About This Guide
This guide aims to
provide insights into the relevant impacts of COVID-19. It gives general risk
response guidance for companies to consider when deploying business continuity planning
(BCP) measures to combat the pandemic and, more importantly, to maintain the
agility to overcome the difficulties faced.
We understand that a
single set of procedures or responses might not fit all organizations or each
company’s individual situation, however in this guide we outline impact and
risk response for high-level consideration.
Impact and Risk Response
In the face of the growing spread of COVID-19, many businesses are formulating action plans to mitigate the potential impact on business operations, while at the same time meeting the needs of their customers and other stakeholders.
It is too early to assess the ultimate consequences on U.S. businesses, as the situation is still evolving. We are seeing volatility in the stock markets, travel restrictions, cancellation of events, school closings, constant news coverage and social media obsession with COVID-19.
And while there’s still much uncertainty, prudent leaders should be well-prepared.
Impact on Health and Safety
COVID-19 is an infectious disease.
The virus is thought to spread mainly from person-to-person through respiratory droplets when an infected person coughs or sneezes. It is also possible that a person may catch coronavirus by touching something that has the virus on it and then touching their own mouth, nose or their eyes. Gathering employees together at the workplace or large corporate events may put them at risk of exposure to the virus. The nature of the virus makes it challenging for companies to strike a balance between maintaining productivity and efficiency and providing a safe working environment for their employees. Early adoption of adequate preventive measures and maintaining an effective communicable illness policy can help ensure a safe work environment for employees, customers and clients.
RISK RESPONSE
To protect employee and customer safety while minimizing adverse economic impacts on the business, companies should consider the following actions, among others:
- Remind employees about the importance of maintaining personal hygiene and thoroughly washing hands and/or using hand sanitizer. Refer to guidance provided by the WHO, the CDC and local authorities.
- Encourage employees to stay home at the first onset of any cold or flu-like symptoms.
- Disseminate information on precautions to help stop the spread of the virus.
- Continually update records of travel and monitor employees’ potential exposure to COVID-19.
- Reconsider any non-essential travel plans, especially to events with large groups of people. Social distancing is encouraged at this time.
- Review and evaluate remote work policies and capabilities.
- Provide sufficient and accessible infection control supplies (e.g. hand sanitizer) and ensure cleaning services are properly cleaning and disinfecting frequently-touched objects and surfaces.
- Coordinate with Human Resources to establish procedures for how to respond to any symptoms displayed by employees.
Impact on Governance
The organization’s management is responsible for
identifying, assessing and responding to risks. These include emerging and
atypical risks, as well as risks which are newly developing and difficult
to fully assess but could affect the viability of an organization’s
strategy.
The board of directors has a fiduciary duty to ensure the organization acts in the best interest of its stakeholders. Board members should oversee the organization’s ability to successfully identify and respond to emerging risks, as well as provide timely and transparent information to internal and external stakeholders.
RISK RESPONSE
During times of crisis, people look to their leaders for strength and stability. Leaders do not wish to be caught off guard, especially when a situation escalates and thrusts the organization into chaos. Management and the board must work together to ensure a strong culture and effective communication is maintained throughout the process. Consider the following steps:
- Review the operational risk management capabilities, such as crisis management, business continuity, third-party risk and insurance. Verify that all key members of the team have been identified and fully understand their duties and are confident in their ability to carry out the responsibilities. If the operational risk management capabilities do not exist or are insufficient, consider involving risk management and internal audit professionals to assist in rapid development.
- Encourage collaboration across the organization to develop a strategy for adjustments to business continuity plans that adapt to evolving conditions.
- Center your focus on key business outcomes. This may require a different cadence, specific measurements for remote teams, and empathy during difficult situations. Focusing on your communications plan and your work culture will allow you to manage through distractions.
- Establish clear responsibilities between the board, audit and risk committees, and management team. Assess whether management has adequate resources internally or externally to help in assessing and mitigating risk.
- Ensure timely and relevant information is being received by the board.
- Develop centralized, timely messaging from leaders disseminated to employees to instill confidence and calm, and counter fear and misinformation.
- Require transparency in communications and set expectations for the frequency of communications.
- Ensure there is a platform or communication channel (e.g. hotline or website) to timely communicate information about COVID-19 inside and outside the organization.
Impact on Financial Reporting
Operations for some organizations will be negatively
impacted by the COVID-19 situation. Companies should consider the
additional risks involved and the impact on the company. In some cases,
the impact may necessitate adjustments to accurately reflect the financial
situation of the organization.
On Feb. 19, 2020, the SEC and the Public Company Accounting Oversight Board (PCAOB) issued a joint statement regarding certain matters, including financial reporting considerations related to COVID-19. The statement was intended to remind issuers of its policy to grant relief from filing deadlines in certain situations, including audit firm access to information and company personnel. They also emphasized the need for issuers to consider relevant financial statement disclosures related to the potential effects of COVID-19, including the impact of subsequent events to the organization.
RISK RESPONSE
- Evaluate potential disclosure of subsequent events in the notes to the financial statements, as well as how the organization plans to respond to the events as they unfold, which can be material to an investment decision.
- Due to COVID-19, the SEC has granted relief related to financial reporting and has established a protocol. Contact the SEC staff regarding guidance.
- Reassess the reasonableness of allowance and/or reserve balances, as these may be impacted. For instance, the company could have large accounts receivable amounts from a certain customer who may have incurred severe impact on their business due to COVID-19, causing an inability to pay and thus necessitating an increase in the allowance for doubtful accounts.
- Examine all actions taken by the organization in response to COVID-19. Consider the impact to the financial statement, and ensure appropriate entries are recorded in the general ledger to accurately capture the impact.
- Assess deferred tax assets – the need for a valuation allowance (or the magnitude of an existing valuation allowance) may need to be re-evaluated.
- Assess derivatives and hedging – forecasted purchases and sales and hedging of these activities may be impacted. These factors should be taken into consideration in the valuation of the contracts, and may cause problems from a hedge accounting standpoint as forecasted transactions are no longer probable of occurring. There may be legal questions on whether force majeure clauses are tripped.
- Public companies should consider whether updates are needed to Risk Factors, MD&A (known trends and uncertainties, potential impacts to guidance, capital expenditures, collectability issues, any impacts to cash flows, etc.), and other parts of filings
Impact on Economic Sustainability
As the number of COVID-19 cases continues to climb both in the U.S. and across the globe, businesses of all sizes and across all industries are feeling a significant impact.
Mass cancellations and travel restrictions are having a big impact on the airline industry. U.S. hospitality businesses have seen a sharp decline in their customer numbers. Supply chain disruption is pervasive and only getting more difficult to navigate.
Organizations may be faced with tough decisions to alter operations temporarily, modify business hours, or operate below capacity due to the impact on their workforce, customers or suppliers. We recommend you consider contingency planning and “what if” scenarios to establish back-up plans.
These issues may lead to falling revenue, reduced financial liquidity and the going concerns of key business partners, negatively impacting companies’ sustainability.
RISK RESPONSE
It is difficult to assess how long the novel coronavirus will cause significant disruption. In the meantime, cash is king: The critical element in any time of uncertainty is to ensure that the company’s liquidity position can be maintained and to buy time for the company to recover.
We recommend that company management establish a task force to monitor the level of impact on the business and periodically report to the board on the status of the key performance indicators for critical business units. Companies may also consider the following actions, among others:
- Conduct a thorough risk assessment of business operations, taking a holistic approach across the globe rather than focusing on certain regions, to assess the level of possible interruption and formulate measures to mitigate potential impacts.
- Perform financial scenario, sensitivity and ratio analysis, examining the overall threat to the organization should sales and/or production decrease at various percentage rates. Determine what actions may need to be taken at certain stages to reduce further losses.
- Plan for voluntary/involuntary employee absenteeism and reduction in workforce, which will impact production and service levels. Consider alternative work arrangements such as relocation (working from home or other locations), reassignment of workflow (altering shifts), or reallocation of production.
- Review the pace of expenditure in relation to the company’s expansion plans and existing development projects (if any) and slow down the cash burn rate.
- Re-prioritize the allocation of resources to unaffected business lines.
- Assess any impact relative to customer behaviors or sales over the past month(s) to determine if adjustments should be made to the level of staff needed or business hours.
- Explore and identify business transformation opportunities and models to reduce over-reliance on existing business segments.
- Identify measures for controlling budgets and increasing cost savings, such as assessing the possibility of outsourcing or reduction of non-critical business activities.
- Explore opportunities for collaboration with new strategic business partners for new market development and to meet customers’ needs.
- Identify alternative solutions if forced to suspend operations at the business premises.
Impact on Contract Compliance
Companies are experiencing an impact on sales, production and supply chain, among others, as a result of COVID-19-related issues from business interruptions. These impacts have a cascading effect on the ability to meet contractual obligations.
RISK RESPONSE
We recommend that companies consult their legal advisors and review their contracts to determine what, if any, contractual obligations may be impacted and the rights and remedies they have as a result of the delayed performance of contracts.
Companies should also take (and document) reasonable steps to mitigate the impact of COVID-19. If companies cannot fulfill their contractual obligations, they may need to quantify the amount of financial damage and the impact on their long-term business relationships.
Companies should review their existing insurance policies to find out whether any losses they incur relating to COVID-19 can be covered under existing terms or whether they need to adjust their coverage for additional protection.
Impact on Supply Chain
China is well known as the largest supplier of goods to the U.S.
In 2019, the U.S. imported more than $450 billion from the country. All industries—particularly healthcare, life sciences, retail, hospitality and travel—have already been highly impacted. Consider that 40% of U.S. apparel is sourced from China, 21% of microchips for PCs, servers and mobile phones come from China, and China exports around $35 billion in auto parts and accessories around the world. Governments around the world have begun to take measures that limit the movement of goods and people across borders. Restrictions imposed by the Chinese government, for example, have included quarantine mandates and factory shutdowns across the country. As China is the factory of the world, supply chains are deeply affected.
RISK RESPONSE
If management believes there is a risk of disruption to their supply chains, they should take the following steps, among others, to mitigate the potential consequences:
- Understand the behavior of disruptive models applied to the supply chain and establish the point in time at which such disruption is located.
- Consider re-prioritizing the production line to respond to market impacts associated with the threat, increasing safety stock levels, and stockpiling essential supplies and resources.
- Determine which vendors may be most severely impacted and if alternative vendors can provide a solution to meet business needs.
- Pre-qualify alternative domestic or international suppliers and outsourced vendors in case primary suppliers can no longer provide support.
- Assess if suppliers have documented plans for business unit continuity and information technology disaster recovery, including for critical business.
- Formulate contingency measures, give first response and anticipate possible failures in the supply chain. For example, examine the capacity of other suppliers in other geographical areas, change the production mix and plan for new delivery methods to reach customers.
- Take into consideration the absence of a large number of critical staff over an extended period.
- Estimate the recovery time for the supplier’s “mission-critical” business processes.
- Develop actions for business recovery. For example, find and approve new suppliers and alternative modes of transport, then identify which of those options are available, and sell products on that basis.
Impact on Technology
Many organizations will activate contingency and business
continuity measures to allow employees to work from home to limit the spread of
the virus. A significant number of remotely-connected employees, for an
extended period, may put a strain on the company’s network.
Furthermore, as U.S. businesses and employees are determining the potential impacts of COVID-19 on their operations, some cybercriminals are exploiting the hysteria. There are reports of phishing emails masquerading as guidance about COVID-19, as hackers disguise malware in email attachments purporting to contain information to protect against its spread.
RISK RESPONSE
- Assess whether security settings for remote connections and secured individual access mechanisms are in place and operating effectively.
- Determine sufficiency of network capabilities if a large number of employees are expected to be working remotely for an extended period.
- Enable staff to utilize equipment and tools to maximize their productivity while working remotely, such as video calling, cloud-based collaboration software, and online document authoring.
- Consider moving appropriate applications and decision support systems to the cloud to enhance your ability to not only manage through difficult times, but also harness the innovation, compliance and security features provided by global public cloud vendors.
- Adopt and/or verify enforcement of multi-factor authentication for employees who are logging into the company network.
- Review communications and information technology infrastructures as needed to support employee telecommuting and remote customer access.
- Enhance user awareness of cyber-attacks and provide frequent alerts to employees to enhance cyber vigilance.
- Educate employees on red flags to look out for within phishing emails.
- Practice consistency in communication methods and protocols to heighten an employee’s awareness of phishing attempts.
- Monitor the use of unauthorized computers (especially for companies that have adopted a Bring Your Own Device policy) and their access to the network.
- Review the data backup policy and the frequency