UPDATED: Pandemic Preparedness Primer
With the possibility of a swine flu pandemic in mind, CSOonline has put this collection of preparedness articles together to help companies review their own plans (with updated links to helpful government and health organization sites).
Do we have more time to think? ACT NOW to Mitigate the Swine Flu Threat.
We know the Swine Flu threat is real, is heightening every hour, and knows no country boundary. There is no room for complacency, no time to puzzle, and we cannot afford to panic. Every organisation must meet this real challenge by putting into place a robust business continuity plan.
There are many similarities between the Swine Flu Threat and the SARS threat in 2003.
In my previous managerial role in the Equity Operations Department of the Asian headquarters of a European bank, I was on the front line shaping and executing the risk mitigation and business continuity plans throughout the course of the threat. Below are my lessons learnt from the SARS Threat.
Recalling my experience in 2003, as soon as the authorities declared that any suspicious incident would require a quarantine and the area to be evacuated for sanitization, many organizations opted for a “Split Team” strategy. However, the window to implement such a strategy was extremely short considering the likelihood. In fact, I was given, on Friday, 8 hours to (a) deliver the candidates to work at the alternate site (due to data confidentiality and the technology limitations of the time, work from home could not be instituted); (b) equip the alternate site with all the facilities, including application systems identical to the original hot site; and (c) update the workflows for both sites. I have to confess that by the time my inventory was produced (5 hours after I received the order), the IT resources to help set up the alternate site had been allocated to Front Office. With a lot of hard work and commitment from my colleagues, in particular IT, we managed to switch on the alternate site at full speed on the following Tuesday morning.
Now, with the increased transparency and timeliness of updates from the authorities and the media, we can avoid the mad rush we struggled with in 2003.
This very moment is therefore the best (and probably the latest) moment for us to develop the risk mitigation and business continuity plan in a controlled and comfortable manner.
Lessons learnt from the SARS Threat:
A) Implementing “Split Team”
a-1. “Split Team” strategy is an effective measure to maintain external client service levels.
a-2. “Split Team” requires careful planning to make sure identical facilities (application systems, telephone) are switched on in both sites.
a-3. “Split Team” requires additional software licenses, and the procurement process may take time.
a-4. “Split Team” strategy’s effectiveness may be diluted if there is “point to point” external connectivity.
a-5. “Split Team” requires a workflow change to ensure no client services are doubly handled or omitted.
a-6. “Split Team” requires escalating a cold fallback site to a warm standby, due to a possible evacuation of the primary server site.
B) “Split Team” is only a start, more BCP to develop
b-1. The classical DRP, which assumes the loss of a primary site and a reduced team working from a fallback site together with “graceful degradation”, is no longer appropriate for a “Split Team”.
b-2. Because the failure scenarios have changed, a different suite of BCP/DRP would need to be conceived and designed from the ground up. During SARS, we needed to cater for scenarios involving the evacuation of not only the business operation functions but also the server farms.
b-3. Time to develop and document these plans is, again, extremely short. By the same token, an organization may not have the luxury to test these BCPs.
C) Do not forget LEAD FROM THE TOP
c-1. A command centre led by the CEO and with members with appropriate knowledge must be instituted to evaluate the risks and the appropriateness of the measures in a continuous manner.
D) Secure enough resources before it is too late
d-1. (The SARS Threat happened after the Asian Financial Crisis. This seems an ironic coincidence with the current climate, where the Swine Flu Threat happens in the midst of the Financial Tsunami.) When the SARS Threat triggered the panic button, most organizations enforced an embargo on visitors, including consultants. As staffing had been cut to the bare minimum in 2003 due to the Asian Financial Crisis, many organizations struggled to squeeze their internal resources to cope with the additional effort needed to continue their businesses.
Changes since 2003
The lessons learnt from the 2003 SARS Threat give a starting point, but we have to recognize the need to cater for the changes over these years.
In the interest of mitigating the Swine Flu Threat, what attracts my attention the most is the globalization movement. This raises the following questions in my mind:
a. Have the BCPs developed for the SARS Threat or Avian Flu been updated and tested every time there is a migration? Are they valid for the Swine Flu Threat?
b. Do we have a thorough understanding of the entire value chain: which business process is performed by which business function and in which geographical location?
c. While this Swine Flu does not have a geographical boundary, do we have enough transparency of the severity of the threat in every location?
d. Have we engaged every process and sub-process owner to develop a reasonably sound business impact analysis to cater for different levels of threat?
e. Are we satisfied that our business partners, especially our BPO vendors, have put into place appropriate risk mitigation (e.g. “split team”) and business continuity plans?
f. Are we satisfied that appropriate governance and facilities are in place to evaluate the risk continuously and constantly monitor every component in the value chain across the geographical footprint?
Wrap Up
I am sure every organization would have to consider their environment individually so as to tailor their own plans to handle the Swine Flu Threat. All I am trying to do is share my experience in handling the SARS Threat.
As a wrap up, may I reiterate that we can’t afford to panic and that it is high time to ACT, not just think. Let’s step up our effort to meet this challenge.
Terry Ng (B.Sc., B.Com, CPA Aust), with a focus on Change Management and IT-Enabled Re-engineering, has served some of the biggest multinational financial institutions and has a Big-4 consulting background.
The first sentence should be read as:
"Do we have more time to think? ACT NOW to Mitigate the Swine Flu Threat."
Sorry for the typo.
No problem. Thanks for the feedback!