As states start to lift restrictions and allow people to “return to work,” companies are left to grapple with the specifics – the when, where, and how. The decisions to be made are not merely operational; they go to the core of the businesses balancing stakeholder healthcare concerns against economic ones. In many ways, the increase of board involvement in risk management and environmental, social, and governance (ESG) matters over the last decade has positioned corporate boards well for managing new types of risks. However, the magnitude and complexity of the current pandemic risk coupled with its evolving nature demands an intensified board process.

Most boards now have an established risk management process that identifies, categorizes and mitigates major risks. The pandemic risk should be viewed using this process – but the rapid accumulation of data and the shifting external guidance on response, including in many places’ laws and regulations, will not allow a board to complete a one-time risk review exercise. Instead, the review must be continuous, and the company’s response must adjust to meet the current demands. Boards will need to constantly monitor and adapt to lessons learned to assure that the heath protection standards it employs are based on the best practices available at the time.

Given the increase in epidemics in recent years, including SARS, H1N1 and Zika, it appears unlikely that COVID-19 is the last pandemic that our country and the companies within it will face. Pandemics present a major risk that boards must learn to oversee correctly starting with COVID-19. The board’s actions now can lay the groundwork for a dynamic, effective response to the current pandemic and any future outbreaks.

How Boards Must Oversee COVID-19 and Pandemic Risks

Coming out of this crisis, boards must assure systems are in place to mitigate the impact of the risk going forward. At the outset, boards should utilize their existing enterprise risk management process (ERM). Of course, the likelihood of occurrence and magnitude of harm are not theoretical as is often the case during the ERM process. Having established and charted the risk, the board should then review the mitigation strategy for the risk. There are two things to consider:

  1. how to mitigate the impact of the current COVID-19 pandemic; and
  2. how to eliminate or mitigate the impact of future pandemics.

The first is the immediate task, but the second will be shaped by the effectiveness of the first.

In responding to the COVID-19 pandemic, the mitigation strategy must address two interrelated challenges:

  1. protecting the health of the company’s employees, customers and other stakeholders while also;
  2. restoring the company’s economic performance for the benefit of its employees, stakeholders and communities.

Restoring a company’s economic performances is generally linked to returning its workforce to their jobs and, particularly if the company is consumer facing, reestablishing a market for its products. To do these things, the company must ensure that it is taking reasonable precautions to protect the health of those groups.

Establishing a Pandemic Compliance Program

Until there is a vaccine, the best protection appears to be slowing the spread so that healthcare facilities are not overwhelmed. The complicating factor is that exactly what is required to slow the spread is an evolving standard. As data accumulates, the science-backed advice is being updated and refined. This is where a consistent board process is critical. Mitigation will be best be achieved through a dynamic pandemic compliance program, which ultimately is folded into the company’s overall compliance program.

In establishing such a program, the board should require management to assemble a high-level committee that is tasked with monitoring the evolving scientific advice, legal regulations and best practices, and make recommendations to the board as to the proper methods to protect the employees and stakeholders. In addition to recommending the protections to be employed, the committee should formulate a plan for training and audit processes to assure compliance therewith. The committee should meet regularly to update their thinking as the situation evolves and keep the board apprised of these meetings and the topics discussed. The committee’s process should be well-documented and may benefit from the protection of the attorney-client privilege. When the committee’s recommendations address fundamental matters, such as reopening businesses, the board should receive with written justifications for the recommended protections – citing governmental or scientific advice, where applicable.

The science on COVID-19 remains in flux. The different views on when and how to return to work provide conflicting guidance to companies. Companies that follow the consistent ERM process, establish a sound pandemic compliance program and document the reasoning for their actions and decisions will be able to adapt to shifts in science and government recommendations. When this crisis subsides, boards will be judged as to whether they demonstrated diligence in caring for the greater good of their employees, customers, and communities in seeking to assure health protected economic performance of their companies.