
Maintaining business resilience in the face of COVID-19


March 2020

COVID-19 is a fast-growing and unique challenge to organizations globally. Understanding what it is
and what precautions to take and preparing your organization to be resilient will likely prove crucial
in protecting employees and maintaining operations. This includes understanding your organization’s
position in terms of business continuity and crisis management, specifically as it relates to your staff,
vendors, supply chain, and IT operations and infrastructure.

As the global challenge of COVID-19 potentially increases, organizations should assess the following considerations to protect themselves and their staff.

How do we keep our organization operating?
Confirm mission-critical outcomes are well understood from end to end and contingency plans are in place to keep them operating. In particular, key dependencies—processes, locations, people, vendors, and IT systems—need to be confirmed and documented (typically achieved through a business impact assessment (BIA)).

Can the strategies included in our continuity plans be relied upon?
Make sure business continuity plans (BCPs) reflect critical outcomes. Organizations should have BCPs and continuity strategies that reflect critical business outcomes and the dependencies mapped out in a BIA. If possible, these plans should be pressure-tested (either immediately or in the recent past) to ensure they remain fit for purpose in the face of a potential global pandemic. Additionally, confirm whether business continuity insurance arrangements provide adequate coverage.

How do we manage if this becomes a crisis?
To safeguard the effectiveness of an organization’s strategic response to a significant global incident, it is important that crisis management arrangements be formalized. This includes clear, repeatable processes for activating an executive leadership team—either locally in an emergency response center or remotely using teleconference platforms—steering the strategic direction of the organization, and communicating clearly internally and externally.

Have we planned for a pandemic and are we postured to respond?
Given that COVID-19 has now been declared a pandemic, organizations need to have a clear strategy for managing the virus as it spreads. In particular, while staff continues to work from a central location, the depth and breadth of cleaning services should be confirmed. However, to contain the virus, organizations should have formalized processes and policies for implementing social distancing (i.e., work from home (WFH), split shifts) and managing mission critical outcomes using the minimum number of staff (i.e., “skeleton staff”).

What can we do right now?

Alternative working arrangements
Clarify the WFH processes. Organizations often lean on the “we’ll just work from home” strategy in the event of a challenge of this nature. However, it is important to confirm a number of key questions related to this strategy prior to implementation:
- Do policies/procedures allow the organization to seamlessly transfer staff to WFH arrangements?
- Will staff continue to be paid their full salary if a WFH culture is not currently in place?
- How long can we maintain mission-critical processes with staff working from home?
- Are all staff equipped with laptops? If so, do we have a list of steps staff need to complete in order to WFH (e.g., logging into a remote VPN)?
- Do we have the technical capability to provide all staff with remote working licenses and have we tested this type of load?
- Are we set up to enable the majority of our workforce to WFH while maintaining mission-critical outcomes?

© 2020 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.
All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International. NDP071400-1A
Vendor and supply chain management
For organizations that rely on global manufacturing locations and/or vendor distribution partners for mission-critical outcomes, planning for the eventuality that these locations and vendors become unavailable is critical. This planning should include confirmation of any contingent strategies/providers that could be relied upon and any continuity processes that could support mission-critical outcomes in the short to medium term.

Staff communications
Organizations should monitor and maintain regular communication with staff, providing staff with regular, up-to-date information on the state of COVID-19 and the processes being implemented to protect staff and maintain critical operations.

Organizations should advise staff to communicate with Human Resources if they have personal international travel—particularly to locations that may have confirmed cases.

IT operations
Organizations that rely on international third-party service providers for their IT operations support should plan to take on additional workload in case a third party is impacted by the virus. Planning should include skills assessment, tools and technology requirements, security and identity and access management, and the ability to support the work remotely.

Onshore/internal IT teams may be impacted as well. To mitigate the impact, organizations should consider acceleration of automation of routine operational activities.

Self-service offerings should be increased to alleviate the workload of a potentially reduced staff. A minimum level of acceptable support for critical applications and core services should be defined and SLAs should be defined for a potential pandemic.

IT infrastructure
Organizations should identify peak network traffic in the event that the majority of the workforce is working remotely and should also include VPN throughput and licensing. An assessment should be performed to identify the gaps and remediate as necessary. Network security, including remote access management, should be included in the plan. In the event that key staff members are not available locally, alternates should be identified and provided access from remote, possibly international locations.

Access to cloud services should also be reviewed to make sure it can scale to meet the requirements of the remote business users. It is important to understand that business processes may be modified during a pandemic, which could result in more demand than usual on IT services.

Stay cyber vigilant throughout your data supply chains
As more energy is spent ensuring employee well-being, cyber teams must remain vigilant to confirm security processes don’t break down across internal and external data supply chains. Resist tendencies to create workarounds that might introduce new downstream risks. There have already been some signals that criminals are using coronavirus information or misinformation to target victims. Work closely with key cyber partners at your vendors to ensure a good understanding of security challenges and that resiliency plans are being activated. If there are going to be known supplier challenges, work to determine security and compliance impact. Consider setting up a cyber war room with regular communication and access to resources by your vendors. Keep an eye on signals like reduced patching cadence, increased attack patterns, and spear phishing across your ecosystem. Work collaboratively to determine impact, share information about cyber activity across the ecosystem, and triage response based on available resources and potential impact.

Contact us
If you would like more information on how KPMG can assist your organization, please contact:

Glenn Siriano
Principal, Business Resilience
T: 203-521-8129
E: gsiriano@kpmg.com

David Tarabocchia
Managing Director, CIO Advisory
T: 727-641-8272
E: dtarabocchia@kpmg.com

Franco Cordeiro
Director, Business Resilience
T: 720-469-2595
E: francocordeiro@kpmg.com

Jonathan Dambrot
Principal, Cyber Security Services
T: 973-467-9650
E: jdambrot@kpmg.com

Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.
