Monday morning, 9 a.m. The CEO calls you into an executive meeting as word comes that a full-blown H5N1 avian influenza pandemic is spreading rapidly from Central Asia. Your job: Keep mission-critical IT systems working despite staff absenteeism rates that could reach 40 percent at the height of the pandemic, which is expected to run its course over a period of six to eight weeks.
Supply chain disruptions are expected as countries close their borders, so you can't count on spare parts. With emergency travel restrictions in effect, you can forget about moving staffers between global locations to cope with labour shortages. You also need to enable remote access for an unprecedented number of employees who will either be out sick, caring for ill family members or afraid to come to the office. You have weeks, possibly just days, before the outbreak overtakes one of your major data centres.
Are you ready?
For many businesses, the answer is probably no, according to Stephen Ross, national leader of the business continuity management practice at Deloitte & Touche LLP in New York.
"The vast majority of Organisations have not done anything," he says. Even large companies are playing catch-up. In a Deloitte survey of 163 large companies conducted in December 2006, 48 percent of respondents said their companies haven't adequately prepared for a pandemic. That's 14 percentage points better than the same survey the previous year. But, Ross adds, "While many large companies have begun their pandemic planning efforts, there's still a significantly large number that have not."
These websites contain information that might prove helpful if you're adding avian flu to your business continuity plan.
Why such inaction? A major pandemic hasn't occurred in years, and the probability of an outbreak this year can't be predicted with certainty. That may lull businesses into a false sense of security, but the potential for catastrophic losses makes planning vital, say pandemic experts and business continuity planners. "The impact of this is so high that the risk rating tells you this must be a priority," says Don Ainslie, global security officer at Deloitte.
Not if, but when
"The probability of a pandemic outbreak is [100 percent]," says Michael T. Osterholm, director of the Center for Infectious Disease Research and Policy at the University of Minnesota in Minneapolis. It's just a matter of when, he says.
The World Health Organisation has already issued a pandemic alert for the deadly H5N1 virus, although at this point, the virus still isn't able to spread directly between humans. "What we need to do," says Osterholm, "is emphasise to these companies that, unlike many events [such as tornadoes and earthquakes] that may never happen to a company, this is one that will."
A flu pandemic could devastate companies and the world economy. The U.S. Department of Homeland Security estimates that worker absenteeism could reach 30 percent to 40 percent during a pandemic's peak. For a corporation with about 20,000 employees, the cost of lost labour and health care could exceed $60 million, a Deloitte study says.
Supply chain disruptions in one sector, such as the oil and gas industry, could have a domino effect, says Osterholm. According to the Congressional Budget Office, a severe pandemic could cost the U.S. economy more than $600 billion, or about 5 percent of the gross domestic product.
The U.S. hasn't seen a large-scale pandemic since the Spanish flu outbreak of 1918, when one-third of the world's population became ill and at least 50 million people died, according to a government report. In the worst-case scenario described in a WHO report, if H5N1 mutates directly into a human-to-human transmissible form, the mortality rate could hit 60 percent to 65 percent. In contrast, the mortality rate in 1918 was 2.5 percent.
"Obviously, in that kind of worldwide pandemic, it would be as catastrophic as anything we've ever seen or known. We're talking 1 billion -- with a 'b' -- or more deaths," Osterholm says.
But other pandemic experts question the probability of such a deadly scenario. Martin Meltzer, a senior health economist at the Centres for Disease Control and Prevention in Atlanta, says there isn't enough data to make such predictions. Then there are mitigating factors. "Some mathematical models suggest that if you have a very lethal strain of flu, it might be difficult to sustain transmission," meaning fewer people would be infected, he says.
Nonetheless, Meltzer says some sort of pandemic is inevitable, but the uncertainty of when it will occur is affecting the way companies plan. "What happens if the pandemic doesn't occur for two years? Will everyone go home and stop planning? That would be a complete disaster," he says.
The enormity of the problem may lead some Organisations to conclude that there's little they can do. "There is a real potential to be overwhelmed by the potential intensity of a pandemic and take no action," says Bill Raisch, director of the International Center for Enterprise Preparedness at New York University.
But Organisations need to plan now, says Ainslie. "There's a lot you can do, and technology is a critical component in this," he says. And the continuity plans that businesses already have will handle 60 percent to 80 percent of the pandemic challenge, Raisch says.
Although planning needs to take place at the executive level, IT will play a key role. Companies must expand on business continuity plans, which typically assume that disasters will be regional and affect infrastructure, to deal with a disaster that is global and affects staff resources. "You can easily modify your existing business continuity plan to handle this type of disaster," says Kathy Sgroi, manager of service management in the information services division at logistics giant United Parcel Service.
Preparations include cross-training IT staffers to handle critical functions such as hardware maintenance. Beyond that, the IT department can deploy e-learning tools, expand remote access gateways to support more telecommuters and beef up intranet portals, videoconferencing, Web conferencing and other communication channels that will keep employees informed during an outbreak. At Deloitte, Ainslie has used "webinars" to educate executives on the threat and how they should respond.
"The two cornerstones of any plan are being able to communicate and [being able] to receive and distribute timely and accurate information to decision-makers," says Brent Woodworth, a manager with the crisis response team at IBM Global Services.
Wayne Rawlins, national medical director and clinical lead for pandemic planning at Aetna, says the company's pandemic plan has been "layered" into its crisis management plan.
The insurer recently conducted a full-scale simulation of its plan and is ready to operate its data centres at 50 percent staffing levels, says Dana Bennett, head of IT strategy, planning and business architecture.
Aetna will use its intranet portal and an interactive voice-response system to communicate information to employees and its clients during an emergency, and it has deployed e-learning courseware for pandemic education.
About 70 percent of employees are already set up for some level of remote access, Bennett says. Aetna is also ramping up its remote access gateways, which can support simultaneous network access for IT workers and the 10 percent of its workforce who are full-time teleworkers.
Globalisation could magnify a pandemic's effect on businesses, especially in the U.S., says Ainslie. "We're in a just-in-time economy. Everything is offshored and outsourced," he says.
"Thought ought to be given as to whether and when to increase stockpiles of critical equipment," says Deloitte's Ross.
Michael Rasmussen, an analyst at Forrester Research Inc., says IT should plan now for supply chain disruptions. "Spare parts and [things like] new laptop shipments could be restricted to some degree. Even backup tapes and off-site storage could become a challenge" as transportation bottlenecks emerge, he says.
Personnel shortages won't just affect low-level staffers. IT decision-makers could suddenly become unavailable. One option is to predefine task orders or procedures, such as procurements, that normally need several layers of approval, says Woodworth. "If you can get those pre-approved ... it will be easier to get the things you need in a disaster," he says.
At UPS, the data centre is an integral part of operations. "If our computer systems don't run, scanners in our locations all over the world won't work. Our revenue stops because our business stops," says Sgroi.
The virtual office
If employees can't come into the office during a pandemic, why not bring the office to them?
Like most large companies, UPS can remotely manage most aspects of data centre operations, with the exception of hardware maintenance. But UPS also has a plan for moving workloads. If a major site in Asia or elsewhere goes offline, the company's plan calls for diverting data to another location, which must have enough capacity to take on the added workload, Sgroi says.
UPS is also adding a Web-based absenteeism application to help managers during a crisis. "During a pandemic, we would need better control over how many people are in and out of the office. This doesn't exist today," Sgroi says.
Ainslie says it isn't enough to have backup power. He's looking at how to keep running for extended periods without utility power or access to fuel for backup generators. "You have to have enough [fuel] for an extended period of time, if practical," he says.
Sgroi is confident that IT can function with an absentee rate of 25 percent, but she says a rate of 40 percent would require additional steps. Even Deloitte, which advises clients on pandemic planning and has invested considerable time and effort in its own plans, isn't ready for a 40 percent absenteeism rate. "We still have a lot of work to do," Ross says.
Organisations that have outsourced parts of their IT operations should also take a hard look at their collocation facilities and other outsourced IT services, says Rasmussen. "You need to be working with them to make sure you have a right to an audit. Look at their business continuity plans and what processes are in place to execute those plans," he suggests.
Although telecommuting can help some staffers continue to work during a pandemic, in some cases it just isn't practical.
Aetna isn't counting on remote access during a pandemic. Bennett is concerned that users working from home might have extremely slow Internet connectivity -- or no last-mile connectivity at all -- if their Internet service providers aren't capable of handling the expected surge in usage.
The bigger problem, however, is that many job functions simply can't be performed remotely. "Sending everyone home to telework isn't viable in our business," Bennett says. Instead, Aetna is focusing on reducing workplace risks, by using its intranet and e-learning systems to train employees on practices such as "social distancing" (staying three feet away from others), the use of protective masks and gloves, and environmental cleaning.
At other businesses, remote access will be crucial. "The principal role of the IT team has been to enhance our remote working capability," says Dennis Jobin, managing director of the business continuity planning division at The Bank of New York The bank is also ramping up its internal Web site to support more concurrent users.
Security is a concern. Businesses may want to distribute laptops in advance to ensure that endpoint devices coming into the virtual private network are properly secured, says Ross.
Bank of New York has a VPN but is in the final stages of choosing a thin-client, desktop application virtualisation technology that's capable of securely supporting remote access by a large population of users working from home. The new system will securely support any computer equipped with a browser, thus eliminating worry about the security of home computers or supplying company laptops. Configuration and management will all occur on the back end. "The solution we choose will minimise or eliminate any visits to people's homes," says Jobin.
Cross-training employees can help the business cope with skills shortages by making it possible for remaining employees to get critical tasks done, but training must occur before a pandemic strikes. "That has to happen now. You can't wait," says Ross.
But cross-trained employees taking on new roles will need access to different parts of the company's computer systems. "Which applications you can use, which data you have access to, will change," Ross says, and identity management tools will be critical to such provisioning efforts.
Ultimately, dealing with a pandemic is a problem that must be coordinated at the executive management level through a cross-functional team. "IT is not the problem, nor the full solution," says Rawlins. But it is part of the solution. And in a true emergency, information systems might just be the glue that keeps employees in touch -- and holds the Organisation together.