As states continue the phased reopening of their economies, companies are thinking through how to safely resume previously prohibited interactions with consumers and business partners, as well as how to bring employees back to physical locations.
The reopening of the economy is fraught with concerns that executives must factor into planning, both to be a good corporate citizen and to avoid potential legal liability down the road. Companies need to carefully consider specific actions they can take to ensure the safety of all their stakeholders. They must develop sound processes and procedures, track compliance, and capture evidence that managers and staff are consistently following the documented corporate policy. Diligence in enterprise risk management (ERM) has never been more important.
Indeed, risk managers must play a central role in their businesses’ return to work, with the goal of collectively reducing their organizations’ contribution to a potential second wave of Covid-19. The U.K. government, for example, has put risk management at the core of its return-to-work initiative. Before opening their facilities, organizations are required to conduct a risk assessment, publish it to their stakeholders, and provide evidence that they are effectively monitoring the discovered risks.
By requiring risk assessments to be published to stakeholders, the government is acknowledging the power of the “see-through economy”: the fast-paced transparency achieved when individuals frequently use smartphones to record evidence of organizations’ failure to follow through on actions they have committed to take. The see-through economy ensures that businesses will face consequences if they expose employees, customers, and vendors to a deadly virus. Each individual who is exposed may go on to spread the disease to family members, then to exponentially more people in the community. And technology will enable rapid sharing of information about any organizations that may have facilitated Covid-19’s spread.
The pandemic has served as a wake-up call for many businesses by teaching them hard lessons about their preparedness to sustain operations during an event of this scale. Risk assessments and business continuity procedures certainly existed prior to Covid-19. They were easily attainable by any organization, but they frequently weren’t prioritized. Now, within most businesses, these tools have the full attention of senior leadership, and managers throughout the organization understand their importance. While these topics are top-of-mind, companies should build an infrastructure for routine risk assessments and risk-based monitoring.
Exposures Expand as Businesses Move Closer to ‘Normal’
Many people will jump at governments’ relaxation of social distancing measures over the next several months, eager to put the pandemic behind them. But simply reverting to pre–Covid-19 business practices would be a mistake.
Although many experts are predicting a second wave of the disease in the fall, few companies have performed adequate scenario planning or completed risk assessments that specifically target preparations for such a resurgence. Moreover, few planning models account for the fact that the second wave will likely hit during flu season. Covid-19 and the flu are different viruses, but an individual who contracts both diseases at the same time might be more likely to experience a severe case of Covid-19. The flu compromises the immune system, and a compromised immune system is the underlying condition that can make Covid-19 deadly, even for otherwise healthy 20- to 40-year-olds. For the next few months, corporate risk managers have a window of opportunity to evaluate the impact of the first wave of the pandemic before possibly confronting a second, more disruptive wave in the fall.
Another consideration as local economies reopen is that companies may face legal liability if they do not commit to assessing the effectiveness and safety of their return-to-work policies. For example:
- Healthcare providers opening back up to non–life-threatening procedures and appointments could be found negligent if a patient contracts Covid-19 during one of those procedures. The healthcare providers most likely to be vulnerable to claims of risk management negligence will be those that cannot demonstrate the connection between their internal policies, the risks that might undermine these policies’ effectiveness, and evidence that they have consistently implemented controls and follow-up monitoring.
- Banks looking to reopen physical branches, where currency and paperwork frequently change hands (literally), will need to establish policies requiring social distancing, hand washing, and face coverings. Every branch location will need to collect evidence daily to prove that policies are being followed adequately. A bank that fails to collect evidence of controls’ effectiveness may be unable to defend itself against claims of negligence.
- Institutions of higher education are particularly likely to experience Covid-19 outbreaks because they are hotspots for physical contact among unrelated individuals. Students travel to and from campus, then share dormitory facilities. Libraries have students, faculty, and visitors continuously picking up and putting down items. And avoiding close physical proximity is virtually impossible in spaces such as cafeterias and classrooms. Colleges and universities may be liable if their policies for reopening campuses put students, teaching faculty, and administrators at risk of Covid-19.
In addition to these examples, companies in nearly every industry will face the prospect of employee and customer lawsuits over negligence in preventing the spread of Covid-19. Moreover, our see-through economy nearly guarantees that a poorly executed Covid-19 recovery will be exposed publicly. Businesses and brands that don’t learn from the current situation may suffer backlash and brand damage that, when compounded with an already challenging business environment, could threaten their very survival.
Reduce the Risk
How can your business protect employees and operations, mitigate risks, and learn lessons from the pandemic’s first wave that help it better endure the second wave? What are some questions managers and staff should be asking themselves now to identify vulnerabilities and better manage any impending surprises?
Risk management is key. There are three steps organizations need to take now:
1. Risk assessment. Each company needs to consider its unique circumstances through a risk assessment, to determine possible impacts of a second wave of the virus. Identifying and assessing risks to the organization from different root-cause perspectives is the first step toward building a risk mitigation plan.
Executives should mobilize a cross-functional team of experts, with the mission of identifying all vulnerabilities. Pose these questions (along with many others):
- What happens if a large proportion (say, 40 percent) of the company’s staff are out sick at the same time?
- Where are all our suppliers located? Where are their suppliers located? And which ones are critical to our business continuity?
- What new distancing strategies does the company need to implement to ensure on-site protection?
- What procedures are necessary to minimize litigation risk should an employee or customer fall ill?
The risk assessment should also identify all control measures that the organization has put in place to manage and mitigate the risk of the virus. It must include information about who will monitor these control activities, and how, to ensure that stakeholders are following specified policies at all locations.
After developing their Covid-19 risk assessments, companies need to publish the details, to demonstrate that they take the health of their workers, customers, and broader community seriously.
2. Risk mitigation. The risk assessment should serve as a foundation for designing a risk-based approach to reopening, as well as a business continuity plan that prepares the company’s workforce to maintain operations during the pandemic’s second wave.
Organizations that were successful during the first wave of Covid-19 implemented procedures like routinely taking workers’ temperatures and measuring their oxygen levels, as well as enacting distancing strategies and protocols that prevent people from using shared facilities at the same time. There are places to look for inspiration—such as factories that remained open and largely illness-free during the first wave, due to strict protocols and sound risk management strategies.
Organizations are finding that they typically need to implement, and track the effectiveness of, about 250 wide-ranging hygiene and social distancing guidelines, to ensure a safe return-to-work program. Research risk mitigation strategies that have worked for businesses similar to your own.
Further, businesses can prepare for the second wave of Covid-19 by identifying tasks that they can automate in their risk management programs, to free up resources to design and monitor risk management effectiveness and keep costs reasonable. If workers fall ill, automation will be key to ensuring continued productivity.
Companies can also look for activities that they can eliminate. Sixty percent of siloed business tasks are unnecessarily duplicative. Eliminating unnecessary manual activities now will help prepare the organization for whatever may come in the fall, and for any other unforeseeable business disruptions of the future.
3. Risk-based incident management. Companies need to provide a channel for employees, vendors, and business partners to report on Covid-19–related concerns. They should have an encrypted channel—to protect the privacy of personally identifiable information (PII)—where stakeholders can report that they’ve been in contact with someone who tested positive, that they’re worried the company might be experiencing an outbreak, that others in the organization are not properly following protocols, or that they see weaknesses in the supply chain which might become critical should the virus experience a resurgence.
The company also needs to develop a formal mechanism for dealing with these types of concerns and establish tracking and reports for the new reporting channel. For example, a cross-functional committee that consists of representatives from risk management, compliance, vendor management, HR, security, and audit might review each of these incident web forms. One person on this committee might take responsibility for leading the response to incidents of a particular type, following a predefined workflow and engaging other subject matter experts for follow-up.
Every day, functional leads and their teams should review all the submissions in their subject matter area, in order to stay on top of potential sources of exposure throughout the company and ensure they are being resolved. A 15-minute huddle each morning provides an excellent forum for identifying bottlenecks and allocating resources with accountability.
Corporate risk managers should then hold a brief weekly meeting with all the functional leads to work through any cross-functional collaboration issues. An agenda for these stand-ups might include discussion of:
- What has your team done since we last met?
- What will your team do before we meet again?
- Is anything slowing your team down or getting in their way?
- Are you about to put something in another team’s way?
Providing a channel for reporting concerns is a critical element in a company’s preparations to defend itself against accusations that it has been negligent in dealing with the virus. Maintaining an audit log of actions considered and taken in response to stakeholder concerns is also critical. There is significant legal precedent that this approach not only minimizes the risk of liability and regulatory penalties, but also ultimately protects the company’s reputation.
How ERM Protects Companies
Although Covid-19 is unprecedented in our lifetimes, there are well-established risk management best practices that businesses can deploy to protect their customers, employees, and communities. Companies today may look back and wish they had performed formal risk assessments before Covid-19 hit and determined their risk management readiness for a global pandemic. It is too late for that, but it is not too late to prepare for the second wave.
Companies have an obligation to keep their various stakeholders safe. Those that fail to do so may face legal liability for their negligence. Risk management failures may damage the company’s competitiveness, as well. Asking customers to sign a waiver is not likely to meet their expectations—and will likely result in a loss of business. Meeting or exceeding expectations, while managing the liability, is what a risk management approach is all about.
Risks are everywhere. Still, effective risk management can protect a company from liability, if the corporate response revolves around a comprehensive risk management framework. Businesses preparing for a potential second wave of Covid-19 must enact rigorous risk assessments and follow through with monitoring to collect evidence of their effective controls. Only then will they be prepared to defend themselves against accusations of negligence and preserve their reputations.
They will also provide better protection for the people who come into contact with the organization and will save lives in the process.
Steven Minsky is the CEO and founder of LogicManager, Inc., a leading provider of ERM software solutions. He is the author of the RIMS Risk Maturity Model and has provided companies with risk management advice through several crisis events, including the 2007-2008 recession, the associated TARP bailouts, and the H1N1 pandemic of 2009.