Using standardized risk management approaches to respond to the coronavirus crisis
Risk management and business continuity planning have moved to the top of managers’ agendas in recent weeks as the coronavirus epidemic has taken hold.
The Covid-19 crisis is unusual in that it impacts both demand and supply. Appetite for consumer goods in China, for example, is hit at the same time as firms face disruption to supply chains.
The dynamic nature of the crisis also makes it difficult for managers to access accurate information. Events are rapidly unfolding. The list of countries affected by the virus grows every day. Some critical questions – the likely impact on populations, how long the crisis is expected to last, and the exact measures governments will take to contain the virus – remain largely unanswered.
The result is that many managers are struggling to assess, understand and manage the risks to their business posed by the outbreak. Many are fighting fires on a number of fronts: a drop in demand for products in certain regions, the closure of supplier factories as workers stay home to fight off infection, and disruptions to operations such as travel bans for head office staff.
Is it too late for a business continuity plan?
Many large companies have business continuity plans in place to address a variety of scenarios, from extreme weather to cyberattack and supply chain interruption. The most effective business continuity planning is flexible and dynamic, with established management structures – think crisis committees and formalized rapid decision-making processes – to handle emergency situations not already identified in the plan.
The International Standards Organization offers a blueprint for planning in the form of its ISO 22301 business continuity management system (BCMS) standard. But is it realistic to start putting in place a management system mid-crisis?
The answer is yes and no! Realistically, the implementation time for a full ISO 22301 BCMS is too long to enable businesses to deal with the disruptions Covid-19 right now. But the standard, built as it is on ISO’s risk management principles, can provide a very useful starting point for a business to fully map and understand the very specific risks it faces, thanks to the context of the organization.
So what can management systems bring to the table?
The coronavirus outbreak poses a number of common risks, many of which are already identified by businesses in the course of normal operations. What is different in today is the scope and scale (for example the number of employees or sites impacted).
The approach used across relevant management system standards to identify and prioritize specific risks and how to manage them can be beneficial to managers as they develop Covid-19 specific action plans. ISO management systems also have a strong emphasis on leadership and communication – defining roles and responsibilities and requirements for information sharing.
The number one risk: health and safety
Occupational health and safety is one clear example. Covid-19 poses direct health risks to employees. Businesses need to work out the best way to implement government guidelines (for example by sharing information in the office on hand-washing and informing employees on what they should do if they suspect an infection). They may also choose to go beyond this, for example by imposing travel bans, or recommending employees in afflicted regions work from home.
So far so good. But even changing guidelines on employee working conditions can create new health and safety issues. For example, employees are working from home for several weeks at a time may not have the appropriate workspace: a chair that supports their back, a computer screen at the right height. The social isolation of working from home may lead to stress and depression. The ISO 45001 management system for occupational health and safety encourages employers to think holistically about workplace risk in order to address all health and safety issues, and not just the most obvious.
Don’t neglect the less obvious risks
The same is true of many other risks. Information security and data protection might not seem like the most obvious issue associated with Covid-19, but if you have no provision in place for employees using secure networks while working from home – aka a VPN – they potentially present a major risk. Dedicated ISO standards ISO 27001 and its extension ISO 27701 provide helpful frameworks for understanding the risks.
Similarly, quality – defined broadly as the quality of products and of your customer service – is likely to be impacted if you suffer supply chain issues. ISO 9001 management system for quality, with its focus on the broader customer experience, provides helpful ways to think about the risks posed by supply chain disruption. Even if your customers are likely to be more forgiving of service interruptions in the current crisis, they will react better if you communicate effectively on any issues.
In conclusion, there’s no quick fix to develop a comprehensive risk management plan - but ISO management systems offer useful frameworks to identify, understand and manage risks as the Covid-19 crisis develops.