The reopening of the world’s economies from COVID-19-induced shutdown is happening at different paces. It continues apace in some areas that have contained community spread. In others, the emergence of new hot zones has caused a fresh wave of mandated business closures. Suffice it to say: after months of disruption, businesses are understandably eager to go back to normal as part of the recovery process. The question remains, though, have those businesses prepared themselves to resume operations at pre-crisis levels, especially in a public health environment marked by uncertainty?
Relatively low levels of pandemic preparedness doesn’t inspire confidence. Nor does the rapid acceleration of related threats, like cyber attacks, which have risen as hackers probe new security vulnerabilities created by remote work. Another potential wrinkle in plans for post-crisis recovery that usually goes unstated: the fact that business recovery itself is often poorly understood.
How so? Well, organisations might consult best-practice guidance for crisis mitigation and response. But they often consider that those measures alone will be enough to create the conditions for long-term recovery.
That thinking, in turn, generates negative effects. The most severe being a failure to adequately allocate sufficient resources, both in terms of budget and capabilities, to the recovery effort.
Facing all the headwinds produced by the largest, ongoing public health crisis in a century, organisations will need to begin treating recovery as a distinct stage in the lifecycle of an incident. And what will help: understanding the goal of recovery in the first place.
Well, according to international business continuity management system standard, ISO 22301, recovery aims to restore and return business activities from the temporary measures adopted to support normal business requirements after an incident, i.e. response.
In the relevant literature, recovery also follows prevention (P), preparedness (P), and response (R). That entire lifecycle has come to be called PPRR. With roots stemming back to the 1970s, PPRR has been widely embraced as a best-practice emergency and disaster arrangement, with extensive applicability to the business community. And it’s easy to understand why. PPRR offers two broad rationales:
- PPRR usefully sequences or phases emergency incidents, describing the events that occur before, during, and after an event
- PPRR helpfully outlines a menu of available incident management interventions
Within that toolkit, organisations will find capability requirements, necessary processes, purpose, and outputs for the recovery phase. Key among those is the recovery plan.
The goal of the recovery plan is to help organisations respond more efficiently to an incident or crisis, by shortening recovery time and minimising loss. Aimed at rebuilding, reemployment, and repair, the recovery planning process is meant to give businesses the opportunity to deeply consider how they will get up and running again.
To that end, the recovery plan contains information relating to the resumption of critical business activities after a crisis has occurred. The plan sketches out the time frame in which businesses can realistically expect to resume usual operations. And it typically includes:
- Strategies to recover business activities in the quickest practicable time frame
- Key resources (including equipment and staff) required to recover operations
- Recovery time objectives
- A checklist of tactics
Of course, there’s more to recovery management than planning. Execution matters, too. And to that end, we’ve created a best-practice guide to business recovery from COVID-19 to make sure you get it right.