There can be no more important topic than this in 2021. The COVID-19 pandemic continues its rampage in most parts of the world and companies have had to respond by dramatically changing their ways of working. A large percentage of employees now work at home, where possible, and this brings new challenges to corporate security. It has become clear that this is not a temporary change: staff are adapting and often embracing the freedoms that remote working gives. However, with these freedoms comes an indisputable increase in corporate risk. Whilst trying their best to protect staff, companies have lost a considerable amount of control. Indeed, the health of workers is under continual threat, to an extent that may threaten the very existence of the business. Most businesses rely on key staff and if those staff members become sick, the impacts are often immeasurable.
Business Continuity Management (BCM) is the discipline for predicting the effects of threats to the business and identifying the ones that are most critical. It provides a standard way of identifying the impact of threats and of getting a better understanding of the implications. COVID-19 is now a threat every business must take into account. Organizations need to answer "what if" questions about the impact and the BCM process enables that. However, the BCM standard model can be hard to understand for people who are not versed in it. Yet it is those people who need to participate knowledgeably in order to get value from BCM. Large organizations often have BCM teams that manage the creation of impact assessments and facilitate the inputs from each part of the organization. However, with COVID-19, it is often the Human Resources department that is seen by the executive management as the "go to" function to do this kind of analysis. Indeed, the standard BCM model (ISO 22301) does not so easily lend itself to a pandemic situation without some adaptation. For instance, BCM ISO 22301 defines risk tolerance in terms that are not immediately obvious to untrained staff. This is especially important when trying to communicate BCM outputs to senior management. Also, BCM tends to be about putting in controls to mitigate well-defined risk, whereas the effects of COVID-19 are not a risk that can be so easily mitigated. In the example already mentioned, remote working brings with it new risks which may not be so easy to think through. In technical terms, COVID-19 impacts can be more in the category of "residual risk" (which means the risk that remains after all controls are in place). "Residual risk" is better managed as it occurs, and therefore it is important to identify events that are moving an organization into areas where its well-thought-out plans (BCM-identified mitigation controls) simply do not apply.
TeamMacro BCM is a part of the TeamMacro Risk and Security Management (TERSM) solution. As far as possible we have tried to avoid the ISO constraints and make the language more understandable, whilst still following the ISO approach to impact assessments. In this way, BCM should be less of a specialist’s endeavour and can become simpler and more readily cross-functional.
Having identified the areas of risk, for example the effects of reduction of staff hours, especially key staff, on the business processes, it is possible to identify important thresholds. When those thresholds are exceeded, the processes are under critical threat. So alerts can be set based on these thresholds, and the correct team can be notified if the threshold is exceeded. This is underpinned by the reporting of incidents that relate to, in this case, health and safety.
Health and safety reporting is not just for COVID-19; it applies to any event that has an impact on the personal wellbeing of staff. This includes accidents, criminal activity, or indeed any other health and safety concern. For this reason, TeamMacro TERSM identifies Health and Safety as a characteristic of many types of incident, not just ones related solely to health and/or safety. It is an additional characteristic, not an exclusive one. In this respect TeamMacro TERSM goes beyond traditional Health and Safety reporting and provides a more comprehensive view of a related event.