Business Continuity for Remote and Hybrid Workforces: What Changed and What Didn't
On March 11, 2020, the WHO declared COVID-19 a pandemic. Two days later, the FFIEC issued guidance reminding financial institutions that their BCPs “should address pandemics and provide for a preventive program, a documented strategy scaled to the stages of a pandemic outbreak, a comprehensive framework to ensure the continuance of critical operations.”
Most institutions scrambled. Within days, compliance officers were asking questions their BCPs hadn’t answered: How many people can we put on VPN simultaneously? Can our loan origination system be accessed remotely? Who’s authorized to approve wire transfers when the approver is working from a bedroom in New Jersey?
The organizations that handled it best had something the others didn’t: they’d already tested remote work as a BCP scenario, not just a convenience option. Charles Schwab transitioned approximately 95% of its workforce to telecommuting within days, having invested in remote infrastructure ahead of the pandemic. The banks that struggled were the ones that had remote work policies but had never stress-tested whether those policies could sustain critical operations at full scale.
That was five years ago. Remote work is no longer an emergency contingency — it’s the permanent baseline.
TL;DR
- As of 2025, approximately 32.6 million Americans work remotely and 88% of employers offer hybrid options — hybrid work is now a permanent operating model, not a contingency scenario
- Most BCP programs were designed for physical disruptions (alternate sites, disasters), not workforce distribution — COVID exposed that gap, and many programs still haven’t fully closed it
- New BCP requirements for hybrid workforces: VPN and connectivity as documented critical dependencies, remote collaboration tools in the critical system inventory, cross-training that accounts for distributed teams, and tabletop exercises that explicitly test all-remote operations
- FFIEC BCM guidance explicitly requires testing remote access and telecommuting capabilities — not just as a theoretical scenario but as a live test of vendor support, technology capacity, and employee effectiveness
Where We Are Now
The hybrid work statistics tell the story of a permanent shift. According to Robert Half’s 2026 workforce research, approximately 32.6 million Americans work remotely in 2025, representing about 22% of the workforce. Zoom’s 2025 hybrid work report found that 88% of employers provide some hybrid work options. Only 30% of companies plan to completely remove remote work by 2026.
The operational reality: a disruption that would have affected only a remote worker or two now potentially affects a quarter of your workforce on any given day. And unlike a natural disaster or facility outage — where everyone is affected simultaneously and the response is collective — hybrid work creates rolling, distributed availability and connectivity challenges that are harder to see and harder to plan for.
This is what “what didn’t change” means: the fundamentals of BCP — identifying critical functions, defining RTOs and RPOs, planning for dependencies, testing your assumptions — are unchanged. What changed is the dependency map. Your critical functions now depend on technology and connectivity infrastructure that didn’t appear in most BCP risk assessments five years ago.
What COVID Actually Exposed
The pandemic’s BCP lessons weren’t primarily about the virus. They were about what happens when you move 80% of your workforce remote and discover your BCP was written for a world where everyone commutes to the same building.
Technology Capacity Failures
VPN infrastructure built for 10–15% of the workforce working remotely on any given day wasn’t designed for 80–100% simultaneous remote access. Organizations that hadn’t capacity-tested their remote infrastructure discovered the hard way that VPN gateways become single points of failure under full load. Every connection, every transaction, every system access suddenly routes through the same bottleneck.
This isn’t hypothetical: the 2024 Zscaler VPN Risk Report found that 56% of enterprises experienced a cyberattack targeting VPN vulnerabilities in the past year, and 91% of respondents expressed concerns about VPN security. VPN concentration isn’t just a performance risk — it’s a security risk that your BCP must address explicitly.
Process Gaps That Assumed Physical Presence
Approval workflows that required physical signatures. Wire transfer authorizations that went through in-person verification. Document delivery processes that assumed someone could walk down the hall. COVID forced the discovery of these dependencies in real time, often during the most chaotic weeks of operational disruption in modern financial services history.
The lesson: your BCP’s process continuity section must be written as if the building doesn’t exist. If a procedure says “the approver comes to the compliance officer’s desk,” that’s not a remote-capable procedure.
Cross-Training Gaps in Distributed Teams
The FFIEC BCM guidance recommends training at least two or three backup staff for every primary resource performing a critical function. In a traditional office, this is achievable through proximity — people naturally absorb knowledge about adjacent roles. In a hybrid environment, that informal knowledge transfer doesn’t happen. Cross-training must be deliberate, documented, and tested.
Distributed teams also create geographic concentration risks of a different kind: if your three people who know how to run a critical process are all in the same city and that city experiences a localized disruption, your redundancy assumption is wrong.
The New BCP Requirements for Hybrid Workforces
VPN and Connectivity as Documented Critical Dependencies
Your BCP’s technology dependency section should now include:
| Dependency | Documentation Required | Recovery Option |
|---|---|---|
| VPN / ZTNA gateway | Capacity under full remote load, failover procedure | Secondary gateway or ZTNA alternative |
| Collaboration platform (Teams/Zoom/Slack) | Vendor SLA, outage history | Backup communication channel (SMS bridge, phone tree) |
| Cloud/SaaS access | Provider uptime SLA, outage notification procedures | Offline access or manual fallback |
| Home internet for critical roles | Minimum bandwidth requirement | Mobile hotspot or alternate location |
| Endpoint management | Device inventory, remote wipe capability | Lost/stolen device procedure |
The 59% of organizations now planning to adopt Zero Trust Network Access (ZTNA) within two years are partly motivated by security — but ZTNA also eliminates the VPN single point of failure, which is a direct BCP benefit.
Remote Communication Protocols
Your BCP crisis communication plan was probably written assuming the executive team is in the office and can be physically assembled. Test this assumption: if your primary communication platform (Teams, Slack, email) is down — because of a cyber incident, a vendor outage, or a broader internet disruption — how does your leadership team communicate?
Most organizations discover during tabletop exercises that nobody has an up-to-date phone list for critical staff, that mobile numbers are stored in corporate directory systems that are inaccessible when those systems are down, and that out-of-band communication has never been tested. This is a standard finding from remote-scenario tabletops, and it’s straightforward to fix — but only if you test for it.
See the 10 tabletop exercise scenarios for business continuity for exercises that specifically test remote communication and distributed team response.
Vendor Remote Work Dependencies
Your critical vendors also went remote during COVID — and many stayed that way. Your vendor BCP assessments (per the FFIEC BCM requirements) should now explicitly ask: “What percentage of your staff supporting our engagement is remote or hybrid, and how does your BCP address continuity if your remote infrastructure fails?”
If your critical vendor’s support team is fully remote, their VPN outage is your operational outage. That dependency belongs in your BIA.
What Didn’t Change
The fundamentals remain constant. A business impact analysis still identifies critical functions, assigns RTOs and RPOs, and maps dependencies — the methodology hasn’t changed, just the inventory of dependencies. Recovery time objectives are technology-agnostic: whether you’re recovering from a flood or a VPN outage, a 4-hour RTO is a 4-hour RTO.
Testing requirements from the FFIEC BCM booklet haven’t changed — annual exercise requirements, management review, and findings remediation are the same whether your team is in-office or fully remote. What has changed is the content of those exercises. The OCC’s pandemic guidance (Bulletin 2020-13) reinforced that scenario testing should explicitly include remote access and telecommuting capabilities.
The regulatory expectation for operational resilience — maintaining critical business functions within defined impact tolerances — is unchanged. See the broader discussion in Operational Resilience vs. Business Continuity: The Regulatory Shift for how the framing has evolved while the underlying obligation hasn’t.
Building Your Hybrid-Ready BCP: A Practical Checklist
Business Impact Analysis updates:
- Document remote work and VPN/ZTNA as explicit technology dependencies for critical functions
- Identify critical functions that require physical presence (cannot be performed remotely) and document their backup coverage
- Assess vendor remote work capability for all critical and high-tier vendors
- Update staff availability assumptions to reflect geographic distribution of your team
Plan updates:
- Add a “full remote operations” scenario to your BCP alongside existing facility-outage and disaster scenarios
- Update approval and authorization workflows to function without physical presence
- Document out-of-band communication procedures with verified current contact information
- Specify minimum connectivity requirements for critical roles and backup connectivity options
Testing:
- Annual tabletop exercise includes a remote-operations scenario
- VPN/ZTNA capacity tested under simulated full-remote load
- Communication protocols tested with primary channels unavailable
- Cross-training matrix reviewed and tested for distributed team coverage
So What?
Five years after COVID, hybrid work is table stakes — not a contingency. The organizations that are most resilient have updated their BCPs to treat distributed operations as the default, not the exception. Their BIAs include connectivity infrastructure. Their playbooks work without physical co-location. Their tabletop exercises test what actually happens when everyone is remote and something breaks.
If your BCP was last updated before 2020 and hasn’t been substantially revised since, there’s a specific section you should check first: the technology dependencies section. If it doesn’t list VPN, remote collaboration tools, and home internet access as documented dependencies with documented backup options, your BCP is describing a world that no longer exists.
That gap is solvable. It starts with a BIA update and a tabletop exercise that actually tests remote operations — not just remote access, but remote decision-making, remote communication, and remote execution of the manual procedures your critical functions depend on when systems fail.
The Business Continuity & Disaster Recovery Kit includes a BIA template that captures remote work and technology dependencies, BCP templates with remote operations procedures, and a tabletop exercise kit with facilitator guide and scenario cards — including a remote-operations scenario designed specifically for distributed teams.
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.