๐ฎ๐ฉ Baca artikel ini dalam Bahasa Indonesia
Executive Summary
The COVID-19 crisis has exposed a hard truth: most business continuity plans were built for short-term, localized disruptions โ not a sustained global shutdown. Companies that treated business continuity planning as a compliance checkbox are now scrambling to survive, while those that embedded resilience into their operations are adapting faster. This article examines what went wrong, what frameworks actually hold up under pressure, and what every executive should do differently starting now.
The Wake-Up Call Nobody Wanted
Three months ago, I had a conversation with the CFO of a mid-market manufacturing company. They had a business continuity plan. It was 47 pages long, last updated in 2017, and stored on a shared drive that half the leadership team did not know existed. When COVID-19 forced their offices and factories to close in March, that document was essentially useless.
This is not an unusual story. A Mercer survey from late March 2020 found that 51% of companies worldwide had no business continuity planning measures in place to address a pandemic-scale disruption. Not “insufficient measures” โ none at all. The other 49% largely had plans that assumed a two-week disruption, not an open-ended one.
I have spent the better part of two decades advising organizations on IT strategy, and what strikes me most about this moment is not the scale of the disruption โ it is how predictable the failures have been. The companies struggling the hardest right now are making mistakes that were entirely avoidable. The lessons are not new. They are just being learned, painfully, for the first time by executives who assumed the worst-case scenario was someone else’s problem.
Why Most Business Continuity Plans Failed
The root problem is not that companies lacked plans. Many had them. The problem is that those plans were built on flawed assumptions, tested inadequately, and disconnected from actual operations.
Assumption 1: Disruptions Are Localized and Short
Traditional business continuity planning tends to model for events like a regional power outage, a single-site flood, or a localized IT failure. The playbook assumes you can shift operations to another location or wait it out for a few days. COVID-19 shattered that model. Every location was affected simultaneously. There was no “backup site” because the backup site was closed too.
The organizations that handled this better were those that had already decentralized their operations โ distributed teams, cloud-based systems, location-independent workflows. Not because they predicted a pandemic, but because distributed operations happen to be more resilient by design.
Assumption 2: IT Infrastructure Will Hold
Many companies discovered in mid-March that their VPN infrastructure could handle 15% of their workforce connecting remotely. When 100% needed access simultaneously, systems buckled. Bandwidth was insufficient. Legacy applications that required on-premise access became inaccessible. Collaboration tools that nobody had bothered to deploy suddenly became mission-critical.
A CIO I advise described the first week of lockdown as “discovering every technical debt item we had been deferring for five years, all at once.” That is a precise summary. Deferred infrastructure modernization is not just a budget conversation. It is a continuity risk.
Assumption 3: People Know What to Do
Even companies with documented continuity plans found that employees and managers had never actually practiced them. When I ask leadership teams whether they have run a tabletop exercise or a live simulation in the last 12 months, the answer is almost always no. A plan that has never been tested is a hypothesis, not a plan.
The military has a saying: no plan survives first contact with the enemy. That is why they train constantly. Most businesses do not train for disruption at all. The plan sits in a binder โ or more likely, a PDF โ and gathers dust until the moment it is needed, at which point nobody remembers it exists.
What Effective Business Continuity Planning Actually Looks Like
Let me be direct about what separates organizations that are weathering this crisis reasonably well from those that are not. It comes down to five characteristics that were in place before the disruption hit.
1. Scenario Planning Beyond the Obvious
Good business continuity planning does not just cover the likely scenarios โ it covers the unlikely but high-impact ones. Pandemic was always on the risk register for organizations that took continuity seriously. The ISO 22301 standard for business continuity management explicitly requires organizations to consider a range of disruption types, including those that affect personnel availability across all locations.
The companies I have seen handle this well were those that asked the uncomfortable question: “What if we cannot access any of our physical offices for 90 days?” Not because they expected it, but because the exercise of answering that question forced them to identify single points of failure.
2. Technology Infrastructure That Supports Remote Operations
This is where years of digital transformation work paid off โ or years of delay became painfully visible. Organizations that had already migrated critical systems to cloud platforms, deployed modern collaboration tools, and ensured secure remote access were able to transition to fully remote operations within days.
Companies still running on-premise ERP systems with no remote access capability, using locally installed software without cloud alternatives, or relying on physical document workflows were, in many cases, operationally paralyzed for weeks.
The lesson is straightforward: cloud migration, remote access infrastructure, and digital workflow automation are not just efficiency initiatives. They are continuity infrastructure. Budget them accordingly.
3. Clear Decision-Making Authority and Communication Chains
During a crisis, speed matters more than perfection. The organizations that responded fastest had pre-established crisis management teams with clear authority to make decisions without routing everything through normal approval hierarchies. They also had communication protocols โ not just for customers, but for internal teams โ that activated automatically.
One client of mine had a simple but effective protocol: if a disruption exceeds 48 hours, a cross-functional crisis team convenes daily with authority to reallocate budget, reassign personnel, and modify vendor contracts without board approval up to a defined threshold. That kind of pre-authorization saved them weeks of deliberation when COVID-19 hit.
4. Supply Chain Visibility and Diversification
This crisis has been particularly brutal for companies with concentrated supply chains. Organizations that sourced primarily from a single region โ or worse, a single supplier โ found themselves without alternatives when those sources shut down.
Business continuity planning must extend beyond your own four walls. It includes understanding your suppliers’ continuity posture, maintaining relationships with alternative vendors, and having contractual provisions that address force majeure scenarios in practical terms, not just legal ones.
5. Regular Testing and Iteration
The Business Continuity Institute’s 2019 Horizon Scan Report found that organizations that conducted regular exercises were significantly more confident in their ability to respond to disruptions โ and that confidence correlated with actual performance. Testing does not have to be elaborate. Quarterly tabletop exercises, annual simulation drills, and post-incident reviews after even minor disruptions build organizational muscle memory.
I recommend a simple cadence: tabletop exercises quarterly, a functional simulation annually, and a full plan review every time the organization undergoes a significant change โ a merger, a system migration, a new facility, a leadership transition.
A Practical Framework for Rebuilding Your Continuity Plan
If your current plan failed โ or if you did not have one โ here is a framework for building something that will actually work. This draws on ISO 22301, the Business Continuity Institute’s Good Practice Guidelines, and my own experience advising organizations through operational crises.
Step 1: Business Impact Analysis (BIA)
Identify your critical business functions and the maximum tolerable period of disruption for each. Be honest. Most organizations overestimate their tolerance. If your order processing system is down for 72 hours, what is the actual revenue and customer impact? Quantify it.
Step 2: Risk Assessment
Map the threats that could disrupt those critical functions. Include scenarios that feel unlikely. Pandemic. Simultaneous multi-site closure. Loss of a key vendor. Extended internet outage. Assign probability and impact ratings, but do not let low probability justify zero preparation.
Step 3: Strategy Development
For each critical function, define how you will maintain or restore it under each disruption scenario. This is where technology decisions, staffing plans, and vendor relationships become concrete. Document the minimum viable operation โ what does the stripped-down version of this function look like, and what do you need to run it?
Step 4: Plan Documentation
Write the plan in plain language. Include specific names, contact information, system access procedures, and decision trees. A plan that requires interpretation during a crisis is a plan that will not be followed. Keep it under 20 pages for the core response plan, with detailed appendices for specific functions.
Step 5: Training, Testing, and Maintenance
Train everyone who has a role in the plan. Test it with exercises that simulate real conditions. Update it every time something changes. This step is where most organizations fail. They do Steps 1 through 4 once and then neglect Step 5 indefinitely.
What This Crisis Should Change Permanently
I expect โ or perhaps hope โ that this pandemic will permanently shift how executives think about several things:
- IT spending as insurance, not overhead. The companies that invested in cloud infrastructure, modern collaboration tools, and remote access capabilities before 2020 did not do so because they predicted COVID-19. They did it because modernizing infrastructure reduces risk across all disruption types. That argument should never again be hard to make in a budget meeting.
- Remote work as an operational capability, not a perk. The ability to operate with a fully distributed workforce is a continuity requirement. Even if your organization returns to primarily office-based work, the systems and policies to support remote operations should remain in place and tested.
- Cross-functional continuity ownership. Business continuity planning cannot live solely within IT or facilities management. It is a cross-functional discipline that requires input and ownership from finance, operations, HR, legal, and executive leadership. If your BCP is “an IT thing,” it is incomplete.
- Vendor and supply chain resilience as a procurement criterion. Ask your critical vendors about their continuity plans. Audit them. Include continuity requirements in contracts. Your resilience is only as strong as the weakest link in your supply chain.
Frequently Asked Questions
How often should a business continuity plan be tested?
At minimum, conduct tabletop exercises quarterly and a functional simulation annually. Additionally, review and update the plan after any significant organizational change โ system migrations, leadership changes, new facilities, mergers, or major vendor shifts. The goal is not to check a box but to build genuine organizational readiness. A plan that was last tested two years ago is unreliable.
What is the difference between business continuity planning and disaster recovery?
Disaster recovery (DR) is a subset of business continuity planning. DR focuses specifically on restoring IT systems and data after a disruption โ backup restoration, failover procedures, recovery time objectives. Business continuity planning is broader: it encompasses maintaining all critical business functions, including operations, personnel, supply chain, customer communication, and financial processes. A good BCP includes a DR plan, but a DR plan alone is not a BCP.
Who should own the business continuity plan in an organization?
Executive sponsorship should come from the CEO or COO, with operational ownership typically assigned to a dedicated business continuity manager or a senior operations leader. The critical point is that it must be cross-functional. IT owns the technology recovery components. Finance owns financial continuity. HR owns personnel and communication protocols. Operations owns supply chain and facility contingencies. A single department cannot own it in isolation โ and if nobody owns it, it does not exist in practice.
What is the most common mistake companies make in business continuity planning?
Treating it as a one-time compliance exercise. Organizations invest in creating a plan โ often driven by an audit requirement or a regulatory mandate โ and then file it away. They do not test it, do not update it, and do not train their people on it. When a real disruption occurs, the plan is outdated, unfamiliar, and ineffective. The plan itself is maybe 20% of the value. The other 80% comes from testing, training, and continuous improvement.
Moving Forward
We are still in the middle of this crisis as I write this in May 2020, and the full scope of its impact on businesses will take years to assess. But some conclusions are already clear.
The organizations that will emerge strongest are not necessarily the largest or the best-funded. They are the ones that built adaptability into their operations before they needed it. They invested in infrastructure that did not depend on everyone being in the same building. They tested their plans and found the gaps before a real emergency found them first.
For every executive reading this while managing a crisis in real time: document what is working, what failed, and what you wish you had done differently. That documentation, captured while the experience is raw, will be the foundation of a continuity plan that actually holds up next time. Because there will be a next time. The only question is whether you will be ready for it.
