1. Start preparing for a pandemic early
Organizations should review their existing business continuity, emergency management and risk communications plans early on, says Nitin Natarajan, principal at Cadmus, a domestic preparedness advisory firm. That includes evaluating the impacts from a temporary reduction in workforce or a higher-than-average number of employees working remotely.
“Assess risks and vulnerabilities to physical and cyber systems from a reduction in staff, both internally and among key organizational interdependences,” such as supply chain partners or service providers, Natarajan says. “Communicate early and regularly, internally and externally, since information voids will often be filled with incorrect information.”
Security and IT executives need to brief senior leadership regularly and ensure there is a clear understanding of leadership’s expectations and their true level of risk acceptance, Natarajan says.
2. Establish an “intelligence baseline”
Going on a quest for perfect information about a widespread health concern is unreasonable, Womble says, and will exacerbate the level of frustration security executives might already feel. “Instead, determine which trusted sources of information you’re going to rely on,” he says. Good examples include WHO, the Centers for Disease Control, or a contracted medical response provider.
Leveraging these sources, companies can gain an understanding of the situation as soon as possible. “Focus your awareness campaign on those sources, unless gaps emerge that must be addressed,” Womble says. “Sticking with select sources allows you to conduct trend analysis on how the situation is evolving.”
3. Identify potential triggers, risk tolerances and responses
All crises are fluid, but emergent medical issues tend to be even more so, Womble says. “A trigger-based escalation matrix can be an incredibly powerful tool to help you respond more confidently,” he says.
When new information comes in, it’s important to validate it as soon as possible and discern which escalation plans or other pre-vetted decision trees might need to be recalibrated. “Accept that the ‘facts’ as you know them are likely to change,” Womble says. “Be prepared to re-evaluate your assumptions vis-à-vis those so-called facts and then adjust your action plans based on new information or emerging trends.”