When COVID-19 began to spread, it was billed as the great leveler. The pandemic posed a global risk, and no one would be immune.
That was certainly true from a public-health perspective, but some organizations proved far better-equipped to handle the crisis than others. Some companies had internalized the lessons of the H1N1 and MERS outbreaks, in 2009 and 2012, respectively, and subsequently developed pandemic response plans. More recently, others took note after Bill Gates in a 2015 Ted Talk laid out the stark possibility of an infectious virus claiming millions of lives worldwide.
There was no Big Precipitating Event that led Sovos Compliance, a decades-running, Massachusetts-based tax compliance company, to develop a pandemic plan in the years prior to COVID-19. Rather, it was an honest assessment of the nature of the company’s work and the greater demands of an expanded portfolio.
“Our customers rely on us as an essential partner to help them navigate the digital transformation of tax globally,” said John Strasser, chief security officer at Sovos, who was involved in developing and finalizing the company’s pandemic plan. “Because of that, it’s our responsibility to provide uninterrupted service, even during times of unusual human or societal impact.”
The same forethought that kept clients from losing service also made it easy to transition to the new work-from-home reality. “As we’ve grown as a company, our pandemic plan has by necessity grown with us, and it has enabled our entire workforce to function effectively while employees work from home to help contain and reduce the possible risk of spreading COVID-19,” he told Built In via email.
Here’s how they made it happen.
Putting Together a Plan
When looking at companies that had a pre-established pandemic plan ahead of COVID-19, a few commonalities tend to emerge. Many are companies that do business at the enterprise level, have an international presence, operate within or adjacent to government-regulated industries, or do some combination thereof. Sovos checks all three boxes.
The National Institutes of Standards and Technology offers lengthy contingency guidelines for federal agencies in order to help them comply with their responsibilities under the Federal Information Security Management Act. But many global corporations — especially ones that deal in industries with rigorous oversight, like finance — use these same recommendations as jumping-off points in developing their own plans. That includes Sovos, which has numerous international clients that must adhere to government regulations.
The company used the NIST playbook as a “seed,” adapting the guidelines alongside recommendations it had gathered from global business continuity experts who work in the financial industry. “Using this guidance, we adopted the principles and recommendations and tailored them to accommodate the rapid nature of our agile operations,” Strasser told Built In.
Along with the NIST-framework option, the other available starting-point standard is FEMA’s guidelines, National Incident Management System and/or Incident Command System. Best match varies by sector and degree of oversight, but each is similar — and each must be adapted to fit, according to Scott Ream, the national board chair of the Association of Continuity Professionals and CEO and president of business continuity consultancy Virtual Corporation.
“Companies always need to tweak it to match the culture, organizational structure and the need of that enterprise,” Ream said.
Virtual Corporation’s pillar verticals are healthcare and government, and it also services compliance-focused sectors like insurance and finance. But a focus on preparedness should span industries, he stressed. “If you haven’t done a business impact analysis or developed business continuity plans, you’re going to have to make this up in the moment,” he said.
Sovos found itself well-positioned when the pandemic struck, but it took much concerted effort to reach that point. The company spent several years iterating and testing its plan, according to Strasser. Sovos initially rolled it out to just one office, then began to scale it across the company, which spans more than a dozen offices across 10 countries.
Sovos pinpoints three key tenets that drove the plan’s success. No. 1 is tech. There’s plenty of risk, cost and complexity baked into global tax compliance, so software security was a must. “Resilient and globally distributed technology enables all of our employees to work remotely while still maintaining the same access and security they have in the office,” Strasser said.
Second, the company established a framework for effective communication. Specifically, that meant creating a critical response team, which enjoyed the support of Sovos leadership and proved vital come implementation time. Finally, Strasser credits an ingrained customer-centric approach, “even when so many other facets of our work and personal environments are changing.”
Other companies that had worked out pandemic plans have stressed the importance of on-hand supplies and not skimping on human resources.
Ream shared with Built In pandemic plan details of one client, a regional utility provider he declined to name due to promised anonymity, which based its process on FEMA’s ICS. Much of it underscores the importance of pre-staging key resources — cleaning supplies for facilities and staff, personal protective equipment, restoration supplies with which to handle possible outages.
“Obviously, there’s a limit to what you can feasibly stockpile, especially not knowing details in advance of the nature of the virus,” said a company official in the provided overview.
But regardless of industry, administration is vital. “HR plays a key role because of the need to manage illnesses or exposures, modify work rules, time off policies (sick time, exposure/quarantine rules, etc.), manage insurance policies and more,” said the official.
Time to Implement
An international presence is hardly a prerequisite for effective business continuity, but it seems to have been an asset for some global companies as they started to grapple with the coronavirus pandemic. If nothing else, it made the reality hit home sooner.
That’s how Justen Noakes, director of emergency preparedness for Texas supermarket chain H-E-B, described it to Texas Monthly, noting that the global nature of the company’s supply chain led to China-focused impact reports as early as January. By February, H-E-B, which got high public marks for its effective response, was diving into how to implement its pandemic plan.
That mirrors pretty closely Sovos’ own experience and timeline. The company doesn’t have offices in any of the countries that were early outbreak hotspots, like China, South Korea, Italy or Spain, but its European footprint in particular led the company to take notice early on.
“The global nature of our business and workforce spurred early planning and preparation, as COVID-19 began to affect various countries,” Strasser said. “We formed a critical response team of various functional leaders that met daily beginning in February as cases began to increase in Europe, where we have numerous offices.”
When federal agencies began to react, the company knew it was time for it, too, to move.
“As governments and public-health organizations in the regions where we operate began addressing COVID-19, Sovos did as well,” Strasser said. “By the time customers wanted to understand our plan for what was then a potential pandemic, we had already activated that plan.
All-Hazards Planning and Department Ownership
Strasser credits the effectiveness of the company’s pre-established pandemic plan with its wider applicability. If it’s not one-size-fits-all, it’s one-size-fits-a-whole-lot.
“The strength of the Sovos plan lies in the fact that it is not predicated upon types of catastrophic events,” he told Built In. “Instead, we have taken an impact-based approach that is independent of any specific instigating event.”
Rather than focus on specific disasters or emergencies, Sovos focused on potential impacts to business-critical functions and offices, regardless of challenge. “This allows us to design operational contingencies that are flexible and can adapt to any situation, allowing us to keep our promise to our customers no matter what occurs,” he said.
This is what’s known in the continuity industry as all-hazards planning, Ream noted. It’s a two-pronged approach: emergency management runs training simulations and, in the event of actual emergencies, consults a response checklist, be the event a bomb threat, fire, active shooter or some other emergency.
The flip side is the business operations. “Now I don’t care so much what happened,” Ream said. “What I care about is which of my critical dependencies was impacted.”
Business continuity can either be developed within a department or across the entire organization. But in any event, Ream emphasizes strong departmental leadership when it comes to implementation. In effect, if you lead it, you own it.
“The point of placing plan ownership with the department manager or director is very simple,” he said. “You can have a business continuity professional, either inside the organization or as a consulting firm, but when the event actually happens, who’s going to do the recovery? The department. The executives don’t have to have written it themselves, but they clearly need to be invested in it.”
Staying Nimble
Of course, even the most deliberate planning and training can’t entirely prepare one for the fluid, fast-changing nature of a pandemic, and companies have to remain adaptable in such quicksilver situations.
The utility provider for which Ream consulted noted that, even though the plan had been practiced since 2007, before even H1N1, employees still had to be educated once it was implemented. “No matter how thoughtful, complete and detailed the plans are, they will need modification as the events unfold,” the company said.
Similarly, for all of Sovos’ planning, the company was still struck by how quickly the pandemic accelerated.
“The single most surprising aspect of responding to the COVID-19 pandemic was the speed at which it developed,” Strasser said. “When we activated our plan in the beginning of March, we were looking at office closure decisions on a site-by-site basis. Within four days, we made the decision to close all Sovos offices globally.”
“While we did not imagine such rapid implementation, the preparation we had conducted enabled us to execute and weather the change without any interruption of service,” he added.