It's Time to Plan


On February 21, 2003, Dr. Liu Jianlun, a specialist in southern China who was treating patients with a baffling new respiratory disease, made a momentous decision. Despite experiencing the flu-like symptoms himself, he opted to visit nearby Hong Kong for a wedding. Dr. Liu checked into Hong Kong’s Metropole hotel, where he unknowingly transmitted his infectious disease to other guests; they, in turn, set off devastating outbreaks in Toronto, Canada; Singapore; and Vietnam. The hotel became ground zero for the 21st century’s first major epidemic, caused by a deadly new virus—later called Severe Acute Respiratory Syndrome (SARS).

From its epicenter in southern China, SARS went on to infect 8,096 people around the world and kill 774. National and international public-health resources were stretched to the breaking point. For example, in a matter of days, Toronto officials cornered the North American supply of N95 disposable respirators, leaving no room for error if another crisis had erupted. Air travel was curtailed. Economies in the affected countries were crippled and supply chains worldwide were disrupted. Morgan Stanley put the global economic hit at $30 billion.

SARS showed that, in an age of international travel, “a sneeze on the other side of the world can bring infectious disease to us in days, if not hours,” said the SARS Commission, which conducted a judicial inquiry into the Toronto outbreak. Even so, the deaths, illnesses, and economic disruptions it caused were relatively constrained because it was a multiregional event—not a global incident.

Imagine, then, what could happen in the event of a worldwide pandemic, such as might be caused by a new influenza strain. (SARS was not caused by a flu virus, though its victims suffered from flu-like symptoms. Instead it was caused by a completely new coronavirus.) The worst flu pandemic, which occurred in 1918-19, is estimated to have killed more than 50 million people. As Dr. Danuta Skowronski of the British Columbia Centre for Disease Control has noted, “A pandemic could make SARS look like a cakewalk.”

How Ready Are We?
The encouraging news is that many large companies have begun to take seriously the need to develop pandemic plans. A survey of ASIS members conducted in conjunction with this article found that about three-quarters of respondents have both a documented pandemic plan and a pandemic coordinator or a team with defined roles and responsibilities for pandemic preparedness and response planning. (About two-thirds of respondents were from the private sector, with about 9 percent from a federal, state/provincial or local/municipal agency. About 76 percent of respondents were from entities with more than 1,000 employees.)

These pandemic plans also appeared to be scalable, an important factor because a flu pandemic usually occurs in waves and unfolds over a longer period of time. More than 70 percent of respondents said their plans contained a phased response that could escalate as necessary.

Less encouraging, however, was the finding that nearly half of the respondents indicated that their companies had never tested the plan. Despite that low number, survey respondents are likely doing more than the general business population because ASIS members tend to be ahead of the curve.

Other studies support that theory. For example, a survey of a broader business audience by the Deloitte Center for Health Solutions released in 2007 found that while the vast majority of respondents (72 percent) believed that planning could help protect their business from a pandemic’s impact, only 52 percent had adequately planned.

A Mercer Human Resource Consulting survey in 2006 similarly found “a considerable gap between organizational concern about the impact of a pandemic and organizations’ current state of pandemic preparedness.” Countries affected by SARS were “generally more advanced in their pandemic planning,” the Mercer study found. “Conversely, for the United States and other economies that were not impacted by SARS and have not had direct exposure to the avian flu, planning is in its relative infancy.”

Executive Support
Surveys of business executives have shown that pandemics are not top-of-mind among decision makers. For example, “One thing that comes out loud and clear [from Deloitte research] is that corporate pandemic preparedness is simply not a CEO or COO [chief executive or chief operating officer] or board-of-directors level topic,” said Michael Evangelides, a principal at Deloitte, speaking at a 2007 conference titled “Business Preparedness for Pandemic Influenza: Second National Summit,” sponsored by the University of Minnesota Center for Infectious Disease Research and Policy (CIDRAP).

There are many reasons for this, not the least of which is the current economic downturn, with its more immediate consequences. Other reasons include the perception that U.S. corporations may have overreacted to the perceived threat of Y2K. Some studies suggest that the United States might have wasted as much as $40 billion because of fears of massive worldwide computer failures on January 1, 2000. As the Conference Board titled a briefing paper: “Is Avian Flu the Next Y2K? Can We Afford To Think So?”

Another factor reducing the willingness of businesses to spend on pandemic planning is that media coverage of the potential threat—and, thus, public concern—is waning. An Associated Press–Ipsos Public Affairs poll found that only 27 percent of Americans described themselves in July 2007 as concerned about avian influenza, down from 35 percent in 2006. Conversely, 41 percent said in 2007 they were not concerned about avian flu, up from 31 percent in 2006.

Commenting on the noticeable drop in mainstream media coverage, Peter Sandman, a critical incident communication expert, wrote in the CIDRAP Business Source Weekly Briefing: “Journalists are novelty junkies; they get bored fast. For a while, the risk of a pandemic was novelty enough for them. Then, inevitably, reporters started longing for a new angle. The one they found was: ‘Whatever happened to the risk of a pandemic?’”

The problem is, regardless of public and media perceptions or the priorities of corporate decision makers, the possibility of another pandemic has not diminished, nor has the need to have a pandemic plan.

There have been three pandemics since the start of the 20th century. Besides the already-mentioned 1918-19 pandemic, less destructive but still serious global flu events occurred in 1957-58 and in 1968-69. “Both history and science clearly tell us that influenza pandemics are inevitable,” said Dr. Julie Gerberding, director of the Centers for Disease Control and Prevention, in testimony at a 2006 hearing on the issue before the Senate Appropriations Subcommittee on Labor, Health and Human Services, Education, and Related Agencies.

Part of the difficulty is that top-level decision makers are generally focused on quarter-to-quarter performance. This is often called “short-termism,” or the overwhelming pressure of meeting short-term quarterly earnings. Pandemic planning, on the other hand, requires a long-term perspective. The challenge, said Dr. Gerberding, speaking at the CIDRAP conference, is: “How do we run this marathon when we’re living in a society that only wants to sprint?”

The bottom line: Whenever you put together a business plan for creating a new pandemic preparedness program or sustaining an existing one, you need to keep in mind what’s topmost on executives’ minds and the status of other business drivers like public opinion and mainstream media coverage.

Broader benefits. One way to counter short-termism and any skepticism about the value of allocating resources to pandemic planning is to make a business case that the investment in such plans yields much broader benefits. It does so by making the organization more resilient and better able to survive a variety of more common catastrophic critical incidents, such as those caused by severe weather.

“Pandemic planning definitely creates value,” says Bernie McCabe, chief security officer for Marathon Oil Corp. of Houston. Marathon, the fourth largest United States-based integrated oil company and the nation’s fifth largest refiner, has a cutting-edge pandemic plan.

The company has also invested heavily in the infrastructure necessary for employees to work from home in the event of a pandemic. It has seen this investment pay off. “We’ve had a couple of ice storms the last couple of winters, and we activated our pandemic infrastructure to see if we could operate remotely, and it worked perfectly,” says John Weust, manager of emergency preparedness at Marathon.

A pandemic plan will help a company achieve the following goals, outlined in the ASIS Business Continuity Guideline: save lives and reduce chances of further injuries/deaths; protect assets; restore critical business processes and systems; reduce the length of the interruption of business; protect against reputation damage, control media coverage; and maintain customer relations.

Another selling point: An Oxford University study showed that companies that effectively manage critical incidents gain market value, while the shares of ineffective ones can lose a lot of value. The study found that corporations lost an average of 15 percent in net stock value in the months following an ineffective response to a large-scale emergency. An effective response increased companies’ total market value by about 22 percent.

Best Practices
Once you get top management to buy into the concept, you have to make sure that you include the right elements in your pandemic preparedness program. Your goals are those just stated in the ASIS guidelines, but it’s useful to look at some key specifics with regard to achieving those objectives.

Personnel concerns. One characteristic that makes pandemics different from other critical incidents, such as fires and floods, is that physical assets are not at primary risk; people are. In a fire, earthquake, or hurricane, it is the damage to facilities and infrastructure that prevents the company from operating. A pandemic will degrade operational capabilities by causing severe illness and death and through disruptions resulting from containment efforts, such as travel and transportation restrictions.

A pandemic plan needs, therefore, to consider how the company will address these personnel issues. One way is to include policies and programs for allowing people to work from home, known as telecommuting. Only 12 percent of respondents to the ASIS pandemic survey said that their companies had policies for telecommuting and flexible work hours.

Encourage cooperation. Another aspect of the human factor is to look for ways to encourage employee cooperation in avoiding or containing the threat of infection. One way to do this is through awareness. Companies should consider establishing policies and programs for preventing influenza spread at the work site by promoting respiratory hygiene and etiquette.

The company should also have clear procedures for prompt exclusion of people with influenza symptoms. In the ASIS member survey, only 12 percent of respondents said they had policies for preventing influenza spread at work sites.

Another way that companies can encourage employee cooperation is to have provisions in their pandemic plan for supporting or compensating staff who suffer an unfair burden of personal cost for cooperating in public-health measures like a quarantine. In the ASIS member survey, only 3 percent of respondents said that they had policies for employee compensation and sick leave absences unique to a pandemic.

Stockpiles. The plan should also address how the company will help staff deal with special needs that arise in an outbreak. Stockpiling supplies is one way to address this issue. In the ASIS pandemic survey, two-thirds of respondents said that their companies stockpiled protective equipment for employees, such as protective gear or antiviral medicines, but only about 30 percent said that their stockpiles were intended to last more than one week. (There is no right time period for stockpiling to prepare for a crisis that potentially unfolds in waves over a period of time. It’s up to each corporation to make its own best guess as to how much to stockpile.)

Succession. The pandemic plan, as with other contingency plans, should also address succession in case executives are affected. About 62 percent of the ASIS survey respondents have this in their plans.

Training. Staff must be properly trained with regard to their responsibilities under the plan. As the ASIS Business Continuity Guideline has noted, a response plan is “only as valuable as the knowledge that others have of it.”

There should also be a strong testing program to evaluate effectiveness, help responders to clarify their roles and responsibilities, and reveal areas for improvement. Testing should involve both simulation and tabletop exercises. As noted, however, the survey of ASIS members found a major weakness with regard to testing. Only a third of respondents had tested their pandemic plans since 2007, and nearly half had never tested them.

“You should test frequently to keep it in people’s minds,” says Dr. Robin McFee, an ASIS member who is also one of the nation’s top bioterrorism response experts. “I’m a big believer that, at least once a year, you do a surprise drill.”

Collaboration. Since no company will be going through a pandemic in a vacuum, it’s important for every organization to reach out to federal, state, and local public-health agencies and emergency responders to make sure that internal plans are coordinated with those of the public sector. If possible, the company should participate in the planning processes of these public bodies and share their own plans with the appropriate counterparts.

“If you are in communities where pandemic planning is being paid attention to, you need to become part of that process and part of the solution,” says Marathon Oil’s McCabe.

Dr. Clete DiGiovanni, a retired physician who was a speaker at the ASIS Annual Global Terrorism Conference, seconds this, noting, “I would encourage the people who develop pandemic plans to figure out how all their plans would mesh with their community’s plans.”

That’s one point that ASIS members understand and have acted on. In the ASIS pandemic survey, 88 percent of respondents said that their companies collaborated with other government agencies.

Supply chain. Pandemic plans should include contingency arrangements with suppliers, which 85 percent of respondents said their companies had.

As a part of the planning process, you should identify dependencies and weak links, make sure that there are sufficient redundancies and alternate sources of supply, and make sure that your pandemic plans align with those of your company’s key vendors and customers.

Reasonable action. Unlike single-event emergencies, such as fires and plane crashes that unfold over a distinct time frame, a pandemic lasts one to two years and comes in waves of six to eight weeks. Each wave is expected to cause large numbers of hospitalizations and deaths, high rates of absenteeism, and serious economic and social disruption.

A pandemic offers neither a clear-cut perimeter nor a simple way to monitor its status. Any assessment of its extent at a given point in time has to be largely based on conjecture.

Tracking its progress depends on identifying the number of people affected (those who have died or who are showing symptoms) at that point in time and knowing the incubation period, which is the time between infection and when symptoms appear. If the pandemic strain has an incubation period of 10 days, for example, the number of symptomatic patients at the time the tally is taken shows how many people were infected as recently as 10 days prior. But anyone infected less than 10 days before that assessment likely won’t show symptoms.

The theory in tracking and controlling a pandemic or a forest fire is the same, said Dr. James Young, who led the fight to contain SARS in Toronto. But with a pandemic, unlike a fire, “the difficulty and the problem is, I have no idea where it is. I only know where it was 10 days ago [the most recent incubation period], and I have to not only catch up that 10 days, I must get further ahead.”

This means that during a pandemic, your facility may have employees and visitors who are infectious but don’t exhibit any symptoms. As a result, your containment measures should err on the side of caution, relying on what the SARS Commission called the precautionary principle: “Reasonable action to reduce risk should not await scientific certainty.”

In a 1957 speech to the National Defense Executive Reserve, Dwight Eisenhower famously said: “In preparing for battle, I have always found that plans are useless but planning is indispensable.”

Richard E. Widup, senior director, corporate security, Purdue Pharma in Stamford, Connecticut, and a member of the ASIS Board of Directors, says, “If you are doing pandemic flu planning, you are engaging in one of the better business continuity planning processes.”

Department of Homeland Security Secretary Michael Chertoff echoed both sentiments in a recent speech on the topic, saying, “And what I’m concerned about is that if we push this off, push the planning, training, exercising, stockpiling, and everything else off until we actually have efficient human-to-human transmission of pandemic flu, if it should happen, I guarantee you there is not going to be enough time to deal with the issue…. [P]lanning well in advance is the only way to deal with a massive threat.”

Some of those plans have to be developed by government. Meanwhile, it’s up to the security professionals, working with others in the public and private sectors, to make sure that their companies will be ready when the time comes.

Mario Possamai, CFE (Certified Fraud Examiner), CAMS (Certified Anti-Money Laundering Specialist), was senior advisor on the SARS Commission, the inquiry into the outbreak in Canada. He is also a member of the ASIS Global Terrorism, Political Instability and International Crime Council. He co-chaired the ASIS International 26th Annual Government/Industry Conference on Global Terrorism in March.