It is hard to believe, but Net Friends planned for a pandemic in September 2019. We put together a “Pandemic Playbook” of 1,400 words that printed on 4 pages, and directly addressed how we would handle communications, remote work, coordination with authorities, and safety protocols. Our playbook went into depth on quarantine and isolation procedures, including an entire section on “Social Distancing” back before that became a phrase to define the year 2020. After this plan was put together, we performed several drills to test whether we could perform our core duties as a company if we all worked remotely.
How on earth did we “predict” the pandemic? All “Back to the Future” jokes aside, the simple fact is we didn’t predict anything. What we did was more practical: we performed what is called a “Business Entity Risk Assessment” process. This is the most top-level type of risk assessment you can do, looking at broad risks to the business as a whole. The CEB Information Risk Leadership Council (now part of Gartner) defines multiple risk assessment types, and this Business Entity assessment was the one recommended to us by our SOC 2 Type II compliance auditors from Kirkpatrick Price. This risk assessment was based on an Excel template that listed over 40 potential major risk categories. We pared that list down to 22 risks that we determined were applicable to us (a strike of unionized workers was an example of a potential risk that does not apply to our business).
Below is a screenshot from the September 13, 2019 report showing the first 5 Risks we assessed, and “Pandemic” was #3 on the list. We were encouraged to discuss the pandemic risk seriously, as our association with a local major healthcare institution allowed us to be very much in touch with the risks inherent in infectious diseases. As you can see in the image below, we also identified that at the time we had not formally controlled for this risk, and this put us on a path to get the Pandemic Playbook formalized. We asked Ron, our Privacy Officer and resident safety expert with years of experience in healthcare environments, to lead the charge on forming this playbook. By September 26, 2019 we had a final draft ready for review. We then incorporated this into our future business continuity drills.
How much more prepared your business could have been had you performed a similar Business Entity Risk Assessment? Imagine if your leadership team had materially participated and then carried out actionable tasks that stemmed from this assessment, how much more durable and resilient could you have been in March 2020? We find that preparing for any one adverse event often has a positive effect in your daily operations by identifying processes and controls that aren’t serving your business as well as they should. The risk mitigation and business continuity tests you are likely to perform downstream of a risk assessment also prepares your team to respond well when there’s an adverse event.
We don’t know what 2021 and future years has in store for us, but we can assess our business’ controls and capacity to blunt the worst of a predictable event. We would be delighted to share with you our processes of performing risk assessments that can prioritize your efforts and prepare your business for whatever the future might bring.