Resetting the Business After the COVID-19 Pandemic
These are unprecedented times for us all. Every business is being tested to its very core. Businesses and organisations across the world have spent the past weeks in firefighting mode, reacting to the impact of the COVID-19 pandemic in an attempt to protect the business and its key assets, primarily its people.
In many parts of the world, government-level controls, namely social distancing, appear to be having a positive effect. But such controls cannot be maintained in the long term as the global economy and social fabric are in distress. When a region hits the top of the pandemic curve, both governments and businesses must look to the next phase and begin planning for initial, multi-phased recovery.
So, what must the business do to recover from this global crisis and what should a modern security department’s role, following an enterprise security risk management (ESRM) philosophy, be doing to support it?
A security department must engage with the leaders of the business to help establish the new context in which the business will recover. The business must develop a clear strategic direction to pursue on the other side of the pandemic. To do that, it must answer these questions:
- What are the recovery objectives? (Avoid bankruptcy? Rebuild toward previous revenue targets? Capitalize on opportunity to increase market share?)
- How can the business achieve its recovery objectives?
- What challenges will arise?
The only way to establish such a strategic direction is by talking with people, from the top to the bottom.
A critical aspect of the external context is situational awareness. What is the current state of the pandemic in the areas we operate? Has a second phase hit? What are the existing and emerging security and operational risks to our people, infrastructure, clients, and suppliers? What options do we have for mitigation? Providing a situational analysis on these questions to the business’s key decision makers is the value security brings to reset. Even if the business is still in a quarantine, closed, or minimally operational environment, the time to get started preparing this analysis is now.
The business should not wait for governments to announce an easing of restrictions; they should understand the parameters used by government, track the same data, and forecast where and when restrictions will be lifted to get ahead of the game. To forecast where and when operations are most likely to be resumed, the security function must effectively monitor not only the ongoing pandemic but the emerging security threats that are becoming all too clear to see with civil unrest and crime on the increase worldwide.
In these teleworking times, decision makers need to be able to view and interact with a common operating picture. A digital approach that can be accessed by all who need it, perhaps hosted in the cloud, that can act as a common operating picture or virtual global security operations center (VGSOC). This will empower decision makers to dynamically visualize, on one platform, the following:
- The organizational global footprint; sites and mobile assets
- The ongoing pandemic spread and recovery
- The current and emerging security threats, e.g. civil unrest, increase in crime
Having established a credible and dynamic operational picture for the business or organization, a rapid standardized risk analysis must be conducted across the organization’s global footprint. The operational risk profile of offices and sites must be established and updated. Only now can the business prioritize and identify opportunities for the most efficient recovery strategy.
An integrated approach is essential at this time. The security function must break out of a siloed approach and effectively engage with the business, for example with human resources; health, safety, and environment; and operations to collectively identify current and emerging risks to the business and its recovery objectives as well as to offer collective options for effective mitigation.
In parallel, a post-crisis analysis must be conducted to identify key lessons learned, identifying what control measures worked well and what didn’t, to inform effective response planning for the future. The impact of COVID-19 is unprecedented and offers an incredible opportunity to collate these lessons and to inform plans that will make the business more resilient than it has ever been. Miss this opportunity and the next time such a crisis happens, and it will, the business may not survive.
If the security function simply returns to an outdated compliance approach, their efforts may well be tangential to recovery objectives set by the business in this new environment, rendering the security function irrelevant. This is the time for the security function to demonstrate its value to the business, by adopting an ESRM philosophy. This means the security function demonstrates an in-depth understanding of the business recovery objectives and identifies current and emerging operational risk to these recovery objectives. These risks, developed in parallel with the financial department’s identification of financial risks, provide the business with a more complete view of risk, empowering the business to seize emerging opportunities when safe to do so.
To get started, review “Pandemic-Based Risk Mitigations” and adapt to your situation.
Paul Mercer is founder of HawkSight Security Risk Management in the United Kingdom and a community leader in the ASIS ESRM Community. He has a background in emergency response as a search and rescue helicopter commander in the Royal Navy. He is trained in crisis management at Cranfield University and has a master’s degree in international politics from the University of Glasgow.