Business continuity management consists of creating and executing frameworks, plans, and actions to ensure that entities can deliver prioritised services during a disruption. The practice takes on especial importance for government entities, tasked as they are with delivering services critical to residents’ economic, financial, and social wellbeing.
That’s the case with the Victoria State Government, responsible as it is for managing state finances, child protection, transport, criminal justice, and other vital services. And so, the state, having gone through one of the world’s longest, continuous lockdowns, was particularly keen to understand how its business continuity capabilities fared during the COVID crisis.
As a result, an audit was commissioned. The Audit examined the business continuity capabilities of all eight Victoria State Government departments, as well as the ICT platform that provides service management to most departments.
What else was looked at? Considered in the Audit were each department’s business continuity arrangements. The aim, here, was to ascertain whether departments had (1) successfully prepared for a major disruption prior to the outset of COVID and (2) effectively implemented contingency arrangements during the pandemic to maintain prioritised services.
Why does it matter?
Well, key conclusions stemming from the Audit, which the subsequent guide lays out, are of great relevance to most organisations – public entities or not. Indeed, many organisations will likely see their own experiences reflected in the Audit. And so, we advocate using the following findings, recommendations, and suggested solutions as templates for business recovery.
The Audit starts with a frank admission that before the pandemic, most State Government departments’ business continuity arrangements were inadequate. Responses to restoring and maintaining prioritised services were also reactive – less efficient and effective than they could have been.
The failure to plan and prepare suitably for a long-term disruption to services came even though a major event (specifically, a pandemic) was forecasted as a state-significant risk.
In fact, the State Significant Risk Interdepartmental Committee (Risk IDC) rated the pandemic risk as ‘likely’ to occur with ‘severe’ consequences the year before the outbreak of the crisis.
More problematic, pre-COVID tests of existing business continuity planning arrangements found glaring weaknesses. Many of those weaknesses, however, weren’t addressed in time.
Where does the Audit suggest things went wrong? Did no department have mitigation strategies in place?
The Audit finds that many existing mitigation strategies were either inadequate or weren’t put into place entirely. For instance, one department had a strategy for managing state-wide disruption.
That strategy, however, focused almost exclusively on emergency response (i.e., protecting life, assets, and the environment) at the price of the continuity of prioritised services.
Nor was there whole-of-government oversight of business continuity across the State Government, as was reflected in the lack of whole-of-government policies for staff deployments.
Further key findings include:
There were other reasons that the plans that existed were deemed inadequate. According to best practice, BCPs should be focused, concise, specific, and easy to use. However, the BCPs the Audit reviewed were found:
What’s more, BCPs were oftentimes duplicative, including unnecessary information, which reduced confidence from staffers.
Staffers themselves were competent. Their departmental plans, however, were considered difficult to understand and maintain.
But as the Audit notes, preparedness involves more than just adherence to policy – important as that is. Entities must also understand the services they provide, the impact a disruption would have on those services, and how they should respond.
This is the provenance of the business impact analysis. Here, however, the Audit found that many departmental BIAs did not fully assess the impact that a disruption might have on their services.
BIAs also did not fully consider minimum resource requirements and the internal and external suppliers that their services need to run, all gaps which can impact how effectively departments respond and maintain prioritised services during a disruption.
Why’s that? The Audit found that departments hadn’t undertaken sufficient work to collate services and assets relative to organisational priorities.
But it needn’t have come to that. Since departments weren’t sufficiently prepared for such a complex disruption, they had to invest scarce time and resources on the fly into developing documents, streamlining processes, upgrading technology, and transitioning to remote working during the early stages of the pandemic.
Poor inter-agency communication during the pandemic was also called out. Written guidance was lacking on how departments should:
Further issues included:
For one, there was no whole-of-government policy for staff redeployment for continuity of government services. This meant that departments responded reactively to COVID, devoting scant resources to developing new remote working processes and addressing surge capacity issues.
In consequence, state entities saw sharp increases in privacy concerns, cybersecurity as well as occupational health and safety risk.
And though departments have advised staff about the importance of privacy and occupational health and safety, the Audit notes that more still needs to be done to better manage risk as new challenges arise, e.g., work-life balance and/or security.
What then does the Audit recommend for the recovery period, to ensure enhanced contingency processes for the next long-term disruption? For starters, departments ought to better prepare for foreseeable major disruptions of longer durations, i.e., longer than a couple of weeks.
To do so, they will have to make the following changes to their business continuity arrangements
Organisations will firstly have to address the pandemic scenario as a standalone threat, with a dedicated pandemic scenario plan. Some departments did but many did not.
In addition, organisations will have to treat their business continuity plans as living documents, testing them more regularly (at least every two years) to ensure they will be effective in a disruption and that staff knows how to respond. The plans themselves should more clearly highlight organisation-wide priorities and strategies, as well.
Further Audit recommendations for business continuity planning include:
Although there’s much to do, the Audit notes that the pandemic itself has created opportunities for departments to make positive change. One such change is the much-needed acceleration of digital transformation to adopt more efficient processes.
After all, the pandemic has already made entities rethink how they work, leading oftentimes to the quick roll out of new technology-related processes and projects.
Here, the Auditors make especial note of the value of streamlining processes and adopting new (digital) technology, to ensure efficiency in performing business continuity tasks.
Though not singled out directly, pragmatic business continuity software can help organisations of all stripes make the most of the COVID recovery and get better prepared for next time. How exactly can digital technology provide solutions to audit findings and recommendations?
Finally, the COVID crisis pointed up the inadequacy of business continuity arrangements. Audits, like that undertaken by the Victorian State Government, are crucial for pinpointing which particular arrangements were lacking.
But as important as post-mortems are to business recovery, they aren’t the end of the story. Audits provide organisations a list of recommendations. Implementing those recommendations are just as crucial to business recovery.
Here, accelerating digital transformation is considered key to upleveling business preparedness and maintaining business resilience. Within the mix, pragmatic business continuity management software, we note, stands out.
These digital solutions don’t just follow best practice, they bring it to life to drive continuous improvement. As a result, organisations who procure them can scale up business continuity arrangements to any incident – no matter how complex or disruptive – and back down to business as usual as quickly as possible.
Published May 19, 2021