12 minute read 19 Mar 2020
Empty office

COVID-19 and pandemic planning: How companies should respond

By EY Global

Ernst & Young Global Ltd.

12 minute read 19 Mar 2020

Traditional resilience planning doesn’t do enough to prepare for a pandemic. Learn how organizations can improve their response.

The rapidly evolving threat around the COVID-19 virus, commonly referred to as coronavirus, is impacting the business and investor community across the world. The global and interconnected nature of today’s business environment poses serious risk of disruption of global supply chains that can result in significant loss of revenue and adversely impact global economies.

The impact on the global economy may increase depending on the extent of geographic spread of the virus. However, the pandemic has already negatively impacted the global economy as a whole.

Closed signs on wet glass
(Chapter breaker)
1

Chapter 1

Enterprise response

Conventional approaches and why they fall short in today’s environment.

As the event evolves, we are seeing companies take measured approaches to safeguard employees and mitigate financial and operational exposure. For example, at the time of publication of this paper, many multinational businesses have reduced output of facilities and or suspended operations in affected regions, as travel restrictions and mandatory social distancing and homeworking have been invoked. Companies and governments around the world continue to closely monitor the situation.

While cyber risk is a relatively recent consideration in resilience planning, companies have long maintained various resilience plans for business continuity, disaster recovery and crisis management. These plans, while effective for a range of business disruptions, may fall short during a global crisis such as coronavirus or other pandemic events.

Moreover, companies typically have less incentive to invest in distinct pandemic management capabilities since pandemics are lower-probability events (the last major pandemic, H1N1 influenza or swine flu, occurred in 2009). And while firms likely refreshed resilience plans in response to the H1N1 pandemic, it is important to consider differences in today’s environment.

For example, cyber criminals may be more likely to target a situation where security operations centers are largely managed in the affected region. Given the high severity, potential human impacts and greater contagion effect that these events can pose on the ongoing viability of operations, companies must think through the implications to their businesses and develop specific crisis management annexures around pandemic threats. These annexures can serve as critical mechanisms by which companies can coordinate response with federal, state and local authorities, in addition to their own incident response and crisis management framework and protocols, to provide an effective response to these events.

Toilet rolls on shelf
(Chapter breaker)
2

Chapter 2

How to plan and respond differently to pandemics

Why traditional resilience plans are not sufficient to address pandemic-related disruptions.

There are significant differences between business disruptions that are caused by natural, human-made, technology or operational failures and those caused by pandemic events. These differences persist due to the potential increased scale, severity and duration of pandemic events, necessitating the need for organizations to expand beyond traditional resilience planning strategies. Companies must incorporate pandemic planning considerations into existing resilience management activities to provide a comprehensive response and to provide continuity for their most critical products and services.

Additionally, companies should consider establishing pandemic-specific policies and procedures, capabilities for employee communications, telecommuting and personal/family leave to minimize disruptions. Due to their duration, impacts on personnel in the regions that absorb additional work cannot be overstated, from the start of the pandemic to several weeks in, when contractor resources can start to meaningfully contribute. Scale can also vary, and to date it has been regionally concentrated with some global impacts; we have not seen a fully global crippling pandemic yet, although this remains a possibility.

Differences between traditional business disruptions and pandemic-related disruptions are listed below:

Dimension Business disruptions* Pandemic-related disruptions
Scale Localized: impact a specific firm, geography, facility, third party, workforce Systemic: impact everyone, including workforce, customers, suppliers, competitors
Velocity Typically are contained and isolated quickly once root cause of failure is determined Spread rapidly as a market contagion across a geography or even globally with severe cascading impacts
Duration Generally shorter duration of disruption; e.g., less than a week Extended and more long lasting; e.g., can last up to several months
Workforce shortage May result in temporary shortage or repositioning of workforce May result in a quickly increasing, significant shortage of workforce, e.g., more than half the workforce
External coordination May require some coordination with public, government, law enforcement and health officials Require high degree of coordination with public, government, law enforcement and health officials and may require coordination with more than one regional jurisdiction
Infrastructure availability Requires reliance on the availability of public infrastructure (e.g., power, mass transit, telecommunications, internet) to complement primary business strategies May constrain or restrict the availability of public infrastructure as scale and severity of event increases, especially as other companies are impacted by the same issue

* While some of the characteristics and impacts of business disruptions caused by natural disasters (e.g., hurricane, earthquake, tsunami) may be similar to those caused by pandemic events, a natural disaster is limited to a particular area/geography, whereas a pandemic can start in a particular area/geography and quickly spread globally.

Business colleagues having meeting in office conference room
(Chapter breaker)
3

Chapter 3

Key takeaways and next steps for leaders

How to plan and respond differently to pandemics versus traditional resilience planning.

Apply a people-first mindset

The very first priority of an organization during a pandemic should be the safety and well-being of its workforce. Employees are unable to focus on work responsibilities when their well-being and that of their family are in peril. Hence, the critical question firms must address at the onset of a pandemic event is whether their employees are safe, followed by whether they are available to perform critical functions. It is important for companies to be able to monitor the situation, provide a safe workplace and offer their employees the support that they need.

Examples of employee support may include providing access to internal and external resources (e.g., World Health Organization, International SOS, Centers for Disease Control and Prevention), services (e.g., extended child/elder care, transport for late hours) and recognition for employees who take on work for other areas, communicating timely updates to raise awareness and establishing employee standard of care services where possible to provide support to sick personnel or those that are caring for sick household members.

To enable timely two-way communication and employee tracking and to disseminate critical information, companies must validate that emergency notification systems are in place and tested on a routine basis. Alternative communication channels such as social media may be used, especially if the telecommunication network capacity is strained. In addition, companies should deliver pandemic-related training to enhance employee preparedness and alleviate any concerns. 

Plan for geographical segmentation of functions and activities

A pandemic can have severe consequences in impacted areas and geographies, making them inaccessible for an extended period of time. As a component of a business impact analysis, companies identify the chain of activities and functions, along with interdependencies (e.g., people, process, technology, data, facilities, third parties) and related impacts, to inform potential mitigation strategies.

From a pandemic planning perspective, companies should pay closer attention to the geographical concentration of these critical activities and functions, and how to segment them for work transfer to alternate locations and sites. As prudent risk management and to the extent possible, companies should look to diversify supplier base, customers and third-party service providers across geographies to avoid single points of failure and increased exposure due to regional outages and geopolitical events.

Invest in technology and infrastructure to support remote work and virtual collaboration capabilities

A pandemic requires employees to stay home to limit exposure and to prevent or slow down the spread of the disease, requiring the activation of remote working capabilities. Unlike an occasional weather event, which may prompt some employees to work remotely, a pandemic may lead to a complete shutdown of the entire facility in an area, forcing a high number of employees to work remotely for an extended duration. This may in turn result in heavier-than-normal traffic on remote connectivity networks, causing capacity and load access issues.

Companies should invest in tools to enable personnel to work remotely and collaborate virtually, assess their current bandwidth to support remote work, perform periodic network stress testing and identify workarounds for critical tasks that are not executable from home. It is worth noting that while remote working is a viable option for the service sector, it does not work as well for manufacturing, thus resulting in critical impacts on product supply chains.

Consider the systemic nature of pandemics when designing response strategies

Companies must challenge and stretch the boundaries for traditional resilience plans to address pandemic events. During a pandemic, some of the standard strategies such as work transfer to alternate sites, relocation of workforce and staff augmentation may not be viable options as personnel and alternate locations/sites may be just as impacted by the event.

Additionally, degradation or limited availability of core infrastructure such as mass transit, telecommunications and internet may pose further challenges to activating plans and strategies. Companies must carefully design distinct strategies; for instance, inter-affiliate contracts to subcontract work to or alternate supply chain vendors to overcome these barriers, and especially plan around areas of high manual intervention and concentration risks, including single points of failure.

Companies should validate that contracts between country-to-country affiliates are in place to reduce uncertainty of terms, rates, payments and regulatory requirements; data-sharing agreements are addressed within the contracts (e.g., General Data Protection Regulation requirements); and, as required in regulated industries, appropriate licenses are in place to conduct the additional work. Further, downstream dependencies should be considered. For example, if contractor onboarding is concentrated in the impacted region, capabilities in other locations that could be quickly mobilized should be entertained.

Assess reliance on third parties

Companies today have increased interconnectedness with third parties such as outsourced vendors, cloud service providers, data processors, aggregators, payment processors and suppliers for delivery of products and services. These third parties are also vulnerable to pandemic events. Companies must develop a thorough understanding of their critical third, fourth and fifth parties, and their resilience programs, and develop alternate plans, for instance insource strategies or substitutability, if the critical third party’s ability to perform services is impaired.

Companies should also validate alignment between their alternate plans and those of their third parties. Conversely, companies should also identify instances where there may be opportunities to rely on certain third parties with geographically dispersed operations to assist with critical activities performed internally. However, in planning for such third-party alternatives, companies must recognize that their peers and competitors may look to the same third parties for assistance during a market contagion, leading to concentration risk.

Companies must assess third-party capacity and bandwidth considering these market dependencies and, where possible, explore opportunities to embed contractual clauses that allow companies to be prioritized for products and services in relation to their competitors.

Engage with customers

As observed during natural catastrophes, customers are generally more empathetic to degradation or discontinuation of certain products and services during disruptions that are beyond a company’s control and involve life safety concerns than they are toward those that are perceived to be preventable (e.g., system glitches). However, they expect transparency and timely updates.

Companies must continue to communicate with customers through multiple channels, reinforce that customer interests are a priority and provide information to alleviate their concerns. Customers may have specific questions around a company’s supply chain, especially if resources are located in impacted areas, and also may have questions around how those resources may pose any potential risks to them for future use of the company’s products and services.

A clearly drafted frequently-asked-questions document published and disseminated through multiple channels, including the company’s website and social media, can prove to be a useful tool to proactively address customer concerns. Additionally, companies may consider reaching out to affected customers to check in on their safety and offer assistance, where appropriate.

Develop a robust communication strategy (including social media)

Effective communications during any crisis are crucial to maintaining customer trust, restoring employee morale and confidence, and retaining market stability. While companies have a communications strategy and designated points of contact to engage with internal and external stakeholders, often times the messaging is inconsistent and untimely. For companies that have both retail and corporate customers, consistent messaging is key. All channels must reconcile (e.g., social media, customer call centers, public relations releases).

Additionally, events like a pandemic can add another layer of complexity due to circulation of false news and narratives on social media. To provide cohesive and timely enterprise messaging, companies must establish a robust communications strategy that clearly lays out process and protocols to engage with a wide set of stakeholders (e.g., customers, counterparties, regulators, employees, third parties, governments, media, health officials) inclusive of any legal and jurisdictional considerations.

For highly regulated industries such as financial services, health care, and power and utilities, companies should determine and comply with applicable federal, state and local reporting requirements (e.g., disclosure of material risks and impacts), and have a process in place to notify and engage with regulators proactively across various jurisdictions. Furthermore, employees should receive training on the characteristics of a pandemic and how pandemics differ from traditional disasters. Lastly, companies should identify alternatives if corporate communications are centralized in one location.

Team with public sector; national, state and local agencies; and health officials

Pandemics are a public issue first and a business issue second. Hence, it is important for the public and private sector to come together to provide an adequate and comprehensive response to a pandemic event. Companies must leverage advisories, resources and health safety measures prescribed by international, national and local agencies and health officials, and refrain from distributing conflicting materials as this can lead to confusion and fear among employees.

While well intended, companies must closely coordinate on any direct efforts (e.g., providing supplies) to support communities with local agencies to avoid chaos, and to not impede any public assistance efforts underway. Communication strategy and channels to engage effectively with local and national authorities should be established. Companies may set up matching grant and other financial assistance programs to help employees and communities in financial distress during this time.

Increase rigor and complexity of testing

Companies must elevate the complexity of existing scenarios used for testing and simulations to assess preparedness for pandemic events. This includes testing against scenarios that evaluate their response to extended periods of outages; total shutdown of a major operational facility, city or region; increased absenteeism (more than half workforce); multiple outages; and so on.

In addition, companies must rehearse crisis management governance and response, including C-suite executives and delegations of authority at least two levels down from primary decision-makers, so that delegates are well prepared to execute timely decisions in the event primary decision-makers are not available. Companies should also include critical third parties in select tabletop simulations to gain a better understanding of interdependencies and points of coordination, and to assess effectiveness of their resilience plans.

Leverage pandemic command center to prioritize and govern effectively

As time goes by, a widespread pandemic event will assert more pressure on existing resources, infrastructure and technology, resulting in significant degradation of products and services. As resources become constrained, firms must constantly re-prioritize delivery of products and services that are absolutely critical to meet customer needs and provide market stability.

Equally important is a thorough understanding of activities that must be de-prioritized to allow effective repositioning of available resources. Companies must have a clearly documented prioritization framework, inclusive of associated risk tolerances, supported by a robust governance process to make risk acceptance decisions (e.g., discontinuation of certain services) during an event.

Additionally, a pandemic command center setup can go a long way in enabling rapid decision-making, drive clear accountability, provide heightened event monitoring and reporting, and disseminate cohesive enterprise messaging, internally and externally. Companies must also institute a back-end quality control process to identify and rectify errors if work is performed by employees with less tenure and cross-training, or by those operating in overtime conditions.

Establish crisis management exception approval process

In the event of a crisis, there are instances when companies need to deviate from standard policies and procedures to best meet the needs of their customers and employees. For instance, a company may not support or have stringent policies with regard to family travel expenses, overtime or remote work, corporate card usage and so on during the normal course of the business; however, these policy exceptions may be necessary and permissible during an actual crisis.

Companies must expand on existing human resources, finance, legal, operations and business processes to accommodate certain critical exceptions, and clearly communicate the revised policies, criteria and processes to allow such waivers in an accelerated manner. All potential changes to existing policies should be carefully reviewed by risk management, compliance and legal prior to being finalized and should take into account what risks are appropriate to accept and any legal and jurisdictional nuances (e.g., local overtime laws across different geographies).

10 next steps for leaders

  1. Communicate with employees to raise awareness, enforce policies (e.g., travel restrictions) and familiarize them with available tools and resources
  2. If pandemic planning considerations have not been incorporated into existing business continuity and disaster recovery strategies or updated, begin rapid planning or refresh of pandemic strategies and actions
  3. Perform an immediate assessment of processes and functions with high manual intervention and critical third-party dependencies, especially in high vulnerability and impact locations, to understand key risks, including any single points of failure
  4. Review crisis communication plan and designate single points of contact to facilitate seamless engagement with local, national and global authorities, and other key internal and external stakeholders
  5. Identify potential policy exceptions and institute a crisis management exception approval process to manage such exceptions on an accelerated basis in each jurisdiction
  6. Confirm employees have the requisite capabilities, including access to requisite share drives, documents and other critical tools, to perform critical tasks remotely
  7. Review relevant standard operating procedures and manuals and update them, as necessary
  8. Monitor the situation and provide regular briefings to leaders on any emerging threats and issues
  9. Ask employees to confirm and update contact information (primary and secondary) in company records, as necessary
  10. Conduct brief pandemic training with employees to enhance employee and organizational preparedness to respond effectively

Lead through the COVID-19 crisis

We have a clear view of the critical questions and new answers required for effective business continuity and resilience.

Explore

Contact us for immediate support

Gain access to our help with crisis management, business continuity and enterprise resilience.

 

Contact

Summary

Pandemics are a serious wake-up call for supply chain professionals and companies with global operations to develop several alternate sourcing and manufacturing plans in different regions of the world to mitigate the risk from such adverse conditions.

About this article

By EY Global

Ernst & Young Global Ltd.