- COVID-19 - Impact
- Operational resilience
- Crisis response planning: Some areas for boards and senior management to consider
- How Norton Rose Fulbright can help
COVID-19 - Impact
The COVID-19 outbreak has been declared a public health emergency of international concern by the World Health Organization, and is having a major impact on people's lives, businesses and the wider economy.
While a significant effort is being made globally to contain the virus, crises such as these can unfold unpredictably. As the situation develops, businesses across all sectors are having to work rapidly to ensure that their services can continue to operate, their staff (and places of work) remain safe and their customers remain properly and appropriately served.
The effective and successful management of such crises is directly related to how well-prepared organisations are to respond. Of critical importance are the key operational resilience considerations that firms need to be across.
Good organisational responses to this crisis should also lead to improvements in your overall risk management and controls framework and greater resilience, versatility and mobility within your business and workforce. Tapping the learnings from your response to COVID-19 will be crucial for your future fitness-for-operation.
The COVID-19 outbreak has brought operational resilience into sharp focus.
The outbreak requires Australian firms to adapt their mind-set from prioritising their own commercial interests to also considering the vulnerabilities of consumers and the market system (in which they operate) as a whole when making decisions.
The ongoing uncertainty and crisis mentality are also highlighting the need for a culture in which firms are forward-looking, making decisions today that help prevent operational incidents tomorrow that would impact consumers, markets and the broader Australian market system.
This changed mind-set means that:
- Firms will be in a position to continue providing business services that are heavily relied on, even in the event of severe operational disruption.
- Robust contingency plans will be in place that take into account high impact but low probability events so firms are prepared for the worst.
Whilst avoiding disruption to particular systems is a contributing factor to operational resilience, it is ultimately the business service of a firm that needs to be resilient. Firms therefore need to:
- Consider the chain of activities that make up the business service, from taking on an obligation to delivery of service, and determine which part of the chain is critical to delivery.
- These activities vary from business to business and in some cases the chain will be long. However, the most critical parts of the service should be operationally resilient, and firms should focus their work on the resources necessary to deliver those activities in the chain.
- Australian boards and senior management not only have to identify the critical business services within their firm but also assess each service's relative importance and then conclude an impact tolerance test on each critical service.
'Impact tolerance' is the upper limit for the impact to a business service that a business can tolerate as a result of severe operational disruption. It should be set by boards and senior management and expressed as a set of metrics on duration, volume or nature of a disruption.
So, when concentrating on their operational resilience, boards and senior management have to consider the following:
- Identify their important business services that, if disrupted, could cause harm to consumers or market integrity.
- Identify and document the people, processes, technology, facilities and information that support a firm's important business services.
- Set impact tolerances for each important business service.
- Test their ability to remain within their impact tolerances through a range of severe but plausible disruption scenarios.
- Conduct lessons learned exercises to identify, prioritise and invest in their ability to respond and recover from disruptions as effectively as possible.
- Develop internal and external communication plans for when important business services are disrupted.
- Create a self-assessment document.
Crisis response planning: Some areas for boards and senior management to consider
A robust crisis response plan and capability is key to minimising the impact the crisis has on a business, its staff and its customers.
Firms should have in place crisis management and business continuity plans as part of their operational resilience frameworks that consider a range of scenarios, including a health pandemic, which should help them respond.
Given the various unknowns at this early stage in respect of COVID-19 and how it may impact nationally and internationally, it's important that firms, if they haven't done so already:
ACTION POINT 1: Assemble a proportionate but robust cross-functional response team to review their plans in detail:
It is possible that an outbreak such as this could touch on all parts of an organisation, therefore it is important to include relevant stakeholders from across the business – HR, communications, customer services, legal, compliance etc. – headed by an appropriately senior individual to ensure it gets the profile it requires.
ACTION POINT 2: Scenario plan and consider the impacts on the crisis response plan:
Consider the range of scenarios that could occur as a result of the crisis in the short, medium and longer term. These should be plausible, but severe in nature, so as to prepare the organisation for what could be a prolonged period of high-stress. Various broad factors can influence this.
Take, for example, the impact of school closures, as we have seen in a number of Australian states already, which may seem like a small and trivial matter at first glance. Some things to think about in respect of this example may include:
- Staff: Will more people need to work from home as a result (particularly those with childcare responsibilities)?
- Systems: If so, will systems accessed remotely be able to cope with a higher number of users for an extended period?
- Operations: If system bandwidth is an issue, are there other things that can be done to reduce the impact (e.g. amend working hours, operate a shift system etc)?
- Customers: If factors impacting the level of service change (such as a change to opening hours), how will this be communicated to customers? How will customers be kept up to date if and when your response changes?
As part of scenario planning, it's important to establish accurate factual information from credible sources. In situations such as these, social media in particular can be awash with inaccurate information or speculation, which may be unhelpful and impair decision-making.
ACTION POINT 3: Test the plan and its key components:
Undertake testing of your crisis response plan using the plausible, but severe, scenarios that you have considered. Some of the key components of the response plan include the communication media that you intend to use to keep staff and other stakeholders up to date on your response to the crisis, systems stress testing and effective/safe management of sites from which you operate, be they head offices, operations hubs or branches.
As you conduct the testing, you should ask:
- What do the results show you?
- To what extent does it highlight previously unforeseen weaknesses that need addressing promptly?
- Which stakeholders need to be involved in addressing these weaknesses and how do you satisfy yourself that once action has been taken, this addresses the weaknesses identified?
All of these factors will serve to enhance your crisis response plan and overall preparedness.
ACTION POINT 4: Communicate to stakeholders:
In fast moving and unpredictable circumstances such as these, clear and timely communication to stakeholders is key.
Staff, customers and regulators are all important stakeholders to keep updated in respect of an organisation's planned response in the run up to and throughout the period of crisis response:
- Staff: Will need to know what is expected of them if the crisis management plan is invoked. Staff will also want to know how their safety has been considered, so this should also form a key element of any communications that are issued.
- Customers: Will need to know the impact that any implementation of a crisis management plan will have on them and this should be communicated in a timely manner. Consider the extent to which their access to services will be impacted in any way. Will online systems / apps be available as normal? Will telephone lines operate as normal? Is it likely response times / processing times will take longer? Clear explanations of the impacts, timescales and reasons behind these will help to manage your relationships with your customers.
- Regulators: Will expect firms to have in place robust crisis management and response plans and may ask to see these or ask you how you are satisfied that your plans are sufficiently robust. Be ready for this as it is likely any request will require an almost immediate response.
How Norton Rose Fulbright can help
We are able to help businesses with their operational resilience and can provide support in the following areas:
- Governance and oversight arrangements in respect of operational resilience matters.
- Management information, reporting and oversight.
- Third party provider risk and controls assessments.
- Scenario planning and building outputs into crisis response plans.
- Preparing for and responding to requests for information from Australian regulators.
- Monitoring the latest developments from Australian regulators.
- Sharing our broader experience in respect of operational resilience matters with relevant management.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.