Contribution by EY.
Spreading contagion – coronavirus effects on the working world
The rapidly evolving threat around the COVID-19 virus has raised concerns among the business and investor community across the world. The global and interconnected nature of today’s business environment poses serious risk of disruption of global supply chains that can result in significant loss of revenue and adversely impact global economies.
As the uncertainty around the evolving event persists, we are starting to see companies take measured approaches to safeguard employees and mitigate financial and operational exposure. Companies and governments around the world continue to closely monitor the situation.
While cyber risk is a relatively recent consideration in resilience planning, companies have long maintained various resilience plans for business continuity, disaster recovery, and crisis management. These plans, while effective for a range of business disruptions, may fall short during a global crisis such as coronavirus or other pandemic events. Moreover, companies typically have less incentive to invest in distinct pandemic management capabilities since pandemics are lower-probability events (the last major pandemic, H1N1 influenza or swine flu, occurred in 2009). And while firms likely refreshed resilience plans in response to the H1N1 pandemic, it is important to consider differences in today’s environment. Companies must think through the implications to their businesses and develop specific crisis management annexures around pandemic threats.
Importance of pandemic planning – why traditional resilience plans are not sufficient to address pandemic-related disruptions
Business disruptions caused by pandemic events differ from those caused by natural, human-made, technology or operational failures because of their potentially greater scale, severity and duration, which requires organizations to expand beyond traditional resilience planning strategies. Companies must incorporate pandemic planning considerations into existing resilience management activities to provide a comprehensive response and to provide continuity for their most critical products and services. Additionally, companies should consider establishing pandemic-specific policies and procedures, capabilities for employee communications, telecommuting and personal/family leave to minimize disruptions.
Key takeaways – how to plan and respond differently to pandemics versus traditional resilience planning
Apply a people-first mindset: The very first priority of an organization during a pandemic should be the safety and well-being of its workforce. Employees are unable to focus on work responsibilities when their well-being and that of their family are in peril. It is important for companies to be able to monitor the situation, provide a safe workplace and offer their employees the support that they need. Examples of employee support may include providing access to internal and external resources (e.g., World Health Organization, International SOS, Centers for Disease Control and Prevention), services (e.g., extended child/elder care, transport for late hours) and recognition for employees who take on work for other areas, communicating timely updates to raise awareness and establishing employee standard of care services where possible to provide support to sick personnel or those that are caring for sick household members. To enable timely two-way communication and employee tracking and to disseminate critical information, companies must validate that emergency notification systems are in place and tested on a routine basis. In addition, companies should deliver pandemic-related training to enhance employee preparedness and alleviate any concerns.
Plan for geographical segmentation of functions and activities: A pandemic can have severe consequences in impacted areas and geographies, making them inaccessible for an extended period of time. As a component of a business impact analysis, companies identify the chain of activities and functions, along with interdependencies (e.g., people, process, technology, data, facilities, third parties) and related impacts, to inform potential mitigation strategies. From a pandemic planning perspective, companies should pay closer attention to the geographical concentration of these critical activities and functions, and how to segment them for work transfer to alternate locations and sites. As prudent risk management and to the extent possible, companies should look to diversify supplier base, customers and third-party service providers across geographies to avoid single points of failure.
Invest in technology and infrastructure to support remote work and virtual collaboration capabilities: A pandemic requires employees to stay home to limit exposure and to prevent or slow down the spread of the disease, requiring the activation of remote working capabilities. A pandemic may lead to a complete shutdown of the entire facility in an area, forcing a high number of employees to work remotely for an extended duration. This may in turn result in heavier-than-normal traffic on remote connectivity networks, causing capacity and load access issues. Companies should invest in tools to enable personnel to work remotely and collaborate virtually, perform periodic network stress testing and identify workarounds for critical tasks that are not executable from home. It is worth noting that remote working is not a viable option for manufacturing, thus resulting in critical impacts on product supply chains.
Consider the systemic nature of pandemics when designing response strategies: Companies must challenge and stretch the boundaries for traditional resilience plans to address pandemic events and carefully design distinct strategies; for instance, inter-affiliate contracts to subcontract work, or alternate supply chain vendors, to overcome these barriers. Companies should validate that contracts between country-to-country affiliates are in place to reduce uncertainty of terms, rates, payments and regulatory requirements; data-sharing agreements are addressed within the contracts (e.g., General Data Protection Regulation requirements); and, as required in regulated industries, appropriate licenses are in place to conduct the additional work. Further, downstream dependencies should be considered. For example, if contractor onboarding is concentrated in the impacted region, capabilities in other locations that could be quickly mobilized should be entertained.
Assess reliance on third parties: Companies today have increased interconnectedness with third parties, which are also vulnerable to pandemic events. Companies must develop a thorough understanding of their critical third, fourth and fifth parties, and their resilience programs, and develop alternate plans, for instance insource strategies or substitutability, if the critical third party’s ability to perform services is impaired. Companies should also validate alignment between their alternate plans and those of their third parties. However, companies must recognize that their peers and competitors may look to the same third parties for assistance during a market contagion, leading to concentration risk. Where possible, companies must explore opportunities to embed contractual clauses that allow them to be prioritized for products and services in relation to their competitors.
Engage with customers: Customers are generally more empathetic to degradation or discontinuation of certain products and services during disruptions that are beyond a company’s control and involve life safety concerns than they are toward those that are perceived to be preventable (e.g., system glitches). However, they expect transparency and timely updates. Customers may have specific questions around a company’s supply chain, especially if resources are located in impacted areas, and also may have questions around how those resources may pose any potential risks to them for future use of the company’s products and services. A clearly drafted frequently-asked-questions document published and disseminated through multiple channels, including the company’s website and social media, can prove to be a useful tool to proactively address customer concerns.
Develop a robust communication strategy (including social media): Effective communications during any crisis are crucial to maintaining customer trust, restoring employee morale and confidence, and retaining market stability. For companies that have both retail and corporate customers, consistent messaging is key. All channels must reconcile (e.g., social media, customer call centers, public relations releases). Additionally, events like a pandemic can add another layer of complexity due to circulation of false news and narratives on social media. Companies must establish a robust communications strategy that clearly lays out process and protocols to engage with a wide set of stakeholders inclusive of any legal and jurisdictional considerations. For highly regulated industries such as financial services, health care, and power and utilities, companies should determine and comply with applicable federal, state and local reporting requirements (e.g., disclosure of material risks and impacts), and have a process in place to notify and engage with regulators proactively across various jurisdictions.
Team with public sector; national, state and local agencies; and health officials: Pandemics are a public issue first and a business issue second. Hence, it is important for the public and private sector to come together to provide an adequate and comprehensive response to a pandemic event. Companies must leverage advisories, resources and health safety measures prescribed by international, national and local agencies and health officials, and refrain from distributing conflicting materials as this can lead to confusion and fear among employees. Companies may set up matching-grant and other financial assistance programs to help employees and communities in financial distress during this time.
Increase rigor and complexity of testing: Companies must elevate the complexity of existing scenarios used for testing and simulations to assess preparedness for pandemic events. In addition, companies must rehearse crisis management governance and response, including C-suite executives and delegations of authority at least two levels down from primary decision-makers, so that delegates are well prepared to execute timely decisions in the event primary decision-makers are not available. Companies should also include critical third parties in select tabletop simulations to gain a better understanding of interdependencies and points of coordination, and to assess effectiveness of their resilience plans.
Leverage pandemic command center to prioritize and govern effectively: As time goes by, a widespread pandemic event will exert more pressure on existing resources, infrastructure and technology. As resources become constrained, firms must constantly re-prioritize delivery of products and services that are absolutely critical to meet customer needs and provide market stability. Equally important is a thorough understanding of activities that must be de-prioritized to allow effective repositioning of available resources. Companies must have a clearly documented prioritization framework, inclusive of associated risk tolerances, supported by a robust governance process to make risk acceptance decisions (e.g., discontinuation of certain services) during an event.
Establish crisis management exception approval process: In the event of a crisis, there are instances when companies need to deviate from standard policies and procedures to best meet the needs of their customers and employees. For instance, a company may not support or have stringent policies with regard to overtime or remote work, corporate card usage and so on during the normal course of the business; however, these policy exceptions may be necessary and permissible during an actual crisis. All potential changes to existing policies should be carefully reviewed by risk management, compliance and legal prior to being finalized and should take into account what risks are appropriate to accept.
What should companies do now?
- Communicate with employees to raise awareness, enforce policies (e.g., travel restrictions) and familiarize them with available tools and resources
- If pandemic planning considerations have not been incorporated into existing business continuity and disaster recovery strategies or updated, begin rapid planning or refresh of pandemic strategies and actions
- Perform an immediate assessment of processes and functions with high manual intervention and critical third-party dependencies, especially in high-vulnerability and impact locations, to understand key risks, including any single points of failure
- Review crisis communication plan and designate single points of contact to facilitate seamless engagement with local, national and global authorities, and other key internal and external stakeholders
- Identify potential policy exceptions and institute a crisis management exception approval process to manage such exceptions on an accelerated basis in each jurisdiction
- Confirm employees have the requisite capabilities, including access to requisite share drives, documents and other critical tools, to perform critical tasks remotely
- Review relevant standard operating procedures and manuals and update them, as necessary
- Monitor the situation and provide regular briefings to leaders on any emerging threats and issues
- Ask employees to confirm and update contact information (primary and secondary) in company records, as necessary
- Conduct brief pandemic training with employees to enhance employee and organizational preparedness to respond effectively
Alessandro Cataldo, Ernst & Young Ltd, Lugano
Partner, Transaction Advisory Services
Fabio Nani, Ernst & Young Ltd, Lugano
Executive Director, Transaction Advisory Services