The rapidly spreading coronavirus has upended business operations and lives around the world. After sweeping through Asia and Europe, the contagion is marching determinedly across the U.S. Organizations are stockpiling cash, slashing spending, laying off workers, and rethinking operations – all without knowing how long this crisis will last.
The relentlessly evolving situation is impacting businesses in numerous, concurrent ways. Crisis plans are being tested, and risk and compliance professionals are doing what they can to mitigate the fallout as this real-life crisis unfolds. Recovery could be hampered if suppliers, distributors, or others in the network are affected or if there are other logistical problems.
This handbook is designed to provide risk and compliance professionals with practical, actionable, timely help in navigating these uncharted waters – and build resilience as we move forward.
U.S. businesses began feeling the effects of the coronavirus long before any COVID-19 cases were reported in North America. In mid-January the world became aware of a rapidly spreading novel coronavirus in Wuhan, China, a manufacturing hub and critical link in many supply chains. Within days, Chinese authorities had imposed quarantine restrictions and factory shutdowns, causing supply-chain anxiety everywhere. Within weeks, the virus had spread around the world, ravaging economies as it traveled.
Before the outbreak, the U.S. was experiencing the lowest level of unemployment in decades. With strict quarantine measures and mandated business closures now in place for most of the country, a new reality is gripping organizations across industries. No organization is immune. If anything, the coronavirus crisis has revealed just how connected all segments of the economy are. Shutting down restaurants, for instance, doesn’t only affect those employees, it also impacts the farmers, bakers, cleaners, linen suppliers, and all the others providing behind-the-scenes support. And those people have their own suppliers, who have their own suppliers – all of which are feeling the effects.
Businesses have adapted to these rapidly changing conditions by sending workers home, cancelling events, and switching to videoconferencing. But the depth of the impact of the coronavirus caught leaders off guard. The closest comparison to the current crisis happened with the Spanish flu pandemic in 1919 – an event not in the collective memories of today’s leaders.
What will the coronavirus pandemic mean to your carefully crafted strategy? How can you effectively manage strategic risks in an environment where conditions are changing by the day – or even by the hour?
Some organizations have responded by flipping production of their own products to pandemic-related products like hand sanitizer, ventilators, masks, gloves, and other PPE. Those products may not be the most profitable and may drag down margins, but it makes sense if the move is aligned with corporate values. Workers may be energized to be part of the cause. And it may keep the lights on.
These moves, however, aren’t without risk. The decision to produce hand sanitizer, in particular, brings in additional risks because it is regulated by the FDA as an over-the-counter product, subject to the agency’s safety and efficacy standards (although the FDA has said it won’t take action against any company that produces it for consumers or healthcare workers).
One thing is clear: traditional approaches to managing risk are useless in a crisis like this. By the time siloed functions come to agreement on action, the moment has not only gone, but the situation you thought you were dealing with has completely changed.
While no one could have imagined the exact depth and breadth of this crisis, some organizations are clearly more prepared, with systems, processes, data, structure, and people in place to quickly understand the situation and make bold decisions.
The coronavirus crisis has revealed just how connected all segments of the economy are.
For risk managers, the coronavirus impact will center on claims, specifically in three areas – workers’ compensation, general liability, and business interruption coverage.
As more and more people are tested and diagnosed with COVID-19, many of those will say that they caught the virus at work, sparking a rise in workers’ comp claims. The issue will be in determining whether the employee did in fact catch the virus at work. Between contact with family members, minor interactions at supermarkets and gas stations, grabbing the mail, picking up takeout meals, and more, how can you definitively trace the point of infection back to the workplace? In most cases, the answer is you can’t.
Workers’ compensation coverage is very jurisdictional. However, one commonality is that compensability generally requires that the illness or disease rise out of the course of employment – and that must be proven. Healthcare workers, first responders, grocery-store clerks, and others on the frontline may have a solid case. But what about other workers? It’s important to have a plan in place to determine how these claims will be handled by your adjusters. Will they be investigated or denied outright? You also want to make sure that the right information is collected.
Work with your broker and insurer to determine what is fully covered under your workers’ compensation insurance, as well as the specific regulations for the state in which the employee resides. Pay particular attention to the language used regarding pandemics and infectious diseases since that is new territory for most companies.
Consider also the message you are sending to employees whose claims are denied. In these times of uncertainty and high anxiety, it’s important to help these workers navigate their healthcare benefits and access needed financial and emotional support.
Have a plan in place to determine how COVID-19 claims will be handled by your adjusters.
Many organizations have physical locations that service the general population. As more people test positive for COVID-19, more will likely allege that they contracted the coronavirus while on your property and interacting with your employees. Similar to workers’ compensation, general liability claims related to COVID-19 will be next to impossible to prove – but that’s not likely to stop an influx of claims.
To protect your organization from COVID-19-related liability claims, start by reviewing the language in your general liability policies, specifically regarding bodily injury and medical payments related to disease and pandemics. And have internal discussions to determine exactly how you want to handle these types of claims. Understanding in advance what you could be liable for will be helpful when and if these claims are adjudicated.
With government shutdowns, quarantines, travel restrictions, shelter in place, and other directives, most organizations will have cause to file business interruption claims because of coronavirus. Whether you are covered depends largely on how business interruption is defined in your policy. Have a conversation with your broker and insurer to establish whether coverage is triggered by a pandemic or its subsequent effects.
In addition, make sure you have what you need to file these claims properly when the time comes. If you have a RMIS, you probably already have values and exposures data required for business interruption claims. If you don’t currently have the required data, take steps now to collect it and store it in one place. Anything you can do ahead of time to gather data and set up reports will speed up the eventual submission and processing of your claim.
The coronavirus plague is ushering in a host of new compliance vulnerabilities. Workplaces are going virtual, strict quarantine measures are being imposed, and business closures have been mandated. Organizations are responding with a dizzying array of process and policy changes.
Companies that operated without well-defined controls are scrambling to keep up with constantly evolving recommendations and requirements. Even those with extensive crisis plans are being pushed to the limit given the magnitude of the current situation. As compliance teams look for a path forward, sustainability and financial resilience will be top priorities.
Here are 8 key areas that compliance teams should focus on now:
Keep up with regulatory status. While numerous regulations have been informally relaxed, little concrete guidance has been officially issued. In short, don’t assume you’ll get a free pass just because regulatory agencies are experiencing their own hurdles in adjusting to this new environment. Compliance mandates still exist, and companies still need to conduct business accordingly.
Be mindful of geographic inconsistencies. Companies must cope with coronavirus-related requirements at the federal and state levels, as well as regional and local levels. With no coordinated national response, what is deemed an essential business in one place, may not be in another – even within the same state.
Define new work rules. If your organization didn’t have a work-from-home policy before, you probably have one now. According to a recent Gartner poll, 88% of organizations have encouraged or required employees to work from home due to coronavirus. Employers everywhere are hurrying to replace arbitrary, discretionary practices with companywide, objective WFH policies that specify what jobs can be done remotely, under what conditions, and what the expectations are.
Tighten cybersecurity. With droves of employees now working from home, it’s more important than ever to have strict guidelines and controls to ensure equipment and work-related documents are protected. While most people are using their secure home Wi-Fi networks, many companies are adding security protocols like multifactor identification for newly installed collaboration platforms and other WFH tools – which is especially critical if employees are using their own personal devices for work tasks. This guide from NIST provides considerations and recommendations for securing remote access.
Map the spread of COVID-19. Track the real-time migration of the coronavirus in relation to your business assets so you can identify emerging high-risk locations and direct additional resources and support to alleviate pressure points.
Understand any provisional regulations. With the deployment of the Defense Protection Act, along with voluntary efforts to pivot business models to produce hand sanitizer, ventilators, PPE, and other products critical to fighting COVID-19, unfamiliar regulations could come into play. Does the current crisis offer protection against product liability, for instance? What about patent infringement?
Reexamine paid leave policies. Numerous new and updated regulations around paid sick and family leaves have been enacted in recent weeks in a push to get sick employees to stay home. The Families First Coronavirus Response Act mandates certain employers provide paid sick leave or expanded family and medical leave for reasons related to the coronavirus through year end. Guidance also has been issued around the coronavirus and FMLA.
Prioritize safety. Essential businesses with physical locations that remain open during the crisis need to be extra vigilant about complying with health and safety rules. While there are no new legal regulations per se, OSHA has issued a host of recommendations regarding social distancing, environmental cleaning, and so forth aimed at preventing the spread of the virus in the workplace. Federal and state agencies are reporting a huge influx of workplace safety complaints. Organizations are urged to create exposure-related control plans, as COVID-19 is considered a recordable illness by OSHA.
Companies will likely face continuing compliance challenges as the situation evolves. Some compliance teams may become consumed with new work like navigating government bailout offers or the temporary Families First Coronavirus Response Act. And other controls may be needed if the work-from-home experiment leads to lasting change in the way we work.
Don’t assume you’ll get a free pass from the regulatory agencies.
No matter how well prepared your organization is, your resilience depends on that of your underlying third parties. In a reality check, some 94% of Fortune 1000 companies said they had experienced a supply-chain disruption because of COVID-19. Under these unprecedented conditions, it’s critical to verify that your vendors, contractors, and other third-party suppliers have continuity measures in place just as strong as your own or everything could come tumbling down.
The main question is whether your suppliers will be able to meet their contractual duties. Here is a checklist to help you get the answers you need:
- Formulate a third-party risk management framework. Establishing a framework sets the tone from the top by clearly delineating ways for business lines and stakeholders to identify and manage risk. A framework also ensures that risk and commercial activities are balanced.
- Take a close look at business continuity and pandemic plans. Ideally, you already have these on file, at least for critical suppliers. If not, request those plans now. Make sure they meet or exceed your requirements – and verify that the plans have been tested.
- Reassess third-party classification status. Massive numbers of employees – your own as well as your suppliers – are now working from home. In this new world order, certain suppliers, such as videoconferencing or laptop support vendors, may have risen to high or critical status if your operations now depend on those functions. Make sure you have complete business continuity plans from any vendor classified as high risk or above.
- Implement clear governance and escalation procedures. Break down silos and encourage collaborative decision-making among business units and functions, including compliance, finance, procurement, supply chain, internal audit, and IT.
- Send out a supplementary risk assessment questionnaire focusing on coronavirus-related risks. Have their operations been negatively impacted by COVID-19? Have locations been forced to close or limit service? Will they be able to meet demand for services? Are their employees working from home? Are you experiencing financial issues related to the coronavirus pandemic? Be sure to ask questions about the health of employees and other relevant issues not typically included in a standard business continuity plan. The responses will help you identify which vendors are trending riskier. You can then follow up directly with any concerning situations. And continue to monitor risk levels as they could change significantly as events unfold.
The coronavirus crisis has reinforced how critical it is to check in with your third parties throughout the entire relationship, not just at onboarding. Regularly review your high-risk vendors to identify security or operational issues. Security and financial ratings also can help identify any shifts in risk posture over time. Of course, monitoring only goes so far. Have a remediation plan in place for any critical risk and vulnerabilities that arise.
94% of Fortune 1000 companies said they had experienced a supply-chain disruption because of COVID-19.
Organizations are making dozens of changes to HR policies in response to this fast-moving crisis. Initial concerns about work-from-home edicts and restrictions on travel have given way to simply keeping employees safe and the company running. Both employees and employers are reeling from an unprecedented amount of change – and employees at all levels are worried about their own health, the health of their family members, and the health of their companies.
Risk, compliance, and HR officials will have to work together to balance the organization’s requirements and employee needs with financial realities. In a crisis situation like this, it’s easy to lose sight of the long-term consequences of any coronavirus-related policy you enact. But how you handle this situation could shape perceptions of your organization for years to come.
Here are 7 actions to mitigate human risk:
Lead with empathy. This is the time for leaders to step up and make sure people feel heard and supported. Listen to colleagues’ fears and concerns, address them in the most productive way possible, and provide accurate, up-to-date information. Be human by sharing personal experiences – and encourage people to connect with each other through informal conversations on calls. In fact, 40% of organizations recently polled by Gartner have set up additional virtual check-ins with employees and managers, and 32% have introduced new tools for virtual meetings. Acknowledge this is an unprecedented and unpleasant situation, but everyone will get through it together.
Provide guidance on working from home. People are working exclusively from home while juggling home schooling, young children, pets, spouses, and more. The shift in routine may prove challenging for some employees – especially if it goes on for an extended period. Offer help with mechanics like setting up a workspace and managing time effectively. And establish new protocols like how you will track check-in and overtime requests for hourly employees and what the expectations are for when team members should be available to collaborate. But be flexible as everyone tries to adjust to the new normal.
Prioritize safety. Workplaces that remain open must ensure social distancing and cleaning regiments are properly implemented to help protect staff. All health and safety policies and protocols should still apply, and they should continue to be monitored.
Focus on wellbeing. With all of the virus-induced anxiety, assisting workers with their mental and physical health has never been more important. Remind employees what benefits are available – healthcare, sick days, time off and leave options, etc. – and how to access this support.
Add training. Many organizations quickly rolled out new communication platforms like videoconferencing and document sharing to keep employees connected and productive. Make sure everyone knows how to use these tools and use them effectively. Don’t assume everyone is tech savvy.
Fortify succession planning. What happens if the CEO is too sick to work? A number of CEOs have already contracted the virus, which has then driven many of their executives into quarantine. While plenty of companies – especially public ones – have detailed succession plans, few to none mapped out a credible response to a pandemic on the scale of the coronavirus. Review backup operating procedures for when key employees fall ill. It’s important to identify potential replacements several levels down the corporate ladder because you don’t know who will become sick or how debilitating the symptoms will be. Executives and other key employees need to be able to step into each other’s roles in an instant.
Retain critical talent. With the financial markets plummeting and a significant part of the economy shut down, companies in all industries and locations are looking to pare expenses and save cash. Unfortunately, payroll is often among the largest expenses, and many organizations are having to make difficult decisions to reduce that expense – including layoffs, furloughs, reduction in hours, or change of employment status—just to stay in business. Think strategically about any headcount reduction. Hang on to critical talent so you can rebound faster when conditions improve.
Risk, compliance, and HR officials will have to work together.
Entire companies, school districts, universities, and government agencies shifted in just days to remote work, putting tremendous strain on existing technology infrastructures and support systems. Even the most prepared organizations that have advanced IT security and control capabilities have never encountered anything like the current level of crisis.
With organizations and employees under stress, cyber criminals are exploiting the situation by targeting individuals with cleverly worded emails that appear to come from an official agency such as the CDC – or even their own company. These emails contain malware attachments that infect computers and confiscate personal information. Cyber criminals also are extorting organizations with ransomware demanding payment to maintain business continuity throughout the crisis and beyond.
At the same time, risks from cloud services, videoconferencing platforms, streaming services, utilities, and other critical infrastructure providers are increasing as heavy demand taxes their systems.
Other vulnerable IT targets include:
Third parties. Your vendors and other third-party suppliers have all of your own IT vulnerabilities – which can be amplified by their own cash-flow problems or supply-chain challenges. Given the interconnectivity of supply chains and seamless digital collaboration with vendors, take a close look at where your weak links are. Medium and smaller suppliers may be particularly vulnerable as they often lack sophisticated security capabilities. And always maintain continued visibility into your vendors’ status to understand if they have heightened security risk.
Unsecured devices. Under high-stress scenarios, exceptions to security standards are more likely to be made. Allowing the use of personal devices and home Wi-Fi networks for work-related activities, for instance, provides significantly less protection than in a typical office environment. And websites routinely blocked by corporate networks may be accessible when working remotely. Shore up security with multifactor identification, strong password requirements, firewalls, VPNs, and the like.
Employees. Even conscientious workers may unintentionally add risk by moving data onto unsecured computers and personal devices. Potential exposure of sensitive information increases legal and reputational risks when computers are not appropriately secured and monitored – especially if that continues undetected. Proactively communicate the risks of handling confidential information when working remotely to help avoid those mistakes.
IT support. Simply providing laptop support to a far-flung workforce will stretch the resources of many IT teams. A remote workforce also makes it harder to identify threats or execute a quick response if a cyber incident does happen. And what if COVID-19 strikes the IT team? Establish and test a backup plan if only a portion of staff is able to work because of illness.
As the economic repercussions of the coronavirus deepen, organizations that need to let people go also will want to be mindful of increased IT risk from disgruntled employees, who often are given the news remotely.
Cyber criminals are exploiting the situation by targeting individuals and businesses with malware.
The rules, norms, and challenges for organizations are changing faster than the coronavirus is spreading. Staying within the boundaries of acceptable risk and maintaining compliance under these conditions is putting risk and compliance professionals to the test. Following is a list of resources to help you navigate this very fluid situation. Check back frequently for updates.
Centers for Disease Control and Prevention (CDC)
Business Pandemic Influenza Planning Checklist – A list of specific activities to help large businesses manage a pandemic
Coronavirus Disease 2019 (COVID-19) Risk Assessment and Public Health Management Decision Making – A flowchart to assess the risk level of employee health
Interim Guidance for Businesses and Employers – Tips on preventing workplace exposures to COVID-19 in nonhealthcare settings
Public Health Recommendations After Travel from Areas with Potential Risk of Exposure to Coronavirus Disease 2019 – Recommended precautions for travel-associated and community-related exposure
World Health Organization (WHO)
A Checklist for Pandemic Influenza Risk and Impact Management – A checklist for pandemic influenza risk and impact management: building capacity for pandemic response. Geneva: World Health Organization
Tool for Influenza Pandemic Risk Assessment (TIPRA) – Criteria on assessing the impact of COVID-19
Department of Labor/OSHA
Guidance on Preparing Workplaces for COVID-19 – Recommendations and descriptions of mandatory safety and health standards
COVID-19 Standards and Directives – Instructions for compliance officers relating to worker exposure to coronavirus
COVID-19 and the Family and Medical Leave Act Questions and Answers – A breakdown of eligibility and provisions related to the FMLA
Families First Coronavirus Response Act: Employee Paid Leave Rights – Details who must provide paid sick leave or expanded family and medical leave for reasons related to COVID-19
Federal Drug Administration (FDA)
Guidance on enforcement policies related to:
Pharmacist Letter: Coronavirus Resource Hub – Free resources from TRC for hospital pharmacists
COVID-19 Coronavirus Outbreak – Cisco Supply Chain Response – FAQs about Cisco’s plan to keep operations running
COVID-19: Operations and Supply Chain Disruption – A PwC editorial on how short-term coronavirus measures can set the foundation for proactive resilience
COVID-19 Checklist – A GBQ roundup of considerations for responding to the coronavirus crisis
What you can do right now to prepare for next crisis
So your black-swan plan wasn’t modeled for a pandemic on the scale of the coronavirus? You aren’t alone.
By definition, the anatomy of a black swan cannot be fully known in advance. While you may be able to anticipate the types of events that could trigger a catastrophic risk, how things play out in real life, how they flow through markets, supply chains, and across borders, is essentially unknowable. The complexities, interdependencies, and uncertainties are simply too great. And COVID-19 has clearly exposed how far reaching and interconnected risks can be.
With crisis management plans out the window, many businesses are thinking creatively about solutions that will help them emerge from the coronavirus relatively intact and ready to go. So far, the organizations that seem to be handling this the best already had well-oiled processes in place to move quickly and decisively in a situation few could have imagined. They know where their risks are and aren’t afraid to make impossibly difficult decisions around the risk-reward calculus of action. Whether it’s shutting down retail outlets and cutting executive pay to keep frontline workers or switching from producing retail window displays to face shields, these organizations are nimble.
Resilience in the face of uncertainty
No matter where your organization is, there are some things you can do now – in the midst of the crisis – to help you become better prepared for the next one. Here are three actions to prioritize today:
- Assess and quantify the risks you’re facing and get leaders aligned on the organization’s exposures. Market share, financial leverage, diversification, and the ratio of fixed and variable costs all come into play.
- Map and prioritize your risks and model the impact on your current strategy. What’s your Plan B – or Plan C? Identify all the weak links and have a plan if one – or more – breaks. Take supply chain, for instance. If you are highly dependent on one company or one country for supplies, consider diversifying with suppliers in different locations, possibly closer to home.
- Note the information you need right now. Are you missing critical information that would help you better navigate this crisis? What parts of your crisis management plan are working? What parts are lacking? What systems, people, data, or processes do you wish you had before making the tough decisions you’ve had to make? What would help you make decisions more confidently? Record all this now while it’s still fresh, otherwise small, but important, details may be forgotten.
In short, what do you need so that you don’t find yourself in the current situation ever again?
The way forward is to focus not only on the risks you know, but on preparing for those you don’t expect. This pandemic is a powerful reminder that risks do not respect silos. An integrated, coordinated response is essential for survival. The coronavirus pandemic may feel like a once-in-a-lifetime experience – but alas, the next crisis will be coming.
For more on operating through the coronavirus pandemic, watch our on-demand Risk@Work webinars, Navigating Chaos: Engaging the First Line of Defense in a Time of Crisis and Navigating Chaos: Monitoring Risk in the Second Line of Defense in a Time of Crisis, featuring internationally recognized GRC expert, Michael Rasmussen. Click here to register for the final webinar in this special, three-part series.