COVID-19: The Ultimate Tabletop Exercise

COVID-19 is proving to be the ultimate tabletop exercise for 2020. ERM professionals have been required to bring their organizations up to speed on their business continuity plans (BCP). COVID-19 has required many businesses to quickly transition to a 100 percent remote workforce. Maintaining IT systems, validating contact information on phone trees and ensuring that IT security mechanisms are in place are top priorities. Equally important is publicizing the availability of EAP services and other critical supports for employees as it relates to their emotional, mental and physical well-being.

Prior to the COVID-19 pandemic, ERM professionals continually emphasized the need to be vigilant and to be ready for what’s around the corner. ERM departments proactively monitor the global landscape in their role as organizational early-warning systems. ERM functions need to walk a fine line, balancing the need to be aware and ready for the next unanticipated business interruption and at the same time guarding the credibility of the ERM function itself, which could fall victim to a “the sky is falling” perception. A systematic approach of raising awareness by building broad-based contingency plans that focus on people, processes and IT systems will serve your organizations well as they navigate uncharted territories.

While we hope for the best, we prepare for the worst. At some time, hopefully sooner rather than later, things will return to normal. ERM professionals should take full advantage of our business leaders’ heightened sensitivities around this unprecedented challenge. As business operations return to a state of normalcy, we shouldn’t waste the opportunity to take a critical look at where our BCP failed to make the grade. A critical self-analysis of shortcomings, blind spots, gaps and missed opportunities will serve our organizations well in strengthening our BCP and readiness for the next unprecedented challenge.

At this time, it appears it will be awhile before things return to normal. Even at this early stage, there are relevant observations and questions we should be inventorying. This inventory may prove extremely valuable in our quest to continually improve our overall readiness for the next unanticipated challenge. Some recommendations, early observations and trends worth noting include:

• Begin to develop a post-COVID-19 survey for colleagues at the manager level and higher, soliciting feedback on shortcomings and gaps regarding the implementation of the BCP. The idea is to get this survey out while the most recent experience is fresh in the minds of colleagues.
• The ERM team should assess to what extent they have meaningful information and knowledge of the BCPs of key vendors and business partners. Post-crisis may be an opportune time to require increased transparency and insight into the readiness of key external partners.
• Should your organization formally approve secondary vendors that provide video-conferencing services? Most organizations have one primary approved vendor. Post-crisis is the time to execute a contract, conduct any required security reviews and test for IT issues. Going into the next business interruption with some built-in bench strength around video-conferencing services has little to no downsides.
• What percentage of employees still work from desktops? A transition to a workforce completely equipped with laptops and VPN capability will ease the burden when a quick transition is needed to a full work-from-home status. It’s also an opportunity to ensure the most updated security measures and related policies are in place as it relates to remote computing.
• Was employee awareness and utilization around EAP service offerings acceptable? Making such services available to employees requires ensuring that employees are aware of the services and know how to access them. Demonstrating that we truly care about each other during uncertain times requires that we make awareness and access a top priority.
• Was the process around IT tickets for computer issues acceptable during the extended work-from-home period? This area deserves a deep dive; if remote fixes are not available or effective, it will severely hamper the morale, productivity and effectiveness of a remote workforce.

Being ready for the next unanticipated business interruption requires ERM leaders to be well-positioned to assess the successes and failures of our programs in light of the COVID-19 challenges. To do this effectively, ERM leaders should begin to inventory key questions and observations now. Having a plan to share these findings with leadership in the early post-COVID-19 days will pay dividends in further strengthening our ERM programs and BCPs.