By Lloyd F. Reese, CPP, CISSP
What businesses can do to prepare for the business continuity and security implications of a flu pandemic before it hits. (Online Exclusive)
The US Centers for Disease Control (CDC) describes a pandemic as the outbreak of a global disease. A flu pandemic can happen when a new influenza virus develops for which people have little or no immunity, and there is no vaccine. The disease easily spreads from person-to-person, causes serious illness, and can move across the country and around the world rapidly. No one can easily predict when the next flu pandemic will occur or its severity. However, once it starts, everyone is at risk. Measures such as border closures and travel restrictions, might delay transmittal of the virus, but will not stop it.
Health experts are concerned about the continued spread of a highly pathogenic avian H5N1 virus across eastern Asia and elsewhere. This virus may be a significant threat to human health. The H5N1 virus increases concerns about a potential human pandemic because for these reasons: it is very infectious, it is spread by migratory birds, it can be transmitted from birds to mammals and in some circumstances to humans, and it continues to evolve.
Avian influenza is generally a low risk to most people, because these viruses do not usually infect humans. However, H5N1 has crossed the species barrier to infect humans, and it is quite deadly. Most cases of the infection in humans have occurred from contact with infected poultry or surfaces contaminated with fluids from infected birds. To date, the spread of H5N1 virus from person to person has been limited. Because all influenza viruses can mutate, scientists are concerned that H5N1 virus could be able to infect humans and spread easily from one person to another.
If an especially severe influenza pandemic were to occur, it could lead to high levels of illness, death, social disruption, and economic loss. Everyday life would be seriously disrupted as many people became seriously ill simultaneously. The results could range from school and business closings to interruptions of basic services such as public transportation and food delivery. A substantial percentage of the population will require medical care in some form. Health care facilities could be overwhelmed, with shortages in hospital staff, beds, ventilators, and supplies. Additional capacity at sites such as schools may need to be created to handle the demand.
For a pandemic to begin, three conditions need to be present: 1) a new influenza virus subtype must develop for which people are not immune; 2) the virus must cause illness in humans; and 3) it must spread easily and continue spreading among humans. The H5N1 virus in Asia, Europe, and Africa meets the first two conditions and has killed over half of those whom it has infected. The third condition, sustained human-to-human transmission of the virus, has not happened.
The avian flu is highly contagious and yet there are no symptoms for two days after contact. Absentee rates in the workforce could be 30 percent or higher as employees are either sick, caring for a family member, or afraid to come to work. According to CDC estimates, a moderate flu outbreak would cause between 88,000 and 300,000 deaths; a severe outbreak could cause 1.8 million deaths. (The seasonal flu causes about 36,000 deaths per year). It will come in waves lasting from 4 to 12 weeks and continue for one to two years. A vaccine will not be ready during the initial wave as it could take up to six months to isolate the strain and start production. Current anti-viral drugs are not effective against it. The drugs Tamiflu and Relenza, which may or may not work, are in short supply.
The World Health Organization (WHO) has identified five phases leading up to the pandemic (which is Phase 6). The phases are 1) the "inter-pandemic" phase, the period between pandemics; 2) a new virus infects animals, but not, as yet, human beings; 3) human beings are infected, but almost never by other people; 4) evidence of increased human-to-human transmission; 5) the clusters of infected cases which formed during Phase 4 become larger and more numerous; and 6) the virus is transmitted by human beings to one another in an efficient and sustained way: the pandemic—Phase 6—has begun.
We are currently in Phase 3, says the director-general of the WHO.
Implications for US Businesses
Most US businesses are dependent on a global network of critical supplies and support functions. Even before the pandemic reaches the US, its impacts on international trade could have a chain reaction resulting in shortages in the private sector, according to the US government in its document explaining preparations for the critical infrastructure.
Congressional Budget Office estimates that a mild pandemic’s impact on the gross domestic product would be one percent; a severe pandemic’s impact would be 4.24 percent.
Once the pandemic hits, the medical sector will be overwhelmed. Expect prolonged government service disruptions, runs on essential goods and services, and business shutdowns. Interruptions in the transportation industry are likely as the industry already has a shortage of trucks and trained drivers. The national electric utilities are already strained. A shortage of the fuel for power plants and absenteeism could lead to power outages and brownouts. Coal is still widely used for power generation. According to Michael Osterman, Director of the University of Minnesota Center for Infectious Disease Research and Policy, if oil refineries have a 30 percent or higher rate of absenteeism, the refineries may have to shutdown. Without diesel fuel from oil refineries, trains cannot deliver coal to power plants. James McEnery, a deputy vice president for human resources at Exxon Mobil told a recent pandemic conference that shutting down facilities was not an option. “We are going to ask some employees to come in and live in the facility.”
A CSO for a major services company explained that companies have to make some basic decisions: how much do they want to prepare and for what reasons?
Is it for business resilience or survival, post event competitive advantage, employee welfare, or civic responsibility? What are the weighted factors for each and what can they afford? Do they want to go beyond basic due diligence and maximize efforts within resources? Are they prepared to offer special compensation and benefits to employees including family crisis support? Are they prepared for the adverse psychological impacts? What functions are truly the most critical?
Once these critical assets are identified, they need to be well protected. Some less critical facilities may have to be abandoned. If a company is really serious about preparing for a pandemic, it needs to appoint a senior executive with the authority and resources to plan well. If a company is only interested in protecting its image and avoiding litigation, it will likely give the planning responsibility to its security director who will attempt to form a committee to do the planning.
Gartner group analysts Dion Wiggins and Steve Bittinger provide this guidance: “What may be more important than deciding whether a pandemic is likely to happen or not is to consider what you can do to protect yourself and minimize the impact if it does”.
As for legal considerations, Cheryl Falvey, an attorney with Akin, Gump, Strauss, Hauer, and Feld , stated the following at a pandemic conference: “I think it comes down to the concepts in the law of foreseeability and reasonable response to foreseeable risk”. She suggested that companies carefully assess the risks a flu pandemic would pose and take documented steps to limit them. They need to imagine what kind of lawsuit they could face in the aftermath of a pandemic.
Companies should get their own medical advisors and not rely entirely on public health authorities alone according to a CSO with a major services company. This advice will help the companies determine the trigger points at which they must implement certain steps in their plans. Companies' trigger points will be determined by increases in the phases listed by the WHO as well as information provided by the US government.
How well prepared are US companies today? Survey results published by Deloitte Center for Health Solutions and the ERISA (Employee Retirement Income Security Act) Industry Committee in December 2006 found that companies have made progress compared to a year ago. However, there remains a considerable gap between companies that acknowledge the threat (73 percent) compared with those that believe they are adequately prepared (52 percent). A survey by the Conference Board in July 2006 indicated that 75 percent of companies surveyed are actively engaged in planning for a pandemic. Planning is more likely with large and publicly held companies and gaps are significant between companies in critical industries and others.
Business Continuity Implications
Existing business continuity plans (BCP) are not adequate for a pandemic. The typical BCP deals with situations were the technology or facility is not available. The assumption is that the duration is short-term and the disruption is local.
The US government’s advice for critical infrastructure is to think in terms of COP-E (Continuity of Operations-Essential). It builds on existing contingency plans but considers the impact of a pandemic or a massive biological, chemical, or radiological event, category 5 hurricane, or 8.0 earthquake. No other disaster will last 18 months to 2 years. Keep in mind that a pandemic is different from other threats as it is focused on people. Given the potential mortality rate, impact on society and the economy, there could well be serious lingering psychological effects on employees.
Writer and pandemic consultant Michael Selzer goes a step further in calling for “DOOP” (discontinuation-of-operations plan). This plan is designed to “safeguard the corporations assets during the pandemic and to maximize its opportunities in the post-pandemic era”. The plan would be implemented “when times go from being troubled, merely, and become catastrophic”. Such plans could also be applicable when there are simply no customers who are able to purchase the company’s products or services.
According to Georges Cowan, a BCP Manager with the CGI Group, it takes 12 months for a large organization to adapt its BCP to deal with a pandemic situation.
The ability to telecommute will likely be critical but it is doubtful that many companies or government agencies are that well prepared. Less than 10 percent of the federal civilian workforce currently telecommutes. The GAO looked at the preparations in 23 federal agencies and concluded that none of the agencies “could ensure adequate technological capacity to allow designated personnel to telework during an emergency”.
According to the Cyber Security Industry Alliance, about 20 percent of the adult American workforce telecommutes one day or more per month. Amanda McGill, a program manager with Fairfax County, VA, stated in an interview that the county is determining who the essential workers are. Some such as payroll specialists may be able to telecommute while fleet management staff needs to work on site.
Can the last mile support increased telecommunications? Regina Phillips, a crisis management consultant, notes that most phone systems (landline and cell) are built for 10-12 percent of maximum capacity. Since cells can easily overload, learn to text message. Text messaging takes very little bandwidth compared with the traditional cell phone call and the message will be held in a queue until it goes through. E-mail may work when land lines do not. She points out some alternatives if the phone system becomes overloaded including web-based solutions such as voice-over-Internet (VoiP), instant messaging, and web meetings. Companies should develop their work at home programs well in advance so critical employees will be familiar with the technology used.
Others have raised the question as to whether or not the Internet will support the increased volume of users. The sober assessment presented by the Cyber Security Alliance is “little empirical evaluation has been done of the ability of the Internet infrastructure to support the traffic created when large number of employees…suddenly attempt to log on”. Of course, neither the local phone systems nor the Internet will work if there are interruptions in the power supply.
Gartner Inc. told attendees at its data center conference in November to prepare for possible quarantines of staff in their data centers. Most information technology (IT) managers do not think such quarantines are workable. While USDA is stocking its data centers with food and other supplies if it needs to house quarantined workers there, CIO Dave Combs says it will try to rely on remote management if a pandemic strikes. “The most logical place folks are going to want to be is at home”.
Staffing for key operations such as command centers should involve planning for a depth of three people for each key position. Cross training may work in some circumstances, but how many people can be easily trained to solve a software malfunction or operate a nuclear reactor? Another alternative is to bring retirees back to work. However, a west coast emergency manager asks, “Are they still in the area and will they feel safe coming back to work”?
To the extent that the company seemed to be prepared, employees may be willing to follow its example. A company can also help employees with their family plans to cover storing food, water, medicine and so on. Child care issues may need to be addressed. The CDC suggests having enough food and water for two weeks. Others, such as the University of Pittsburgh Medical Center, suggest between 8 to 12 weeks which is the duration expected for any wave of a pandemic. Anyone who takes medication on a continuing basis should discuss with their health plan getting at least a 90 day supply.
Some have suggested that now is the time to ask vendors and business partners for copies of their pandemic flu plans. While this sounds like a good idea, let’s reflect on its complexity. Selzer wonders how much it would cost a corporation to really “assess the supply chain and all supporting businesses” on which it depends. Can this really work without asking each supplier to ask its suppliers and so on? Is this real advice that can be implemented?
The US government Implementation Plan for the National Strategy for Pandemic Influenza suggests that various events could cause challenges for law enforcement. Civil disturbances and disorder could occur as hospitals become overwhelmed, shortages in basic necessities take place, and people try to evade quarantine orders.
The Harvard School of Public Health conducted a survey which showed that “when faced with a serious outbreak of pandemic flu, a large majority of Americans are willing to make major changes in their lives and cooperate with public health officials’ recommendations.” Reasonable people could be expected to give favorable responses when asked a hypothetical question today, but we do not know how people will actually behave during a pandemic. The Associated Press reported that surveys found only 10 percent of Americans were taking steps to prepare for a pandemic. If people do not prepare, they may become desperate for food, water, and warm or cool shelter, depending on the season of the year. As the number of fatalities rises and infrastructure fails, fear may also have an impact on people who would otherwise behave rationally.
When it comes to protecting critical infrastructure , the government in its Implementation Plan makes it clear that the private sector should take care of itself. It suggests that these critical services need to continue without interruption and that security plans need to be developed with the consideration that local law enforcement assistance may be limited.
One must consider the traditional role of security guards in the US. As confirmed in an interview with Cliff Enber, an attorney who works with contract guard firms, most have limited training. With a few exceptions, their role is simply to observe a given situation and report it to local law enforcement. This is especially true if violence or weapons are involved. However, as noted above, the police may not be available. While the National Guard can potentially backup local police if ordered to do so by the governor, the National Governor’s Association has cautioned that their ranks may be depleted by callups by the Department of Defense.
An article in the Raleigh News and Observer describes preparations for a flu pandemic. Hospital security forces are making plans for crowd control and restricted access or “lockdowns” if needed. WakeMed (Hospital) Police Chief Liasa Pryse stated “we got more serious after Katrina because we realized we did not need a bioterrorism event for there to be a threat to a key community asset.” If mobile medical units leave the site as they did to provide assistance in the gulf area after Katrina, her officers will be there to guard the doctors and nurses. “We would not roll a truck out of here without an armed presence” said Bill Atkinson, WakeMed’s President and CEO. By contrast, Carolina Medical Center in Charlotte does not have sworn officers and relies on local law enforcement to guard their personnel. When they headed to the gulf coast, SWAT team members from Charlotte-Mecklenburg PD provide security. WakeMed appears better prepared for the pandemic than Carolina Medical Center.
Jay Schwartz is with North Carolina-based Alex Lee Inc, which owns a chain of grocery stores and also supplies institutions. At a recent pandemic conference he commented that "security is a huge issue." Large food trucks may be targeted by thieves. "Maybe we'll have someone riding shotgun for added security."
Attorney Enber notes that to supplement an existing guard force, contact guards are likely to be the only option. “Contract security companies are in a strong position to respond and cover you. They have an inventory of security personnel they can call on.” He pointed out their record of responding to requests for additional guards after 9-11.
A representative of a major guard company explained in an interview that his company was working closely with its clients to prepare for a possible pandemic. This company made sure that its senior managers were fully informed about pandemic planning. However, when asked how his officers would deal with the lack of police response, his response was “that’s a good question.”
Technology such as cameras, sensors, lighting, and access control can certainly help to protect your employees and facilities. Given that power may have interruptions, anything that is truly important needs battery backup and generators with multiple refueling contracts. It can take from six months to a year to have generators and fuel tanks installed.
Partnering with the Community
The Conference Board survey of companies regarding pandemic planning found that about “30 percent are working with municipal/ local officials about their organization’s ability to provide essential services and access to facilities, equipment, or staffs during a pandemic; and nearly 20 percent have coordinated with first responders.”
While much of the effort for pandemic planning has focused on the public health aspects, the non-medical issues are quite important. No business can operate for long without support provided by the local government especially water, sewage, garbage disposal, and public safety. Water and sewage facilities both need power to operate as well as certain chemicals. Do these facilities have generators and how long will their fuel supply last? How much inventory of these chemicals is maintained? Clearly more businesses need to work with their local pubic officials to determine how well prepared they are to carry out these functions and also how the company can help.
If you are critical infrastructure (CI), you had better be well prepared. Even so, you could fail due to extended power outages and fuel shortages, but you still tried to prevail. Otherwise, you will face the anger of citizens, legislators, shareholders, and others. If you are less than CI, you need to do a careful assessment. Is it best for you to go into a "DOOP" if things get tough or should you try harder to stick it out longer? What will be the cost if you do and if you do not? It may be much less expensive to prepare for a pandemic than for a traditional disaster. You will not need another data center site or backup office space at another location. You do need to plan for how you can operate with 30 percent or more of your staff absent. That's a challenge, but it may not be that costly. Think hard about what is really important for your company to do in order to survive.
All companies need to think about how they will be seen in the communities where they are located. There is much that can be said for working with others to help the community. Many companies such as Wal-Mart and Home Depot, large logistical operations, showed how well the private sector can respond to a disaster such as Katrina. Many other companies also have considerable logistics experience. A pandemic is not simply a public health issue. Surviving it requires getting critical supplies such as food, water, and fuel where they are needed.
Start by checking out your local government's web site. If they refer you to the state or federal government's sites, you need to be concerned. If, when you call them, they say they have an "all hazards approach", you need to start asking tough questions about water, sewer, public safety, etc. Do not take avoidance and denial for answers. After all, you are a taxpayer!