BCM for WFH

Hurricane-damaged house

Since home and mobile workers rely on IT to access critical business systems and corporate data, and to communicate with others, organisations need a robust IT network infrastructure that extends to workers' homes or wherever they hang out. If, in reality, the infrastructure turns out to be fragile and unreliable, business activities are likely to be equally fragile and unreliable, leading to frustration and grief all round. In other words, the extended IT infrastructure is quite likely business-critical.

Working From Home or on the road can increase various information risks relative to conventional office-based work, due to factors such as:
  • Use of cloud computing services*;

  • Workers using their own or shared devices and internet connections for work purposes, raising questions about their suitability and security, ownership of and access to any intellectual property or personal information on them;

  • Less well controlled workplaces with access to family, friends and visitors, perhaps even complete strangers (e.g. working in airport departure lounges or waiting rooms and on public transport in general);

  • Greater possibility of being overlooked, or of theft of IT equipment and media (e.g. backups and paperwork), or accidental damage/loss;

  • Less social contact (especially casual/unplanned), perhaps even social isolation reducing morale and productivity, increasing the chances of depression or other mental ill-health;

  • Changes to/dissipation of the corporate culture, blending with regional and personal cultures;

  • Fewer opportunities for in-person training, mentoring and peer support;

  • Greater potential for worker carelessness, laziness, fraud, collusion and other forms of mischief; 

  • Weaker/slower physical responses to incidents and calls for help. 

* Properly designed, configured and managed commercial cloud services may be less risky (more secure, more reliable, better supported ...) than in-house IT services. They are increasingly used in conventional offices, as well as by home/mobile workers, so this may not be a distinguishing factor.

On the other hand, home/mobile working:
  • Decreases the dependence on shared conventional offices and the associated in-house office services;

  • Physically distributes the workforce;

  • Enables workers to establish reasonably comfortable personal work spaces according to their preferences and circumstances;
     
  • Increases self-determination, self-reliance and independence among the workforce;

  • Facilitates reflective creativity, critical thinking and innovation;

  • Increases flexible workday/week options, which suits some workers; and

  • Reduces the environmental and mental harm caused by commuting. 

The information risks should be evaluated and treated appropriately, typically being mitigated using controls such as:
  • Security policies, procedures and guidelines;

  • Providing employees with secure devices and connections, or helping them secure their own e.g. antivirus, firewalls, backups;

  • Providing technical support and monitoring for security issues;

  • Changing supervision and meeting arrangements; oh, and

  • Updating Business Continuity Management ...




... except that last bullet point is easily forgotten. BC arrangements may have been neglected during COVID, especially if they were decidedly iffy before the lockdowns. 

So:
  • Has your organisation reviewed and updated its BC arrangements in line with the changing nature of work and mobility of the workforce?

  • Have the associated policies, plans, procedures and guidelines been maintained? What about BC exercises, tests and audits?

  • How will the response to, say, a major storm, flood, bushfire, earthquake, invasion or some other region-wide incident be coordinated?

  • How will workers even be contacted if the local power and comms infrastructure is down?

  • Does anyone know where they are?

  • Are various business partners part of your BC and resilience planning?

  • Do workers have clear instructions about how to react, what to do, who to contact (if they can) and how to re-establish comms (if not)?

  • Do critical workers have generators and redundant comms ... and what about the non-criticals, particularly if they turn out to be critical after all?

  • Do workers have first aid supplies, food and water?

  • If remote/online working is simply not possible, what can workers do to help?

  • Have you considered resourcing true contingency arrangements, such as stockpiling or making plans to acquire two-way radios, 4x4 vehicles, generators etc. in a hurry?

Loads of questions already, and I've hardly started! This is, of course, just a generic blog piece. I have no idea about your particular business situation. I bet there are interesting wrinkles there. 

If this has struck a chord with you, do get in touch. A little independent advice and guidance may be just what you need to review, update, document and gain assurance as to your BC and resilience. Someone simply asking the right questions can prompt you to think about this stuff differently. Let's start by talking. Talk is cheap - in fact, it starts off free, within reason!