Governance in the time of Coronavirus:
Prevent vs Detect and Rectify
By Geoffrey Brown OAM
As we have seen over the last 12 months, the unpredictable has the potential to significantly impact not just business, but also lives. First it was the relentless drought, then the bush fires, now Coronavirus.
Just because you have systems and processes doesn’t mean that things won’t go wrong, especially things that you can’t influence, like drought, fires or pandemics.
However, with the right governance structures you will be better positioned to minimise the impact.
Prevent vs Detect and Rectify
In any corporate risk assessment, events that have a high probably of occurring and the potential to significantly impact your business should have solid prevention controls around them. Conversely, where an event has a low probability of occurrence and its impact would be relatively minor controls that detect the event and actions to rectify the impact are usually sufficient.
The challenge for the events like drought, fire and coronavirus is that their probability ranges from very low to highly improbable, however their impact is severe to catastrophic. So, do you invest in strong prevention controls for such events or a more realistic detect and rectify approach?
It is fair to say that very few businesses or agencies could have predicted the events currently unfolding globally. Though events that impact cash flow in the medium term, impact on supply chain, or workforce availability should have featured in some form in their business continuity planning.
For low risk, high impact events detection and rectification are key. Your organisation should be constantly scanning the horizon for “black swans” and have plans in place for acting upon the impacts caused by such events.
Now that the pandemic has been identified businesses and agencies should be well and truly in rectification mode, with the primary aim of keep their heads above water.
One of the biggest issues in the current environment is loss of labour. For businesses where most activity is computer based or over the phone, the impact is much less. Where this is not the case and remote access to IT systems is not a fix or even possible, it’s time to get creative.
Much of the media has focussed on working from home, but what about those agencies or businesses that have IT systems that are “air-gapped” from the internet for security reasons? Was this situation given due consideration in these organisations’ disaster recovery and business continuity planning? For the short-term scenarios maybe, but what about longer-term disruptions?
Thinking outside the box
For fear of stating the obvious, leadership teams need to think outside the box – fast – and every option must be on the table.
As an example, one strategy I discussed with a senior manager last week was the possibility of rotating staff so that only 33 percent of the workforce came into the office each day. Desks could be cleaned on the days that they are vacant. Staff that became infected could isolate themselves at home and smaller numbers of people would have been in contact them, reducing requirements for precautionary self-isolation. While not a perfect solution, it would avoid a total shutdown.
Clearly many businesses are in the rectification phase and need to be flexible with governance actions as they navigate through unchartered territory. Plan A will need to be backed up by Plans B and C.
The importance of the “ship’s logs”
Keeping completed records of all actions taken and their effectiveness will go a long way to helping you update your disaster recovery and business continuity planning once we are through these challenging times. As with the bush fires and drought, we must learn from these events and use them to better inform our actions going forward.