COVID-19: Business Continuity and Risk Management

PUBLISHED: 7th April 2020

In this article, we look at how the impact of the COVID-19 global pandemic crisis can be mitigated through business continuity and risk management planning.

Contingency planning will generally cover events such as natural disasters and cyber-attacks. They may not, however, deal with issues relating to quarantines, business disruptions due to lockdowns, layoffs and redundancies and income disruption.

Devising a Protocol

A well-devised Business Continuity and Risk Management strategy may often be a requirement of insurers, suppliers or customers of a business. The aim of effective business continuity planning is to be able to push through temporary disruptions in the business environment. When devising a business continuity protocol, the focus needs to be on several practical aspects which drive how the business operates.

These would include planning in areas such as:

• Loss or incapacity of key employees and resources;
• Continuing lines of communication and emergency contact systems and processes;
• Procedures and processes to access IT systems and infrastructure;
• Continuation of internal reporting and supervision in all tiers of management and staff;
• Preservation of customer service and effective and timely communications; and
• Risk management, mitigation and damage control strategies.

Flexibility and review

The protocol should be adept in terms of observing the changing status of the locations in which both the business and its various suppliers, intermediaries and customers operate. Disruptions affecting the operation of any tier of the network of suppliers will likely have an immediate effect on your business.

Managing the risk and having proactive mitigating measures in place may also go hand in hand with new business opportunities. We have recently seen, for example, how Irish businesses, in seeking to mitigate consequences for business disruption and in seeking to assist in a meaningful way the fight to delay the spread of the virus, were well placed to diversify their product ranges, so as to meet and serve a new and urgent demand for hand sanitisers.

The Department of Business, Enterprise and Innovation has issued a Business Continuity Planning checklist. This is a very useful tool for business but needs to be tailored to the individual needs of your sector of industry and the specific requirements of your business.

It is prudent and timely to revisit and update the protocol regularly to implement new measures in response to changes both internally within the business and to reflect external risks. Arguably, COVID-19 and its consequences, is an extraordinary and unprecedented event which triggers a need to review the business continuity and risk management protocol on an ongoing weekly basis in order to respond timely to the short- and medium-term consequences of the pandemic and the economic downturn.

Key Areas of Risk

Some of the primary risks as a result of the pandemic or other global or national crisis include those affecting your employees, supply chain management, insurance and economic and financial risks. The strain of rescinding contracts, seeking to invoke force majeure provisions, finding yourself with large volumes of incomplete goods or stock and dealing with high-risk jurisdictions may constitute an immediate financial stability risk that requires close monitoring.

Some businesses have waited until the effect of the pandemic risk has fully emerged before responding with operations already suffering. There is a need to have preparatory measures in place to deal with different types of emerging risks, mechanisms to track those risks and to have the necessary flexibility to revise and, where required, redesign protocols.

Management of Risk

Managing risk is an ongoing endeavour. It is crucial that a business can identify and analyse risks and the consequences of same. The steps taken for effective risk assessment may include:

1.     Communications with key stakeholders internally to collate and disseminate risk information;

2.     Inspect the information gathered to determine key risks;

3.     Analyse and log particulars of risks assessed;

4.     Plans for control of risks as assessed; and

5.     Ongoing assessment of risk and communications to identify, review and update in terms of communications around risk.

Depending on the structure of your business, you can divide the register among different departments and have departmental sub-risk registers or compile a register that covers the entire business. The inputs can assist with the sequencing, prioritisation and delegation of response actions in a timely manner as well as the rapid analysis of impacts, including the identification of affected stakeholders. A risk questionnaire can be assembled to extract information and improve your understanding of the role of each department (and relevant teams) in your business and the potential risks facing those departments.

Regular Risk Audits

Regular risk audits can help you to analyse, log and pre-empt those risks which are likely to most immediately impact on your business. In categorising the risks facing your business such as operational risks, legal risks and security risks, you can seek to control and certainly mitigate risk by strategically planning how the business can be adapted to control the damage that might be presented.

The risk register will be one of your best assets for business continuity management in this time of crisis. It is important that the register is an active and accurate document that is updated regularly. For example, the relocation of operations poses several new risks. Employees who are working from home may present potential cyber and information security risks which requires effective oversight from management. A good system for data storage and data assimilation needs to be in place and you should seek legal advice if you are unsure about whether remote working conditions meet required health and safety and data protection criteria.

We are actively advising clients in relation to the COVID-19 outbreak. If you would like to discuss the potential impact that COVID-19 may have on your business and any measures that you are considering in terms of business continuity and effective management of legal risk, please contact a member of our Corporate team.

To view our cross-disciplinary coverage of business continuity during the COVID-19 outbreak, please visit our dedicated special insights page and sign up to our mailing list by clicking here.