate training. If there are too few co-workers available to provide backup, management personnel should be considered as candidates for backup duties. Recent retirees that have performed key functions in the organization may also represent a source for backup personnel.
A side benefit of this exercise is that it also is useful in mitigating other risks to the organization, such as loss of key personnel through routine attrition, and it can help improve overall services levels when key personnel are on vacation or otherwise require backup coverage. Furthermore, ensuring that managers know how to perform the duties of their direct reports, with help from current and accurate documentation, gives them better insight into the jobs of their subordinates, making them better managers.
If not already in place, the IT organization should provide remote access capabilities for both IT staff and users in all key business functions. Technologies such as virtual private networks (VPN) are already in place for remote access in many organizations, but it may be necessary to review if there are any IT administrative functions that cannot be performed using these methods.
The benefits of increased remote access cannot be overstated. Providing the ability to work remotely is one of the primary ways in which information technology can assist the organization in meeting the challenge of a pandemic. Such capabilities will be essential for IT staff and users that are at home recovering from illness and those that are healthy but blocked from a quarantined facility or otherwise off-site to minimize contact.
A broad increase in remote access introduces several planning needs. Network bandwidth and computer processing capacity need to be increased dynamically, but with the advance warning of a coming pandemic, several days or weeks may be available to prepare. Fortunately, the increased use of elastic cloud infrastructure and SaaS applications over the past decade has made the job easier.
Security measures must be considered in light of the increased use of remote access. In a natural disaster of limited duration it may be understandable for security to take a back seat to emergency measures. But in the scenario of a pandemic, with its increased remote access, larger proportion of outside users, and longer time frame, network security should not be overlooked.
During a pandemic, user departments will face the same challenges as the IT organization in conducting business with severe personnel shortages and absenteeism. But just as it is possible for some IT personnel to work remotely, many user personnel will also be able to work from home, mitigating the impact of community containment measures or quarantines.
However, in contrast to IT personnel that are familiar with remote access protocols, many user personnel are not accustomed to working from home. They may not have adequate home computers or broadband access. They may not even have the personal computing skills necessary to implement whatever remote access protocol is needed, such as a VPN. The time to evaluate these issues is now, not at the time that a pandemic is imminent. If an organization does not have a telecommuting program in place, this would be a good time to roll one out in a systematic way, identifying key user personnel that would need to be able to work from home in the event of a quarantine or other situation that keeps them from the office, and preparing their home office environment to enable telecommuting. Equipment and technologies that should be considered include electronic document management, online forms, web conferencing, webmail capabilities for corporate email systems, instant messaging, voice over IP (VoIP), and unified communications and messaging.
Although expanding capabilities for telecommuting can mean a significant expense for some companies, there are many long-term benefits. For example, the ability to work from home one day a week can improve job satisfaction for employees under such programs, and some municipalities provide incentives for organizations that implement telecommuting as a way to reduce traffic and accompanying air pollution. Telecommuting may therefore be justified not only on the grounds of pandemic preparedness but also as part of a Green IT program.
While telecommuting can reduce the need for employees to come to the local office, teleconferencing can be a substitute for much business travel between offices, which may be restricted in the case of quarantine, or international travel to affected areas. Many companies have already implemented sophisticated teleconferencing capabilities, but such systems may need to be complemented by simpler, lower-quality web conferencing to provide access from locations outside of offices where teleconference rooms are deployed.
For organizations that have not yet implemented any form of teleconferencing, now would be a good time to plan for at least some level of teleconferencing capability. Once again, the benefits of this action reach beyond a potential pandemic scenario, as increased use of teleconferencing has a significant benefit in the reduction of business travel expenses.
Organizations that use outsourcing should evaluate service provider preparedness for a potential pandemic. This issue includes IT outsourcing service providers as well as business process outsourcing (BPO) service providers, such as HR and payroll providers, which may not be under the direct management of the IT function.
Once again, the time to perform this evaluation is now, not at the time that a pandemic appears imminent. If the service provider is not prepared, or is not becoming prepared, for a potential pandemic, serious consideration should be given to sourcing an alternative supplier or bringing the outsourced function in-house on a temporary basis. Contractual issues may limit alternatives here, but it is better to recognize such problems now rather than at the time they become critical.
In the event of reduction in personnel availability, difficult choices will need to be made regarding the priorities of maintenance versus new development. Managers should consider the extent to which the elimination of after-hours coverage and help desk support, and the suspension of other non-essential activities can reduce manpower requirements. A plan for a short-term natural disaster may allow for a temporary suspension of routine maintenance and new development, while these functions cannot be completely suspended over several weeks or more in the case of a pandemic.
The key is to become more flexible in who does the work, and where it is performed. To operate effectively at reduced IT service levels, personnel should be able to work remotely, as indicated earlier and it may be necessary to shift some work to an alternate site that is not as seriously affected by the pandemic. For example, it may be necessary to move a tech support function from an area where there is severe absenteeism to a location where there is little or no impact from the pandemic. The personnel at the alternate site might need training, documentation, and written procedures that personnel at the primary site would never access. Alternate sourcing and inventories of supplies would also be needed at the secondary site.
The increased awareness of the possibility of a pandemic through heightened media coverage of the threat should lead IT management to better understand the differences between the business effects of a pandemic versus other types of business interruptions. Depending on the size and type of the business, its geographic distribution, and personnel intensity, these effects may be amplified or reduced.
While we may hope there will be no pandemic, many of the recommendations in this article will be worthwhile whether or not one occurs. The actions needed to prepare for a pandemic will make the business continuation plan more robust and better able to respond to a variety of threats. As we have seen, many of them also are simply good business sense.
Nevertheless, some of the recommendations in this report cannot be implemented without the approval of top management and changes to corporate policies that affect the entire organization, not just IT. For example, implementing broad-based remote access and support for telecommuting is worthless if corporate policies forbid working from home. Furthermore, as we have seen, misguided corporate sick leave policies may actually force employees to return to work even though they are sick, potentially infecting others. Because the IT organization often plays a major or leading role in corporate business continuity planning, it may be necessary for the CIO to force the organization to address corporate policies that need adjustment in the face of the pandemic threat.
The World Health Organization website provides a wealth of information on the Novel Coronavirus.
The U.S. Centers for Disease Control and Prevention website offers many details and resources about the coronavirus.