As most workers who are able to have now settled into working from home arrangements, one of the most significant challenges facing organisations at present is Business Continuity Management (BCM). Our recent article discusses Business Continuity Management and some of the issues that should be addressed in any organisation’s BCM plan. This article seeks to discuss the risks to business continuity posed by COVID-19.
Risk and its Impact on Objectives
If we examine BCM from the perspective of risk, we can readily see why risk is defined in ISO31000 as ”the effect of uncertainty on objectives”. As we are now experiencing, a global pandemic has the potential to catastrophically impact many organisations’ ability to achieve their objectives. These objectives are not just strategic in nature. ISO31000 applies to any organisation, group or individual - we all have objectives.
In a business context, any organisation will have the following three key objectives (although not necessarily articulated in this manner or order of priority):
- the safety and wellbeing of workers, including engaging in safe, meaningful and professionally satisfying work
- the maximisation of value for clients and stakeholders
- maintaining client, stakeholder, and community confidence as a highly reputable organisation.
These fundamental business objectives, or very similar ones, can be significantly disrupted by the current COVID-19 pandemic, particularly with legal restrictions on movement and commerce.
Risk Treatments and Control Measures
We can articulate BCM risk as:
failure to implement and maintain a Business Continuity Management Plan appropriate to the size, nature and level of complexity of the organisation, as well as the interruption to the continuity of business operations.
Many organisations will already be advanced in their planning and implementation of control measures for this risk. However, some organisations may find that they require additional risk treatments or control measures to be put in place after reviewing their BCM risk specifically in the context of the current COVID-19 pandemic.
It is also essential to note that risk treatments or control measures may need to be modified or replaced entirely as more information is reported, and as situations change, which we are seeing on a near daily basis regarding COVID-19. Organisations cannot assume that any plans put in place should remain static. BCM Plans must be reviewed, re-assessed and continually implemented as the situation unfolds, as is the case with any risk management framework.
Nevertheless, the first control measure is to have a BCM Plan in place; accessible and clearly communicated to all staff. If there is no such Plan in place, the organisation should develop one as quickly as possible. Next, review any existing BCM Plan to see whether it is appropriate for the size, nature and complexity of both the organisation and the interruption to continuity of business operations.
Most organisations do have existing BCM Plans in place to care for their workers, such as evacuation plans, informal working from home or remote working arrangements. However, many do not plan adequately for the event of a total closure of the organisation’s primary premises, which can amount to a complete loss of business operational continuity.
Many BCM Plans relate to natural disasters and the destruction of the primary premises. Few organisations have Plans that contemplate a pandemic, and had (until recently) investigated insurance options in relation to business interruption due to pandemics.
Generally speaking, risk treatment can take many forms including:
- changing the likelihood of the event/interruption to continuity
- managing the consequences of the event/interruption to continuity
- risk transfer/sharing
- risk avoidance.
In the context of the COVID-19 pandemic, many of these risk treatments have already been undertaken or attempted through forced isolation of people who have come into contact with confirmed cases, tracing contacts, building closures where there have been confirmed cases, and restrictions on large gatherings. Many of these risk treatments are directed to treating the likelihood aspect.
Strategies for risk transfer can relate to reviewing insurances to see whether there is coverage in existing policies held by the organisation for pandemics, and changes to travel arrangements such as working from home to reduce COVID-19 exposure from public transport and the general public.
What is perhaps most striking in relation to the pandemic is the complexity of the issues involved and the ongoing impact of consequences that go beyond providing working from home arrangements for all workers. There are consequential effects for caregivers who must stay at home to care for children and family, as well as the broader mid-to long-term impacts on the national and global economies.
The challenges at a business level in managing the consequences of a pandemic are not all known yet. We are navigating uncharted territories. The specific challenges will depend on the operating profile of the organisation. Key considerations include which industry the organisation belongs to, whether its workforce can continue remotely, whether it is viable to continue business operations and meet the needs of existing and new clients and customers; and if so, how, and to what extent.