In the wake of alerts from the World Health Organization (WHO) and President Obama’s October 24 declaration of a national H1N1 health emergency, public and private agencies in the U.S. and other countries have been mobilizing their responses to the swine flu outbreak. With 74 countries reporting cases of H1N1 infection as of October, the epidemic is providing a real test of pandemic preparedness at all levels of society.
Businesses are also evaluating their plans for dealing with the potential effects of widespread infectious illness on their operations, and requiring evidence of similar preparedness from organizations on which they depend. Symantec has long been at the forefront of the business community in addressing potential pandemic risks and responses to the consequences of a pandemic.
In fact, following the September 11 attacks, Symantec was invited to work with the U.S. White House and Department of Homeland Security to assess risks to the IT industry and to improve recovery strategies. That work has been essential to the company’s pandemic planning activities, which began in earnest in 2005.
“Working with advisory councils to the President and other agencies really drove home the need for multiple layers of recovery options when it comes to business continuity/disaster recovery,” says John Dalisky, a Senior Manager for the BC/DR Program at Symantec.
Following is an overview of Symantec’s overall business continuity approach and the detailed, phase-specific global Pandemic Plan to address pandemic threats. This pandemic response and recovery process has already been followed in 2009 to ensure that Symantec was able to provide essential services to its customers without interruption.
“Thanks to our business continuity planning, Symantec has been able to continue to provide essential services to our customers without interruption during H1N1 ‘impacts’ to our operations in China, France, Mexico, Brazil, and India,” Dalisky observed.
Symantec’s long-standing corporate BC/DR function consists of well-defined processes and procedures to ensure the safety and security of employees and company assets while keeping Symantec’s business operational during and after a business-altering event. When formal pandemic planning began in early 2005, the company already had a foundation of detailed process flows, response teams, and geographically-flexible business continuity strategies in place that allowed Symantec to shift business processes across global regions. This follow-the-sun sequence on a 24x7 basis is implemented as needed whenever any business unit, site, multiple sites, or geographic region experiences a business disruption, including a staff shortage caused by an outbreak of infectious diseas. To date, the full-time BC/DR Program, supported by regional, cross-functional Incident Management Teams (IMTs) from the entire organization, has conducted more than 130 global response and recovery operations—all successfully, with no service interruption to Symantec clients.
In 2005, Symantec implemented a response and recovery mechanism specifically to address the business continuity challenges created by significant employee absenteeism due to a pandemic. The formal Symantec Pandemic Preparedness Program consists of a global team of key business group leaders with deep knowledge of company operations who can respond immediately to a pandemic alert. This global team leverages various resources, communications protocols, business assessment procedures, and business recovery strategies to address the risks and consequences of a pandemic flu outbreak.
The team adheres to a detailed Pandemic Policy that guides the company as a pandemic evolves, with phased responses implemented in response to WHO pandemic alerts (phase 4 or higher) as well as actual incidents. The documented areas are:
- Pandemic Response Structure
- Education and Training
- Business Continuity
- Optimizing Employee Health
- Reduction of Infection Risk
- Management of Infected / Potentially Infected Staff
- Management of Expatriates
- Management of Traveling Staff
For H1N1, an IMT is activated to assess business continuity once a Symantec site experiences employee absenteeism of 10 percent or greater. In addition, an individual business unit can trigger an IMT meeting if absenteeism is affecting their ability to perform critical business processes. To date, the duration of absenteeism due to H1N1 has averaged three to five days, a timeframe for which virtually every Symantec business unit has a documented workaround.
In any BC/DR incident, critical work is transferred to another region as needed. For example, Symantec technical support is located in several sites within the APJ, EMEA, and Americas regions. In the event of a business interruption or staff shortage, work is transferred to the next alternate location in a follow-the-sun sequence. Further, all locations have redundant processes and are configured to redistribute additional loads from sites that experience an interruption. Normal business processing rotates the workflow to these locations on a daily basis, so recovery capability is tested every 24 hours.
Similarly, Symantec analyst teams that compile and review threat data, create antivirus definitions, and provide early warning and security monitoring and management services function from multiple offices throughout the world. Should any of the analyst teams be unavailable, each of the other teams will independently analyze threat data, create definitions, and provide alert services and threat management as needed. Other process flow and escalation strategies such as call transfer and callback mechanisms and remote call queues are designed to ensure 24x7 delivery of business critical services to all Symantec customers.
Communication to key stakeholders is essential to the success of Symantec’s swine flu preparations. As part of the H1N1 response process, the pandemic preparedness team provides weekly H1N1 status updates to senior site executives, global functional leads, and other internal stakeholders such as embedded partners. Monthly BC/DR Program status meetings disseminate company H1N1 guidance and protocol in addition to timely information on other business continuity topics.
Because employee welfare and health considerations are preeminent in the company’s pandemic preparedness activities, Symantec is continually tracking the influenza status of its workforce and communicating information to employees regarding the company’s pandemic mobilization and specific measures recommended by WHO and other medical organizations to mitigate risk of infection. Pandemic awareness training modules have been available to all employees since 2006, and an internal H1N1 Web site was recently launched. The site, which is frequently updated, provides recommended personal and respiratory hygiene practices and flu contact guidelines based on Centers for Disease Control and WHO advisories, plus FAQs and Symantec news and announcements. Where appropriate, Symantec will implement targeted processes to reduce the risk of transmission of pandemic influenza virus within company facilities.
Having a business continuity plan in place is more than just about anticipating potential disruptions or disasters. It’s about prioritizing critical services, delivering the right incident response methodology, and applying best management practices on behalf of our employees, our customers, partners, and vendors.