• Search by category

  • Show all

Zombie apocalypse anyone?

March 19, 2018

I cannot help myself; I am a sucker for a zombie movie. I am not alone. More than 50 cities worldwide have taken up World Zombie Day celebrations since the first event was held in the Monroeville Mall, Pittsburgh in 2006. The 2017 event held in London had over a thousand participants.

Zombies and zombie movies have been with us for over 80 years, since Victor Halperin's White Zombie in 1932. Though they are notoriously low budget, most of us have seen at least one zombie movie and possibly an episode of the highly successful Walking Dead television series. Consequently, we are all well versed in the drill. Patient Zero experiences an unfortunate encounter with a leaking canister, an obscure mist or an unidentifiable critter, and then experiences a brief and uncomfortable period of fever that is promptly followed by death. Their demise is short-lived and within 20–30 seconds Patient Zero is reanimated but now with an insatiable desire to eat your brain and an ability to cover 100 metres faster than Usain Bolt (optional). Within 24 hours most of the world has become either a happy eater or a Happy Meal. A small proportion of the population are left adopting any means possible to remain 'normal'.

We all generally identify with the survivors. But why should we survive? In the US, a handy Uzi and an unoccupied toilet cubicle are usually sufficient to ensure you live. I worry what would happen in the UK with fewer public rest facilities and limited access to firearms.

Beyond gun ownership, just how quickly would your business be impacted if there was an actual zombie apocalypse? Obviously, the situation is a little ridiculous. But safety is a prime motivator in the pharmaceutical industry, and it is generally accepted that failing to plan is planning to fail. Similarly, small businesses need to be prepared for all emergencies, including a zombie apocalypse. We are only one freak mutation away from becoming hosts to zombifying organisms or some equally business-debilitating catastrophe. Should that happen, you will be looking back thankfully to the day you read this article.

Modern quality management thinking has moved beyond simple disaster recovery towards the broader concept of organisational resilience [1]. Disaster recovery focuses on restoring systems after an incident, whereas business continuity is concerned with maintaining critical operations throughout the disruption. The International Organization for Standardization's ISO 22301 provides a framework for business continuity management systems [2], while ISO 9001:2015 introduced risk-based thinking as a core principle of quality management [3]. Both standards recognise that resilience requires proactive planning, not merely reactive recovery. Your quality management system should therefore integrate disaster recovery planning as an essential component rather than treating it as a standalone IT procedure.

Below are preparations every small business owner should consider:

Create a disaster recovery and business continuity plan

Most businesses have standard operating procedures, but does your SOP system include a disaster recovery plan? It should. The Quality Team at Niche report that this is the SOP most often missing when we perform reviews, audits and vendor assessments (the other is the SOP on writing SOPs; we are happy to share our template if yours is missing. Email us at info@niche.org.uk).

A disaster recovery plan usually takes the form of a documented process or set of procedures to recover and protect your business infrastructure in the event of a disaster. Such a plan specifies the procedures an organisation must follow. The disaster could be natural or man-made. Man-made disasters might be intentional, for example a break-in, or unintentional, such as commuter disruption following a major derailment. Given our increasing dependency on information technology, disaster recovery plans often focus on the recovery of information technology data, communication resources, assets and facilities required to maintain normal working. The plan usually addresses three basic questions: objective and purpose, roles and responsibilities, and actions to follow when disaster strikes.

Before developing your recovery plan, you should identify which activities are genuinely business critical. In the pharmaceutical sector, these typically include regulatory submissions, clinical trial safety reporting, sponsor communications, payroll, financial systems, document management systems and electronic Trial Master Files. This process, known as Business Impact Analysis, helps you prioritise resources and ensure that the most vital functions receive attention first [4].

There is no single acceptable disaster recovery plan template; no one-size-fits-all. When we prepare these plans for our clients, we make sure we include these three basic components:

  • Preventive measures to identify risk and prevent an event from happening or reduce its impact, such as disaster training.
  • Monitoring procedures taken to discover the presence of any unwanted events, often within IT systems. Their aim is to uncover new potential threats but could include installing fire alarms, using up-to-date antivirus software and installing server and network monitoring software.
  • Corrective activities to define mechanisms by which you can restore optimal functioning after a disaster. These measures may include recovering critical business assets from secure locations, having appropriate insurance policies in place and conducting post-apocalypse lessons learned activities.

A disaster recovery plan sitting on a shelf offers little protection. Organisations should periodically test their recovery procedures through tabletop exercises, simulated outages and recovery drills to identify weaknesses before a genuine emergency occurs [2]. Testing validates that your plan actually works and that your team understands their roles. Without regular testing, you may discover too late that your backups are corrupted, your contact lists are outdated, or your recovery times are unrealistic.

Cyber security considerations

In 2018 ransomware was becoming a significant threat. Today it represents one of the principal reasons organisations activate disaster recovery procedures. Ransomware attacks, phishing campaigns and cloud service outages can paralyse a business just as effectively as any zombie horde. The National Institute of Standards and Technology Cybersecurity Framework provides practical guidance for managing these risks [5]. Essential safeguards include multi-factor authentication, immutable backups that cannot be altered or deleted, offline backup copies stored separately from your main systems, and periodic recovery testing to ensure your backups are actually usable. Cloud service dependence introduces additional vulnerabilities; if your cloud provider experiences an outage, you need contingency arrangements to maintain operations.

Supply chain resilience

Many pharmaceutical companies rely heavily on outsourced vendors. A disaster affecting contract research organisations, cloud providers, laboratories, courier services or document management providers may be just as disruptive as a flood or fire. Vendor contingency planning is now regarded as good quality practice. You should understand your critical suppliers' own business continuity arrangements and consider whether alternative providers are available should your primary vendor become unavailable [6].

Employ survivors

A critical aspect of apocalypse preparation starts with your team. Your company is only as strong as your weakest employee, especially during bad times. So, select your people well. Avoid screamers. You want to hire survivors who will be willing to find new ways to thrive when the dead start to roam the streets. These hustlers tend to do well under any circumstance.

What qualities should you look for? Adaptable employees who can pivot quickly when circumstances change. Resilient individuals who maintain composure under pressure. Team players who understand that no one survives a crisis alone. Employees with diverse skills who can step into different roles as needed. Research on crisis management in small and medium-sized enterprises emphasises that workforce adaptability is a key determinant of organisational survival during disruptions [7]. Your team need to be able to work with others, to offer and thereby receive trust and loyalty, and to balance short-term and long-term thinking.

Establish a succession plan and delegation strategy

No matter how much you prepare, there is always a risk that zombies infect you, your business partner or key employees. What should happen next? Unfortunately, three out of five businesses do not have a succession plan in place to ease the transition if something unexpected happens. If a key person in your organisation falls victim, someone should be ready to take over their role. The hierarchical structure of your business should be clearly documented so transition becomes seamless in times of disaster.

I speak from experience when I say it is especially important for small businesses that you are not the only person who knows what is going on. A disaster is not just a flood or a tsunami; it could be a medical emergency that places you out of commission for several months. Do not leave it too late to train up someone to manage your business. Start grooming your successor and make sure that your business will still be able to operate legally. Key man insurance ensures that the people left after the zombie attack have the financial means to continue operating the business.

Operational redundancy

You might not be able to return to the zombie infestation zone for some time. In most situations, workers will be able to telecommute from their homes or another remote office if adequate equipment and tools are available to them. To minimise the impact of a zombie apocalypse or even a snow day, you should consider building redundancy into your IT infrastructure. Fortunately, zombies have little appetite for electrical cables. So, as long as there is power, the internet should continue working. After all, it was designed as a decentralised network, so even if one location goes down, there are other ways to connect. Points to consider are:

  • Communications: in any disaster, being able to communicate with employees, key agencies and clients is vital. After assessing your situation, the first thing you will want to do is contact your team. Contact lists and mobile phones will allow you to keep everyone informed of what is going on and what plan of action you are going to take to keep the business running.
  • Data availability: you can make your data available to your team through portable data storage backups, cloud services, online servers and virtual private networks. There are plenty of options to securely store gigabytes of data. Types of data you might make available include customer emails, internal emails and Skype contacts; personnel information; important business documents such as employment contracts, partnership agreements or vendor contracts; a backup of your website and blog posts; and to-do lists, job tracking and time tracking systems. Be sure to encrypt any data before making it available online.
  • Hardware: laptops and mobile phones give employees an edge when it comes to power outages, possibly giving them just the time they need to complete their work, update their clients and save their data to your remote servers. Access to portable storage also provides a certain redundancy.

Home workspaces and remote working

The number of people working from home has risen considerably since 2018, and the COVID-19 pandemic fundamentally transformed attitudes towards remote working. What was once an interesting option has become an integral part of many business continuity strategies. Research before the pandemic showed that working from home once a week made married employees in the UK more satisfied with their job and likely to stay longer with their employer [8]. The virtual business model has made its way into pharma, with some companies leveraging remote working and flexible operations, contracting development and manufacturing, and focusing on core management and licensing deals.

Niche Science and Technology Ltd embraced this approach to working in the late 1990s and, after using it for almost a decade, we undertook an analysis of the benefits working from home offers both the employee and employer [9]. These days, businesses often use teleworking as an initiative to recruit and retain valuable employees. At Niche, we have since adapted our model to encompass a more holistic approach to home working that ensures our team members do not miss out on the benefits of office working.

In regulated environments, remote working requires additional considerations. Secure VPNs, cloud collaboration platforms, electronic signatures and validated electronic systems are essential for maintaining compliance when staff work away from the office. Your employees' home workspaces should conform with health and safety requirements and should be configured so that they function exactly like their desks would at the office. You should also consider ergonomic assessments, appropriate IT support and clear policies on data protection and information security.

Human wellbeing

Disasters create stress, and organisational resilience depends heavily on staff wellbeing. Recovery plans should consider communication strategies that keep employees informed and reassured. Mental wellbeing support, including access to counselling services, can help staff cope with anxiety and uncertainty. Flexible working arrangements allow employees to balance work with personal responsibilities during crises. Employee support programmes demonstrate that you value your people, not just their productivity. Research following the COVID-19 pandemic confirmed that organisations which prioritised employee wellbeing experienced better outcomes during disruptions [10].

Conclusions and lessons learned

Zombies may just be a figment of our nightmares now, but there are plenty of everyday setbacks that can have a serious impact on revenue for small businesses. The simple spread of an illness through a company can quickly turn fantasy into reality. Planning and preparation will help you prevent a business from going under even if the undead are roaming the streets.

The lessons learned from any disaster should feed directly into your quality management system through the Plan-Do-Check-Act cycle [3]. Plan your recovery arrangements, do implement them, check their effectiveness through testing and review, and act on what you discover to improve your plans. When you have conducted lessons learned activities after any disaster, however minor, you should consider amending your disaster recovery plan accordingly. This continuous improvement approach ensures that your organisation becomes more resilient with each challenge it faces.

Remember that resilience is not a destination but an ongoing journey. The threats we face evolve constantly, from new cyber risks to emerging infectious diseases. Your disaster recovery and business continuity arrangements should evolve with them. Start preparing today, because the zombies might not wait until you are ready.

References

  1. Hollnagel E. Safety-I and Safety-II: The Past and Future of Safety Management. Ashgate; 2014.
  2. International Organization for Standardization. ISO 22301:2019 Security and resilience – Business continuity management systems – Requirements.
  3. International Organization for Standardization. ISO 9001:2015 Quality management systems – Requirements.
  4. Herbane B. Exploring crisis management in UK small and medium-sized enterprises. Journal of Contingencies and Crisis Management. 2010;18(2):82-95.
  5. National Institute of Standards and Technology. Framework for Improving Critical Infrastructure Cybersecurity.
  6. Sheffi Y. The Resilient Enterprise: Overcoming Vulnerability for Competitive Advantage. MIT Press; 2005.
  7. Taleb NN. The Black Swan: The Impact of the Highly Improbable. Random House; 2007.
  8. Clark SC. Work/family border theory: A new theory of work/family balance. Human Relations. 2000;53(6):747-770.
  9. Gotham S, Hardman TC. Is it possible to work virtually in medical communications/study management? Poster 0-5, ICR 30th Anniversary Conference & Exhibition, ICC Birmingham, UK; 17-18th March 2009.
  10. Kniffin KM, Narayanan J, Anseel F, Antonakis J, Ashford SP, Bakker AB, et al. COVID-19 and the workplace: Implications, issues, and insights for future research and action. American Psychologist. 2021;76(1):63-77.

About the author

Tim Hardman
Managing Director
LinkedIn logo - blue square with white 'in' textView profile
Dr Tim Hardman is Managing Director of Niche Science & Technology Ltd., a bespoke services CRO based in the UK. He also serves as Managing Director at Thromboserin Ltd., an early-stage biotechnology company. Dr Hardman is a keen scientist and an occasional commentator on all aspects of medicine, business and the process of drug development.

Social Shares

Subscribe for updates

* indicates required

Get our latest news and publications

Sign up to our news letter

© 2025 Niche.org.uk     All rights reserved

HomePrivacy policy Corporate Social Responsibility