How we ensure business continuity for our company and our customers
Since the end of 2021, the risks of military operations are increasing in Eastern Europe. Therefore, we consider it necessary to share some ideas from our business continuity plan with our potential and actual customers and partners.
On the one hand, we want to demonstrate our company’s resilience. On the other hand, we want our customers and partners to be resilient as well. So we would like to share our experience in mitigating risks associated with quarantine, social unrest, and any other contingencies.
Since time immemorial, business owners have tried to foresee possible risks of natural, social, and technogenic origin. For example, the risks of accidents, disasters, fires, floods, riots, warfare, epidemics, personal problems of staff, and other incidents or emergencies.
The history of business continuity as a corporate discipline dates back to the 1950s. It was around this time that companies began to address the problem of disaster recovery systematically. This marked the beginning of backup centres, where duplicate documents and drives were stored.
Over time, the activities of such centres gained momentum and developed qualitatively and quantitatively. By the end of the 1980s, there were more than a hundred companies in the United States that provided backup storage services. As the computer industry evolved in the 1990s, the more general term ‘business continuity’ began to be used alongside the term ‘disaster recovery’.
Today, there are a number of international and industry standards and methodological frameworks for business continuity. For example, ISO 22301 and NIST SP 800-34.
The problem with any standards is their inherently abstract level. When standards and generic methodologies are applied, they need to be adapted to the specific business processes, systems, geographical and cultural features of a particular organisation. Such adaptation takes time and resources.
The purpose of this article is not a tedious retelling of standards, but a brief description of the key ideas and most significant business continuity practices of a service company like ours. These ideas and measures have worked well for us and some of our clients. We, therefore, have reason to believe that other companies will find this article useful.
What’s the first thing to do
We had a fairly simple business continuity plan when we first started our company. That plan described all the automatic backup systems for all our critical systems and data, as well as how to restore them. In addition, that plan described the urgent and non-urgent functions of all our employees and included a list of backup persons responsible for each urgent function.
Our backup system was built from the beginning in such a way that data were copied to the cloud storage in several European countries. This way, even in the event of total destruction of any city, major natural disasters, or social unrest in one country, our data would remain safe and available in the other countries.
Among other things, our backup system also works as a versioning system. That is, it allows us to retrieve data as of any day, week, month, or year in the past, within the relevant time frames.
The onset of the pandemic and quarantine in March 2020 did not affect our business continuity. Moreover, we immediately invited all our customers to test and improve their business continuity systems. Also, we shared reliable guidance on secure remote work.
Thus, our experience has shown that a full transition to remote working is an excellent first step to building a robust business continuity system. To summarise the idea, a company becomes more resilient to business interruptions with the increased mobility of information, office, and employees.
Disaster resilience levels
We review our business continuity plan semi-annually and on demand, whenever the risk levels, which we monitor continuously, change. For example, we had reviewed our plan on schedule in November 2021, but then, due to increased cyber threats and threats of military action in Eastern Europe, we reviewed the document again in January 2022.
To visually model risks and assess the company’s resilience to incidents, we plan and assess our resilience to specific disasters.
We define disasters as security incidents with an extremely high level of damage. For example, large local or regional incidents.
The planned level of the company’s resilience to disasters assumes uninterrupted operation of our company, with a possible partial reduction in productivity, if one or more of the following scenarios occur:
- Complete destruction of any one city in Germany, Ireland, Sweden, USA, Denmark or Finland (the countries where our company’s resources are located).
- Complete disruption of services from one of our key online service providers, such as Google, AWS or Cloudflare.
- Complete compromise of the public key infrastructure (PKI), digital certificate root authority, or banking infrastructure.
- Invasion of Eastern Europe by Russian troops and/or social unrest throughout Eastern Europe.
It is necessary to maintain the level of resilience to all of the above disaster scenarios by regularly checking and correcting the operation of existing risk mitigation measures and introducing new adequate measures.
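One way to automate part of that regular check, as an added example that is not part of the original article or the company's own tooling: it simulates the loss of each single city and each single provider and reports which critical functions would have no surviving replica. The inventory, function names, and city names are constructed assumptions.

```python
# Constructed sample inventory (not real assets): each critical function
# maps to its replicas, given as (city, provider) pairs.
INVENTORY = {
    "backups":   [("Frankfurt", "AWS"), ("Dublin", "AWS"), ("Stockholm", "Google")],
    "email":     [("Dublin", "Google"), ("Helsinki", "Google")],
    "website":   [("Frankfurt", "Cloudflare"), ("Copenhagen", "AWS")],
    "ticketing": [("Frankfurt", "AWS")],
}

FIELD = {"city": 0, "provider": 1}  # position of each failure domain in a replica tuple


def surviving(replicas, kind, name):
    """Replicas that remain after the city or provider `name` is lost entirely."""
    return [r for r in replicas if r[FIELD[kind]] != name]


def single_failure_gaps(inventory):
    """Map each single-failure scenario to the functions it would take down.

    A scenario is the total loss of one city or one provider. Scenarios that
    leave every function with at least one replica are omitted from the result.
    """
    scenarios = set()
    for replicas in inventory.values():
        for city, provider in replicas:
            scenarios.add(("city", city))
            scenarios.add(("provider", provider))

    gaps = {}
    for kind, name in sorted(scenarios):
        lost = sorted(
            function
            for function, replicas in inventory.items()
            if not surviving(replicas, kind, name)
        )
        if lost:
            gaps[(kind, name)] = lost
    return gaps


if __name__ == "__main__":
    for (kind, name), lost in single_failure_gaps(INVENTORY).items():
        print(f"Loss of {kind} {name}: no surviving replica for {', '.join(lost)}")
```

An empty result means every function in the inventory survives any one of the modelled scenarios; each reported entry is a single point of failure that needs a mitigation measure.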
In addition to the measures mentioned above, you should also compile a table with the contact details of your key online service providers, support phone numbers, and their Facebook and Twitter pages.
Don’t forget to draw up and test a disaster recovery plan. This plan is logically built on business continuity measures. By testing the plan you can identify the measures you forgot to consider, designed ineffectively, or implemented incorrectly.
One of the main objectives of business continuity is the physical safety of people. Employees are the most important value of many companies.
Our recommendations below can be framed as instructions for your employees. These guidelines will help them not to panic and to remain calm even in difficult situations.
These recommendations are intended for peaceful people and are not applicable to individuals who seek or have to fight.
The basic idea for ensuring the physical safety of personnel is their timely evacuation.
The psychological basis of physical and information security firstly implies that any risks must be perceived using the mind and not the senses. In other words, one should not fear but apprehend.
The difference between fear and apprehension is that in apprehension we apply rules according to which we must act. We have learned these rules and practised them beforehand. Traffic rules, fire safety, and hygiene are the most obvious examples of apprehension that we apply on a daily basis. All other safety rules should be perceived in the same way as traffic rules, fire safety, or hygiene – without emotion.
Given that hostilities and social unrest are often accompanied by propaganda from different parties to the conflict, it is advisable to learn how to protect against psychological manipulations.
- Local incidents are occasionally accompanied by communication problems. Back up all important personal information to your mobile devices.
- Go to the Google Alerts service and set up as-it-happens email alerts for keywords such as “Russian invasion of Ukraine” and “Chernobyl radiation”. Getting into the habit of using this service saves a lot of time and energy in reading and analysing the news and allows you to focus only on the events that really matter to you instead of the flood of information rubbish.
- Install the Google Maps (iPhone version) and Maps.me apps on all your smartphones. In Google Maps, click on your profile icon and select Offline Maps. Download (cache) a map of your city as well as all the areas on your way from your city to the city you’re heading to. Downloaded Google Maps and Maps.me maps should be updated monthly or more often.
- There are various books and guides on the internet in the public domain on how to survive in the city, in nature, in hostilities, social unrest, etc. The basic idea here is that it is not necessary to study this literature in case of a timely evacuation. Such study can be associated with negative psychological effects and excessive emotional strain, distorting the perception of reality and causing unnecessary overuse of energy and resources.
- Improving our professional skills is the best informational preparation and also the best investment, not only in our own safety and comfort but also in our general well-being.
- Having some useful or interesting books on your mobile devices is always handy, and especially so when there is no connection.
Preparing resources and documents
It is advisable to prepare items that are usually taken on trips abroad:
- Essentials: cash in dollars or euros, payment cards, basic documents, laptop, smartphone, chargers and keys (mechanical, electromechanical, electronic, digital).
- Comfort and safety: clothing, shoes, optical and sunglasses, earplugs, cosmetics, medical masks, etc.
- Health: your personal medication, ascorbic acid, alcohol, etc.
- Travel passport (if relevant).
- It is highly recommended to obtain a paper certificate of Covid vaccination. Those who have not been vaccinated should be vaccinated as a matter of urgency.
We recommend that you keep in your bank accounts no more than the amounts needed for daily use with payment cards (no more than your monthly earnings). You can hold an additional amount in cash in your local currency up to the same amount. We recommend using cryptocurrencies, namely USDT or USDC stablecoins. Attention should be paid to the security of crypto wallets. The rest of the funds can be carried as cash in dollars.
We’re here to help
H-X Technologies is happy to help your business develop, implement, and test an effective business continuity plan tailored to your organisation. We have extensive experience in developing solutions that will enable your business to run uninterrupted, almost regardless of external conditions.
Plan ahead – it can save your business.
Contact us to find out more.