The unprecedented surge in the need for social security during the COVID-19 crisis overwhelmed institutions’ service delivery channels, both physical and online. This article deals with the importance of Business Continuity Management in light of the pandemic, building on good practices of social security institutions in Asia and the Pacific.
While pandemic-associated surges and constraints are one form of risk, social security operations can get disrupted by a range of other threats, including natural disasters, political events and international crises. Further, the ever-expanding role of information and communication technologies (ICTs) in social security administration leaves organizations vulnerable to new threats such as technology failures, data losses, and cyber-attacks (ISSA, 2022a). Business Continuity Management (BCM) enables social security institutions to anticipate, prepare and mitigate the impacts of these risks. The BCM Institute defines BCM a holistic management process that identifies potential threats, impacts from threats, and for developing response plans. These frameworks allow organizations to build resilience that effectively safeguards the interests of stakeholders. Prudent management requires institutions to develop a Business Continuity Plan (BCP) to maintain services during such situations while protecting organizational assets.
Developing a BCP typically follows a step-by-step approach (Figure 1). The process begins with a comprehensive Business Process Analysis (BPA), which maps the workflows, activities, personnel, systems, resources, controls, data, and facilities required for the execution of business functions. The BPA is followed by a Business Impact Analysis (BIA), in order to identify which functions are critical to the operations of the organization. The information collected through the BPA and the BIA is then used to design the risk mitigation techniques to be covered in the BCP. The BCP is tested and updated before employees are trained. The BCP requires regular testing, updating and re-training.
Given the significance of BCM for social security administration, the International Social Security Association (ISSA) has developed a range of resources to support member institutions to strengthen their resilience and maintain business continuity. In particular, the forthcoming ISSA Guidelines on Continuity and Resilience in Social Security Services and Systems (ISSA, 2022c), and the ISSA Guidelines on Good Governance outline strategies for risk management both from business (Guidelines 32–34) and ICT perspectives (Guideline 69) (ISSA, 2019a). Further, Part G of the ISSA Guidelines on Service Quality (ISSA, 2019c) establishes continuous improvement principles, and Part F underlines the importance of developing a service culture. Last but not least, Guideline 12 of the ISSA Guidelines on Information and Communication Technologies (ISSA, 2019b) and a new publication on digital operational resilience (ISSA, 2022a) zoom into the ICT‑related aspects of business continuity, given overall operational resilience increasingly hinges on ICT service robustness.
Experiences of business continuity management from Asia and the Pacific
A growing number of social security institutions in Asia and the Pacific recognize the importance of BCM for effective social security administration. Examples of good practices from the region have been presented during the Virtual Social Security Forum for Asia and the Pacific and the 16th ISSA International Conference on Information and Communication Technology in Social Security (ICT 2022), webinars and through other ISSA activities. This article summarizes member institutions’ experiences, lessons learnt and challenges in putting BCM into practice from two perspectives. First, it examines approaches to operationalizing BCM and how different organizations have tackled some specific challenges. Second, it examines some of the results that an operational BCM brought to organizations during the pandemic.
Establishing business continuity management
Different ISSA member institutions have shown the effectiveness of having implemented Business Continuity Management. While there may be different stages of development, the experiences shown below provide solid evidence of the value of having implemented BCMs regardless of the stage of development.
Civil Service Employees Pension Fund, Oman
The Civil Service Employees Pension Fund (CSEPF) of Oman created a Business Continuity (BC) and a Disaster Recovery (DR) site to safeguard business functions from natural disasters, external risks, and critical technology failures (CSEPF, 2015). To do so, the CSEPF considered a range of factors such as location, data centre infrastructure, communication infrastructure, workspace and accessibility, and the use of virtual machines to guarantee the availability of the data. The key objectives were to minimize service unavailability and data loss. In practice, this involved monitoring the plan against two benchmarks: (i) the Recovery Time Objective (RTO), or the lead-time taken to get the system or process up and running, which was set to one day, and (ii) the Recovery Point Objective (RPO), or how much data the CSEPF was potentially prepared to lose in the worst case measured in terms of time, which was set to one hour.The CSEPF conducts annual tests to ensure the robustness of the business continuity plans. These tests are designed to be realistic as the primary sites are disconnected. The goals of the testing are to validate the RPO and the RTO; identify flaws and streamline the business continuity plan, and train the staff.
Public Authority for Social Insurance, Oman
The Business Continuity Management System (BCMS) set up by the Public Authority for Social Insurance (PASI) in Oman identified potential threats, and defined protocols to minimize impacts on assets, people, and operations (PASI, 2015, 2021). PASI first undertook a comprehensive Business Impact Analysis, i.e., “identifying organization’s critical business functions (CBFs) and analysing the potential disruptive impact to the business” (Goh, 2021). This analysis informed benchmarks for the recovery time objective and the maximum acceptable outage. The risks identified are addressed using a 4Ts approach, i.e. Tolerate, Terminate, Treat, or Transfer, in line with Guideline 7 on Risk management from the ISSA Guidelines on Good Governance. The key components of the BCMS included: (i) a contingency plan to avoid data losses, (ii) a disaster recovery site, (iii) a business continuity site, (iv) an occupational health and safety system management manual, (v) a remote working policy, (vi) activation of digital communications, (vii) an accident and incident risk register, (viii) a smart inspection system to avoid the risks of field inspection, and (ix) periodic drills at disaster recovery and business continuity sites. This BCMS proved valuable in maintaining routine services during the COVID-19 pandemic.
General Organization of Social Insurance (formerly the Public Pension Agency), Saudi Arabia
In operationalizing its BCM, the Public Pension Agency (PPA), today part of the General Organization of Social Insurance (GOSI), of Saudi Arabia first conducted a business impact analysis (PPA, 2020). It then developed a business continuity programme through the preparation of an enterprise-wide strategy, policy, plans, and agreements that would enable it to deal effectively with various crises and disasters. In order to implement the programme efficiently, a disaster recovery centre was established in 2013 as a backup centre for data. Awareness campaigns were conducted annually for the PPA’s employees and its subsidiaries, including workshops, awareness emails and questionnaires. An alternative centre was also established outside the capital Riyadh, and the business continuity plan was successfully tested.
Managing business continuity during the pandemic
Research on broader government operations, mainly focused on high-income countries, finds that most agencies did not include a pandemic as a risk factor in their BCPs before the COVID-19 crisis. BCPs were focused on protecting operations from system failures and data losses, with limited focus on personnel and non-system-related issues. Further, existing BCPs were geared towards short-term service interruptions rather than protracted disruptions (Balibek, Storkey et Yavuz, 2021). Therefore, most government organizations were forced to revise their BCPs during the pandemic, and social security institutions were no different.
Maldives Pension Administration Office
The Maldives Pension Administration Office (MPAO) transformed its ICT infrastructure to build resilience and business continuity into its operations (MPAO, 2022). The legacy systems at MPAO relied on in-house IT infrastructure, manual data backups, data on desktop computers, manual call management, email-based internal communication and collaboration, and physical documentation. As a result, it was difficult to access data and continue operations during emergencies. To address this, the MPAO began migrating its infrastructure to the cloud in 2016. Further, it also identified services to enhance internal collaboration. Some of the applications used include Cloudrun, Pub Sub, Cloud SQL, BigQuery, Bucket, Google Workspace, Workplace by Facebook, Amazon Web Services Short Messing Service, and Cloudflare. All services are backed by automated and tested backups and disaster recovery processes. Such broader digital transformation was pivotal to protect the MPAO’s services from the pandemic.
General Organization for Social Insurance, Saudi Arabia
In Saudi Arabia, GOSI initiated remote working and automated services to stay resilient during the pandemic (GOSI, 2020). This ambitious agenda not only had to address security and privacy risks but also source the required ICT infrastructure (e.g. laptops, systems, IT support) amid global market shortages triggered by the demand surge.
GOSI followed the ISSA Guidelines on Information and Communication Technology, Guideline 12 on ICT service continuity management, to ensure that all critical services were available for the customers, and that information availability was maintained at acceptable levels. GOSI established a COVID-19 response committee that met on a weekly basis to resolve issues and maintain business continuity. It transitioned a number of services online while creating a new branch for those who sought in-person service through pre‑booked appointments. It provided laptops to all employees performing critical functions. Ensuring business continuity required integrating and coordinating with several external parties such as IT, unemployment insurance, data exchange, and health. Throughout this process, the business continuity and information security risk register were updated and monitored.
Abu Dhabi Pension Fund, United Arab Emirates
To minimize disruptions at the onset of the COVID-19 crisis, the Abu Dhabi Pension Fund (ADPF) initiated a hybrid model of working that flexibly combined on-site and remote arrangements (ADPF, 2021). While the ADPF had some experience of remote working since 2018, the pandemic demanded rapid organization-wide scaling up of these capabilities bearing in mind data privacy, monitoring and collaboration considerations. In 2015, the ADPF had introduced a service called TAWASOL which allowed business users to remotely access ADPF solutions and provide services to clients. In 2018, the ADPF introduced a secure smart desktop which allows business users to be able to access ADPF service outside its premises.
At the outset of the pandemic, the ADPF revisited its operational impact analysis to identify critical services and deprioritize non-critical services to maximize the limited operational resources available. Every division was requested to plan their availability both inside and outside the organisation’s premises. The ADPF augmented its infrastructure with business continuity and crisis management automation solutions, including solutions for emergency management and mass notifications. It also maintained cyber asset availability in the event of staffing disruptions. The ADPF adopted a specialized software which helped cascade strategic objectives into operational plans, equipping managers with the ability to monitor organization-wide progress. Pre-existing remote access infrastructure and remote working experience were key in maintaining services. The success of the BCM is evident from the staff surveys: 100 per cent of the staff agreed that the ADPF provided technical infrastructure to support remote working seamlessly, of which 95 per cent felt quality of work under remote arrangements was at par with on-site work.
Table 1 summarizes how social security institutions have benefitted from establishing a BCM. It also shows the institutions indicating that they have applied business continuity management during a shock, especially during the COVID-19 pandemic.
|Indicated that BCM has been applied during a shock
|PPA/GOSI, Saudi Arabia
|GOSI, Saudi Arabia
|ADPF, United Arab Emirates
Critical success factors
The experience of member institutions reveals several key factors that are essential to robust and reliable business continuity management.
A comprehensive business continuity plan is the starting point for effective business continuity management. The success of the CSEPF in Oman stems from a plan with key information on critical tasks, standard operating protocols in case of unforeseen events, information on data and site backup, and standard recovery protocols. It is equally important that the BCP is iteratively developed over time, and is updated after a specific disaster event. Indeed, the BCP and the overall BCM strategy at the CSEPF has continued to evolve since their introduction in 2012.
Planning and administering the BCP requires a strong organizational framework. Appropriate staffing is critical for achieving the results of the BCP. For instance, the PASI in Oman put in place a multi-tiered structure with clearly defined roles and responsibilities. At the helm of the BC and crisis steering committee which took strategic decisions. At the operational level, a functional and an IT team were created. The activities of these teams were coordinated by a coordinator.
Realistic testing of the BCP while managing risks to routine functioning is important. All member institutions highlighted the need to test the BCP regularly for any weaknesses. The CSEPF in Oman cautioned that realistic testing requires deliberately causing primary system failures, and therefore, agencies need to prepare for disruptions to running systems during testing.
Continuous awareness building and training of employees is key to operationalizing the business continuity plan. The PASI in Oman emphasized the importance of business continuity management and respective roles to all employees. The PPA in Saudi Arabia organized more than 30 workshops to foster a culture of BCM. The experience of the National Social Security Administering Body for Employment (BPJS Ketenagakerjaan) in Indonesia reiterates the importance of training: The key concerns from the agency’s trial of BCM in 26 branch offices and 10 regional offices were a lack of comprehension of each personnel’s duties and responsibilities, and incomplete outdated BCP documents (BPJS Ketenagakerjaan, 2020).
A digital strategy is critical for effective BCM, as reinforced by the COVID-19 crisis. The ADPF in Abu Dhabi found that effective internal collaboration during the pandemic would not have been possible without investments into digital solutions for communication and performance management. Similarly, having a properly managed Cloud infrastructure was critical to maintaining MPAO’s services in the Maldives. These experiences were reiterated by social security institutions from South-East Asia during an ISSA webinar. In Malaysia, the Social Security Organization (PERKESO) identified non-digitization of files and limited infrastructure as major limitations to operationalizing the BCP during the pandemic (Social Security Organization, 2020).
In summary, a comprehensive BCM is crucial for building resilient social security operations. While each institution’s BCP is unique, several common aspects emerge in analysing effective BCPs, which in turn underpin successful BCM. First, they should contemplate the full extent of front and back-office business processes of an institution, as well as human and ICT resources. When doing a Business Impact Analysis, organizations should identify external dependencies and include these as part of their risk assessment. Second, proper training at both the corporate and branch levels of the organizations is indispensable. Third, a BCP is not a one-off intervention. Indeed, many institutions start with “simple” technology-focused disaster recovery plans before graduating to full-scale BCMs. Fourthly and relatedly, the BCM system will need be continuously reviewed and updated, not only to reflect post-disaster lessons learned, but also to incorporate evolving business processes and service delivery mechanisms. Fifth, regular testing is crucial – while testing can simulate different levels of failure, a full drill should be done at defined intervals for comprehensive testing and assurance. Finally, BCPs should not be limited to short-term disruptions alone, as demonstrated by the pandemic, planning for protracted events is essential.
The pandemic put to test organization’s BCMs, with the main results being i) smooth transitioning to the remote work environment; ii) core services and delivery channels restored within target timeframes, and iii) organizations were able to keep up with the surge in service demand with adequate customer satisfaction. An explicit strategy for digital operational resilience is key given the inextricable link between ICTs and operational services (ISSA, 2022a), as demonstrated by experiences during the pandemic.
ISSA member institutions have already engaged in increasingly improving their capacity by addressing the different issues involved with establishing a full BCM. Supporting the members, ISSA provides new Guidelines on Continuity and Resilience in Social Security Services and Systems (ISSA, 2022b), which can be applied to institutions in different stages of developments in their journey towards more resilient social security institutions, ensuring service quality, delivery and appropriate response in case of eventual systemic shocks.
Abu Dhabi Pension Fund. 2021. Working remotely: How digital enablement allowed Abu Dhabi Pension Fund to survive as well as thrive through the pandemic (Good practices in social security). Geneva, International Social Security Association.
Balibek, E.; Storkey, I.; Yavuz, H. 2021. Business continuity planning for government cash and debt management. Washington, DC, International Monetary Fund.
BPJS Ketenagakerjaan. 2020. Aggressive growth for sustainable protection. Jakarta, National Social Security Administering Body for Employment.
Civil Service Employees Pension Fund. 2015. Creating business continuity and disaster recovery site (Good practices in social security). Geneva, International Social Security Association.
General Organization for Social Insurance. 2020. Business continuity in the context of the COVID-19 pandemic (Good practices in social security). Geneva, International Social Security Association.
Goh, M. H. 2021. What is business impact analysis? Singapore, BCM Institute.
ISSA. 2019a. ISSA Guidelines on good governance (Revised and extended edition). Geneva, International Social Security Association.
ISSA. 2019b. ISSA Guidelines on information and communication technology (Revised and extended edition). Geneva, International Social Security Association.
ISSA. 2019c. ISSA Guidelines on service quality (Revised edition). Geneva, International Social Security Association.
ISSA. 2022a. Digital operational resilience: Strategies and approaches to protect social security data and operations. Geneva, International Social Security Association.
ISSA. 2022b. ISSA Guidelines on continuity and resilience in social security services and systems (forthcoming). Geneva, International Social Security Association.
ISSA. 2022c. ICT response to Covid-19: Leveraging accelerated digital transformation to build better and more resilient social protection systems (ISSA Technical Commission on Information and Communication Technology, Summary report 2020–2022, forthcoming). Geneva, International Social Security Association.
Maldives Pension Administration Office. 2022. Building resilience and business continuity plans in social security institutions (Presentation at ICT 2022). Tallinn, Estonia.
Public Authority for Social Insurance. 2015. Business Continuity Management System (Good practices in social security). Geneva, International Social Security Association.
Public Authority for Social Insurance. 2021. Implementation of business continuity management system (Good practices in social security). Geneva, International Social Security Association.
Public Pension Agency. 2020. Implementation of business continuity plan at the Public Pension Agency (Good practices in social security). Geneva, International Social Security Association.
Social Security Organisation. 2020. Beyond the first wave of COVID-19: Lessons and challenges from SOCSO Malaysia (Presentation in ISSA webinar). Geneva, International Social Security Association.