As every business continuity manager will be aware, the World Health Organization has designated the COVID-19 outbreak as a pandemic. What should organizations do in response? The first action is to validate your pandemic plan says Geary W. Sikich…
Now that WHO has declared a pandemic what exactly does this mean? Should you be worried? Should your organization be worried? Do all the team members know what their functions, duties and tasks are? Is senior management and the board of directors engaged; have they been briefed? What is the status of your supply chain; ‘value chain’, product/service demand? What is your risk profile now? Can you operate if employees are disrupted by school closures, illness, or recall to active duty (for military and healthcare personnel)? Are you able to continue to pay employees? These are just some of the questions that your organization should be addressing at this time.
To inform these questions and to ensure that your pandemic plan is fit for purpose it is important to validate your plan as soon as possible. As part of this process you need to conduct an exercise that stresses your plan, your people and your touchpoints. In order to get a perspective, you have to do an exercise that lasts more than half a day. I suggest that the exercise be one that lasts at least two weeks and is run through the weekend. Sounds daunting; it is not. By utilizing e-mail prompts and limited meetings you can get a pretty good perspective of your organization and its readiness to handle the stress of a prolonged pandemic.
Avoid six common mistakes
We commonly make some mistakes when exercising our plans. Here are six that we need to avoid:
- We think we can manage by predicting extreme events.
- We are convinced that studying the past will help us manage the future.
- We don’t listen to advice about what we shouldn’t do.
- We assume that risk can be measured by standard deviation.
- We don’t appreciate that what’s mathematically equivalent isn’t psychologically so.
- We are taught linear thinking – problem to solution.
Let’s face it, predicting extreme events is impossible. We can speculate all over the board, but we will never be able to accurately predict extreme events. It is the nature of extreme events to be rare, to have high impact and to be unpredictable. The past is not the future, it is the past! We can learn from the past but it will not help us in the here and now. Who would have thought that China since 2010 would become the world’s greatest trading partner and then suddenly in 2020 fall victim to COVID-19? Or, that the world would be caught flat footed by this coronavirus when the US and the rest of the world had time (from 30th January when WHO declared that the outbreak was a Public Health Emergency Of International Concern) to analyze and begin to ramp up preparations.
We do not listen to advice about what we should not do. In 2010 I wrote my book, ‘Protecting Your Business in a Pandemic’. Few paid attention to the focus of the book; which was about protecting your business operations. Rather, they focused on masks, Tamiflu, Relenza and other non-business related preparations. Assumptions were made that are now proving to be wrong, misdirected and, in many instances, will carry a significant liability exposure from a legal perspective. We seek to measure risk exposure when what we need to do is realize that risk is not static; like the coronavirus, risk changes frequently (ask anyone who trades stocks, commodities, works in logistics). We need to develop a risk parity strategy (see below) and execute it continuously, keeping an eye on indicators from non-related sectors.
We tend to depend on mathematics when humans react to events psychologically, emotionally and in many instances without a lot of forethought. This is why there is panic buying, stockpiling unnecessary items and media driven fear. We are taught linear thinking and do not connect the dots outside of what is readily visible. We therefore end up with ‘transparent vulnerabilities’ that can cascade in unanticipated ways.
Focus on achieving risk parity
Risk parity is a balancing of resources to a risk. You identify a risk and then balance the resources you allocate to buffer against the risk being realized (that is occurring). This is done for all risks that you identify and is a constant process of allocation of resources to buffer the risk based on the expectation of risk occurring and the velocity, impact and ability to sustain resilience against the risk realization. You would apply this and then constantly assess to determine what resources need to be shifted to address the risk. This can be a short-term or long-term effort. The main point is that achieving risk parity is a balancing of resources based on assessment of risk realization. Risk parity is not static, just as risk is not static.
When I say risk is not static, I mean that when you identify a risk and take action to mitigate that risk, the risk changes with regard to your action. The risk may increase or decrease, but it changes due to the action taken. You essentially create a new form of risk that you have to assess with regard to your action to mitigate the original risk. This can become quite complex as others also will be altering the state of the risk by taking actions to buffer the risk. The network that your organization operates in reacts to actions taken to address risk (i.e., value chain - customers, suppliers, etc.) all are reacting and this results in a non-static risk.
A good example in the current pandemic situation would be the purchase of, say 10,000 masks. You have a risk that the masks will not be used; that they will be taken under ‘Imminent Domain’ by government for the greater good of the community; that the stockpile will be insufficient for the demand, etc. These and other considerations change the risk profile (non-static). As cited above, purchasing masks creates new risks. In any event you have altered the risk and it has become non-static due to your actions and/or the actions of others within your network and external to your network. This gets us to non-aligned risk which is a risk that is influenced by nonlinear reaction.
I think that ‘relevance’ is a very significant word relative to key risk indicators (KRIs). You can have an extensive list but if they are not relevant to the organization and its operations, they do little to enhance the risk management efforts. That said, we have to assess non-linearity and opacity with regard to the potential obfuscation of ‘relevance’.
Scenarios that validate plans
You need scenarios that validate the plan, stress the participants, are adaptive to decisions that are made and that do not follow traditional steps to develop and implement. Rather than describing the steps to create and execute a validation exercise, I will list some potential scenarios that can be developed into a simulation with variants. The goal, as always, would be to ensure that your plan provides a workable structure, that people are well trained and that the assumptions made still hold valid in the face of a rapidly changing world.
Consider the following, either singly or in combination to create a realistic scenario that participants can learn from.
- Business interruption issues
- Internal and external communications
- Vendor continuity assurance
- Threat, risk, hazard issues
- Consequence management issues
- High impact locations
- Operations issues
- Logistics issues
- Infrastructure issues
- Financial issues
- Interdependencies and action plans
- Operating with 25 percent or greater absenteeism
- Cross-training issues
- Remote work issues
- Infrastructure support needed to support a shift to an at-home workforce
- Internal travel restriction issues
- Facility evacuation, decontamination (heating, ventilation, air-conditioning systems, electronic equipment, cafeterias, curtains, etc.)
- Protocols for staff members needed for critical functions (cannot work remotely)
- Bringing home traveling employees, particularly if they are sick (quarantine, etc.)
- Escalation procedures compatible with governmental procedures
- On-call staff issues
- Exit strategy (Does your organization have one?)
- Federal, State, local government actions
- Workforce absence
- Travel restrictions
- Meeting limitations
- Supply chain impacts
- Revenue chain impacts (customers – revenue sources)
- Recovery funding issues (no business interruption insurance)
- Financial markets issues
- Sustainability issues
- Natural or technological disaster events.
These are a few possible scenarios to consider. Many more can be added to the list. Of course, you want to develop these scenarios as they apply to your organization and its capabilities and capacity to sustain its operations under an indeterminate period of duress.
The time is now, do not delay
Even though the near-term effects of the COVID-19 pandemic are still impossible to predict, we can clearly see that the long-term effects will be felt in all sectors of society, government and business. Given the vagaries, uncertainties, consequences (readily apparent and yet to materialize) of the pandemic, confidence in a plan with a solid foundation, trained personnel and a continuum of consistent decision making is essential. You cannot allow complacency to enter the organization.
You still have time: exercise your plan and people.
Geary Sikich – entrepreneur, consultant, author and business lecturer
Geary Sikich is a seasoned risk management professional who advises private and public sector executives to develop risk buffering strategies. With a M.Ed. in Counseling and Guidance, his focus is human capital: what people think, who they are, what they need and how they communicate. With over 30 years in management consulting as a trusted advisor, crisis manager, senior executive and educator, he brings unprecedented value to clients worldwide. Well-versed in contingency planning, risk management, human resource development, war gaming, as well as competitive intelligence, issues analysis, global strategy and identification of transparent vulnerabilities. He has developed more than 4,000 plans and conducted over 4,500 simulations from tabletops to full scale integrated exercises. He began his career as an officer in the US Army after completing his BS in Criminology. As a thought leader, Geary leverages his skills in client attraction and the tools of LinkedIn, social media and publishing to help executives in decision analysis, strategy development and risk buffering. A well-known author, his books and articles are readily available on Amazon, Barnes & Noble and the Internet. Geary’s book on pandemic planning, ‘Protecting Your Business in a Pandemic: Plans, Tools, and Advice for Maintaining Business Continuity’ is available on Amazon.