People-centered business continuity is critical in the age of AI

What is people-centered business continuity?

Recognizing that people are the glue that holds an organization together, loss of people is the most critical disruption to be addressed by business continuity. While the other three elements -- process, technology and facilities -- are no less essential, it takes people to harness all pieces into a cohesive business.

In an emergency, the organization's first activity must be to assess the event's impact on employees and others, followed by actions to protect people and ensure their safety and security. Two examples are evacuation and shelter-in-place plans. Without people, it can be difficult or downright impossible to respond to and recover from a disruptive event.

People are essential for making decisions regarding the launch of business continuity and disaster recovery (BCDR) plans. Members of the teams associated with BCDR are typically responsible for notifying first responders, vendors, government agencies, stakeholders and employee family members of the event. They are also essential when dealing with the public, such as on social media, TV/radio and print media.

Executing a BCDR plan is virtually impossible without people attending exercises, updating plans, and briefing senior leadership and stakeholders.

Examples of how it looks in practice

Business continuity efforts vary widely across organizations, so the involvement of people will also look different with each business. For larger organizations, people-centered business continuity might involve on-the-ground support staff or large-scale trainings. For smaller businesses, it might simply be an update to the crisis communications plans to prevent miscommunications.

To get a better idea of what people-centered business continuity looks like in practice, here are some general ways to focus on staff in business operations.

• Keeping employees and others safe. Business continuity plans ideally prioritize employee safety and the safety of others, such as stakeholders, contractors and others involved with the business. These initiatives can include evacuation and shelter-in-place plans, maintaining an inventory of safety equipment, and specialized support activities such as crisis counseling during and after the event.
• Plans for communicating with people. Keeping employees and others informed of the status of an event is essential both during and afterward. This is where an ENS can be a valuable tool, delivering messages to people and also receiving confirmation messages. Communications plans should use multiple channels and be easily updated to keep messages current.
• Support for remote working. The COVID-19 pandemic demonstrated the importance of remote work. Remote work should be an available option for all people associated with an organization, if feasible.
• Delivering training and awareness programs. Business continuity plans typically address the importance of training employees and emergency team members on their duties and responsibilities in an emergency. Awareness activities, often in partnership with HR, keep employees and others aware of and informed on BCDR-related trainings and processes. A key activity is to identify emergency team members and train them on the plan(s) and their roles during an emergency.
• Creating succession plans. Many organizations overlook who will assume leadership roles if the primary company leader(s) are unavailable. This can be a complex process, and typically is done in partnership with HR. Sometimes the key roles are identified -- not necessarily the incumbent -- and which position is designated as the backup. Succession planning is an essential activity as it ensures continuity of leadership and business expertise.
• Creation of employee assistance activities. Ideally developed in partnership with HR, these programs focus on helping employees and others deal with a crisis, both during and after it. These can include support for families when a family member is an employee, financial aid, mental health support, and options for flexible/remote work arrangements.
• Policies and procedures. Business continuity plans should have policies and clearly defined procedures for various emergency scenarios, such as natural disasters, severe weather, fires and cyberattacks. Sharing this information regularly with employees is an essential way to help them understand their roles and responsibilities during an emergency.
• Regular reviews, exercises and audits. Business continuity plans are only as good as the information they contain and how well employees understand the plans and their responsibilities during an emergency. Periodic plan reviews ensure they are up to date, especially with employee contact information. Exercises ensure that BCDR team members and employees know what to do in an emergency. Audits ensure that the controls embedded in the plans are appropriate and consistent with good practice.
• Continuous improvement. Business continuity programs are not stagnant; they should be regularly reviewed by people within the organization and improved wherever possible.

Benefits to the organization

The principal benefit to an organization of having employees who are well-informed and trained in business continuity is that the organization's chances of survival in an event are much better than if no such arrangements were in place.

Additional benefits include building a company culture that knows the importance of business continuity, an employee population that has confidence in its ability to deal with emergencies, greater customer confidence in the company's ability to stay in business, and a boost to the company's reputation.

Risks of using people vs. automation

As the use of AI grows in BCDR operations, there can be a tendency to rely on AI when responding to potentially disruptive events. After all, AI can gather data on an event, analyze it against historical data from many other events, and be programmed to provide specific responses. But is AI capable of making human-centered decisions regarding an emergency?

Perhaps the key is to strike a balance between the advances of technology, such as automation of specific activities like sending out alerts to employees or initiating system failovers. An automated BCDR system, whether local or cloud-based, can provide specific analytics and recommendations, but the final and overarching decisions should still be made by people.

Paul Kirvan is an independent consultant, IT auditor, technical writer, editor and educator. He has more than 25 years of experience in business continuity, disaster recovery, security, enterprise risk management, telecom and IT auditing.