We’re in the middle of a data explosion. Today a Google search of COVID-19 generates almost 3.5 billion results; and searching for coronavirus (official name ‘SARS-CoV-2’), the virus that causes COVID-19, generates almost 2.3 billion Google results. The virus and disease that trigger a growing laundry list of symptoms are also generating a mind-numbing constellation of business and legal risks for almost every company on the planet. How to get a handle on and respond to COVID-19 legal risks in any sensible way when each company needs to build the airplane while flying it? A risk matrix can help organize complex data for ongoing analysis and rapid decision-making.
Creating a risk matrix and organizing your data may sound like cold comfort compared to the tsunami of COVID-related data we’re now inundated with daily. Information management and business analytics are sometimes thought of as ‘nice to have’ instead of ‘must-have’ business capacities for actively guiding rapid decisions, but right now key data about your business needs to be communicated and put into practice. Dynamic risk assessment using a matrix can help your company’s pandemic response team with scenario analysis and advance planning.
Here are eight key types of information and data that require immediate, active management by public or private companies:
- Public disclosure: data points for necessary or desirable disclosure for all stakeholders (customers, employees, shareholders, partners etc.).
- Corporate governance: senior management and board information on the potential impact of pandemic issues.
- People and HR policies: planning, policies and practices.
- Financial management and reporting: treasury issues, additional reporting required by contract partners for financial statements, or by auditors.
- Material contracts: supply chain disruptions, fluctuating demand, new contracts to be considered material and/or critical such as PP&E supply contracts.
- Insurance and risk management policies: analyze pandemic-related loss coverage and negligence risk.
- Continuous due diligence questions: ongoing quality review of PP&E supply and usage; establish process for rapidly raising new diligence questions.
- Business operations continuity information: the who, what, where, how and when of business operations, including risks from curbside, contactless or other new business operations options.
Now turn this list into a matrix. Each factor needs to be addressed in the short term as many people and businesses are still in ongoing triage mode. Plus the medium term to transition; and strategically for the long term.
|Key information||Short term (triage)||Medium term (transition)||Long term (strategy)|
|1.||Public disclosure||Press release or public announcement||Risk factors in continuous disclosure including quarterly and annual filings||Pandemic-proof strategies and emergency response plans. Prospectus disclosure|
|2.||Corporate governance||Form senior management pandemic response team. Engage board to update environmental, health and safety policies||Audit committee review of pandemic issues. Senior management review existing business analytics to anticipate governance issues||Business analytics strategy to mitigate losses. Committees and policies reviewed for pandemic responsiveness|
|3.||People and HR policies||Remote working, quarantine, food security, hygiene, social distancing and PP&E policies||Collaboration of HR roles with pandemic and emergency response teams||Long-term wellbeing strategy including stance towards vaccination|
|4.||Financial management and reporting||Cash management priorities. Covenant management. Enhanced data gathering||Data to forecast pricing issues including interest rates, exchange rates and commodity prices. Additional reporting or financial disclosure||Additional risks or qualifications to be included in financial statements, such as going concern issues|
|5.||Material contracts||Force majeure and pandemic clauses. Assess key supply chain partners including PP&E suppliers||Review of representations, covenants and events of default||Contract playbook to mitigate and prevent pandemic risks|
|6.||Insurance and risk management policies||Assess liability coverage for financial year. Key person insurance and travel policies||Evaluate insurable loss claims and potential for negligence claim exposure||Risk management policy and insurance review regarding pandemic and other emergency issues|
|7.||Continuous due diligence||Best business practices monitoring (online, curbside or contactless operations)||Quality review of new requirements such as PP&E quality and security of supply||Seasonal update for pandemic readiness, inclusion of pandemic questions in all due diligence reviews|
|8.||Business operations continuity||Establish remote work protocols with data and IT security. Add online business channels. Ensure sustainability of online, curbside or contactless operations||Establish new key partnerships for data and IT security. Revenue analytics, with forecasts and prioritization of updated revenue streams. Ongoing technology onboarding or maintenance for end-to-end digitization||Strategy and business analytics for revenue diversification. Pandemic-ready and emergency response CX strategies.
Long term capacity planning (i.e. cloud or Zoom capacity.)
This matrix should also be organized around potential impact and probability, plus corporate risk tolerance. But this raises the need for ongoing information management and data analysis: we’re still not entirely sure which pandemic risks are most critical, most likely or most costly each day. Business leaders need to analyze pandemic response questions as they arise and there often isn’t enough time to structure the data itself. Even a simple risk matrix can help response teams limit foreseeable risk so that they can focus on managing residual risks less within their direct control (such as being unexpectedly caught in the middle between a supplier who can’t deliver and a customer demanding immediate fulfillment of their purchase contract).
As much as we don’t know about the post-pandemic future, managing and acting on COVID-19 legal risks a is a critical mission that calls upon us to rapidly deploy business analytics and information management skills to make strategic business decisions that anticipate intelligently the emerging future.