
Can Your Business Withstand a Flu Pandemic?

By Lloyd F. Reese, CPP, CISSP

Implications for US Businesses

Most US businesses are dependent on a global network of critical supplies and support functions.  Even before the pandemic reaches the US, its impacts on international trade could have a chain reaction resulting in shortages in the private sector, according to the US government in its document explaining preparations for the critical infrastructure.
 
The Congressional Budget Office estimates that a mild pandemic’s impact on the gross domestic product would be one percent; a severe pandemic’s impact would be 4.24 percent.

Once the pandemic hits, the medical sector will be overwhelmed. Expect prolonged government service disruptions, runs on essential goods and services, and business shutdowns. Interruptions in the transportation industry are likely, as the industry already has a shortage of trucks and trained drivers. The national electric utilities are already strained. A shortage of the fuel for power plants and absenteeism could lead to power outages and brownouts. Coal is still widely used for power generation. According to Michael Osterman, Director of the University of Minnesota Center for Infectious Disease Research and Policy, if oil refineries have a 30 percent or higher rate of absenteeism, the refineries may have to shut down. Without diesel fuel from oil refineries, trains cannot deliver coal to power plants. James McEnery, a deputy vice president for human resources at Exxon Mobil, told a recent pandemic conference that shutting down facilities was not an option. “We are going to ask some employees to come in and live in the facility.”

A CSO for a major services company explained that companies have to make some basic decisions: how much do they want to prepare and for what reasons?

Is it for business resilience or survival, post event competitive advantage, employee welfare, or civic responsibility? What are the weighted factors for each and what can they afford?  Do they want to go beyond basic due diligence and maximize efforts within resources? Are they prepared to offer special compensation and benefits to employees including family crisis support? Are they prepared for the adverse psychological impacts?  What functions are truly the most critical?

Once these critical assets are identified, they need to be well protected.  Some less critical facilities may have to be abandoned.  If a company is really serious about preparing for a pandemic, it needs to appoint a senior executive with the authority and resources to plan well.  If a company is only interested in protecting its image and avoiding litigation, it will likely give the planning responsibility to its security director who will attempt to form a committee to do the planning. 

Gartner group analysts Dion Wiggins and Steve Bittinger provide this guidance: “What may be more important than deciding whether a pandemic is likely to happen or not is to consider what you can do to protect yourself and minimize the impact if it does”.
 
As for legal considerations, Cheryl Falvey, an attorney with Akin, Gump, Strauss, Hauer, and Feld, stated the following at a pandemic conference: “I think it comes down to the concepts in the law of foreseeability and reasonable response to foreseeable risk”. She suggested that companies carefully assess the risks a flu pandemic would pose and take documented steps to limit them. They need to imagine what kind of lawsuit they could face in the aftermath of a pandemic.

Companies should get their own medical advisors and not rely on public health authorities alone, according to a CSO with a major services company. This advice will help the companies determine the trigger points at which they must implement certain steps in their plans. Companies' trigger points will be determined by increases in the phases listed by the WHO as well as information provided by the US government.

How well prepared are US companies today?  Survey results published by Deloitte Center for Health Solutions and the ERISA (Employee Retirement Income Security Act) Industry Committee in December 2006 found that companies have made progress compared to a year ago. However, there remains a considerable gap between companies that acknowledge the threat (73 percent) compared with those that believe they are adequately prepared (52 percent).  A survey by the Conference Board in July 2006 indicated that 75 percent of companies surveyed are actively engaged in planning for a pandemic. Planning is more likely with large and publicly held companies and gaps are significant between companies in critical industries and others.  
 
Business Continuity Implications

Existing business continuity plans (BCP) are not adequate for a pandemic. The typical BCP deals with situations where the technology or facility is not available. The assumption is that the duration is short-term and the disruption is local.

The US government’s advice for critical infrastructure is to think in terms of COP-E (Continuity of Operations-Essential).  It builds on existing contingency plans but considers the impact of a pandemic or a massive biological, chemical, or radiological event, category 5 hurricane, or 8.0 earthquake.  No other disaster will last 18 months to 2 years.  Keep in mind that a pandemic is different from other threats as it is focused on people. Given the potential mortality rate, impact on society and the economy, there could well be serious lingering psychological effects on employees. 

Writer and pandemic consultant Michael Selzer goes a step further in calling for “DOOP” (discontinuation-of-operations plan). This plan is designed to “safeguard the corporation’s assets during the pandemic and to maximize its opportunities in the post-pandemic era”. The plan would be implemented “when times go from being troubled, merely, and become catastrophic”. Such plans could also be applicable when there are simply no customers who are able to purchase the company’s products or services.

According to Georges Cowan, a BCP Manager with the CGI Group, it takes 12 months for a large organization to adapt its BCP to deal with a pandemic situation.

The ability to telecommute will likely be critical but it is doubtful that many companies or government agencies are that well prepared.  Less than 10 percent of the federal civilian workforce currently telecommutes.  The GAO looked at the preparations in 23 federal agencies and concluded that none of the agencies “could ensure adequate technological capacity to allow designated personnel to telework during an emergency”.

According to the Cyber Security Industry Alliance, about 20 percent of the adult American workforce telecommutes one day or more per month.  Amanda McGill, a program manager with Fairfax County, VA, stated in an interview that the county is determining who the essential workers are.  Some such as payroll specialists may be able to telecommute while fleet management staff needs to work on site. 

Can the last mile support increased telecommunications? Regina Phillips, a crisis management consultant, notes that most phone systems (landline and cell) are built for 10-12 percent of maximum capacity. Since cells can easily overload, learn to text message. Text messaging takes very little bandwidth compared with the traditional cell phone call, and the message will be held in a queue until it goes through. E-mail may work when land lines do not. She points out some alternatives if the phone system becomes overloaded, including web-based solutions such as voice-over-Internet (VoIP), instant messaging, and web meetings. Companies should develop their work-at-home programs well in advance so critical employees will be familiar with the technology used.

Others have raised the question as to whether or not the Internet will support the increased volume of users.  The sober assessment presented by the Cyber Security Alliance is “little empirical evaluation has been done of the ability of the Internet infrastructure to support the traffic created when large number of employees…suddenly attempt to log on”. Of course, neither the local phone systems nor the Internet will work if there are interruptions in the power supply.

Gartner Inc. told attendees at its data center conference in November to prepare for possible quarantines of staff in their data centers. Most information technology (IT) managers do not think such quarantines are workable. While USDA is stocking its data centers with food and other supplies if it needs to house quarantined workers there, CIO Dave Combs says it will try to rely on remote management if a pandemic strikes. “The most logical place folks are going to want to be is at home”.

Staffing for key operations such as command centers should involve planning for a depth of three people for each key position. Cross training may work in some circumstances, but how many people can be easily trained to solve a software malfunction or operate a nuclear reactor? Another alternative is to bring retirees back to work. However, a West Coast emergency manager asks, “Are they still in the area and will they feel safe coming back to work”?

To the extent that the company seems to be prepared, employees may be willing to follow its example. A company can also help employees with their family plans to cover storing food, water, medicine and so on. Child care issues may need to be addressed. The CDC suggests having enough food and water for two weeks. Others, such as the University of Pittsburgh Medical Center, suggest between 8 and 12 weeks, which is the duration expected for any wave of a pandemic. Anyone who takes medication on a continuing basis should discuss with their health plan getting at least a 90-day supply.

Some have suggested that now is the time to ask vendors and business partners for copies of their pandemic flu plans.  While this sounds like a good idea, let’s reflect on its complexity.  Selzer wonders how much it would cost a corporation to really “assess the supply chain and all supporting businesses” on which it depends.  Can this really work without asking each supplier to ask its suppliers and so on?  Is this real advice that can be implemented?
