Pandemic-Based Risk Mitigations
Note: This article was revised on 7 May 2020
So what might a pandemic mitigation approach look like and what controls might be included. Here’s a quick, early analysis derived from an interview with Paul Mercer, managing director of HawkSight Security Risk Management, a security risk consultant based in the United Kingdom.
Preventive Controls
Policy& Procedure
- Pandemic and security awareness training
- Self-identification protocol to identify high-risk or vulnerable personnel
- Cross-training of personnel with critical skills
- Post pandemic lessons learnt
- Update and communicate emergency sick leave policies
- Inform the employee of health insurance benefits
- Establish environmental cleaning protocols
- Incident management plan annex on pandemic
- Business recovery plan
Technology
- Virtual global security operations center
- Temporary CTTV, remote monitoring and response
- A temporary virtual perimeter system
PSC—Physical and manpower
- Seasonal flu shot for employees
Reactive Controls
Team/Competence
- Scenario-based training for all levels of crisis, incident, and emergency response
Redundancy
- Temporary security officers
- Pandemic scenario-based training
- Test enterprise-wide teleworking functionality and communicate to employees
- Identify alternative suppliers
- Identify alternative delivery options
- Procure critical supplies
- Establish emergency financing and cash holding
- Consider childcare for critical staff members
Communication
- Update and test mass notification systems
- Consider facility pandemic signage
- Internal communications plan
- External communications plan
These are a baseline of controls collated from various workshops by emergency response and business continuity specialists over the past weeks. They are far from exhaustive but might stimulate discussion on what controls your business or organization should put in place. What worked, what didn’t, and what was missing so that a documented process for a future pandemic can be developed, communicated, and trained throughout your organization for an extended recovery to this pandemic or a response to the next.
This is a companion piece to "ESRM and the COVID-19 Pandemic" and "Resetting the Business After the COVID-19 Pandemic," which describe how enterprise security risk management enables organizations to act decisively and confidently in times of crisis.
In addition, access all of ASIS International’s pandemic coverage on the Disease Outbreak: Security Resources page.