Coronavirus is not the risk – but it has increased the likelihood of risks in your organisation
Over the last few weeks, I have been observing a constant flow of articles on how organisations should prepare for a Coronavirus outbreak that impacts staff.
There has been a lot of talk of Pandemic Plans and working remotely from home with some organisations considering taking the drastic step of closing down entire operations.
The issue is that Coronavirus is not the risk – it is a cause for risks that have been present within organisations well before this outbreak.
I will look at this from two perspectives – strategic risks and operational/enterprise risks – using specific industries to highlight the points raised.
Strategic Risks
We are hearing how many industries are being affected by the global spread of the virus – particularly travel and tourism companies as well as educational institutions. We will look at some examples from strategic risks that I have previously developed for organisations.
Great Barrier Reef Marine Park Authority
Every tourist that visits the reef is subject to an Environmental Management Charge (EMC). The environmental management charge (EMC) is a charge associated with most commercial activities, including tourism operations, non-tourist charter operations, and facilities, operating under a permit issued by the Great Barrier Reef Marine Park Authority.
These charges range in cost depending on the activity and can be found here: http://www.gbrmpa.gov.au/access-and-use/environmental-management-charge/what-are-the-charges
Needless to say, a significant drop in tourism impacts the levy which, in turn, impacts funding for reef sustainability projects.
So, what were the strategic risks identified that would lead to this outcome?
- Change in geopolitical environment in countries that provide a significant number/ proportion of tourists
- Travel restrictions imposed on countries that provide a significant number/proportion of tourists
- Significant/sustained global economic downturn
Obviously Coronavirus is linked to only the second of these risks; however (and this is the most important point to consider), the materialisation of any of these risks would lead to a reduction in tourist numbers, with the flow-on effect on the EMC.
These were risks well before the Coronavirus and will also be present once it has been controlled.
University
A similar theme emerged when I developed a strategic risk register for a university.
In Australia, universities have a significant reliance on overseas students for revenue. The table below highlights that the proportion of revenue generated from fee-paying overseas students has increased significantly between 2008 and 2017.
Whilst this has been a boon for Universities, an increased reliance on overseas fee-paying students has also left them vulnerable to a number of strategic risks:
- Changes to Commonwealth International Visa rules/requirements
- In-country (China, India etc.) changes to Legislation/Regulation relating to students studying abroad
- Significant global/regional economic downturn
- Change in geopolitical environment in countries that provide significant number/ proportion of overseas students
- Travel restrictions imposed on countries that provide a significant number/proportion of overseas students
Once again, the manner in which it occurs is not the issue, the end result is still the same – fewer students – reduced revenue – panic!!!!
My point here is that if we focus on the cause and not the risk itself, we leave our organisations exposed. My simple question is this: take out Coronavirus and substitute it with any number of things (e.g. conflict between nation states where Australia is allied to one and not the other, trade war, political instability, civil war – just to name a few) and, in both cases presented, the outcome would be the same – a reduction in numbers – but the severity may be different.
In summary, we need to stop trying to consider how it could happen and focus on the most important question: what happens if?
Operational Risks
Once again, for most organisations, Coronavirus is not a risk, it is a cause, particularly when it comes to disruption related risks.
Having everyone work from home might be appropriate for some organisational functions; however, within most organisations there are critical business functions that rely on people and can’t be done remotely.
And this is where I believe a significant number of organisations are ill-prepared, mainly because a pandemic is seen as a risk – and not the cause of a risk.
For those that may not be familiar with the term, a critical business function is defined by www.bcmpedia.org.au as: business activities and processes that must be restored in the event of a disruption to ensure the ability to protect the organization’s assets, meet organizational needs, and satisfy regulations.
Personally, I do not believe this definition to be complete. When I use the term critical business function, I am defining it as: any function carried out by the organisation where a disruption to its provision would result in Severe consequences for the organisation in a short space of time. It is not only critical to have plans in place to restore functions when they are disrupted but also to implement controls to reduce the likelihood of the disruption occurring where possible.
The biggest issue I have with Business Continuity Management as a discipline is that it is focused almost primarily on the following:
- What happens if I cannot access my buildings?
- What happens if I have no people?
- What happens if I lose my IT?
These are not risks, they are causes. Once again, I will use a range of industries that I have worked with to identify and develop strategies for the management of disruption related risks.
Hospital
We will start with an industry where, for the most part, working remotely is not an option. Here are a range of risks where the Coronavirus may be a cause:
- Disruption to hospital catering operations
- Disruption to hospital emergency surgical operations
- Disruption to hospital elective surgery options
- Disruption to hospital emergency room operations
- Disruption to hospital patient care operations
- Disruption to hospital cleaning operations
In the case of a hospital, with those requiring treatment presenting themselves, there is an increased chance of exposure and then transmission. All these functions rely on staff and, in the current environment, there is therefore a significantly higher likelihood that these disruption related risks will materialise.
Council
I recently received an email from a former student that they were required to present to the Council Executive Leadership Team on staffing options and contingency plans for each Division of Council.
Once again, there are a number of functions undertaken by Council that will not be able to be done remotely and, even more importantly, could have significant impacts on Council if they are disrupted. These risks include:
- Disruption to collection and disposal of household and/or industrial waste
- Disruption to in-home care operations (if done by Council)
- Disruption to meals on wheels operations (if done by Council)
I am not sure how it will be possible for Council (or their contractors) to collect waste from home. And if you are a Council that has outsourced rubbish collection and disposal, the continuity of the function is not the responsibility of the contractor – it is the responsibility of Council, something I wrote on a few years back.
Manufacturing Company
Manufacturing companies in this environment may be disrupted by Coronavirus – but not just because of a lack of staff turning up to work. If we look at the risk "Disruption to manufacturing operations", the causes here might be:
- Insufficient staff available for manufacturing operations (illness, industrial action etc.).
- Inability to source raw materials necessary for production (freight restrictions applied; supplies unable to be unloaded at dock etc).
This is going to be particularly problematic in businesses where there are single points of failure in the supply chain.
In all three cases above, these risks are foreseeable, and plans could have been developed in advance in order to reduce the vulnerability (i.e. the likelihood and the consequence).
Other considerations when staff work remotely
The way I have seen it reported and the social media blogs I have read, it would appear that the work from home option is as simple as people logging into laptops from home – but that in itself increases the likelihood of some of your existing risks. To that end, here is a series of questions that organisations will need to answer before moving forward:
- Can our IT infrastructure support the number of users that will be accessing the remote system?
- What are the information security ramifications if people are working from home and have taken sensitive information with them?
- What are the information security implications if workers are accessing the network through personal devices? Is that possible? What happens if I don’t have enough hardware for the required number of people to work remotely?
- What are the WHS implications because people’s homes will be considered as a workplace for the time they are working remotely?
- What will be the implications from a staff well-being perspective of working remotely and not having the ability to interact with colleagues?
- What is the potential impact of working remotely on productivity?
Working remotely might seem like a good idea to reduce the likelihood of the virus spreading through the workforce; however, organisations need to be mindful of the potential to increase the likelihood of occurrence of current risks.
Conclusion
The irony in all of this is that planning for such an eventuality should have been happening for a long time but, of course, many organisations are now scrambling to play catch-up.
The reality is that, at this point in time, the time to implement the strategies required to protect organisations from the impact of the disruption related risks may have passed.
As an example, if you are a Council who has contracted waste removal and disposal to an outsourced provider, what happens if they come to you in the near future and tell you that over 50% of their workforce has been required to be isolated for a period of at least two weeks and the others may well have been exposed as well, so they may need to be isolated in the future?
We had a saying in the Army when posed with these questions: what are you going to do now, platoon commander?
We will simply get another contractor
You could but ………
- The same contractor is probably servicing a number of Councils and they may be experiencing the same thing.
- Other contractors may be in the same boat anyway and not be able to provide.
- The timeframes required to develop the procurement documentation, contract the provider, familiarise them with the routes and commence the service is more likely to be measured in weeks not days.
We will simply use the contractor’s vehicles with our own people
You could but ………
- Does the contract you have for the service allow for that?
- What would be the liability for Council taking over the trucks in terms of insurance?
- Do you have sufficient staff with the required licences?
- How long would it take to get them qualified on that type of vehicle?
- What are the worker’s compensation/WHS implications if Council rushes people through before they display the required level of competence on the vehicle?
We will simply hire vehicles and use our own people
You could but ………
- Who has a spare lot of trucks of this type sitting around waiting to be hired?
- Do you have sufficient staff with the required licences?
- How long would it take to get them qualified on that type of vehicle?
- What are the worker’s compensation/WHS implications if Council rushes people through before they display the required level of competence on the vehicle?
My hope is that the current crisis highlights the fact that Business Continuity Management the way it is currently done is inadequate as it focusses on the cause and not the disruption itself.
For more information please do not hesitate to contact rod@paladinrisk.com.au 0400 666 412