Q&A: Agility and Planning for Multinational Pandemic Response
For international business services company PricewaterhouseCoopers (PwC), managing business continuity and crisis response to the coronavirus pandemic has tested its international, regional and national capabilities. However, key steps—such as the early creation of a dedicated task force for information sharing—have driven a more streamlined, agile crisis response.
Radek Havlis, CPP, regional security director with PwC for Central and Eastern Europe (CEE) and Central Asia, shared some of the organization’s most effective actions during the crisis with Security Management, as well as some lessons learned.
With more than 20 years of experience, Havlis is the primary security advisor to the regional leadership team, as well as to each individual PwC CEE member firm spanning from the Czech Republic to Mongolia—encompassing 29 countries and 59 locations. Havlis has a wide range of responsibilities, including security risk assessments, travel security, premises security, information protection, security awareness, incident management, business continuity, and event security.
The full interview is available below.
In the current pandemic, do you feel your organization was adequately prepared? Can you share one thing you were really prepared for and one thing that surprised you?
RH. Indeed we had our business continuity plans and protocols in place, but many aspects had to be addressed and procedures customized on the go to respond to the very fluid developments. I believe there is no organization that has been 100 percent prepared for such a massive global crisis.
What worked very well in our case, especially in the early stages, was the information and communication flow and fast responsiveness. This was particularly important for establishing the risk context and conducting dynamic risk assessments. Also, continuous best practice exchange across our global network and on all organizational levels, as well as the passion of our people, was and still is a very powerful driving force. This, in combination with state-of-the-art technology solutions for remote work and a wide range of digital collaboration tools, enabled our firms to quickly adapt to the new conditions and face the challenges of the new ways of working.
What partly surprised us, nevertheless, was the speed of escalation and some sudden governmental moves, especially in the area of travel restrictions, where we had to deal with quite a number of cases of our people getting stranded in different countries.
How did you adjust your contingency plans for the different regions you oversee? What difference has that made in the current crisis? Can you share any examples?
RH. Our approach consisted of the application of our regional business continuity plan, that was then customized by national business continuity teams to correspond with their local conditions and specifics (e.g. local contact information, governmental information sources, third-party service providers, or defining specific steps to be taken to ensure a smooth transition to a home-office setup). But the regional plan set out comprehensive protocols and communication and escalation procedures to keep our response synchronized and help provide daily tracking on any relevant developments.
The key moment was bringing all important stakeholders together and establishing a dedicated task force, which started feeding information to the regional crisis management team. Extremely useful were also communication protocols and templates for addressing our employees and clients. To ensure accurate, consistent, and timely messaging, communication has been managed centrally on the regional level from the very early stages of the crisis, with great execution at the local territory level.
How are you reporting new risk information and analysis vertically and horizontally?
RH. Though we have a well-developed risk management system with clearly assigned roles and responsibilities, at the same time we are a pretty complex matrix organization, so vertical or horizontal directions aren’t always sufficient for effective reporting.
Instead, multidimensional communication towards all stakeholder groups on different levels must take place so that we receive the needed variety of inputs and opinions and at the end come up with adequate response strategies. But this, indeed, represents a challenge in times of crisis, where speed of reaction is more important than a proper alignment with everyone. So, just like many others, we also had to partly adjust our procedures and streamline reporting lines.
Still, and as already mentioned before, bringing all relevant stakeholders together and at an early stage assuming communication and information sharing protocols—plus utilizing our global network resources and peer knowledge—helped us to cope with this unprecedented crisis and its rapidly evolving character efficiently and effectively.
How has the position or value of your security team changed since the beginning of the pandemic?
RH. There is no doubt that especially business continuity management gained a lot of visibility and exposure towards the entire organization. But most importantly it also gained support and empowerment from our business leaders, who put a lot of trust in the judgment of our experts and recommended actions that needed to be taken to swiftly respond to the new situation. I believe that going forward, this important traction will also help us to further evolve our security and business continuity programs.
How are you preparing for the next phase of the pandemic, including phased recovery in certain countries or roll-back scenarios?
RH. Simply put, we take the same coordinated approach as at the beginning. The regional crisis management team developed a master guidance touching on all physical distancing and hygienic aspects for providing safe working environment to our employees, which among other things also suggests a phasing-in approach and maximum flexibility in terms of hot-desking. This is now being adopted and tailored to local conditions in all our countries, and once it becomes topical—under the oversight of the regional and local leadership—it will be adopted; respectively in some countries this already is implemented.
But at the same time, as most of us got used to remote working and digital collaboration and realized that in many ways it also can be even more productive, we are in the process of rethinking of how the PwC office of the future could look and operate to effectively combine both technologies and tools for virtual work as well as sometimes needed physical contact of our teams.
What are the main risks or security challenges you foresee during the business recovery phase of this pandemic?
RH. From the business continuity perspective, I am concerned about the risk of resurgence of the virus in the coming fall that some epidemiologists warn about and a related need for reapplying restrictions to avoid possibly an even worse second wave of the disease. From the security point of view, it is then the increasing levels of crime in conjunction with layoffs and growing unemployment rates or protests and strikes, which could lead to further economic and political instability in some more volatile countries.
What lessons learned have you gained so far during your response? How will you adjust your business continuity management (BCM) plans for the future?
RH. Of course, there is always room for improvement, so I won’t lie that we haven’t identified it as well.
As we know, BCM can be a difficult area as, in the normal course of business, it requires a lot of effort and cost without any immediate return on engagement or investment. Also, it often asks product, service, or process owners difficult questions, especially in its business impact analysis stage.
It was Dwight D. Eisenhower who said that in preparing for battle, he always found that plans are useless, but it was the planning process itself that was indispensable. I myself was never a friend of robust plans with hundreds of pages nobody in the crisis mode really uses, but rather of simple protocols and guidelines, whenever possible captured in checklists or similar user-friendly formats. So further simplification of our plans is what we’ll be looking at in the weeks to come.
Where are you looking for accurate, relevant guidance about reopening facilities, keeping employees safe, and resuming operations?
RH. There is a massive information overload these days with all different sorts of webinars, podcasts, white papers, and studies a practitioner can often find hard to navigate themselves through. One of the possible ways to cope with this information noise is to recognize which of those companies also speak of their own practical experience in safeguarding their business operations and service provisioning to their customers and—so to speak—walk their talk.
We combine our own knowledge and capabilities with sound industry guidance. But indeed, we also use government sources and recommendations provided by the WHO, CDC, or ECDC.