
Every company either has, or definitely “should have”, a Business Continuity Plan (BCP). On paper, they’re reassuring: structured, signed off, tested annually, and neatly filed away for when something goes wrong. The catch? Most of it is hypothetical.
BCPs are built around “what ifs.” What if there’s a snowstorm and no one can get into the office? What if a hurricane takes out power across a region? What if transport links fail, there’s a fire in the building, or even a localized disease outbreak begins to spread?
We try to plan for everything: weather events, infrastructure failures, terrorism, health risks. It’s a long list of ‘what could really go wrong?’ and how we think we will respond in that situation.
But here’s the real question: “what happens when reality doesn’t follow the plan?”
From Theory to Reality
For nearly 25 years, I worked at a major Wall Street investment bank, where one of my responsibilities was overseeing our division’s BCP across EMEA, as well as collaborating with my colleagues on the global plan. I also sat on the firmwide BCP committee, helping shape broader strategy, so I am somewhat seasoned in crisis response. We experienced all manner of threats to which we had to respond: a fire in a major building, terrorism, the tsunami in Asia, bird flu, rail strikes. The list goes on.
Our plans were constantly evolving: updated annually to reflect changes in technology and business needs; adjusted for new compliance and regulatory requirements; reviewed and verified by senior leaders every quarter and tested every year, with key functions like trading ‘testing’ from designated backup sites.
On paper, we were ready for anything. And then COVID-19 happened.
We’d seen outbreaks before—SARS, H1N1 (Swine Flu), Ebola, Zika. Serious, yes, but largely contained. We had “pandemic scenarios” in our plans, but if we’re honest, they were just that—scenarios.
COVID wasn’t a scenario. It was a full-scale, global disruption that changed everything, overnight.
When the Plan Isn’t Enough
When the pandemic hit, the gaps became obvious very quickly. The designated BCP site? Useless—because “everyone” was affected at the same time and had to remain at home. Suddenly, we had to answer questions we hadn’t fully needed to before:
How do you operate when no one can come into the office? What if your systems can’t handle mass remote access? Can regulated activities like trading legally be done from home? Who answers client calls if no one is in the office? How do you maintain compliance and confidentiality? How can you protect sensitive information (MNPI) in a home environment? What happens when employees are sharing space with family—or even competitors? And beyond all of that—how do you keep people safe, productive, and supported?
A Rapid Rewrite in Real Time
The response had to be immediate. Banks, for example, had to seek urgent regulatory approvals to allow trading from home, something that was previously restricted to licensed office environments.
Technology became the biggest challenge. Not all firms had “soft” phone systems in place. Physical trading turrets and desk phones had to be sourced and delivered to homes. VPN capacity had to scale rapidly. Collaboration tools like Zoom and Teams had to be tested, approved and rolled out—fast!
And then there was the human side. Not everyone had a laptop or PC at home. Some staff didn’t even have a suitable workspace. And suddenly, many employees were juggling full-time work with homeschooling children or caring for sick dependents, or were sick themselves and unable to work. It was, without question, a challenge—with a capital C.
What Actually Made the Difference
In the middle of all this, a few things proved absolutely critical.
1. Information is power
Staying on top of developments—globally and locally—allowed decision-makers to respond faster and more effectively.
2. Communication, everywhere
Across teams, across regions, across functions, across the firm. The more aligned people were, the faster changes could be implemented. And the more we knew of people’s challenges, the better placed we were to assist with support.
3. Close partnership with risk and compliance
New ways of working required new approvals. Speed mattered—but so did doing things properly.
4. Technology adoption at pace
Tools that weren’t widely used suddenly became essential. The organizations that adapted fastest gained a real advantage and could continue to effectively communicate with clients and vendors.
5. Team culture and support
Daily check-ins became the norm. Managers made a conscious effort to support junior staff and those living alone. Flexibility wasn’t a perk—it was a necessity.
6. Adaptability over perfection
No plan survived intact. The teams that succeeded were the ones willing to adjust, rethink, and move quickly.
So, What Does “Back to Normal” Look Like?
Spoiler: it’s not a switch you flip. A return-to-normal needs to be phased and thoughtful:
Phase 1: Stabilisation
Ensure systems, people, and processes are functioning reliably in the current environment.
Phase 2: Controlled Return
Gradual reintroduction to office spaces, prioritising critical roles while maintaining flexibility.
Phase 3: Hybrid Optimisation
Refine ways of working—who needs to be in-office vs remote? What functions need to be in-office vs remote?
Phase 4: Long-Term Transformation
Embed lessons learned into future operating models, technology, and BCP strategy.
And throughout all of this, one thing matters: listening to your people.
Are they comfortable returning? Can they physically return? Do they have childcare challenges or travel restrictions? A successful return isn’t just operational—it’s human.
Preparing for the Next Crisis (Because There Will Be One)
If there’s one takeaway from all of this, it’s that you can’t plan for everything—but you can prepare better.
Here’s how:
Think beyond “scenarios” and focus on adaptability, not just specific events.
Invest in scalable technology, especially for remote access and communication.
Test real-world conditions, not just theoretical exercises.
Strengthen cross-functional collaboration; BCP isn’t just an ops issue.
Build a culture of communication, support and trust.
Keep plans alive and update them with real lessons learned, on a regular basis.
Final Thought
A crisis will always be disruptive. That’s unavoidable. But the “impact” of that disruption? That’s something you can influence. Resilience is how well you adapt to challenges and change, ensuring minimal disruption and maximum efficiency under the circumstances.
The companies that navigate crises best aren’t the ones with the most detailed plans—they’re the ones that can adapt those plans, communicate clearly, and support their people when it matters most. And, of course, they continue to serve clients well and remain effective and efficient in spite of the difficulties they face.
We have all been affected by the recent events in the Middle East, whether you are in America, Asia, Europe or the UAE. This too shall pass, and those companies that respond well to the current challenges and work with their people, clients and vendors effectively will come out strongest… and more prepared for the next one.
If there’s one takeaway, it’s this: don’t stop at the obvious. The strongest crisis plans come from pushing past assumptions and thinking about what feels unlikely—or even impossible. You can’t predict every threat, but you can challenge your plans, test their limits, and explore where they might break. It’s not just about planning for disruption; it’s about asking “what if everything fails at once?” Even in situations where options seem restricted—like limits on data movement or backup infrastructure—there’s value in thinking through how you’d respond if those boundaries were suddenly tested or changed.
The more you pressure-test these scenarios and walk through them in real terms, the more adaptable and resilient your response becomes. Because when a crisis hits, it won’t play out exactly as expected.
And when theory becomes reality, it’s not the document that saves you.
It’s how you respond.