Q&A: CSO Perspectives on COVID-19 Response

Amid floods of information, sales pitches, shifting risks, and staffing challenges, how are enterprise security leaders keeping up during the COVID-19 pandemic? In late March and early April 2020, Security Management interviewed two CSO Center members about how they are managing pandemic responses, working with stakeholders, and presenting updated intelligence, as well as recommendations for other security leaders.

Scott Lowther, CPP, manager of corporate security and HS at PetroChina Canada, shares how his organization is coping with the coronavirus pandemic and how he and his team spun up situational response and trustworthy reporting mechanisms.

What has your organization done to mitigate the effects of the pandemic on operations or the supply chain?

SL. We have been able to stay ahead of the curve as it relates to many mitigations such as an early implementation of educational efforts relating to personal hygiene and physical distancing.

Very early on we formed a COVID Situation Team which met and continues to meet on a regular if not daily basis to discuss what we are doing, what we need to be doing, and when we need to be doing it. This team has issued an ongoing series of COVID-19 Corporate Directives managing such things as employee travel, in person meetings, daily office sanitation, visitor management and assisting our employees to work from home for the foreseeable future. 

At our northern location, we have reduced the worker population at our plant and in our camp to essential staff. This included identifying our essential manpower requirements and determining how we safely feed and accommodate our remote staff, as well as how to get people from their homes to the remote work camp when air traffic is greatly reduced.

Has your response so far matched your existing crisis management or business continuity plans, or did you have to adjust on the fly? If the latter, which challenges surprised you, and how did you respond?

SL. Over the past five years, our organization has invested significantly in our Emergency Response and Business Continuity Plans. The time for building plans has long since passed. We are in a race now, and if you have to take a pit stop to build or rebuild an entire car, versus simply changing a tire or gear ratio, you are losing very valuable time. 

As the person leading our Emergency Response Program, I work hand in hand with our Manager of Risk who oversees our Business Continuity Plan. We have trained all of our applicable staff in Incident Command (ICS) and have conducted countless scenario-based training sessions in recent years. This level of training and competence proved beneficial when dealing with real emergencies such as the Fort McMurray Alberta Wildfire in 2016, and now the COVID-19 pandemic.

When you train like it’s the real thing every time, people know where their seat is at the table and what their respective roles and responsibilities are when the real thing actually happens. There is no gap between this incident and the execution of our response, and that occurs because of our early focus on preparation and training.

As a security leader, how have you worked with other organizational stakeholders during this crisis?

SL. As security leaders we are seeing an almost insurmountable daily deluge of information coming from numerous sources. Some days feel like we are managing information intake versus managing the event. Add to this the almost 200 percent increase in sales-based communications over the past two weeks, and it becomes very easy to become overwhelmed with information overload. What is credible, what is accurate, what is a sales pitch, what is hype, and what is simply fluff?

Every morning I provide a daily briefing to a cross-section of our organization which has to be based on fact based as opposed to hype. As security leaders we need to be very skilled at filtering volumes of data and extracting those nuggets that our organization really needs.

During unprecedented events we need to be nimble and innovative in how we do our jobs. One example of how we have expanded our intelligence capabilities for all things COVID-19 is through the implementation of a weekly Friday afternoon conference call made up of my North American security peers across numerous sectors such as government, energy, education, aviation, and entertainment. It is an off-the-record, no-holds-barred session where we talk about the week that is behind us, what are we seeing in the weeks ahead, and what challenges we are coming up against. We also share intelligence and best practices. The group grows week by week, and using this informal channel has proved to be a great benefit to all involved. 

Do you have any recommendations or key lessons learned so far in the pandemic that might help other security professionals?

SL. I strongly recommend security leaders and those tasked with emergency/crisis management to heed the words of WHO Executive Director Dr. Michael Ryan, delivered during a press conference in mid-March. Dr. Ryan was asked about how COVID-19 compares to his 30+ years of experience dealing with the Ebola virus and what lessons is he applying to this new pandemic. Some of the key points from that message:

• You need to react quickly.
• You need to be coordinated and coherent.
• You need to look at other sectoral impacts.
• Be fast, have no regrets, and be the first mover.
• If you need to be right before you move, you will never win.
• Perfection is the enemy of the good when it comes to emergency management.
• Speed trumps perfection.
• The problem we have at the moment is that everyone is afraid to make a mistake, everyone is afraid of the consequence of error, but the greatest error is not to move and be paralyzed by the fear of failure.

Karen Frank, director of global security for American aerospace manufacturer Pratt & Whitney, shares how ESRM and multidisciplinary resiliency plans have aided in collaboration and response.

Has your response so far matched your existing crisis management or business continuity plans?

KF. Prior to the COVID-19 pandemic, Pratt & Whitney already had a multidisciplinary resiliency approach defined across the various facets of our business inclusive of the business impact analysis, crisis management, business continuity, IT disaster recovery, and business resumption.

While these processes have historically been engaged on a regional basis for a natural disaster such as a hurricane, it has been an impressive test of these processes to engage the model simultaneously on a global footprint. With clearly defined roles, our cross-functional teams have successfully collaborated and responded.

As a security leader, how have you worked with other organizational stakeholders during this crisis?

KF. The embedded Enterprise Security Risk Management (ESRM) approach has served well to enable Global Security to facilitate the crisis management process but also have the cross functional relationships in place to support shared outcomes and not become mired in siloes within organizational charts. Global Security, Legal, Medical, Environment, Health and Safety, Human Resources, Facilities Management, Supply Chain, and Communications are actively partnering with business operational leadership to plan, respond, and reflect for continuous improvement.

Do you have any recommendations or key lessons learned so far in the pandemic that might help other security professionals?

KF. Be honest with yourself and others in this unprecedented global environment. No one has all the answers. Have the courage to readily share that even the best laid plans may encounter shift amid the ambiguity. To mitigate the risk, reach out to peers and leverage the wealth of information amongst the vast network of global security professionals.  

For more pandemic response articles and resources, visit the ASIS Disease Outbreak: Security Resources page.
How are you and your organization adjusting for COVID-19? Share your story on ASIS Connects or email us at [email protected].