PDF version of this report
You must have Adobe Acrobat reader to view, save, or print PDF files. The
reader is available for free
download.

Lessons Learned from
the COVID-19 Pandemic

by James G. Barr

Copyright 2022, Faulkner Information Services. All
Rights Reserved.

Docid: 00018042

Publication Date: 2211

Publication Type: TUTORIAL

Preview

Even more than The Great Recession of 2008-2009 – the century’s first
largely-preventable business and personal tragedy – the COVID-19 pandemic
of 2020 (and beyond) disrupted all elements of our global society. For
example, the pandemic accelerated, literally overnight, a long-simmering
remote work movement, forcing millions of knowledge workers to suddenly
abandon their corporate offices and setup a business shop at home.
COVID-19 also revealed the inherent fragility of the global supply chain
(and globalization itself) as the production and distribution of raw
materials and manufactured products was slowed, if not halted. Although
the pandemic is far from fully contained, risk professionals (and others)
are turning their attention to lessons learned.

Report Contents:

• Executive Summary
• Related Reports
• Work Will Never Be the Same
• Bad
  Things Happen In 3’s (or 4’s or 5’s)
• Recommendations
• Web Links

Executive Summary

[return to top of this
report]

Even more than The Great Recession of 2008-2009 – the century’s first
largely-preventable tragedy – the COVID-19 pandemic of 2020 (and beyond)
disrupted all elements of our global society.

The pandemic:

Acccelerated, literally overnight, a
long-simmering remote work movement, forcing millions of knowledge workers
to suddenly abandon their corporate offices and setup a business shop at
home.

Revealed the inherent fragility of the global
supply chain (and globalization itself) as the production and distribution
of raw materials and manufactured products was slowed, if not halted.

Denied children and school-age adults the
opportunity to learn – and, importantly, socialize – in person.

Stretched the resources of hospitals and
other healthcare facilities that were ill-equipped to treat tens of
thousands of critically-ill patients.

Produced mass layoffs in vulnerable sectors
like retail, hospitality, and travel, among others.

Aggravated mental health-related phenomena
like depression, addiction, spousal and child abuse, and suicide.

Required the federal government to borrow and
spend massive amounts of money to stabilize the economy and provide for
indebted citizens.

Prompted criminals – especially cyber
criminals – to increase the frequency and intensity of financial fraud
attacks, notably ransomware.

Although the pandemic is far from fully contained – in the US, for
example, there are still hundreds of deaths per day attributed to COVID-19
as of late 2022 – risk professionals (and others) are turning their
attention to lessons learned, such as:

Remote Is Forever – While
some bosses have managed to wrangle their workers back to the central
office, others have decided to accept the reality that remote – or, as a
concession, “hybrid” – work is the new norm, virtually an employee
entitlement.

Disaster Planning Is Not Our Forte
– Although it’s still fresh in our mind, we are not ready for the next
pandemic.

We Need “Agile” Management –
The Agile style features a network of teams that can analyze a situation
quickly and act decisively.

Deploying the Right Technology Is
Essential – With the traditional central office being displaced
by hundreds (or thousands) of home offices, operational success relies, in
large measure, on leveraging the right mix of security, communications,
and business process technologies.

Automation Is An Answer –
COVID-19 is, above all, a people-compromising development. While it may
seem harsh, the best way for an enterprise to immunize itself against a
people-compromising event, situation, or circumstance is to reduce its
workforce through automation.

Work Will Never Be the Same

[return to top of this
report]

As McKinsey analysts Matt Craven, Mark Staples, and Matt Wilson observe,
“Work will never be the same. The pandemic’s first year
proved three things:

• “Our old definition of essential workers was inadequate;
• “The numbers and kinds of workers we need are profoundly different
  now; and
• “Most knowledge workers can do the job from home.

“In the second year of the pandemic, people across the income spectrum
internalized those lessons. Millions quit – especially women – and people
who kept their jobs are questioning the old assumptions. Employees and
employers see the world differently. That disconnect is having lots of
effects. For one thing, it’s sharpening a labor shortage that had been
slowly brewing. It is also causing owners and occupiers of real estate to
rethink the role of the office.”¹

SMEs

While large enterprises suffered – particularly in the retail,
hospitality, and travel industries – small-to-medium-sized enterprises
(SMEs) were especially hard hit. After surveying the damage, the
Enterprise Center recommends that SME owners and operators:

“Be Prepared … for Anything
– For instance, many restaurants, bakeries, and food stores shifted to
curbside pickup, delivery, and contactless pickups. No one could foresee
the need for this just weeks in advance, but innovative leaders were able
to see the advantages of this and pressed forward to be able to continue
their business dealings in a safe and profitable way.

“Build an Emergency Fund –
Businesses should set aside 3-6 months worth of expenses. This may take
some time and effort to cut spending and automate deposits into a fund for
circumstances such as future catastrophes, but it can be done, even for
the smallest businesses.

“Mitigate Your [Employees’] Stress
– Listen and act according to your [employees’] needs. Making them happy
and secure during chaotic times will help both their mental well-being and
your business as a whole.”²

Future of Work

The future of work is normally determined by a wide variety of factors,
from globalization to industrial policy. Major work-related events or
movements, like the COVID-19 pandemic, can alter these influences and,
thus, change the trajectory of enterprise operations. While it may be too
early to offer anything but conjecture, here (in Table 1) are some
preliminary takeaways.

Bad Things Happen In 3’s
(or 4’s or 5’s)

[return to top of this
report]

“One of the major lessons from the pandemic is
to never focus on only one crisis at a time. The all-encompassing nature
of COVID-19 has made this clear. The virus simultaneously triggered
multiple related crises:

• “A medical crisis;
• “A mental health crisis;
• “A political crisis;
• “A supply chain crisis, and so on.

“Organizations that had a narrow focus on only
one of these issues often found themselves unprepared to manage the other
crises.”

– Mick Sharp, Group Director Security Services
at International SOS.³

Rethinking Risk

As a result of COVID-19, analyst Richard Chambers recommends that
enterprises embrace a broader and more nuanced set of risk metrics.
Traditionally, risk managers rated risks on two criteria:

1. Impact – What effects would a particular risk produce, if realized?
2. Likelihood – What are the chances that a particular risk will
   manifest?

In addition to these measures, Chambers would add:

• Velocity – “How quickly would the risk spread across [the]
  organization if [it] were impacted?
• Volatility – “How long will [the] risk persist before losing priority
  to another emerging risk?”

“Identifying emerging risk events is hard enough in regular times, but in
a time of high volatility, a risk that seems like a high priority can just
as easily be replaced days or weeks later. When risks are evolving as
quickly as [they were during the pandemic], you cannot afford to rigidly
adhere to past prioritizations. New risks will come up, and your focus
will inevitably need to shift as priorities change.”⁴

Recommendations

[return to top of this
report]

“The only real mistake is the one from which
we learn nothing.”

– Henry Ford⁵

Update BC, DR, and IR Plans

It’s safe to say that in 2020 the overwhelming majority of enterprise
business continuity, disaster recovery, and incident response plans did
not provide for a pandemic. In the aftermath of COVID-19, BC, DR, and IR
planners should amend their plans to cover pandemic or other healthcare
contingencies, along with the now-expected secondary effects, including:

• Loss of key personnel;
• Greater use of high-speed, high-capacity telecommunications channels;
  and
• Increased reliance on enterprise employees to safeguard digital assets
  stored on smartphones or home office personal computers. 

Create an “Agile” Organization

Having to deal with the rapidly-changing dynamics of the COVID-19
pandemic have convinced many management experts that enterprises would be
best served by adopting an “agile” organizational structure. According to
McKinsey, “Agile organizations maintain a stable top-level structure, but
replace much of the remaining traditional hierarchy with a flexible,
scalable network of teams. Networks are a natural way to organize efforts
because they balance individual freedom with collective coordination. To
build agile organizations, leaders need to understand human networks
(business and social), how to design and build them, how to collaborate
across them, and how to nurture and sustain them.”⁶

As an example, the US Government Accountability Office (GAO) released an
analysis of bank regulation during the pandemic, saluting the many
procedural modifications made by regulators to accommodate a challenging
business environment.

“To manage pandemic-related challenges to their supervisory missions,
banking regulators:

• “Deferred examination activities,
• “Expanded off-site monitoring of institutions,
• “Adjusted telework policies, and
• “Provided technology tools and internal guidance to examiners.”⁷

Figure 1. Federal Banking Regulators Actions to Address
Pandemic-Related Challenges to Conducting Fully Remote Examinations

Source: GAO⁸

Establish Remote Work Standards

With remote (or hybrid) work the new norm, enterprise IT and security
departments should establish – and enforce – a new set of “acceptable
technology use” standards. Among the items to be considered are:

• Mandatory multi-factor authentication (including biometrics);
• Standard hardware, software, and service sets (no “shadow IT”
  contributions);
• Mandatory anti-malware protection (anti-virus, firewall, intrusion
  detection, data loss prevention, etc.);
• Mandatory file backup (to the Cloud); and
• Mandatory data encryption (in-place and in-transit)

Hit the Automation Accelerator

People are an enterprise’s greatest strength and its greatest
weakness. While controversial, enterprise executives should allow for the
“downsizing” of their workforce by automating, as possible, routine
operations. Implementing or expanding robotic process automation (RPA) is
an ideal first step.

The Association for Intelligent Information Management (AIIM) defines RPA
as “the term used for software tools that partially or fully automate
human activities that are manual, rule-based, and repetitive. [RPA] tools
are not replacements for the underlying business applications; rather,
they simply automate the already manual tasks of human workers. They
essentially look at the screens that workers today look at and fill in and
update the same boxes and fields within the user interface by pulling the
relevant data from the relevant location.”⁹

The commonly cited advantages of RPA include:

• Accelerating business operations – thereby enhancing business
  opportunities.
• Achieving greater accuracy – eliminating tedious and unnecessary
  rework.
• Regaining employee time – freeing employees to engage in more
  productive and profitable activities.
• Cutting costs – improving the “bottom line.”
• Providing better customer experiences – increasing customer
  satisfaction and decreasing customer churn.
• Ensuring regulatory compliance – avoiding fines and other governmental
  sanctions.
• Improving employee productivity – enabling a more satisfying work
  environment, both for employers and employees.
• Permitting cross-platform work processes – leveraging the fact that
  RPA is application agnostic.
• Allowing scalable processes – expanding or contracting processes
  according to business demand and operational capabilities.
• Harnessing artificial intelligence – extending, for example, the
  boundaries of automation to include unstructured data.¹⁰

Prepare for Pandemic 2.0

Figure 2. Hold On To Your Mask

Source: Wikimedia Commons

In addition to warning that the COVID-19 pandemic is not entirely over,
public health officials are urging the leaders of private sector companies
and public sector agencies to begin planning for the next pandemic. Dr.
Craig Spencer advises that while “dozens of reforms [are] needed and
debated,” there are “three areas [that] require immediate attention and
investment:

1. “Disease surveillance,
2. “Strengthening of the global health care work force, and
3. “Ensuring equitable access to treatments and vaccines.”¹¹

Web Links

[return to top of this
report]

ASIS International: http://www.asisonline.org/
Continuity Central: http://www.continuitycentral.com/
SANS Institute: http://www.sans.org/
US National Institute of Standards and Technology: http://www.nist.gov/

References

¹ Matt Craven, Mark Staples, and Matt Wilson. “Ten Lessons
from the First Two Years of COVID-19.” McKinsey & Company. March 11,
2022.

² “Lessons Learned: What Small Business Owners Learned From
Covid.” Salem State University Assistance Corporation d/b/a the
Enterprise Center. February 9, 2022.

³ Maggie Shein. “COVID-19 Lessons Learned in Enterprise
Security.” Security (magazine) | BNP Media. March 9, 2022.

⁴ Richard Chambers. “Four Risk Management Lessons Learned
from the Pandemic.” Forbes. March 8, 2022.

⁵ Ibid.

⁶ Wouter Aghina, Karin Ahlback, Aaron De Smet, Gerald
Lackey, Michael Lurie, Monica Murarka, and Christopher Handscomb. “The
Five Trademarks of Agile Organizations.” McKinsey & Company. January
22, 2018.

⁷ GAO-22-104659: “Bank Supervision: Lessons Learned from
Remote Supervision During Pandemic Could Inform Future Disruptions.” US
Government Accountability Office. September 8, 2022.

⁸ Ibid.

⁹ “What Is Robotic Process Automation?” AIIM. 2019.

¹⁰ “Robotic Process Automation (RPA).” Automation Anywhere.
2021.

¹¹ Dr. Craig Spencer. “We May Have Only a Few Months to
Prevent the Next Pandemic.” The New York Times. October 24,
2022.

About the Author

[return to top of this
report]

James G. Barr is a leading business continuity analyst
and business writer with more than 40 years’ IT experience. A member of
“Who’s Who in Finance and Industry,” Mr. Barr has designed, developed, and
deployed business continuity plans for a number of Fortune 500 firms. He
is the author of several books, including How to Succeed in Business
BY Really Trying, a member of Faulkner’s Advisory Panel, and a
senior editor for Faulkner’s Security Management Practices.
Mr. Barr can be reached via e-mail at jgbarr@faulkner.com.

[return to top of this
report]