COVID-19 Organisational Considerations
Almost no organisation has ever dealt with the outbreak of a new virus like COVID-19 and the adverse impact it can have on employee health and their families, contaminated workplace facilities, questionable food sources, stockouts of essential goods due to supply chain disruptions and other facets of business operations.
While some organisations have already taken precautionary actions, such as disinfecting offices and conference rooms, sending communications to customers, cancelling non-essential travel, prohibiting large group meetings, converting face-to-face meetings to web conferencing and splitting the workforce between multiple facilities, it is becoming clear that so much more will likely be required. All organisations need to adjust priorities, re-evaluate all aspects of their business, refine messaging and plan for the recovery that will come.
In addressing the effects of COVID-19, organisations are also distracted from their normal day-to-day tasks to a large extent and this potentially has a negative impact on areas such as:
- The control environment generally (one needs to consider the impact on the control environment due to a large number of staff working remotely from home as well as the changes to the internal controls as the extent of lockdown is being lifted and in the period subsequent to the lockdown).
- Execution of specific internal control procedures for which staff members are
- Creation of new opportunities for fraud and corruption to
- Exploiting existing control weaknesses to perpetrate fraud and
While several organisations have been addressing the effects and risks relating to COVID-19 at varying levels for some time now, the following pointers may be useful to management in their assessment of the impact on:
- Internal control;
- Business Continuity Management;
- Strategic financial planning and management (finance function, consumers, supply and inventory management);
- Pandemic specific considerations;
- Back-up employees;
- Remote working arrangements and Information Technology infrastructure requirements;
- Social engineering; and
- The future and recovery.
Refer to our article on internal controls here.
1. Business Continuity Management
It is important that management should take immediate and continued action in either developing or revisiting their Business Continuity Plan (BCP) and continue to monitor and report on the implementation of its BCP.
In facing a crisis, planning is critical. A good starting point is using Business Continuity Planning as a foundation for deciding how to address catastrophic events that can negatively affect an organisation. The strategy that management puts in place must ‒ at a minimum ‒ consider its employees, critical processes, customers, suppliers, and other stakeholders.
While most events are confined to a specific geographic area, the response to a pandemic is more complex and forces management to strategize on different severity levels, requiring assumptions about the anticipated spread and duration.
COVID-19 is an example of how a threat that appears to have its origins in China has evolved into a global issue due to travel and transportation.
With every BCP, there should be a risk assessment component that identifies the potential threats and vulnerabilities and prioritizes the severity of each business disruption. Management needs to involve employees in multiple areas and departments to understand the risks and the associated likelihood and impact and identify the existing or potential controls to mitigate these risks. The specific risks related to the pandemic must be incorporated into the business impact analysis (BIA) portion of the BCP, which should include:
- Assess and prioritize the critical business processes and locations affected by COVID-19.
- Determine the impact of COVID-19 on the business processes, employees, customers, service providers, technology, and
- Estimate the recovery time objective (RTO), which is the target time management sets for the recovery of the organisation’s Information Technology (IT) and business activities after a
2. Strategic Financial Planning and Management
The financial challenges organisations will face during the crisis require a clear view of their finances. Timely financial data, cash flow and scenario planning are all required to help make the best decisions possible. Additionally, scrutinizing and reducing costs may be required.
Factors to consider include:
- Do you have access to relevant, accurate and timely financial information?
- Do you have a contingency plan in place if your financial resources are impacted by COVID-19?
- Are your accounting, tax, and legal teams proactive, responsive, and collaborative with you and your advisors?
- Will they be available to address any issue that presents itself, as you work through this crisis?
- Do you have legal and tax resources to provide you with up-to-date information on relief programs to assist your business and employees during and after the crisis?
2.1 Finance Function
A robust accounting and financial management function is critical to timely and effective decision-making as well as the BCPs during the crisis.
As a result, organisations are taking a closer look at their business operations and contingency plans in order to determine what is critical to their success and longevity.
Cash flow forecasting is critical given the evolving nature of the pandemic. Cash flow forecasting is an essential tool that will help you manage liquidity and provide some clarity. Forecasting should be constantly updated for new information as it becomes available. Make sure you have the right members of your management team involved and use your outside advisors as a resource. Put ancillary projects, capital spending, marketing and otherwise, on hold and focus on accelerating receivable collections where possible. Also, speak with your bank. In difficult times, you will get a better idea of your relationship with the bank. Know your availability and accessibility to additional funding.
With regard to the cost structure, clearly understanding fixed, variable, and semi-variable expenses has been, and will become, an even more important exercise in understanding how the organisation reacts to operational changes. It is one thing to know qualitatively what these costs are, but:
- Does the organisation have controls in place to accurately measure and monitor these costs?
- How has the pandemic impacted these types of expenses?
- What will the impact be on the cash burn rate if there is a sudden need to re-implement shelter-in-place and business lockdowns?
- Will social distancing and other workplace safety measures result in a shift in cost structures and a change in operations (e.g., adding a shift to reduce the number of employees on site at any given time, providing employees with personal protective equipment, implementing additional sanitation protocols, having a higher percentage of employees working remotely)?
Although the full impact of the COVID-19 pandemic cannot be reasonably estimated, management should be considering the possible effects on future results of operations, cash flows, and financial condition, as well as the following:
- Going concern – Will the organisation be able to continue as a going concern? Does it have the ability and sufficient liquidity to meet its obligations?
- Impairment of long-lived assets – Are the closures permanent or temporary? Will the asset still generate revenues and income to justify the valuation of the assets?
- Compliance with loan covenants – Many loan agreements contain covenants that are based on organisations meeting certain levels of income in order to meet debt service and make deposits in various restricted Will the organisation be able to meet its debt service obligations and covenants? Organisations should start looking at their loan agreements and start having discussions with their lenders regarding any future inability to make such payments and deposits.
- Internal controls over financial reporting ‒ Many organisations have resorted to requiring its employees to work from Did the organisation reassess or make changes to the design of its internal controls in order to properly process, review, and approve transactions given that most employees are working remotely?
- Subsequent event disclosures – Adequate disclosures should be made regarding the effects of the pandemic on its Management may also need to reassess if any of its assets are impaired or require reserves.
2.2. Customers (i.e. Domestic, Business and Industrial Consumers)
Talk often with your customers during this time. Organisations must continue to communicate with customers through multiple channels, reinforce that customer interests are a priority and provide useful and relevant information.
Find out how they are doing and adjusting to the new realities.
The organisation may also need to spend more time on collections over the coming weeks. It needs to balance the needs of its customers while not losing focus on its own business and cash flow needs.
2.3. Supply and Inventory Management
The outbreak of COVID-19 in China and, subsequently, Europe and elsewhere created severe supply chain disruption.
While many factories in China have come back online, the process was slow, and the disruption created bottlenecks and complicated production plans. Numerous organisations are currently re-evaluating their reliance on China and considering diversifying sourcing.
This could potentially have an adverse impact on the availability of inventory items. Inventory management (such as minimum stock and reordering levels) should be reviewed and adjusted where needed in cases where longer lead times are expected between placing an order for products from suppliers and the receipt thereof.
3. Pandemic Considerations
Due to the complexities associated with any pandemic, management should develop a Pandemic Plan, which requires careful planning, preparing, responding and recovery.
Numerous internal and external factors and interdependencies should be considered including:
- Assign a group to monitor the stages of the virus outbreak.
- Identify possible work-related exposures to COVID-19.
- Monitor absenteeism, which can be a result of quarantined households, ceasing public transportation and school closings.
- Educate employees on preventive care and human resource policies or topics (i.e., workplace and leave flexibility, non-essential business travel).
- Identify key individuals at different locations who will have the authority to take appropriate action that is documented in the pandemic
- Make procedure manuals available and consider cross-training for critical functions or
- Identify and establish communication protocols with employees, investors, customers, and
Responding to a pandemic requires significantly more collaboration between management, employees, and outside parties than other types of events. Pandemic events will likely last far longer than typical BCP threat scenarios, so communication is essential as the pandemic continues to evolve. Assigning individuals to closely monitor the situation and communicate with key stakeholders should be a top priority.
The most likely direct organisational problem that will occur during the crisis is that an employee cannot come into work due to sickness, obligations to care for family members affected or children home from school.
- Does the organisation have back-up coverage?
- Have people been cross-trained?
- Do they have access to software, documents, and applications?
5. Remote Working Arrangements and IT Infrastructure Requirements
In addition to the above, many organisations will also face problems from quarantine and other restrictions on travel and social distancing/public assemblies.
- Is the organisation prepared to support a remote workforce from a human resource and technology perspective?
- Does the organisation have a secure IT infrastructure that can host data and software that provides permissioned access, back-up, and disaster recovery?
The first priority of an organisation during a pandemic should be the safety and well-being of its workforce. Provide people with the necessary protective equipment and support remote work and virtual collaboration capabilities.
Over the past few weeks, many businesses have been minimizing office staff and requiring employees to work from home. Conferences are being cancelled and meetings are moving into the virtual spectrum. Many businesses have a BCP, but a lot of businesses still do not. For those that have a plan, remote access strategies will be put to the test. For those that do not, the urgency to create one will be pushed to the forefront and defined on the go.
If the organisation has not already defined and verified its remote access solution, be sure that security is factored in. While the organisation certainly needs to operate, it should not expose itself to compromise or trigger an inadvertent data breach. For example, allowing employees to take copies of data on removable drives from the office location to work from home may result in data loss should the drive be misplaced.
The following should be considered as part of the strategy:
- If employees access sensitive data, they should be provided an organisationally controlled and secured laptop, inclusive of encrypted hard drives. While ideally everyone will have a laptop to work remotely, that may not be a financial reality or a If one needs to prioritize, focus on the high-risk employees based on the sensitivity of the data they need to access.
- Any remote access or cloud-based application should leverage multi-factor This is particularly important if the organisation embarks on a rapid deployment of a remote desktop software to allow employees to utilise their own equipment at home to connect to their at-work resources.
- If the organisation has the resources, offer to have the IT department perform a security check on employees’ home devices if the ultimate decision is that they need to work from home using their own
- Try to limit the options for employees to save data out of secured locations to their own The capabilities will depend on the solution you implement.
- Ensure the organisation establishes and communicates clear expectations of the work-from-home While one may not be able to implement the ideal set of technical controls to manage risk, the organisation can ensure its employees play their role and know how to work efficiently and securely when not in the office. Empower them with the knowledge of the risk so they know how to manage it.
- Once the crisis begins to subside, it is imperative to communicate to employees that any saved data to non-traditional locations during the course of the crisis must be securely returned to the organisation (physically and in the cloud) and removed or destroyed from those other
Though an organisation may have a well-documented plan with detailed analysis, testing is a critical component of the program. Testing allows the identification of issues and promotes employee confidence. Performing tabletop or other testing methods allows individuals to understand their roles and responsibilities.
One example of a technical challenge is the heavy reliance on remote access if an office is closed and personnel must work from home. The IT Department should work with management to test their remote access capabilities and determine whether their infrastructure has the capacity to handle the workload and that users are aware of the steps to access network-based computing resources. This assessment should extend beyond on-premise systems to those applications hosted by Software as a Service (SaaS) providers where less may be known about their capabilities under such circumstances.
6. Social Engineering
Issues or events that trigger emotional distress or curiosity are key topics for cybercriminals to use in creating social engineering campaigns.
A social engineering campaign is an act carried out through a social mechanism ‒ be it email, phone calls, text messages, etc. ‒ that is designed to manipulate the victim into performing an action, e.g. clicking on a link, opening an attachment, or disclosing information.
For these types of attacks to be successful, they must trigger an emotional response in the target. The COVID-19 scare is the perfect mechanism for cybercriminals to leverage and trigger that emotional response. Remind employees to be cautious of emails with links or attachments that reference COVID-19 or the status thereof.
The following scenarios are examples of how the virus could be leveraged to manipulate employees:
- An email from a spoofed news outlet claiming a cure has been found or a pandemic has been A link is supplied to access an article for the victim to click to read the additional details. While the act of clicking alone may sound benign, that is enough for the cyber criminals to infect an organisation’s systems, steal data, or hold it hostage with ransomware.
- An email claiming to be from Human Resources or Senior Management with an updated work from home policy in response to the The memo is provided in an attachment that needs to be opened. The act of clicking on the attachment and opening the document could be enough in and of itself to become compromised.
- A message from a fraudulent charity soliciting donations to find a cure or help those As with any time of crisis, people will try to create fraudulent schemes to steal money.
Remind employees, when receiving any message that references the virus, to Pause, Inspect, and Think (PIT) before acting. Remind and encourage them to control their emotions and not to let fear or curiosity drive their response. It is critical that the organisation also has someone whom employees can reach out to if they have questions about a communication and want to confirm its legitimacy.
If there are standard methods of communicating significant issues, such as posting the information to an intranet, remind employees of these methods.
7. The Future and Recovery
It may not seem that way now, but we will find our way through this. When this crisis passes, there are several things an organisation should consider.
- Review customer and market data and determine how customers weathered the crisis and identify priority actions.
- Rebalance inventory
- If not done so already, create a supply chain contingency plan for the next crisis. This would be a good time to consider other sourcing
- As a greater sense of normality returns, review those expense items that were delayed and
There is no doubt that the current crisis is having a significant impact on consumers. Organisations need to take a short-term view for obvious reasons.
This is also a time to re-evaluate all aspects of operations. By doing that, and by planning with an eye toward the more intermediate term, organisations can navigate effectively through this and emerge stronger on the other side. Some considerations could include:
• Planning for Restoration – The new normal we will face in the coming months:
- Scenario 1: Geographic-based reopening/low cases and high
- Scenario 2: Skeleton workforce onsite allowing social
- Scenario 3: Many locations except older/health-challenged
- Scenario 4: Some combination or another
• Technology and Operational Impacts:
- Hybrid computing with remote and on-site
- Expand the use of mobile computing devices to more of the
- Revisit vendor performance-fiscal health, invoke contract clauses, seek
- Shift from applications hosted on site to cloud
- Revisit key supplier dependency, especially
- Accommodating possible increase in
- Rethinking space, site, and other
- Applying lessons learned to enhance BCPs for pandemics (e.g. Insurance, People and Facilities, Rolling and global pandemics, Alerts and warning lead time, Duration)
• Digital Transformation considerations could include: Leveraging technology, evaluate the archaic paper pushing workflow, quicker decisions, and transparent action
• Remote Workforce considerations could include: Improve work life balance, cost savings, flexible hours, and employee retention.
• Third party considerations: Perform a due diligence, evaluate vendor related business continuity, evaluate their business resiliency and assess their control
• Robotic Process Automation (RPA) could be considered to: Perform routine tasks when employees are unable to work, increase accuracy for transaction processing and provide 24/7
Not only will COVID-19 be a turning-point in our business lives, but also in every facet of our lives. And although it has been a challenging time for everyone at numerous levels, whether it be business, financial, emotional or health, the human race’s resilience, compassion for one another and ability to identify and explore new opportunities have been brought to the fore.
These times give us all the wonderful opportunity to re-evaluate the way we have been doing things, grab new opportunities, stay humble and thankful for all we have, and move forward as stronger and better individuals and communities!