Agencies face a series of challenges in establishing continuity of operations (COOP) plans, starting with the array of threats and potential emergencies that can crop up. They can result from hurricanes, terrorist attacks, government shutdowns, cybersecurity incidents or pandemics.
COVID-19, however, does offer some lessons on the importance of COOP, particularly because its impact and the response it has triggered haven’t been seen in modern times.
Pandemic threats have been on the radar of health and intelligence agencies for years, but they weren’t a front-of-mind possibility for most government officials or employees. The response the pandemic necessitated was unexpected. It had a huge impact on agencies’ full range of operations and entire workforces and left them with an uncertain timeline for when things might return to normal. In fact, post-COVID “normal” might not be what it was, as some changes could become permanent.
“I think organizations are using their COOP plans,” said Patrick Potter, Digital Risk Strategist for RSA. “What was set up as a workaround in an emergency is becoming a longer-term operational procedure in some cases. They’re adjusting on the fly. It’s an interesting phenomenon.”
Meanwhile, agencies face other challenges when developing COOP plans, some of which align with the COVID-19 response. An RSA and Four Points Technology survey of public-sector professionals – taken several years ago but still applicable – found that “staying relevant in a dynamic world” was the top challenge in creating a COOP strategy, cited by 35% of respondents, followed by issues involving compliance requirements (18%), resources (17%) and measuring progress (also 17%). A lack of resources was also the most commonly cited reason (43%) for agencies not testing their COOP plans.
Many agencies are now wondering, “What’s the new normal going to look like post-pandemic, and how should COOP plans change while most workforces work from home?” said Jae Kim, Director of Product Management at BlackBerry AtHoc. But the next crisis that threatens critical operations – and the response to it – may also be unexpected.
The answer lies not in being able to predict the next crisis but in being prepared for whatever it may be. And that calls for a COOP plan that addresses a complex threat environment, covering three primary areas:
Physical security, which can be threatened by natural or manmade events that can cause flooding, power outages or structural damage that may close buildings, require telecommuting or working from alternate locations.
Cybersecurity attacks, which can come from outside or inside an organization, can disrupt services and freeze access to government systems.
Policy and compliance risks that can result from employees inadvertently or deliberately failing to follow directives such as the Federal Acquisition Regulation (FAR), Federal Information Systems Management Act (FISMA) or other federal requirements, many of which have counterparts in state and local governments.
An effective COOP plan accounts for all potential threats, coordinates a COOP response with disaster recovery and crisis management teams and is aligned with policy and compliance mandates.
Technology is essential to every part of the plan. The plan should utilize automated processes and centralized management to swiftly identify and categorize events, determine response and assign and coordinate response teams. It should also make use of unified notification and crisis communications systems that accommodate multiple formats and mobile devices.
And the plan should be designed for continuous improvement, evolving alongside technology to stay current with dynamic threats.