Lessons Learned from the COVID-19 Pandemic

PDF version of this report
You must have Adobe Acrobat reader to view, save, or print PDF files. The
reader is available for free

Lessons Learned from
the COVID-19 Pandemic

by James G. Barr

Docid: 00018042

Publication Date: 2211

Publication Type: TUTORIAL


Even more than The Great Recession of 2008-2009 – the century’s first
largely-preventable business and personal tragedy – the COVID-19 pandemic
of 2020 (and beyond) disrupted all elements of our global society. For
example, the pandemic accelerated, literally overnight, a long-simmering
remote work movement, forcing millions of knowledge workers to suddenly
abandon their corporate offices and setup a business shop at home.
COVID-19 also revealed the inherent fragility of the global supply chain
(and globalization itself) as the production and distribution of raw
materials and manufactured products was slowed, if not halted. Although
the pandemic is far from fully contained, risk professionals (and others)
are turning their attention to lessons learned.

Report Contents:

Executive Summary

[return to top of this

Even more than The Great Recession of 2008-2009 – the century’s first
largely-preventable tragedy – the COVID-19 pandemic of 2020 (and beyond)
disrupted all elements of our global society.

Faulkner Reports
Remote Work Best Practices
The Intersection of
COVID-19 and Information Technology Tutorial

The pandemic:

  • Acccelerated, literally overnight, a
    long-simmering remote work movement, forcing millions of knowledge workers
    to suddenly abandon their corporate offices and setup a business shop at

  • Revealed the inherent fragility of the global
    supply chain (and globalization itself) as the production and distribution
    of raw materials and manufactured products was slowed, if not halted.

  • Denied children and school-age adults the
    opportunity to learn – and, importantly, socialize – in person.
  • Stretched the resources of hospitals and
    other healthcare facilities that were ill-equipped to treat tens of
    thousands of critically-ill patients.
  • Produced mass layoffs in vulnerable sectors
    like retail, hospitality, and travel, among others.
  • Aggravated mental health-related phenomena
    like depression, addiction, spousal and child abuse, and suicide.
  • Required the federal government to borrow and
    spend massive amounts of money to stabilize the economy and provide for
    indebted citizens.
  • Prompted criminals – especially cyber
    criminals – to increase the frequency and intensity of financial fraud
    attacks, notably ransomware.
  • Although the pandemic is far from fully contained – in the US, for
    example, there are still hundreds of deaths per day attributed to COVID-19
    as of late 2022 – risk professionals (and others) are turning their
    attention to lessons learned, such as:

    Remote Is Forever – While
    some bosses have managed to wrangle their workers back to the central
    office, others have decided to accept the reality that remote – or, as a
    concession, “hybrid” – work is the new norm, virtually an employee

    Disaster Planning Is Not Our Forte
    – Although it’s still fresh in our mind, we are not ready for the next

    We Need “Agile” Management
    The Agile style features a network of teams that can analyze a situation
    quickly and act decisively.

    Deploying the Right Technology Is
    – With the traditional central office being displaced
    by hundreds (or thousands) of home offices, operational success relies, in
    large measure, on leveraging the right mix of security, communications,
    and business process technologies.

    Automation Is An Answer
    COVID-19 is, above all, a people-compromising development. While it may
    seem harsh, the best way for an enterprise to immunize itself against a
    people-compromising event, situation, or circumstance is to reduce its
    workforce through automation.

    Work Will Never Be the Same

    [return to top of this

    As McKinsey analysts Matt Craven, Mark Staples, and Matt Wilson observe,
    Work will never be the same. The pandemic’s first year
    proved three things:

    • “Our old definition of essential workers was inadequate;
    • “The numbers and kinds of workers we need are profoundly different
      now; and
    • “Most knowledge workers can do the job from home.

    “In the second year of the pandemic, people across the income spectrum
    internalized those lessons. Millions quit – especially women – and people
    who kept their jobs are questioning the old assumptions. Employees and
    employers see the world differently. That disconnect is having lots of
    effects. For one thing, it’s sharpening a labor shortage that had been
    slowly brewing. It is also causing owners and occupiers of real estate to
    rethink the role of the office.”1


    While large enterprises suffered – particularly in the retail,
    hospitality, and travel industries – small-to-medium-sized enterprises
    (SMEs) were especially hard hit. After surveying the damage, the
    Enterprise Center recommends that SME owners and operators:

    Be Prepared … for Anything
    – For instance, many restaurants, bakeries, and food stores shifted to
    curbside pickup, delivery, and contactless pickups. No one could foresee
    the need for this just weeks in advance, but innovative leaders were able
    to see the advantages of this and pressed forward to be able to continue
    their business dealings in a safe and profitable way.

    Build an Emergency Fund
    Businesses should set aside 3-6 months worth of expenses. This may take
    some time and effort to cut spending and automate deposits into a fund for
    circumstances such as future catastrophes, but it can be done, even for
    the smallest businesses.

    Mitigate Your [Employees’] Stress
    – Listen and act according to your [employees’] needs. Making them happy
    and secure during chaotic times will help both their mental well-being and
    your business as a whole.”2

    Future of Work

    The future of work is normally determined by a wide variety of factors,
    from globalization to industrial policy. Major work-related events or
    movements, like the COVID-19 pandemic, can alter these influences and,
    thus, change the trajectory of enterprise operations. While it may be too
    early to offer anything but conjecture, here (in Table 1) are some
    preliminary takeaways.

    Table 1. The Future of Post-Pandemic Work
    Factor Description Post-Pandemic Lessons or Leanings
    Globalization Moving the means of production to low-cost
    Globalization initiatives may decrease owing to
    renewed calls for “Made in America” products.
    Outsourcing Transferring enterprise operations (and jobs) to
    low-wage countries.
    Technology and other high-skill vacancies may
    increase the demand for outsourcing.
    Immigration Inviting high-end technical workers to relocate to
    the US or Europe, for example.
    Always a political issue, immigration in general may
    decline owing to the current high rate of US-Mexico border
    Education Encouraging employees to pursue management and
    technical training programs and certifications.
    Management training may increase owing to a
    heightened emphasis on team building, particularly remote teams.
    Automation Reducing workforce requirements by automating
    business processes.
    Automation initiatives – like robotic process
    automation (RPA) and machine learning (ML) – may explode due to
    worker shortages, and to lower personnel counts.
    Benefits Improving employee benefits to enhance employee
    recruitment and retention prospects.
    Increases in the minimum wage and further provisions
    of health and wellness benefits may find widespread support.
    Technology Utilizing technology to optimize enterprise
    operations and minimize enterprise risk.
    Enterprise executives may advocate for more cloud
    and managed services operations, especially as the technology
    landscape becomes more diverse, complex, and risky.
    Security Protecting the integrity of enterprise assets and
    the confidentiality of enterprise data.
    Cybersecurity attacks – in particular, ransomware –
    have escalated coincident with COVID-19. Enterprise executives
    will demand more effective security solutions.
    Industrial Policy Promoting best practices like
    Science-Technology-Engineering-Mathematics (STEM) education.
    Expect enterprises to codify the rights of remote
    and hybrid workers.

    Bad Things Happen In 3’s
    (or 4’s or 5’s)

    [return to top of this

    “One of the major lessons from the pandemic is
    to never focus on only one crisis at a time. The all-encompassing nature
    of COVID-19 has made this clear. The virus simultaneously triggered
    multiple related crises:

      • “A medical crisis;
      • “A mental health crisis;
      • “A political crisis;
      • “A supply chain crisis, and so on.

    “Organizations that had a narrow focus on only
    one of these issues often found themselves unprepared to manage the other

    – Mick Sharp, Group Director Security Services
    at International SOS.3

    Rethinking Risk

    As a result of COVID-19, analyst Richard Chambers recommends that
    enterprises embrace a broader and more nuanced set of risk metrics.
    Traditionally, risk managers rated risks on two criteria:

    1. Impact – What effects would a particular risk produce, if realized?
    2. Likelihood – What are the chances that a particular risk will

    In addition to these measures, Chambers would add:

    • Velocity – “How quickly would the risk spread across [the]
      organization if [it] were impacted?
    • Volatility – “How long will [the] risk persist before losing priority
      to another emerging risk?”

    “Identifying emerging risk events is hard enough in regular times, but in
    a time of high volatility, a risk that seems like a high priority can just
    as easily be replaced days or weeks later. When risks are evolving as
    quickly as [they were during the pandemic], you cannot afford to rigidly
    adhere to past prioritizations. New risks will come up, and your focus
    will inevitably need to shift as priorities change.”4


    [return to top of this

    “The only real mistake is the one from which
    we learn nothing.”

    – Henry Ford5

    Update BC, DR, and IR Plans

    It’s safe to say that in 2020 the overwhelming majority of enterprise
    business continuity, disaster recovery, and incident response plans did
    not provide for a pandemic. In the aftermath of COVID-19, BC, DR, and IR
    planners should amend their plans to cover pandemic or other healthcare
    contingencies, along with the now-expected secondary effects, including:

    • Loss of key personnel;
    • Greater use of high-speed, high-capacity telecommunications channels;
    • Increased reliance on enterprise employees to safeguard digital assets
      stored on smartphones or home office personal computers. 

    Create an “Agile” Organization

    Having to deal with the rapidly-changing dynamics of the COVID-19
    pandemic have convinced many management experts that enterprises would be
    best served by adopting an “agile” organizational structure. According to
    McKinsey, “Agile organizations maintain a stable top-level structure, but
    replace much of the remaining traditional hierarchy with a flexible,
    scalable network of teams. Networks are a natural way to organize efforts
    because they balance individual freedom with collective coordination. To
    build agile organizations, leaders need to understand human networks
    (business and social), how to design and build them, how to collaborate
    across them, and how to nurture and sustain them.”6

    As an example, the US Government Accountability Office (GAO) released an
    analysis of bank regulation during the pandemic, saluting the many
    procedural modifications made by regulators to accommodate a challenging
    business environment.

    “To manage pandemic-related challenges to their supervisory missions,
    banking regulators:

    • “Deferred examination activities,
    • “Expanded off-site monitoring of institutions,
    • “Adjusted telework policies, and
    • “Provided technology tools and internal guidance to examiners.”7

    Figure 1. Federal Banking Regulators Actions to Address
    Pandemic-Related Challenges to Conducting Fully Remote Examinations

    Figure 1. Federal Banking Regulators Actions to Address Pandemic-Related Challenges to Conducting Fully Remote Examinations

    Source: GAO8

    Establish Remote Work Standards

    With remote (or hybrid) work the new norm, enterprise IT and security
    departments should establish – and enforce – a new set of “acceptable
    technology use” standards. Among the items to be considered are:

    • Mandatory multi-factor authentication (including biometrics);
    • Standard hardware, software, and service sets (no “shadow IT”
    • Mandatory anti-malware protection (anti-virus, firewall, intrusion
      detection, data loss prevention, etc.);
    • Mandatory file backup (to the Cloud); and
    • Mandatory data encryption (in-place and in-transit)

    Hit the Automation Accelerator

    People are an enterprise’s greatest strength and its greatest
    weakness. While controversial, enterprise executives should allow for the
    “downsizing” of their workforce by automating, as possible, routine
    operations. Implementing or expanding robotic process automation (RPA) is
    an ideal first step.

    The Association for Intelligent Information Management (AIIM) defines RPA
    as “the term used for software tools that partially or fully automate
    human activities that are manual, rule-based, and repetitive. [RPA] tools
    are not replacements for the underlying business applications; rather,
    they simply automate the already manual tasks of human workers. They
    essentially look at the screens that workers today look at and fill in and
    update the same boxes and fields within the user interface by pulling the
    relevant data from the relevant location.”9

    The commonly cited advantages of RPA include:

    • Accelerating business operations – thereby enhancing business
    • Achieving greater accuracy – eliminating tedious and unnecessary
    • Regaining employee time – freeing employees to engage in more
      productive and profitable activities.
    • Cutting costs – improving the “bottom line.”
    • Providing better customer experiences – increasing customer
      satisfaction and decreasing customer churn.
    • Ensuring regulatory compliance – avoiding fines and other governmental
    • Improving employee productivity – enabling a more satisfying work
      environment, both for employers and employees.
    • Permitting cross-platform work processes – leveraging the fact that
      RPA is application agnostic.
    • Allowing scalable processes – expanding or contracting processes
      according to business demand and operational capabilities.
    • Harnessing artificial intelligence – extending, for example, the
      boundaries of automation to include unstructured data.10

    Prepare for Pandemic 2.0

    Figure 2. Hold On To Your Mask

    Figure 2. Hold On To Your Mask

    Source: Wikimedia Commons

    In addition to warning that the COVID-19 pandemic is not entirely over,
    public health officials are urging the leaders of private sector companies
    and public sector agencies to begin planning for the next pandemic. Dr.
    Craig Spencer advises that while “dozens of reforms [are] needed and
    debated,” there are “three areas [that] require immediate attention and

    1. “Disease surveillance,
    2. “Strengthening of the global health care work force, and
    3. “Ensuring equitable access to treatments and vaccines.”11

    [return to top of this


    About the Author

    [return to top of this

    James G. Barr is a leading business continuity analyst
    and business writer with more than 40 years’ IT experience. A member of
    “Who’s Who in Finance and Industry,” Mr. Barr has designed, developed, and
    deployed business continuity plans for a number of Fortune 500 firms. He
    is the author of several books, including How to Succeed in Business
    BY Really Trying
    , a member of Faulkner’s Advisory Panel, and a
    senior editor for Faulkner’s Security Management Practices.
    Mr. Barr can be reached via e-mail at jgbarr@faulkner.com.

    [return to top of this