Despite pandemic risk being recognised as a global threat, the emergence and rapid transmission of the novel coronavirus (COVID-19) across the world has caught out governments, scientists, and businesses. Despite many organisations having Business Continuity Management (BCM) in place, the plans have been unhelpful in guiding the response to the pandemic. In this article, I will be examining some of the reasons behind this phenomenon and suggesting the best way forward.
COVID-19 Is Different
Unfortunately, the novel coronavirus (COVID-19), has proved to be too different for the science to be stated with any degree of certainty or precision. Even the most basic medical facts could only be gathered once sufficient people had become infected. Many gaps remain, for example whether any immunity develops post infection and how long it might last. The problem has been compounded by a lack of either suitable treatments or current vaccines, resulting in high mortality rates. One of the key lessons already learnt is that if the medical community had realised earlier that people could be contagious without showing symptoms (i.e. asymptomatic), governments might have introduced travel bans sooner, thereby slowing the rate of spread around the world. Many other key lessons will undoubtedly emerge in any post-pandemic review.
Not Paying Attention
At a macro level coronavirus was untimely, with the global economic environment just emerging from a decade of austerity. Governments, along with business leadership, were looking to invest in order to raise productivity, not to stockpile ‘unnecessary’ items such as Personal Protective Equipment (PPE). Protectionism and trade disputes were becoming the hallmarks of many global trading nations, creating pressure on global supply chains. Simply stated: everyone was under-prepared whilst reliant on the same critical resources.
Risk Management Failings
Business Continuity Management (BCM) has developed over the last few decades into a well-defined discipline:
‘A holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realised, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.’
Business Continuity Institute, 2018
As implied by the definition, Threat or Risk assessment is undertaken at an early stage of the process and informs many of the subsequent decisions. Much of this activity has been based around ‘horizon scanning’ – a process of considering current and emerging risks. Many assessments are a combination of national risks, coupled with specific risks relating to the organisation (e.g. geographic location risks, along with sector risks). Unfortunately, there has been a tendency to focus on the higher frequency risks (e.g. cyber) compared with the low probability, but high impact risks (e.g. flooding and pandemic).
If we revisit the UK National Risk Register 2017, it clearly sounds a warning:
‘The emergence of new infectious diseases is unpredictable but evidence indicates it may become more frequent…. No country is immune to an infectious disease in another part of the world. In light of evidence from recent emerging infectious diseases such as Ebola and Zika, the likelihood of this risk has increased since 2015.’
There may be a variety of reasons why this was unheeded, but it can be explained by a common planning error. Having identified business risk and potential threats, the next step in the process is consideration of mitigation measures either through active management; implementing response mechanisms; or risk acceptance. In terms of pandemic risk, many organisations simply accepted the risk, based on an assumption that its either not going to happen anytime soon, or its simply beyond its control. By implication, this approach is stating that pandemic will be handled by government, along with the medical community. Essentially their success in dealing with Ebola and Zika, along with the older MERS, Swine Flu and SARS, provided a false sense of security.
Another common mistake I’ve encountered is overly constrained thinking. Crisis or incident management plans, along with business continuity plans, are seen as rigid ‘play books’ which must be strictly followed in a set sequence of actions. As COVID-19 has ably demonstrated, you never get precisely the incident you plan for, consequently flexibility of response is key. This issue is often compounded by plans containing inappropriate planning assumptions. For example, many organisations set a target recovery window of two weeks. Very few extend the period to a month, whilst virtually nobody considers longer. With the disruptive impact of COVID-19 already projected to last at least 18 months, this fundamental planning assumption needs to be modified as a matter of urgency.
Many senior management teams are reluctant to allocate time for crisis management training. Yet the skills required to make decisions in a pressured situation with only partial information need to be acquired. Leadership ‘under fire’ is very different from business as usual. The tendency to conduct crisis management exercises using ‘reasonable worst case’ scenarios is also problematic. In order to maintain credibility with the participants, scenarios usually remain within plausible bounds. This avoids participants feeling overwhelmed, which frequently occurs when people feel they are either moving outside of an agreed response framework or beyond known reference points. By agreement, some crisis management exercises should be aimed at developing more flexible skills. Practice of situational awareness, through dealing with events which went beyond the base planning assumptions, would have been highly beneficial in responding to COVID-19.
The Way Forward
When dealing with a pandemic, or other low probability, high impact events, Operational Resilience is the best solution. The Business Continuity Institute defines the concept as ‘the ability of an organisation to absorb and adapt in a changing environment.’ Given this definition, we can see that some organisations have been able to demonstrate these capabilities during the current pandemic. Typically, these are Small and Medium size Enterprises (SMEs), and it can be ascribed to their flexibility and ability to innovate. For larger or more complex organisations, now is the time to review their Business Continuity Management programmes and take them to the next level. COVID-19 will be with us for quite some time.