By Andy Jabbour
TL;DR
- From a preparedness and resilience standpoint, health threats and business continuity are often less focused on and less-developed than other areas (i.e., active shooter, data breach response, etc.)
- Responding to COVID-19, while certainly unique, provides a great opportunity to mature pandemic / health threat preparedness and business continuity capabilities.
- In order to make the most of this opportunity, the after-action process should begin as soon as possible (like, two weeks ago).
- Development of an after-action report could be bolstered by staff that may not presently be fully engaged due to remote work activities; take advantage of available resources.
“Do the best you can until you know better. Then when you know better, do better.” – Maya Angelou
Following notable threats and incidents, in the years when some of my teammates and I supported the Department of Homeland Security, we were occasionally tasked with developing after-action reports (AARs). AARs, sometimes referred to as “post-mortems,” are often developed in the military and following exercises (see the Homeland Security Exercise and Evaluation Program (HSEEP) for references on exercise development and AARs). Many times, organizations don’t do a great job of completing a deliberate after-action process or developing AARs after incidents. Whether a minor or major incident or event, developing an AAR to capture what happened, how the organization responded, and developing an analysis of the response, can help to ensure proper procedures are understood and are being followed, that successes are documented, and that potential improvements / corrective actions can be captured for action. Too often, we miss that opportunity and it would be a shame to miss that now with a global response to the COVID-19 pandemic.
Given limited time and resources, most organizations must prioritize preparedness activities. In that, hot topics and recurring issues – threats like active shooters and ransomware/data breaches – often take up a lot of what is available. Too often, maintaining plans and training for health threats and business continuity are neglected, and exercises not conducted. Gallup recently observed, “Before the outbreak of COVID-19, few residents of Western Europe likely ever expected to find themselves at the epicenter of a pandemic. In fact, just a few years ago, their concern about an outbreak of contagious disease took a relative back seat to all other issues Gallup asked them about.”
The World Economic Forum has regularly developed their Global Risks Report. And while infectious diseases are always noted, the risk is always behind other, “hotter,” topics. As coronavirus has shown, the impacts of a pandemic can wreak havoc worldwide, quickly and severely. At some point, things will start to get back to “normal,” and there will be a big push to catch up and make up for lost time. While it would be easy for many to get through this pandemic and reassure ourselves, “this happens every hundred years,” and to then try to resume “normal” routines and operations, focusing on the next requirement and not the past – that would be a huge mistake, and an even more huge missed opportunity.
Our world is going through what could be a once-in-a-lifetime event in responding to a global pandemic. Could be. Or, we could see a new health threat emerge next year, or in five, ten or twenty. And that time, a very certain eventual next time, the threat could be more deadly. More likely, in the near-term, we’ll continue to see less far-reaching but still impactful local and regional outbreaks. In the U.S., just last year measles and mumps emerged as threats in local areas and on college campuses. Responding to COVID-19, while certainly unique in many respects, provides a great opportunity to mature pandemic / health threat preparedness and business continuity capabilities for the inevitable “next time,” which needn’t be as severe as this pandemic, but may be, and may be worse. More, lessons learned now can apply to a variety of major events – from hurricanes to earthquakes, major terrorist attacks to a spectacular compromise of our networks and capabilities.
In order to make the most of this opportunity, the after-action process should begin as soon as possible (like, two weeks ago). What can organizations do right now?
- Start. This is often the hardest part. Consider designating a champion at a senior level to lead this effort and ensure it is well supported and executed from start to finish.
- Assign resources. There are two pools of people that may be available that can help support the after-action process. One of those pools are preparedness personnel. If you have in-house resources responsible for the development of plans, training, exercising, etc., they can often easily pivot to become real-world after-action personnel. Another option may be to take advantage of staff that may be less engaged than usual right now. Development of an after-action report could be bolstered by staff that may not presently be fully engaged due to remote work activities. Take advantage of all available resources.
- Develop an incident timeline and capture actions the organization has taken to date. When did this threat get identified by the organization? How did concerns get discussed and elevated? What decisions were made, when and by who, and did they follow established processes (do those processes exist)? What actions were taken?
- Begin ongoing data collection. COVID-19 response may continue, longer than we might imagine and like. HSEEP offers some ideas on how to go about observation and data collection for exercises. Much of that carries through to real world events too. Develop an approach and execute.
- Conduct analysis. Start the process now and revisit findings as the response continues. Again, having some staff with time on their hands may allow some extra resources to support this and provide some valuable perspective.
- Draft the After-Action Report and Improvement Plan (AAR/IP). There are many approaches to this, but it will be very valuable to make it inclusive and timely. If a draft can be developed and shared quickly after we start to transition back to more traditional operations, that can help maintain momentum.
- Schedule, plan for and execute After-Action Meetings (AAM). The larger the organization, the more complex the response, the more you may have to consider multiple iterations of AAMs. Those may be conducted with different departments, senior leaders, even clients and vendors. The more inclusive and deliberate the process, the more accurate and valuable the findings will be.
- Take improvement actions! Responding to COVID-19 has already been too long and exhausting for many. As we get through this, many of us will want to put coronavirus behind us to get back to work – and there will be a lot to do. Ensure someone is championing the AAR/IP and is lead for corrective action implementation. This may require having a senior leader providing support for the process and helping to push the process along. Too often, organizations fail right here and follow-through doesn’t occur. Don’t let that be you.
“Perfection is not attainable. But if we chase perfection, we can catch excellence.” – Vince Lombardi
This is a unique time and event. It will be too easy to “get through it” and move forward and to squander what can be a tremendous opportunity to improve preparedness and resilience. Take advantage of this incident to improve your organization – and then keep getting better.